Since the IP range seems to belong to shawcable.net (24.67.253.203), I would send an e-mail to them. Scanning back has worked for me as well, BUT be careful or you might be labeled the bad one. Normally I always poke back just to see who they are and e-mail the host if it becomes a problem. Also, if you are using DSL with a Cisco 675 / 678, there are tools and patches that can filter out most DDOS attacks.
Here's some reading. You'll notice he's running some interesting services and will find the http site is blocked. If you dig some more you'll find other interesting things as well. And no, I am not and do not condone hacking, just investigating <g>

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
Host px1ht.ok.shawcable.net (24.67.253.203) appears to be up ... good.
Initiating SYN Stealth Scan against px1ht.ok.shawcable.net (24.67.253.203)
Adding open port 80/tcp
Adding open port 514/tcp
Adding open port 554/tcp
Adding open port 23/tcp
Adding open port 8080/tcp
Adding open port 3128/tcp
Adding open port 53/tcp
Bumping up senddelay by 10000 (to 10000), due to excessive drops
Bumping up senddelay by 20000 (to 30000), due to excessive drops
Bumping up senddelay by 30000 (to 60000), due to excessive drops
The SYN Stealth Scan took 225 seconds to scan 1601 ports.
Interesting ports on px1ht.ok.shawcable.net (24.67.253.203):
(The 1577 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     open        telnet
53/tcp     open        domain
71/tcp     filtered    netrjs-1
74/tcp     filtered    netrjs-4
80/tcp     open        http
112/tcp    filtered    mcidas
314/tcp    filtered    opalis-robot
341/tcp    filtered    unknown
514/tcp    open        shell
535/tcp    filtered    iiop
551/tcp    filtered    cybercash
554/tcp    open        rtsp
574/tcp    filtered    ftp-agent
597/tcp    filtered    ptcnameservice
632/tcp    filtered    unknown
643/tcp    filtered    unknown
683/tcp    filtered    unknown
785/tcp    filtered    unknown
819/tcp    filtered    unknown
950/tcp    filtered    oftep-rpc
1380/tcp   filtered    telesis-licman
1652/tcp   filtered    xnmp
3128/tcp   open        squid-http
8080/tcp   open        http-proxy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sean J. Countryman
Sent: Sunday, January 05, 2003 5:04 PM
To: FreeBSD Questions; Michael
Subject: RE: DOS ATTACK. Any Suggestions?
> As soon as my site gets big and I have a
> lot of users in IRC, some little jealous network comes along and
> destroys what I worked on. The last time this happened my ISP shut ME
> off because it took out one of their facilities.

I think this is your core problem... In all my years working tech support, I've seen that the vast majority of people being DOSed fall into three categories: child porn, spammers, and IRC. If you run IRC, you will be DOSed by some snot-nosed script kiddie. You are 100% correct in your assessment of their mentality; they basically find the only place where they can be "the man" is behind a keyboard. The sad thing is most of them don't have the slightest idea about the code behind their tools, they just know how to run them.

The only way to get rid of a DOS attack is to either ride it out until they get bored, or contact your host and ask their network engineers to null route the source IPs that are sending to you. You could use IPFW to block those network packets at your kernel level, but by then the packets have already come down the wire to your server and have already affected you. If the network techs can null route the DOS upstream of you, then you should be able to remain online.

Good luck.

One last thing, I had some fool trying to DOS me once from his own IP address. I simply portscanned him with Nmap and suddenly he just blinked off line. I guess it scared him sufficiently to go to sleep.

- Sean

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
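Sean's advice above comes down to two steps: work out which source addresses are flooding you, then hand that list to your upstream for a null route (and, as a stopgap, drop them locally with ipfw). The script below is an added example, not code from anyone in this thread. It works on a constructed excerpt of `tcpdump -n` style lines embedded in the script (addresses are RFC 5737 documentation ranges, not real hosts), counts packets per source, and prints the ipfw deny rules and the list to send to the ISP rather than applying anything. The threshold, starting rule number and log format are assumptions you would adjust for your own capture.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a flood by source address,
# then emit (a) the null-route request list for the upstream provider and
# (b) local ipfw deny rules for review. Nothing here modifies the firewall.

# Constructed sample capture in the shape of `tcpdump -n` output:
# timestamp, "IP", src.port, ">", dst.port:, flags. Assumed input format.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.7.1025 > 192.0.2.10.6667: Flags [S]
12:00:01.000002 IP 203.0.113.7.1026 > 192.0.2.10.6667: Flags [S]
12:00:01.000003 IP 198.51.100.4.40000 > 192.0.2.10.6667: Flags [S]
12:00:01.000004 IP 203.0.113.7.1027 > 192.0.2.10.6667: Flags [S]
12:00:01.000005 IP 203.0.113.9.5000 > 192.0.2.10.6667: Flags [S]
12:00:01.000006 IP 198.51.100.4.40001 > 192.0.2.10.6667: Flags [S]
12:00:01.000007 IP 203.0.113.7.1028 > 192.0.2.10.6667: Flags [S]
12:00:01.000008 IP 192.0.2.55.3333 > 192.0.2.10.22: Flags [S]'

# top_sources THRESHOLD
# Prints "count source-ip" for every source that sent at least THRESHOLD
# packets in the sample, busiest first.
top_sources() {
    threshold=$1
    printf '%s\n' "$SAMPLE_CAPTURE" |
    awk -v min="$threshold" '
        $2 == "IP" {
            src = $3
            sub(/\.[0-9]+$/, "", src)   # strip the trailing ".port"
            n[src]++
        }
        END { for (s in n) if (n[s] >= min) print n[s], s }
    ' | sort -rn
}

# null_route_request THRESHOLD
# The list to paste into the ticket to the upstream NOC: one address per
# line with its packet count, so they can null route it before it reaches you.
null_route_request() {
    top_sources "$1" | awk '{ print $2 " (" $1 " packets observed)" }'
}

# ipfw_rules THRESHOLD
# Local stopgap: print the ipfw commands to drop the busiest sources.
# Rule numbers start at 1000 (assumed) and step by 10; review, then run.
ipfw_rules() {
    rule=1000
    top_sources "$1" | while read -r count src; do
        echo "ipfw add $rule deny ip from $src to any"
        rule=$((rule + 10))
    done
}

# Stand-alone demo: anything sending 2 or more packets in the sample.
echo "== sources at or above threshold =="
top_sources 2
echo "== null-route request for upstream =="
null_route_request 2
echo "== local ipfw rules (review before applying) =="
ipfw_rules 2
```

Two caveats a practitioner would want. First, this only counts what you already received; as Sean says, a local ipfw rule saves CPU on the box but not the bandwidth already consumed, which is why the upstream null route is the step that keeps you online. Second, SYN floods are frequently sent with spoofed source addresses, so a "top talkers" list can name hosts that never sent anything; treat it as evidence to hand to the NOC, not as proof of who is attacking you.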