Author: Jerry Bell Date: To: Suresh Ramasubramanian CC: Michael Coxe, exim-users Subject: Re: [Exim] fwd fr NANOG: monkeys.dom UPL being DDOSed to death
One thing I've found, although I'm sure there are exceptions, is that these
things generally do not come from all that many hosts. A dozen or so well
connected compromised boxes and no egress filters on an ISP will allow those
few hosts to look like thousands and thousands of hosts. In the past I've
had to have my upstream block port 80 and literally just wait for the kids
to get bored and move on to some other new toy, usually 8 to 10 hours. I
don't know anything of what happened to monkeys.com specifically, just
relaying my experience with this kind of thing.
----- Original Message -----
From: "Suresh Ramasubramanian" <linux@???>
To: "Jerry Bell" <jerry@???>
Cc: "Michael Coxe" <michael@???>; <exim-users@???>
Sent: Wednesday, September 24, 2003 12:11 AM
Subject: Re: [Exim] fwd fr NANOG: monkeys.dom UPL being DDOSed to death
Jerry Bell [9/24/2003 9:30 AM] :
> escalated up to the tier 1 provider at some point. The ISP can do a few
> things - block traffic from a certain address range or to a certain range of > ports from coming down your circuit and trace traffic flows to their ingress > points at the ISP's network. Generally, you can get this kind of response
> by calling the normal help line, telling them you are under attack and need > to work with their security group.
Problems - the monkeys.com DDoS was from thousands of zombies / trojaned
boxes etc, and the hit was to port 80.
