From: "f.johan.beisser"
Date: Thu, 6 Dec 2001 11:00:26 -0800 (PST)
To: Ronan Lucio
Subject: Re: Attacks DDoS
List: freebsd-security

On Thu, 6 Dec 2001, Ronan Lucio wrote:

> Hi All,
>
> Does anybody know if there is a way to find out where a DDoS attack
> comes from?

yes. you can start by analysing the incoming packets, and start contacting
the owners of that network. the problem is that this can lead to several
hundred contacts, over a very large amount of networks and contacts.

assuming they co-operate, they can then track down who's issuing the
commands to the various zombie/slave machines.

sadly, outside of this, there's not much you can do about a DDoS,
considering the first D stands for distributed.. it's designed to be hard
to track down, and hard to stop.

-------/ f. johan beisser /--------------------------------------+
"John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
 -- Tim Triche
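
As an added example (not part of the original message), this Python script does the first step described above: it tallies the packets sent to the victim by source network, so the list of network owners to contact comes out ranked by volume. The `tcpdump -n` lines, the `summarize_sources` name and the /24 grouping are constructed assumptions; actual ownership of a range comes from a whois lookup, and source addresses in a flood can be spoofed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` output (documentation address ranges only).
SAMPLE = """\
11:00:26.100001 IP 198.51.100.7.4431 > 192.0.2.10.80: Flags [S], seq 1, length 0
11:00:26.100105 IP 198.51.100.9.1025 > 192.0.2.10.80: Flags [S], seq 7, length 0
11:00:26.100230 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
11:00:26.100340 IP 198.51.100.7.4432 > 192.0.2.10.80: Flags [S], seq 9, length 0
11:00:26.100410 IP 192.0.2.10.80 > 198.51.100.7.4431: Flags [S.], seq 3, ack 2, length 0
11:00:26.100500 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
"""

# "src[.port] > dst[.port]:" as printed by tcpdump -n for IPv4 traffic.
ADDR = r"(\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?"
FLOW_RE = re.compile(ADDR + r" > " + ADDR + r":")


def summarize_sources(text, victim, prefix_len=24):
    """Return [(network, packets, distinct_hosts)] for packets addressed to
    `victim`, busiest source network first."""
    victim_ip = ipaddress.ip_address(victim)
    packets = defaultdict(int)
    hosts = defaultdict(set)
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # non-IP line (ARP etc.) or unparsable
        try:
            src = ipaddress.ip_address(m.group(1))
            dst = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # looked like an address but is not one
        if dst != victim_ip:
            continue  # outbound replies and unrelated traffic
        # Assumption: a fixed-length prefix stands in for "one network";
        # the real allocation boundary has to come from whois.
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        packets[net] += 1
        hosts[net].add(src)
    ranked = sorted(packets, key=lambda n: (-packets[n], str(n)))
    return [(str(n), packets[n], len(hosts[n])) for n in ranked]


if __name__ == "__main__":
    for network, count, nhosts in summarize_sources(SAMPLE, "192.0.2.10"):
        print(f"{network:20} packets={count:<6} hosts={nhosts}")
```
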