Pantek Library

Re: UDP flood DDoS attack with spoofed IP addresses

From: Gavin Westwood <debian-isp(at)solutium.co.uk>
Date: Fri Dec 07 2007 - 05:45:41 EST


On 07/12/2007 09:52, Thomas Goirand wrote:
> Have any of you had to deal with this type of attack? What is the way to
> get the real IPs and finally find out where the botnet is and destroy it?

Hi Thomas.

While I haven't had any experience with dealing with this, I don't think you can find out the offending IP directly. I think you'd need to speak to your upstream ISP and they should be able to identify the router that the packets are coming to their router from, then they or you will need to talk to the ISP whose router that is, and trace back from there, until you find the ISP whose router received the request(s) from within their network. Being a botnet, you'd probably have to do this for many different source ISPs.

Probably the easiest way to handle this for now is to prevent the flood reaching your server by asking your ISP to block traffic on their main router for the specific UDP ports that you are being attacked on where packets are destined for your IP address(es).

Gavin

-- 

Gavin Westwood
Solutium
http://www.solutium.net - Going the extra mile to provide a fast,
helpful, reliable Web Hosting service.




Received on Fri Dec 7 06:08:12 2007
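
An added example, not part of the original message: a Python script that tallies inbound UDP packets per destination address and port from `tcpdump -nn` text output, giving the specific ports and addresses to hand to the upstream ISP for filtering. The sample capture lines, the addresses (documentation ranges) and the packet threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Plain UDP lines in `tcpdump -nn` output: "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>".
# Payloads tcpdump decodes itself (DNS, NTP, ...) print differently and are skipped here.
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)"
)

# Constructed sample capture; every address and port below is made up.
SAMPLE = """\
05:40:01.000101 IP 198.51.100.7.40211 > 192.0.2.10.27015: UDP, length 1024
05:40:01.000117 IP 203.0.113.91.1093 > 192.0.2.10.27015: UDP, length 1024
05:40:01.000130 IP 198.51.100.200.5533 > 192.0.2.10.27015: UDP, length 1024
05:40:01.000142 IP 203.0.113.14.61234 > 192.0.2.10.27015: UDP, length 1024
05:40:01.000150 IP 198.51.100.9.51000 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
05:40:01.000163 IP 198.51.100.53.9000 > 192.0.2.10.53211: UDP, length 120
05:40:01.000171 IP 203.0.113.77.2048 > 192.0.2.11.27015: UDP, length 1024
05:40:01.000185 IP 198.51.100.7.40212 > 192.0.2.10.27015: UDP, length 1024
"""

def summarize_udp(lines, my_ips):
    """Count packets, bytes and distinct claimed sources per (dst ip, dst port)."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a plain UDP line (TCP, ICMP, decoded protocol)
        src, _sport, dst, dport, length = m.groups()
        if dst not in my_ips:
            continue  # outbound or transit traffic, not aimed at our addresses
        entry = stats[(dst, int(dport))]
        entry["packets"] += 1
        entry["bytes"] += int(length)
        entry["sources"].add(src)  # with spoofing these are claimed, not real, senders
    return stats

def filter_request(stats, min_packets):
    """Rows (dst ip, dst port, packets, bytes, distinct sources), busiest first."""
    rows = [(dst, port, s["packets"], s["bytes"], len(s["sources"]))
            for (dst, port), s in stats.items()
            if s["packets"] >= min_packets]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    stats = summarize_udp(SAMPLE.splitlines(), {"192.0.2.10", "192.0.2.11"})
    for dst, port, pkts, nbytes, nsrc in filter_request(stats, min_packets=3):
        print(f"block udp to {dst} port {port}: {pkts} pkts, {nbytes} bytes, {nsrc} sources")
```
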

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:51:35 EDT

