GoDaddy : DDoS :: Contact

My company is being DDoS'd by a single IP from a GoDaddy customer.

I haven't had success with the abuse@godaddy.com email. Was hoping someone
that could help might be watching the list and could contact me off-list.

//Jason

2. Aug 2015 19:59 by jason.leblanc@infusionsoft.com:

My company is being DDoS'd by a single IP from a GoDaddy customer.

DDoS = multiple IPs

DoS = single IP

Not to be difficult, but how can it be a DDoS attack if it’s coming from a single IP? Normally you would just block this IP at your borders or ask your upstreams to do so before it consumes your bandwidth. You still want to get GoDaddy to address the problem, of course, but you should do that via their abuse@godaddy.com contact, or their abuse page at https://supportcenter.godaddy.com/AbuseReport/Index (submit via the “malware” button).

-mel

Just block it

It seems most people colloquially use DDoS for both, and reserve DoS for magic-packet blocking exploits like the latest BIND CVE, FYI.

3. Aug 2015 03:54 by rdobbins@arbor.net:

Being pedantic for its own sake, when there's little possibility of confusion, isn't really constructive. Everyone, including you, knew what he meant.

Feel free to try to reclaim the old meaning of the word "hacker" while
you're at it. That ship sailed long ago, and so has the DoS/DDoS distinction.

3. Aug 2015 04:20 by Valdis.Kletnieks@vt.edu:

DDoS = multiple IPs

DoS = single IP

It seems most people colloquially use DDoS for both, and reserve DoS for
magic-packet blocking exploits like the latest BIND CVE, FYI.

Given how easy it still is to put a fake source address in an IP
packet, it seems optimistic to assume that just because the packets
all have the same return address, they're actually coming from the
same place.

R's,
John

Concur 100% - we see that from time to time, multiple sources spoofing the same source IP.

John,

What would be the point of spoofing the source IPs to be identical? You're just making the attack trivial to block. Plus you could never do any kind of TCP session attack, since you can't complete a handshake. I would have to call this sort of attack a LAAADDoS (Lame Attempt At A DDoS). :slight_smile:

-mel beckman

Attackers do strange things all the time.

Most endpoint organizations don't have any way to detect/classify DDoS traffic, so they've no idea how to block it.

Plus, it can asymmetrically strain load-balanced server instances, links, et al.

Most DDoS attacks don't involve TCP and 3-way handshakes. That isn't to say they aren't common, but one oughtn't to assume that having the ability to do so is a prerequisite for an attacker.

Hi,

What would be the point of spoofing the source IPs to be identical? You're just making the attack trivial to block. Plus you could never do any kind of TCP session attack, since you can't complete a handshake. I would have to call this sort of attack a LAAADDoS (Lame Attempt At A DDoS). :slight_smile:

Perhaps spoofing an IP that cannot be blocked, as it's one that needs to be allowed for the site IT to operate? Some cloud service IP or such...?

alan

Children!

Regards,

Dovid

Reflection attack as a secondary goal against the spoofed source IP? Primary goal would be a SYN flood of many servers.

But SYN floods are easily detected and deflected by all modern firewalls. If a handshake doesn’t complete within a certain time interval, the SYN is discarded.

Many DDOS attacks are full-fledged TCP sessions. The zombies are used to simulate legitimate users, and because they’re coming from thousands of legitimate IP addresses sending what looks like completely normal traffic (e.g. HTTP queries) they are difficult to distinguish from real clients systems. There are of course unicast DDOS attacks prosecuted over UDP or ICMP. The majority I’ve seen, however, are TCP.

In any event, I think it’s not useful to misuse the term DDoS, and that it refers to any attack where the source addresses are distributed across the Internet, making them difficult to identify and therefore block.

-mel

But SYN floods are easily detected and deflected by all modern firewalls. If a handshake doesn’t complete within a certain time interval, the SYN is discarded.

This is incorrect. I've seen a 20 Gb/sec stateful firewall taken down by a 3 Mb/sec spoofed SYN-flood due to DDoS exhaustion. I've seen a 10 Gb/sec load-balancer taken down by 60s of 6 kpps of HOIC:

<https://app.box.com/s/a3oqqlgwe15j8svojvzl>

The majority I’ve seen, however, are TCP.

<https://en.wikipedia.org/wiki/Hasty_generalization>

In any event, I think it’s not useful to misuse the term DDoS, and that it refers to any attack where the source addresses are distributed across the Internet, making them difficult to identify and therefore block.

Again, that ship sailed long ago.

That should read 'state exhaustion', apologies.

And any half-awake server operator would have turned on SYNCOOKIES a long time ago.
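The thread's closing point (a stateful device can be exhausted by a small spoofed SYN flood, and SYN cookies are the standard answer) is easy to see in a simulation. The following is an added example, not code from any poster or from GoDaddy, Arbor or any firewall vendor: a toy listener that either stores one half-open entry per SYN (stateful) or encodes the handshake state in the initial sequence number as a keyed hash (SYN cookie), so a spoofed SYN whose ACK never arrives costs it no memory at all. The cookie layout (5-bit time slot, 3-bit MSS index, 24-bit HMAC), the secret, the MSS table and the addresses are all constructed for the demonstration and simplified relative to a real TCP stack.

```python
"""Toy SYN-cookie listener: handshake state lives in the ISN, not in a table."""
import hashlib
import hmac

SECRET = b"constructed-secret-rotate-me"   # constructed; a real stack rotates this
MSS_TABLE = (536, 1220, 1440, 1460)       # MSS values representable in 3 cookie bits
SLOT_SECONDS = 64                         # cookie time-slot granularity


def _mac(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed hash over the 4-tuple and the time-slot counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, now):
    """ISN = 5-bit slot | 3-bit MSS index | 24-bit MAC (fits in 32 bits)."""
    counter = int(now) // SLOT_SECONDS
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((counter & 0x1F) << 27) | (idx << 24) | _mac(src_ip, src_port, dst_ip, dst_port, counter)


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack, now):
    """Return the negotiated MSS if ack-1 is a valid cookie for this 4-tuple, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    slot, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = int(now) // SLOT_SECONDS
    for counter in (current, current - 1):   # accept the current and the previous slot
        if (counter & 0x1F) == slot and _mac(src_ip, src_port, dst_ip, dst_port, counter) == mac:
            return MSS_TABLE[idx]
    return None


class Listener:
    """Simulated TCP listener: stateful keeps a half-open table, stateless uses cookies."""

    def __init__(self, ip, port, stateless):
        self.ip, self.port, self.stateless = ip, port, stateless
        self.half_open = {}        # (src_ip, src_port) -> (ISN, MSS); stateful mode only
        self.established = []

    def on_syn(self, src_ip, src_port, mss, now):
        """Handle a SYN; return the ISN that would be sent in the SYN-ACK."""
        if self.stateless:
            return make_cookie(src_ip, src_port, self.ip, self.port, mss, now)
        isn = _mac(src_ip, src_port, self.ip, self.port, 0)   # any ISN, but it must be stored
        self.half_open[(src_ip, src_port)] = (isn, mss)
        return isn

    def on_ack(self, src_ip, src_port, ack, now):
        """Handle the third handshake packet; True if the connection is established."""
        if self.stateless:
            ok = check_cookie(src_ip, src_port, self.ip, self.port, ack, now) is not None
        else:
            entry = self.half_open.pop((src_ip, src_port), None)
            ok = entry is not None and ack == entry[0] + 1
        if ok:
            self.established.append((src_ip, src_port))
        return ok

    def pending(self):
        """Number of half-open entries the listener is holding."""
        return len(self.half_open)


def spoofed_syn_flood(listener, n, now):
    """Constructed flood: n SYNs from distinct spoofed sources whose ACKs never come back."""
    for i in range(n):
        src_ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        listener.on_syn(src_ip, 1024 + (i % 60000), 1460, now)
    return listener.pending()


if __name__ == "__main__":
    t0 = 1_700_000_000
    print("stateful half-open after flood:", spoofed_syn_flood(Listener("203.0.113.1", 80, False), 5000, t0))
    print("stateless half-open after flood:", spoofed_syn_flood(Listener("203.0.113.1", 80, True), 5000, t0))
```

The stateless listener still completes a real handshake: the client echoes ISN+1, the listener recomputes the MAC from the 4-tuple and the current or previous time slot, and an ACK with the wrong value or one arriving after the slot window is rejected. The price is the lost SYN options, which is why the MSS is squeezed into the cookie; real stacks only fall back to cookies once the backlog fills, which is what turning on `tcp_syncookies` does.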