> About /Gen comment. We do not have any op of flood problem, the problem is
> the DDoS one and since you admit that a user cannot directly act upon this,
> at least when we contacted the responsible ISP, those computers weren't used
> anymore to flood us. Yes this could seem pointless since attackers will find
> new ones... I know... but if nobody complains to the ISP, if this does not become
> sufficiently annoying, ISPs will not take the problem seriously, lawsuits will
> not force them to be careful about security, etc. Anyway, maybe I am the
> only one, but in my little world, since there isn't real security in TCP/IP
> and I know it, I decided a long time ago to inform by one mail each and
> every ISP that is being used for DDoS or illegal activities that they were.
> Hoping (maybe I'm simply stupid but I don't see another way to make the
> internet work) that someday this movement will have some level of impact. My
> sole point is that Undernet is now trying to help their users and that's
> nice, but they are misguided by blocking any trace option on abusers. (My
> humble and respectful opinion)
3 cases can occur:

1. YOU are the target of a DDoS: in this particular case you have the IPs of the offending hosts (unless they were spoofing). Firewall logs are considered more reliable than IRC logs.

2. Someone else is the target of a DDoS (shell company): again, firewall logs are preferred. It's up to the company in question to do the reporting.

3. You find a number of drones in a channel. In this particular case you have 2 options:
   a. They are +x. You notify abuse@ and let them deal with this chan. Chans such as these !are! handled by opers. I've seen opers clean such channels before. Most of them even notify the ISPs if it's a regular occurrence.
   b. They are *not* +x. Well then you HAVE their IPs. Problem solved.

Personally I see no need for a user to report DDoS at this time. Before +x this was different, but now *anyone* can hide their host. If your host gets out regardless of this you will get DDoS'ed and then you'll have firewall logs (either you or your shell company). Either way it's up to the person who's being attacked to do the reporting. If that is you, you should have no need for IRC logs nor for the hosts of those people on IRC.

If you're trying to figure out who's doing it and want to report him: good luck. DDoS is not high on the list of priorities of most law enforcement agencies. Your best bet is contacting the ISPs of the drones being used in the DDoS (you can extract the IPs from your firewall logs). At best you'll be able to convince the ISP to remove the owner's account (after which he'll just open a new one elsewhere). IMO any time spent on trying to get to the attacker is time wasted. Your time/effort is best spent on trying to locate/stop the machines being used in the DDoS attacks. If you take out 1 script kiddie, 10 will take his place. Best bet is to remove their "tools".

I won't reply to the quote of chris cowther but as I said above, law enforcement would prefer firewall logs over IRC logs. At least firewall logs have "useful" info which can be checked.

/Gen
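The step the reply leans on, "extract the IPs from your firewall logs" and hand them to the drones' ISPs, is shown below as an added example; it is not code from the thread or from Undernet. It assumes netfilter/iptables-style kernel log lines (the `SRC=`/`DST=`/`PROTO=`/`DPT=` fields), uses constructed sample lines with RFC 5737 documentation addresses, and aggregates per source so the abuse desk gets a count, a time window and the targeted ports rather than a raw dump. It also drops sources in ranges that cannot be real public senders (RFC 1918, loopback, link-local, multicast, 0/8, 240/4): those hits are spoofed or leaked and there is no ISP to report them to, which is the spoofing caveat the reply itself raises.

```python
"""Aggregate DDoS source IPs from firewall log lines into an ISP abuse report (added example)."""
import re
import ipaddress

# Constructed sample lines in iptables LOG target style; 203.0.113.x / 192.0.2.x /
# 198.51.100.x are documentation ranges standing in for real public hosts.
SAMPLE_LOG = """\
Jan 12 03:14:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=1234 DPT=6667 SYN
Jan 12 03:14:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=1235 DPT=6667 SYN
Jan 12 03:14:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=33434
Jan 12 03:14:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=4000 DPT=6667 SYN
Jan 12 03:14:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=1236 DPT=6667 SYN
Jan 12 03:14:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=33435
Jan 12 03:14:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.7 PROTO=ICMP TYPE=8
"""

# Source ranges that can never be a legitimate public sender. A packet carrying one of
# these as SRC is spoofed or leaked from a misconfigured network; nobody owns it to report to.
# (The documentation ranges used in the sample above are deliberately NOT listed here.)
UNREPORTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Syslog timestamp, SRC address, protocol and (when present) destination port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b.*?"
    r"\bPROTO=(?P<proto>\w+)(?:.*?\bDPT=(?P<dpt>\d+))?"
)


def is_unreportable(ip_text):
    """True if the address lies in a range that cannot appear as a genuine Internet source."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in UNREPORTABLE)


def summarize_sources(log_text):
    """Map each SRC address to hit count, first/last timestamp and the set of proto/port targets."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall log line (or a line we do not understand): skip it
        src, ts = m.group("src"), m.group("ts")
        target = m.group("proto") + ("/" + m.group("dpt") if m.group("dpt") else "")
        entry = stats.setdefault(src, {"hits": 0, "first": ts, "last": ts, "targets": set()})
        entry["hits"] += 1
        entry["last"] = ts
        entry["targets"].add(target)
    return stats


def report_candidates(log_text, min_hits=2):
    """Sources worth sending to an abuse desk: routable addresses seen >= min_hits times, busiest first."""
    stats = summarize_sources(log_text)
    return sorted(
        ((ip, s) for ip, s in stats.items()
         if s["hits"] >= min_hits and not is_unreportable(ip)),
        key=lambda item: item[1]["hits"], reverse=True,
    )


def abuse_report(log_text, min_hits=2):
    """One line per source in the form an ISP abuse desk can check against its own records."""
    lines = []
    for ip, s in report_candidates(log_text, min_hits):
        lines.append(f"{ip}: {s['hits']} packets, {s['first']} .. {s['last']}, "
                     f"to {', '.join(sorted(s['targets']))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(abuse_report(SAMPLE_LOG))
```

Run against a real log, the `min_hits` threshold is what separates a flood participant from an unrelated scanner that happened to touch the host once; raise it for a busy firewall. The per-source time window and port list are the "useful info which can be checked" the reply refers to: an ISP can match them against its own NetFlow or session records, which it cannot do with an IRC nick.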