How to get Email Addresses for the other Victims of a Hacker
At this point, you should have a list of IP addresses and also understand
who the other victims of attack are.
If not, please read the previous two sections.
First, let's get some contact info for the ISPs.
In a web browser, go to http://www.melissadata.com/lookups/iplocation.asp.
Enter the first IP address from your list, and you should see results like this:
Continue to enter in IP addresses, and keep a list of IP addresses and Domains like this:
IP Address       Domain (from Melissa)
67.219.58.161    SOFTCOM.COM
216.36.57.157    SOFTCOM.COM
69.163.239.247   NEWDREAM.NET
174.122.60.235   SOFTLAYER.COM
85.17.199.93     LEASEWEB.COM
200.98.197.42    CGI.BR
The domain name given above may be for the ISP, or it may be for the actual website owner. In any case, let's see if we can find some more
domains associated with these IP addresses by using nslookup (given an IP address, nslookup performs a reverse DNS lookup and returns the host name, if any, registered for it).
Open a cmd prompt, and type nslookup [ip address] like this:
If nslookup doesn't give you results for a particular IP address, don't worry about it -- we're just trying to get some additional contact info.
Just be sure to write down any domains that you see like this:
IP Address       Domain from Melissa   Domain from nslookup
67.219.58.161    SOFTCOM.COM           silva-server.com
216.36.57.157    SOFTCOM.COM           N/A
69.163.239.247   NEWDREAM.NET          bucharest.dreamhost.com
174.122.60.235   SOFTLAYER.COM         nex.next-jobathome.com
85.17.199.93     LEASEWEB.COM          www13.totaalholding.nl
200.98.197.42    CGI.BR                whl0023.whservidor.com
So now you have a list of Fully Qualified Domain Names (FQDNs).
For example, we have bucharest.dreamhost.com. Let's make a guess that the following emails work for this domain (if some of them bounce, who cares?):
abuse@bucharest.dreamhost.com
support@bucharest.dreamhost.com
abuse@dreamhost.com
support@dreamhost.com
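The reverse-lookup and address-guessing steps above can be scripted so that a list of attacking IPs turns into a notification table in one pass. This is an added example, not a tool from the original page; the SAMPLE_PTR mapping is constructed from the nslookup results shown above so the script runs offline, and second_level_domain assumes two-label registrable domains (a ccTLD such as .co.uk would need a public-suffix list).

```python
import socket

# Constructed sample: IP -> reverse DNS name, copied from the nslookup step above.
# None models the case where nslookup returned nothing for the address.
SAMPLE_PTR = {
    "69.163.239.247": "bucharest.dreamhost.com",
    "174.122.60.235": "nex.next-jobathome.com",
    "216.36.57.157": None,
}


def reverse_lookup(ip, timeout=3.0):
    """Reverse-DNS (PTR) lookup for one IP, i.e. what 'nslookup <ip>' does.
    Returns None when there is no PTR record or the lookup fails."""
    try:
        socket.setdefaulttimeout(timeout)
        return socket.gethostbyaddr(ip)[0].lower()
    except (socket.herror, socket.gaierror, OSError):
        return None


def second_level_domain(fqdn):
    """bucharest.dreamhost.com -> dreamhost.com (assumes a two-label registrable domain)."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn.lower()


def candidate_contacts(fqdn, roles=("abuse", "support")):
    """Guess list as described above: role@<host name>, then role@<second-level domain>.
    abuse@ is a standard mailbox name (RFC 2142), so it is tried first."""
    if not fqdn:
        return []
    host = fqdn.lower()
    sld = second_level_domain(host)
    domains = [host, sld] if host != sld else [sld]
    return [f"{role}@{dom}" for dom in domains for role in roles]


def build_contact_table(ips, lookup=reverse_lookup):
    """One row per IP: (ip, host name or 'N/A', candidate contact addresses).
    `lookup` is injectable so recorded results can be used instead of live DNS."""
    rows = []
    for ip in ips:
        fqdn = lookup(ip)
        rows.append((ip, fqdn or "N/A", candidate_contacts(fqdn)))
    return rows


if __name__ == "__main__":
    for ip, fqdn, contacts in build_contact_table(SAMPLE_PTR, lookup=SAMPLE_PTR.get):
        print(f"{ip:16} {fqdn:26} {', '.join(contacts) or '-'}")
```

Pass `lookup=reverse_lookup` (the default) to run it against live DNS for your own IP list.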
Next, open your web browser and visit all of the domains listed above. If they have a website, look to see if there
is a "Contact" or "Support" page, and write down these email addresses. In my case, I visited these websites (note that in some cases, I am visiting
both the original domain as well as a sub-domain):
SOFTCOM.COM
silva-server.com
NEWDREAM.NET
bucharest.dreamhost.com
SOFTLAYER.COM
nex.next-jobathome.com
next-jobathome.com
LEASEWEB.COM
www13.totaalholding.nl
CGI.BR
whl0023.whservidor.com
Finally, I end up with the following list of email addresses:
IP Address       Domain from Melissa   Domain from nslookup       Email Addresses
67.219.58.161    SOFTCOM.COM           silva-server.com           abuse@SOFTCOM.COM, support@softcom.com, webmaster@silva-server.com
216.36.57.157    SOFTCOM.COM           N/A                        abuse@SOFTCOM.COM, support@softcom.com
69.163.239.247   NEWDREAM.NET          bucharest.dreamhost.com    abuse@dreamhost.com, support@dreamhost.com
174.122.60.235   SOFTLAYER.COM         nex.next-jobathome.com     support@softlayer.com, abuse@softlayer.com, abuse@next-jobathome.com
85.17.199.93     LEASEWEB.COM          www13.totaalholding.nl     abuse@leaseweb.com, support@leaseweb.com, webmaster@totaalholding.nl
200.98.197.42    CGI.BR                whl0023.whservidor.com     info@cgi.br, abuse@whservidor.com, webmaster@whservidor.com
As you can see, there is some "art" involved in finding these email addresses. You absolutely want to use the domain information from Melissa. Using nslookup and
visiting the websites to find email addresses is more "extra for experts". In any case, once you have a list of email addresses, we are ready
to notify these people. But first, let's learn about what all concerned parties need to do to stop the attack, and then I'll give you some advice on the best ways
to communicate with all the various ISPs and website owners.
If you want to gather even more addresses, you might try my Whois Lookup Tool.
This tool will (attempt to) show you the contact information for the owners of the domains you have found above. You only want to enter the
second-level domain names.
In this case, you would enter the following domains, one by one, into the Whois Tool: CGI.BR, dreamhost.com, LEASEWEB.COM, NEWDREAM.NET, next-jobathome.com, silva-server.com, SOFTCOM.COM, SOFTLAYER.COM, totaalholding.nl, and whservidor.com
Note that some domains will list contact email addresses, but some don't because the owners of the domain have opted to hide their contact information
(usually, for a fee).
Finally, you can use my Fingerprint tool to find
out what operating system these machines are running. Simply enter the domain names you found above with nslookup into the Fingerprint tool to find out
what they are running. In my case, I found these:
IP Address       Domain from Melissa   Domain from nslookup       Web server and OS       Email Addresses
67.219.58.161    SOFTCOM.COM           silva-server.com           Apache/2.2.21 (Unix)    abuse@SOFTCOM.COM, support@softcom.com, webmaster@silva-server.com
216.36.57.157    SOFTCOM.COM           N/A                        N/A                     abuse@SOFTCOM.COM, support@softcom.com
69.163.239.247   NEWDREAM.NET          bucharest.dreamhost.com    N/A                     abuse@dreamhost.com, support@dreamhost.com
174.122.60.235   SOFTLAYER.COM         nex.next-jobathome.com     Apache/2.2.16 (Unix)    support@softlayer.com, abuse@softlayer.com, abuse@next-jobathome.com
85.17.199.93     LEASEWEB.COM          www13.totaalholding.nl     Apache/2.2.22 (Unix)    abuse@leaseweb.com, support@leaseweb.com, webmaster@totaalholding.nl
200.98.197.42    CGI.BR                whl0023.whservidor.com     Apache                  info@cgi.br, abuse@whservidor.com, webmaster@whservidor.com
As you can see, it looks like the machines used in this Distributed Denial of Service are all running Unix and Apache; the attacker may have been using a known
exploit against Apache or Unix in order to use these machines as he pleases. Also, a quick check against the Apache website shows that the current
version of Apache is 2.4.1. Since these websites are running older versions, it's likely that they are missing a number of security updates for their web servers
(and probably also their operating systems); of course, if these ISPs (or the customers of the ISPs) are not installing the latest hotfixes, patches, and versions of software, they are leaving themselves (and you) vulnerable to attack.
Later, when we contact the ISPs, it may help us craft a better email if we know
what systems they are running.
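The version check just described can be done from the HTTP Server header each site returns. This is an added example, not the page's Fingerprint tool; SAMPLE_HEADERS is constructed from the banners reported in the table above so it runs offline, CURRENT_VERSIONS carries the 2.4.1 figure from the text, and fetch_server_header is an optional live helper. Note that a banner is self-reported: Apache's ServerTokens setting can hide the version, as the bare "Apache" row shows, so a clean result is not proof the host is patched.

```python
import re
import urllib.request

# Constructed sample: host name -> Server header, matching the table above.
# None models a host that returned no usable banner.
SAMPLE_HEADERS = {
    "silva-server.com": "Apache/2.2.21 (Unix)",
    "nex.next-jobathome.com": "Apache/2.2.16 (Unix)",
    "www13.totaalholding.nl": "Apache/2.2.22 (Unix)",
    "whl0023.whservidor.com": "Apache",
    "bucharest.dreamhost.com": None,
}

# Latest release as stated in the text above (assumption: keep this updated by hand).
CURRENT_VERSIONS = {"Apache": "2.4.1"}

# Product, optional /version, optional (OS) -- e.g. "Apache/2.2.21 (Unix)".
SERVER_RE = re.compile(r"(?P<product>[A-Za-z][\w.-]*)(?:/(?P<version>[\d.]+))?(?:\s*\((?P<os>[^)]*)\))?")


def fetch_server_header(url, timeout=5.0):
    """Optional live helper: HEAD request, returns the Server header or None."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("Server")
    except (urllib.error.URLError, OSError):
        return None


def parse_server_header(value):
    """Split a banner into (product, version, os); absent parts are None."""
    if not value:
        return None
    m = SERVER_RE.match(value.strip())
    return (m.group("product"), m.group("version"), m.group("os")) if m else None


def version_tuple(version):
    """'2.2.21' -> (2, 2, 21) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def assess(hostname, header, current=CURRENT_VERSIONS):
    """Return (hostname, product, version, os, status) for one banner."""
    parsed = parse_server_header(header)
    if parsed is None:
        return (hostname, None, None, None, "no banner")
    product, version, os_name = parsed
    latest = current.get(product)
    if version is None:
        status = "version hidden"
    elif latest is None:
        status = "unknown product"
    else:
        status = "behind" if version_tuple(version) < version_tuple(latest) else "current"
    return (hostname, product, version, os_name, status)


def assess_all(headers, current=CURRENT_VERSIONS):
    return [assess(host, banner, current) for host, banner in headers.items()]
```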