
My first DOS attack??

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: General Discussion
Forum Description: General discussion and chat on any topic.
URL: https://forums.webwiz.net/forum_posts.asp?TID=14957
Printed Date: 01 April 2026 at 1:00am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: My first DOS attack??
Posted By: sofsoldier
Subject: My first DOS attack??
Date Posted: 05 May 2005 at 2:01pm
Hello everyone,

My website (see link in signature) is experiencing what I think is a DOS attack, but goes against the definition.

I have a counter on my site that also logs the originating IP address. For the past 2 days, I have been getting hits every 2 seconds from the same IP address to the home page only. The definition of a DOS is switching IP addresses so the webserver cannot respond.

My web server is handling this fine, and since it's the same IP address I blocked the address with my router and IIS 6, so that should fix that - but the router log has this guy still trying.

Is this a DOS attack? And since I am now blocking this IP address within the router and the webserver, do I need to worry about this guy? Obviously I will need to filter as other different IP addresses do the same. Hopefully he will lose interest in my site now that he is blocked.


-------------
__________________________
Ricky L. Murphy
http://astronomyonline.org



Replies:
Posted By: xeerex
Date Posted: 05 May 2005 at 2:26pm
Fortunately, it appears that it is not a DDOS, which is "distributed denial of service". In that case simply blocking the IP addresses at the router would not really help, as the consumption of bandwidth from the incoming requests would overwhelm your connection and most likely disrupt service until the flood of traffic subsides or you can add more resources (i.e. bandwidth and hardware).

Hopefully, the user will go away. If not, see who the ISP is for the offender and see if they can help out. Remember though, the IP addy could be spoofed so you may have to use some other tools to dig a little further.

Useful information:
http://en.wikipedia.org/wiki/Denial-of-service_attack

/.'ed
http://en.wikipedia.org/wiki/Slashdot_effect


-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: huwnet
Date Posted: 05 May 2005 at 3:36pm
I would forward all enquiries to abuse@ THEISP.TLD

I forward all spam to the ISP after tracing the IP!


Posted By: dpyers
Date Posted: 05 May 2005 at 10:04pm
As xeerex noted, a denial of service attack is going to flood your router with requests.
 
Repetitive requests are not necessarily a sign of malicious intent. I've seen situations where a browser crash on a client machine left a TCP/IP request running in the background. Also seen routers get hung up on a malformed packet and keep trying to pass it along.
 
You may also be getting hit to see if the site is up.


-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: xeerex
Date Posted: 05 May 2005 at 11:40pm
Originally posted by wrote:

I've seen situations where a browser crash on a client machine left a TCP/IP request running in the background.


Good point.

Maybe the guy/gal is running FireFox with the "Reload Every" extension and just wants to not miss any new content on your homepage? LOL

As an interesting point, I had noticed that my site was getting hammered on a frequent repetitive basis. Upon further review, I remembered that I had an RSS feed mod'ed to my forum. Somebody was running an RSS reader with the timer set at very short intervals.


-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production
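
Added example (not part of any poster's reply): a Python check that separates the pattern discussed above, one address requesting one page at a fixed interval (the 2-second home page hits, or an RSS reader on a short timer), from ordinary irregular browsing. It assumes IIS W3C extended logs with the fields shown; the sample log, the addresses (documentation ranges) and the `min_hits` / `max_jitter` thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def parse_w3c(text):
    """Yield (timestamp, client_ip, uri) from W3C extended log text."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield ts, row["c-ip"], row["cs-uri-stem"]

def periodic_clients(text, min_hits=20, max_jitter=0.5):
    """Return {(ip, uri): (hits, mean_interval_s)} for timer-like request streams."""
    seen = defaultdict(list)
    for ts, ip, uri in parse_w3c(text):
        seen[(ip, uri)].append(ts)
    flagged = {}
    for key, stamps in seen.items():
        if len(stamps) < max(min_hits, 2):     # need at least one gap to measure
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:         # near-constant spacing => automated client
            flagged[key] = (len(stamps), mean(gaps))
    return flagged

def build_sample():
    """Constructed log: one 2-second poller plus one irregular human visitor."""
    start = datetime(2005, 5, 5, 14, 0, 0)
    rows = [(start + timedelta(seconds=2 * i), "192.0.2.10", "/default.asp") for i in range(30)]
    human = [(0, "/default.asp"), (9, "/forum.asp"), (41, "/default.asp"), (47, "/gallery.asp")]
    rows += [(start + timedelta(seconds=s), "198.51.100.7", u) for s, u in human]
    lines = ["#Software: Microsoft Internet Information Services 6.0",
             "#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    lines += [f"{t:%Y-%m-%d %H:%M:%S} {ip} GET {uri} 200" for t, ip, uri in sorted(rows)]
    return "\n".join(lines)

if __name__ == "__main__":
    for (ip, uri), (hits, gap) in periodic_clients(build_sample()).items():
        print(f"{ip} requested {uri} {hits} times, one hit every {gap:.1f}s")
```

A flagged entry only says the requests are machine-timed; the request rate and the user agent in the same log help tell a feed reader or uptime check from something worth blocking.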


Posted By: ctscott
Date Posted: 06 May 2005 at 9:04am
the same thing happened to me on a site i'm responsible for.  the IP was from china.  i emailed them and kindly asked them to stop.  i had receipt requested turned on and i got back that they read it. most of their first names were english....go figure.  anyway, it kept on for another few days so i just modified the homepage to check the ip address coming in.  if it was their ip i redirected the request back to their own ip....every time they visited me they visited themselves.  it stopped soon after that.

-------------
______________________
http://www.cfbtrivia.com - College Football Trivia


Posted By: dpyers
Date Posted: 06 May 2005 at 10:38am
Originally posted by ctscott:

...if it was their ip i redirected the request back to their own ip....every time they visited me they visited themselves.  it stopped soon after that.
 
Elegant.


-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: sofsoldier
Date Posted: 06 May 2005 at 12:01pm
"if it was their ip i redirected the request back to their own ip....every time they visited me they visited themselves."

I like that - how did you do this?


-------------
__________________________
Ricky L. Murphy
http://astronomyonline.org


Posted By: JohnKn
Date Posted: 06 May 2005 at 12:20pm
Here's what I added to common.asp when I had a similar situation:
 
' Match the client address as a prefix (195.174.196.x), not as a substring anywhere in it
If InStr(1, Request.ServerVariables("REMOTE_ADDR"), "195.174.196.") = 1 Then Response.Redirect("http://www.fbi.gov")

Oddly enough it stopped very shortly after this. LOL


Posted By: sofsoldier
Date Posted: 06 May 2005 at 12:24pm
Thanks!

-------------
__________________________
Ricky L. Murphy
http://astronomyonline.org


Posted By: the boss
Date Posted: 06 May 2005 at 12:57pm

ip redirection is better to be done on the router.. saves ur website from fake hits

u can also redirect him to like 127.0.0.1 address.. the local loopback..so he will be caught in a never ending cycle of local loop back..


-------------
http://www.web2messenger.com/theboss


Posted By: sofsoldier
Date Posted: 06 May 2005 at 1:11pm
My router is not that sophisticated. I like the loopback idea, but I want this guy away from my server.

I already embedded the redirect code to my site. I wonder if a redirect to the cia.gov or nsa.gov would be more scary than the fbi site?

Either way, thank you everyone!


-------------
__________________________
Ricky L. Murphy
http://astronomyonline.org


Posted By: xeerex
Date Posted: 06 May 2005 at 1:17pm
Have you considered the fact that he may have an app running to ping your site or scan your server? He may not even be using a browser, or it could be a "zombie" machine that is physically owned by a typically ignorant and innocent Windows user. In a virtual sense, the machine may be owned by someone else though...

-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: dpyers
Date Posted: 06 May 2005 at 1:58pm
Redirect them to an Al Qaeda website. Let them get annoyed at him.

-------------

Lead me not into temptation... I know the short cut, follow me.


