Has any of you had to deal with this type of attack? What is the way to
get the real IPs and finally find out where the botnet is and destroy it?
Hi Thomas.
While I haven't had any experience with dealing with this, I don't
think you can find out the offending IP directly. I think you'd need
to speak to your upstream ISP and they should be able to identify
the router that the packets are coming to their router from, then they
or you will need to talk to the ISP whose router that is, and trace
back from there, until you find the ISP whose router received the
request(s) from within their network. Being a Botnet, you'd probably
have to do this for many different source ISPs.
Probably the easiest way to handle this for now is to prevent the flood
reaching your server by asking your ISP to block traffic on their main
router for the specific UDP ports that you are being attacked on where
packets are destined for your IP address(es).
Gavin
--
Gavin Westwood
Solutium
http://www.solutium.net - Going the extra mile to provide a fast,
helpful, reliable Web Hosting service.
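
One way to work out which destination IP and UDP port pairs to hand to the upstream ISP for filtering, as suggested in the reply above. This is an added example, not part of the original thread; it assumes the flood was captured with `tcpdump -n udp` in its undecoded `UDP, length N` line format, and the capture lines, addresses and the `summarize` / `block_requests` names are constructed for illustration.

```python
import re
from collections import defaultdict

# Undecoded IPv4 UDP line as printed by `tcpdump -n udp` (assumed format), e.g.
# 11:01:00.000001 IP 198.51.100.7.40211 > 203.0.113.10.7777: UDP, length 1024
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)"
)

# Constructed sample capture (documentation address ranges, not real traffic).
SAMPLE = """\
11:01:00.000001 IP 198.51.100.7.40211 > 203.0.113.10.7777: UDP, length 1024
11:01:00.000002 IP 192.0.2.44.1025 > 203.0.113.10.7777: UDP, length 1024
11:01:00.000003 IP 198.51.100.91.6000 > 203.0.113.10.7777: UDP, length 1024
11:01:00.000004 IP 192.0.2.130.53211 > 203.0.113.10.7777: UDP, length 1024
11:01:00.000005 IP 198.51.100.12.2000 > 203.0.113.10.9999: UDP, length 512
11:01:00.000006 IP 192.0.2.77.2001 > 203.0.113.10.9999: UDP, length 512
11:01:00.000007 IP 198.51.100.200.2002 > 203.0.113.10.9999: UDP, length 512
11:01:00.000008 IP 192.0.2.5.33000 > 203.0.113.10.5000: UDP, length 48
11:01:00.000009 IP 203.0.113.10.40001 > 192.0.2.53.5001: UDP, length 60
11:01:00.000010 IP 192.0.2.9.51000 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
"""

def summarize(capture, my_ips):
    """Per-(dst_ip, dst_port) packet, byte and claimed-source totals for inbound UDP."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(2) in my_ips:  # skip non-UDP lines and outbound traffic
            src, dst, dport, length = m.groups()
            entry = stats[(dst, int(dport))]
            entry["packets"] += 1
            entry["bytes"] += int(length)
            entry["sources"].add(src)  # spoofed in this attack, so informational only
    return dict(stats)

def block_requests(stats, min_packets):
    """(dst_ip, dst_port) pairs at or above min_packets, busiest first."""
    hot = [k for k, v in stats.items() if v["packets"] >= min_packets]
    return sorted(hot, key=lambda k: stats[k]["packets"], reverse=True)

if __name__ == "__main__":
    s = summarize(SAMPLE, {"203.0.113.10"})
    for dst, port in block_requests(s, min_packets=3):
        e = s[(dst, port)]
        print(f"{dst} udp/{port}: {e['packets']} pkts, {e['bytes']} bytes, "
              f"{len(e['sources'])} claimed sources")
```

The filter request is keyed on destination address and port only, because the source addresses in the capture are spoofed and say nothing about where the traffic really enters the network.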
12-07-2007, 11:01 AM
Roberto C. Sánchez
UDP flood DDoS attack with spoofed IP addresses
On Fri, Dec 07, 2007 at 05:52:47PM +0800, Thomas Goirand wrote:
> Hi,
>
> Has any of you had to deal with this type of attack? What is the way to
> get the real IPs and finally find out where the botnet is and destroy it?
>
Getting the source IPs can be tricky. If you have a good relationship
with your upstream ISP, they can probably help out. Destroying the
botnet is probably best left to law enforcement.
Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com