sofsoldier
Newbie
Joined: 20 April 2005
Location: United States
Status: Offline
Points: 26
Topic: My first DOS attack?? Posted: 05 May 2005 at 2:01pm |
|
Hello everyone,
My website (see link in signature) is experiencing what I think is a DOS attack, but goes against the definition.
I have a counter on my site that also logs the originating IP address. For the past 2 days, I have been getting hits every 2 seconds from the same IP address to the home page only. The definition of a DOS is switching IP addresses so the webserver cannot respond.
My web server is handling this fine, and since it's the same IP address I blocked the address with my router and IIS 6, so that should fix that - but the router log has this guy still trying.
Is this a DOS attack? And since I am now blocking this IP address within the router and the webserver, do I need to worry about this guy?
Obviously I will need to filter as other different IP addresses do the same. Hopefully he will lose interest in my site now that he is blocked.
|
 |
xeerex
Senior Member
Joined: 19 November 2002
Location: United States
Status: Offline
Points: 601
Posted: 05 May 2005 at 2:26pm |
Fortunately, it appears that it is not a DDOS, which is "distributed denial of service". In that case simply blocking the IP addresses at the router would not really help, as the consumption of bandwidth from the incoming requests would overwhelm your connection and most likely disrupt service until the flood of traffic subsides or you can add more resources (i.e. bandwidth and hardware).
Hopefully, the user will go away. If not, see who the ISP is for the
offender and see if they can help out. Remember though, the IP addy
could be spoofed so you may have to use some other tools to dig a
little further.
Useful information:
http://en.wikipedia.org/wiki/Denial-of-service_attack
/.'ed
http://en.wikipedia.org/wiki/Slashdot_effect
|
|
|
 |
huwnet
Senior Member
Joined: 30 May 2003
Location: England
Status: Offline
Points: 1375
Posted: 05 May 2005 at 3:36pm |
|
I would forward all enquiries to abuse@ THEISP.TLD
I forward all spam to the ISP after tracing the IP!
|
 |
dpyers
Senior Member
Joined: 12 May 2003
Status: Offline
Points: 3937
Posted: 05 May 2005 at 10:04pm |
As xeerex noted, a denial of service attack is going to flood your router with requests.
Repetitive requests are not necessarily a sign of malicious intent. I've seen situations where a browser crash on a client machine left a TCP/IP request running in the background. Also seen routers get hung up on a malformed packet and keep trying to pass it along.
You may also be getting hit to see if the site is up.
|
Lead me not into temptation... I know the short cut, follow me.
|
 |
xeerex
Senior Member
Joined: 19 November 2002
Location: United States
Status: Offline
Points: 601
Posted: 05 May 2005 at 11:40pm |
wrote:
I've seen situations where a browser crash on a client machine left a TCP/IP request running in the background.
Good point.
Maybe the guy/gal is running Firefox with the "Reload Every" extension
and just wants to not miss any new content on your homepage?
As an interesting point, I had noticed that my site was getting
hammered on a frequent repetitive basis. Upon further review, I
remembered that I had an RSS feed mod'ed to my forum. Somebody was
running an RSS reader with the timer set at very short intervals.
Edited by xeerex - 05 May 2005 at 11:42pm
|
|
|
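The pattern discussed in this thread (one address requesting only the home page at a fixed interval, as a stuck client, a reload extension or an RSS reader would), shown as an added example that is not part of any post: a Python script that reads W3C extended log lines, the format IIS writes, and reports clients whose requests to a single URL arrive at a near-constant interval. The log lines, the IP addresses (documentation ranges) and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample: 203.0.113.7 requests the home page every 2 seconds,
# the other two clients browse normally.
SAMPLE = "\n".join(
    ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    + [f"2005-05-05 14:00:{2 * i:02d} 203.0.113.7 GET /default.asp 200" for i in range(30)]
    + ["2005-05-05 14:00:05 198.51.100.20 GET /default.asp 200",
       "2005-05-05 14:00:09 198.51.100.20 GET /forum/default.asp 200",
       "2005-05-05 14:00:41 198.51.100.20 GET /forum/topic.asp 200",
       "2005-05-05 14:00:12 192.0.2.44 GET /default.asp 200"]
)

def parse_w3c(text):
    """Yield (timestamp, client_ip, uri), using the column order given by #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield ts, row["c-ip"], row["cs-uri-stem"]

def periodic_clients(text, min_hits=10, max_jitter=0.5):
    """Return {ip: report} for clients hitting one URL at a near-constant interval.

    min_hits and max_jitter (seconds of standard deviation between requests)
    are illustrative thresholds, not values taken from the thread.
    """
    hits = defaultdict(list)
    for ts, ip, uri in parse_w3c(text):
        hits[ip].append((ts, uri))
    flagged = {}
    for ip, rows in hits.items():
        rows.sort()
        times = [t for t, _ in rows]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        uris = {u for _, u in rows}
        # Require at least 3 hits so there are 2 gaps to compare.
        if len(rows) >= max(min_hits, 3) and len(uris) == 1 and pstdev(gaps) <= max_jitter:
            flagged[ip] = {"hits": len(rows), "interval_s": median(gaps), "uri": uris.pop()}
    return flagged

if __name__ == "__main__":
    for ip, report in periodic_clients(SAMPLE).items():
        print(ip, report)
```

A single flagged address with a steady interval points to one automated client rather than a distributed flood; the same report run over a longer window shows whether the requests stop after the block.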
 |
ctscott
Senior Member
Joined: 27 May 2003
Location: United States
Status: Offline
Points: 246
Posted: 06 May 2005 at 9:04am |
|
The same thing happened to me on a site I'm responsible for. The IP was from China. I emailed them and kindly asked them to stop. I had receipt requested turned on and I got back that they read it. Most of their first names were English....go figure. Anyway, it kept on for another few days so I just modified the homepage to check the IP address coming in. If it was their IP I redirected the request back to their own IP....every time they visited me they visited themselves. It stopped soon after that.
|
|
|
 |
dpyers
Senior Member
Joined: 12 May 2003
Status: Offline
Points: 3937
Posted: 06 May 2005 at 10:38am |
ctscott wrote:
...if it was their IP I redirected the request back to their own IP....every time they visited me they visited themselves. It stopped soon after that.
Elegant 
|
|
 |
sofsoldier
Newbie
Joined: 20 April 2005
Location: United States
Status: Offline
Points: 26
Posted: 06 May 2005 at 12:01pm |
|
"if it was their IP I redirected the request back to their own IP....every time they visited me they visited themselves."
I like that - how did you do this?
|
 |