Request for contact and procedure information

All,

I'm currently experiencing a DDOS attack on my home DSL connection.

Thousands of requests to port 80.

I'm on an SBC business class account.

I'm guessing that calling the regular customer support won't get me anywhere.

Any suggestions?

Charles,

You're going to need an enterprise grade DDoS protection provider and
should expect to spend anywhere from hundreds to thousands per month
for this service. This is not a service the majority of transit
providers are capable of offering.

Best regards, Jeff

Turn off your DSL modem for a while, and hope for a new dynamic IP?

Mark

Turn off whatever you have listening on port 80.

I have a static range. :frowning:

Mark Price wrote:

I did. Still getting pounded.

John Peach wrote:

And it's not covered by your SLA?

Adrian

Have you spoken with your provider? They should be giving you options, like changing your static address, or null routing the attackers upstream, or perhaps blocking port 80 to you, to limit your ingress traffic.

- Dan

Charles Wyble wrote:

Dude, he's on SBC man. They're not going to do anything but tell him
to restart the modem.

Dan White wrote:

Have you spoken with your provider? They should be giving you options,
like changing your static address, or null routing the attackers
upstream, or perhaps blocking port 80 to you, to limit your ingress
traffic.

For DSL? I've never had that kind of luck with SBC's (now AT&T) home
products, and I've been using their DSL since 2001. This is one instance
where paying the big bucks for at least a T1 can show some return.
Even if it's "business DSL" it's still treated the same as "drooling
user DSL".

Purely my personal experience.

~Seth

Good, Fast, Cheap, pick any two. Consumer grade AT&T DSL is fast and cheap, and now you realize why Good is not included when you go with Fast and Cheap.

jc

Okay, this is going to sound REALLY lame, but IMHO it may be your best bet to
get action from SBC:

1) File a police report with your local law enforcement agency and (CRITICAL)
get a case number. (You should have well documented when the attack started,
too. If asked why you waited so long to report it, explain that you were not
familiar with procedures. You may also be asked what you have that someone wants
to attack. "I don't know" is an acceptable answer, if that is the truth.) When
local law enforcement completes taking the report, request that your local law
enforcement escalate the case to the local/regional FBI office (specifically
mention InfraGard).

2) Call your local FBI office and ask to speak to the InfraGard coordinator.
(If it is a small office, they may refer you to your regional office.) Tell them
you are being DDoSed, that you have filed a report with local law enforcement
(give them the agency and case number), tell them who your ISP is and its contact
information, and tell them the ISP has been uncooperative in resolving it. Ask them
if they can please help -- at a minimum, whether they can contact the ISP and get them to
start null routing DDoS traffic.

Just out of curiosity, do you have any traffic capture? If so, what type of
attack is it? SYN flood, Apache instance starvation, etc.?

You may want to do some packet capture for hand-over to law enforcement.

I know this sounds lame, but I also CONSTANTLY hear from InfraGard that they
want to be informed of these types of attacks, and they will help when resources
permit.

Don't expect miracles. But it is better than nothing.

Finally, document, document, document!!!

Jon
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-813-2924 (NEW!)
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
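Jon asks whether there is a traffic capture and what kind of attack it is (SYN flood versus Apache instance starvation). As an added example that is not from anyone in this thread, the script below reads tcpdump-style text lines for port 80, builds the per-source timeline and counts that a police report or abuse desk would want (first seen, last seen, packet count), and labels the dominant pattern. The sample lines are constructed, using documentation address ranges; the log format is assumed to be tcpdump's default text output.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump text format (as from: tcpdump -nn 'tcp dst port 80').
# Not a real capture; 198.51.100.7 is made to look like a SYN flooder and 192.0.2.44
# like a client that completes the handshake and sends GETs.
SAMPLE = """\
12:00:01.000100 IP 198.51.100.7.40001 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000200 IP 198.51.100.7.40002 > 203.0.113.10.80: Flags [S], seq 2, win 512, length 0
12:00:01.000300 IP 198.51.100.7.40003 > 203.0.113.10.80: Flags [S], seq 3, win 512, length 0
12:00:01.100000 IP 192.0.2.44.51000 > 203.0.113.10.80: Flags [S], seq 9, win 65535, length 0
12:00:01.120000 IP 192.0.2.44.51000 > 203.0.113.10.80: Flags [.], ack 1, win 65535, length 0
12:00:01.130000 IP 192.0.2.44.51000 > 203.0.113.10.80: Flags [P.], seq 1:90, ack 1, length 89: HTTP: GET / HTTP/1.1
12:00:02.000000 IP 198.51.100.7.40004 > 203.0.113.10.80: Flags [S], seq 4, win 512, length 0
"""

# Timestamp, source IP/port, destination IP/port and TCP flags from a tcpdump line.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def summarize(text, dport="80"):
    """Per-source evidence: packets, bare-SYN count, HTTP request count, first/last timestamp."""
    stats = defaultdict(lambda: {"packets": 0, "syn_only": 0, "http": 0, "first": None, "last": None})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["dport"] != dport:
            continue  # skip lines that are not traffic to the attacked port
        s = stats[m["src"]]
        s["packets"] += 1
        s["syn_only"] += m["flags"] == "S"   # SYN with no other flag set
        s["http"] += "HTTP:" in line          # tcpdump decoded an HTTP request
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
    return dict(stats)

def classify(src_stats):
    """Label one source: only bare SYNs looks like a SYN flood; completed handshakes carrying
    GETs tie up web server workers (the Apache starvation case)."""
    if src_stats["packets"] >= 3 and src_stats["syn_only"] == src_stats["packets"]:
        return "syn-flood"
    if src_stats["http"] > 0:
        return "http-requests"
    return "unclear"

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(f"{src:16} {classify(s):14} packets={s['packets']} first={s['first']} last={s['last']}")
```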

I hate to reply to my own email... but as soon as I hit "SEND", I realized I
left off something important...

You said you have Business Class DSL. Is this for a business? If so, have your
lawyer contact SBC. S/he should request to talk with the department manager for
small business services. That, too, may help get action. Be sure to provide
him/her with written documentation on everything you can regarding the attack.
The more information that s/he has, the better to beat up on SBC with.

Finally, what does your TOS/SLA say about DDoS? Most have something to say about
ISP liability in the mitigation of such attacks.

GOOD LUCK!

Jon

All,

There are few if any ISPs that will help you with something like this.
Law enforcement also does not have the resources to even begin to look
at a single DSL line being attacked unless you can show 7+ figures in
damage or some type of major threat to national infrastructure.

Your options are basically as follows:

1) Use csf. If properly tuned this should be sufficient to filter
minor attacks.
2) Invest in a decent firewall like a Juniper Netscreen and set
session limits. This won't stop an attack but it will limit the amount
of traffic you have to filter locally.
3) Ask SBC to null route the IP completely.
4) Invest in an actual protection service.

Jeff

Last time I had to deal with a DDoS coming over a Sprint circuit
(multilink T1) they transferred me to someone in security and they
started null routing things. Initially they were treating it as trouble
because the BGP session kept resetting, but once we all figured out it
was a DDoS the resolution was quick and painless. Maybe my experience is
abnormal? I don't know.

~Seth

I guess complaining that your provider won't do anything to help you, and not calling them to find out otherwise, is a self-fulfilling prophecy.

- Dan

I spoke with SBC.

2 hours on the phone (all with US-based support, which was awesome) came down to: e-mail abuse@sbcglobal.net.

I'll let everyone know how it goes.

Can you read? Did I say that?

~Seth

Seth,

This was obviously not a response to you, but to the original poster.

- Dan

Sorry, I read that as a response to my message.

~Seth