> About /Gen comment. We do not have any op of flood problem, the problem is
> the DDoS one and since you admit that a user cannot directly act upon this,
> at least when we contacted responsible ISP, those computers weren't used
> anymore to flood us. Yes this could seem pointless since attackers will find
> new ones... I know... but if nobody complains to ISP, if this does not become
> sufficiently annoying, ISP will not take seriously the problem, law suit will
> not force them to be careful about security, etc. Anyway, maybe I am the
> only one, but in my little world, since there isn't real security in TCP/IP
> and that I know it, I decided a long time ago to inform by one mail each and
> every ISP that are being used for DDoS or illegal activities that they were.
> Hoping (maybe I'm simply stupid but I don't see another way to make
> internet work) that someday this movement will have some level of impact. My
> sole point is that Undernet is now trying to help their users and that's
> nice, but they are misguided by blocking any trace option on abuser. (My
> humble and respectful opinion)

3 cases can occur :

1. YOU are the target of a DDOS : in this particular case you have the IPs
of the offending hosts (unless they were spoofing). Firewall logs are
considered more reliable than IRC logs.

2. Someone else is the target of a DDOS (shell company): Again firewall logs
are preferred. It's up to the company in question to do the reporting.

3. You find a number of drones in a channel : In this particular case you
have 2 options :

 a. they are +x

    You notify abuse@ and let them deal with this chan. Chans such as these
!are! handled by opers. I've seen opers clean such channels before. Most of
them even notify the ISPs if it's a regular occurrence.

 b. they are *not* +x

    Well then you HAVE their IPs. Problem solved.

Personally I see no need for a user to report DDOS at this time. Before +x
this was different but now *anyone* can hide their host. If your host gets
out regardless of this you will get DDOS'ed and then you'll have firewall
logs (either you or your shell company). Either way it's up to the person
who's being attacked to do the reporting. If that is you, you should have no
need for IRC logs nor for the hosts of those people on IRC. If you're trying
to figure out who's doing it and want to report him : good luck. DDOS is not
high on the list of priorities of most law enforcement agencies. Your best
bet is contacting the ISPs of the drones being used in the DDOS (you can
extract the IPs from your firewall logs). At best you'll be able to
convince the ISP to remove the owner's account (after which he'll just open a
new one elsewhere).

IMO personal opinion any time spent on trying to get to the attacker is time
wasted. Your time/effort is best spent on trying to locate/stop the machines
being used in the DDOS attacks. If you take out 1 script kiddie, 10 will
take his place. Best bet is to remove their "tools".

I won't reply to the quote of chris cowther but as I said above law
enforcement would prefer firewall logs over IRC logs. At least firewall logs
have "useful" info which can be checked.

/Gen
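
The step mentioned above, pulling drone IPs out of firewall logs so they can be sent to the responsible ISPs, sketched as an added example that is not part of the original message. It assumes netfilter LOG-style syslog lines; the log content is constructed, and `summarize` and its `min_packets` parameter are hypothetical names.

```python
import ipaddress
import re
from collections import defaultdict

# Source ranges no remote host can legitimately use: such packets are spoofed.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Syslog timestamp plus the SRC/PROTO/DPT fields of a netfilter LOG line.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*?\bSRC=(?P<src>[\d.]+) "
                  r".*?\bPROTO=(?P<proto>\w+)(?:.*?\bDPT=(?P<dpt>\d+))?")

# Constructed sample: documentation addresses stand in for drones and victim.
SAMPLE_LOG = """\
Mar  3 21:14:01 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=1028 PROTO=UDP SPT=4412 DPT=6667
Mar  3 21:14:01 gw kernel: DROP IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 LEN=1028 PROTO=UDP SPT=53 DPT=6667
Mar  3 21:14:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar  3 21:14:02 gw sshd[811]: Accepted publickey for admin from 192.0.2.50
Mar  3 21:14:03 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=1028 PROTO=UDP SPT=4413 DPT=6667
Mar  3 21:14:04 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=1025 DPT=80
Mar  3 21:14:05 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

def summarize(log_text, min_packets=2):
    """Return (reportable sources with evidence, spoofed-looking sources)."""
    stats = defaultdict(lambda: {"packets": 0, "first": None, "last": None, "targets": set()})
    spoofed = set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a firewall entry
        addr = ipaddress.ip_address(m["src"])
        if any(addr in net for net in UNROUTABLE):
            spoofed.add(str(addr))  # forged source: there is no ISP to contact
            continue
        s = stats[str(addr)]
        s["packets"] += 1
        s["first"] = s["first"] or m["ts"]  # time window the ISP can check
        s["last"] = m["ts"]
        s["targets"].add(f"{m['proto']}/{m['dpt'] or '-'}")
    keep = {ip: s for ip, s in stats.items() if s["packets"] >= min_packets}
    return keep, spoofed

if __name__ == "__main__":
    sources, forged = summarize(SAMPLE_LOG)
    for ip, s in sorted(sources.items(), key=lambda kv: -kv[1]["packets"]):
        print(f"{ip}  {s['packets']} pkts  {s['first']} .. {s['last']}  {sorted(s['targets'])}")
    print("ignored as spoofed:", sorted(forged))
```

Syslog timestamps carry no year or time zone, so state both when forwarding the per-source lines to an abuse desk.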
