handling ddos attacks

Ok, I'll buy that right now; we have a DDoS Attack on our core nameservers
from 66.165.10.24. Where do we start, do I call the police in Bellingham or
Washington State Police? We have blocked their IPs, but we know they will
come in another way.

the best thing is if you call the FBI, or NIPC. if you call your local FBI
field office and say you're experiencing a cyberattack and could they give
you the number for NIPC then it'll probably produce the results you want,
even if NIPC has been renamed one or more times since i last talked to them,
or if this old functionality within FBI is now handled by DHS, or both.

: the best thing is if you call the FBI, or NIPC. if you call your local FBI
: field office and say you're experiencing a cyberattack and could they give
: you the number for NIPC then it'll probably produce the results you want,
: even if NIPC has been renamed one or more times since i last talked to them,
: or if this old functionality within FBI is now handled by DHS, or both.

Call your local branch of the US Secret Service, if you're in the
states, and ask for their electronic crimes division. If you're not in
the states, contact your comparable local authority. They can work with
you to coordinate with other jurisdictions, etc.

Wow, you guys have a lot of time on your hands! A DoS program was put on
a PC where I do my day job and was put there by someone from the 81.x.x.x
range. I have to get back to doing the netgeeking that I missed while
troubleshooting the problem. How much more of my time do you think it'd
take to convince international authorities that some kid who ran LC4 from
Europe, got a password and put something from Files ≈ Packet Storm
on one of the computers to attack his enemy of the day is worth their time
and effort? Think globally. It ain't gonna happen...

: > Ok, I'll buy that right now; we have a DDoS Attack on our core nameservers
: > from 66.165.10.24. Where do we start, do I call the police in Bellingham or
: > Washington State Police? We have blocked their IPs, but we know they will
: > come in another way.

You could always call someone here:
http://www.whitehouse.gov/homeland/contactmap.html and we could bomb the
crap outta them if they're not in the US...

scott

If you can get past "local" barriers, it very probably will happen.
I'm in regular touch with the relevant authorities and I can tell you
that the FBI is 100% targeted on getting results in exactly that area.

While there are obvious difficulties with Russian (and neighbouring
country) ISPs, for the rest of Europe any such misconduct gets fast
action - as witness the speed with which Law Enforcement moved over
the Sasser worm - the author of which is already in custody.

If you are aware of any live case believed to be originating in Europe,
I'm sure you can think of a suitable person with whom to get in touch!

*alleged* author.

I mention this mostly because there's been at least one case where they've arrested
somebody for creating a minor tweaked variant, and gotten the press pointed at
that rather than the fact that they never did (to my knowledge) find the guy
who did the bulk of the work....