From: "Sean J. Countryman"
To: "FreeBSD Questions", "Michael"
Subject: RE: DOS ATTACK. Any Suggestions?
Date: Sun, 5 Jan 2003 17:04:03 -0700

> As soon as my site gets big and I have a
> lot of users in irc, some little jealous network comes along and destroys
> what I worked on. The last time this happened my ISP shut ME off because
> it took out one of their facilities.

I think this is your core problem... In all my years working tech support, I've seen that the vast majority of people being DOSed fall into three categories: Child Porn, Spammers, and IRC. If you run IRC, you will be DOSed by some snot-nosed script kiddie.

You are 100% correct in your assessment of their mentality: they basically find the only place where they can be "the man" is behind a keyboard. The sad thing is most of them don't have the slightest idea about the code behind their tools, they just know how to run them.

The only way to get rid of a DOS attack is to either ride it out until they get bored, or contact your host and ask their network engineers to null route the source IPs that are sending to you. You could use IPFW to block those network packets at your kernel level, but by then the packets have already come down the wire to your server and have already affected you. If the network techs can null route the DOS upstream of you, then you should be able to remain online.

Good Luck.

One last thing, I had some fool trying to DOS me once from his own IP address. I simply portscanned him with Nmap and suddenly he just blinked offline. I guess it scared him sufficiently to go to sleep.

- Sean
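
An added example, not part of the original message: the local IPFW filtering mentioned above, sketched as a script that counts source addresses in a packet sample and prints (does not load) one ipfw deny rule per heavy sender. The sample lines, the documentation-range addresses, the threshold and the function names are constructed for illustration; as the message notes, such rules drop packets only after they have already reached the server, so the same list is what you would hand to the upstream network engineers.

```shell
#!/bin/sh
# Constructed sample in a simplified "time src > dst" form, using
# documentation address ranges. Real input would come from your own capture.
sample_capture() {
cat <<'EOF'
18:04:01 198.51.100.7 > 192.0.2.10
18:04:01 198.51.100.7 > 192.0.2.10
18:04:01 203.0.113.44 > 192.0.2.10
18:04:02 198.51.100.7 > 192.0.2.10
18:04:02 192.0.2.99 > 192.0.2.10
18:04:02 203.0.113.44 > 192.0.2.10
18:04:03 198.51.100.7 > 192.0.2.10
18:04:03 203.0.113.44 > 192.0.2.10
18:04:03 198.51.100.7 > 192.0.2.10
EOF
}

# top_sources THRESHOLD (hypothetical helper): read capture lines on stdin,
# print "count address" for every source seen at least THRESHOLD times,
# busiest first.
top_sources() {
    awk -v min="$1" '
        { n[$2]++ }
        END { for (a in n) if (n[a] >= min) print n[a], a }' |
        sort -k1,1nr -k2,2
}

# ipfw_rules BASE (hypothetical helper): read "count address" lines, print
# one deny rule per address, numbered from BASE so the rules can be placed
# ahead of later allow rules in the ruleset.
ipfw_rules() {
    awk -v base="$1" '
        { printf "ipfw add %d deny ip from %s to any\n", base + NR - 1, $2 }'
}

# block_list THRESHOLD BASE: print the rules for review instead of running
# them, so a legitimate busy client is not blocked by mistake.
block_list() {
    sample_capture | top_sources "$1" | ipfw_rules "$2"
}

block_list 3 1000
```
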