Contacting the other Victims of the Distributed Denial of Service (DDoS) Attack

Next: Converting a Website to a Web Application

Previous: How To Stop a Denial Of Service Attack

Back to Table of Contents

At this point, you should have a list of email addresses belonging to the other victims of the attack, and also a list of IP addresses for the attacking machines. If not, please read the previous sections.

First, let's contact the ISPs and Website owners of the machines that are being used to launch a Denial of Service Attack.

Using the information we have gathered in previous sections, craft an email that looks something like this:

    To: <put in all the email addresses you gathered previously -- be sure to include abuse@ addresses>
    Subject: Denial of Service from 174.122.60.235
    Message:
    Hi,

    My website, gregthatcher.com, is currently under attack from one of your IP addresses, 174.122.60.235.  
    I suspect that the attacker is using a program called ApacheBench to attack my site from 
    multiple sites (Distributed Denial of Service Attack).

    Please investigate this, and stop this attack.  I believe that if you search the machine that this attack 
    is coming from for an executable called “ab”, you will be able to find out which of your accounts is 
    being used for this attack.

    I believe the attacker is running a command like this:
    ab -n 1000 -c 1000 http://www.gregthatcher.com/

    Thanks,
    Greg

    

Most of the time, you should expect an automated response which might look something like this:

    This email is to let you know that we have received your message and will be replying to it within 24 hours.

    Your tracking # is 4739706.

    We would also like to take this moment to point out our new very extensive Wiki (Documentation Site)
    at http://wiki.dreamhost.com/
    Many of the questions we get can be answered with a quick visit!

    It is okay to send email to this address for support inquiries.
    We prefer you use email only for replies to messages from us about ongoing support cases.
    If you want to open a new case, we ask that you use the form at
    https://panel.dreamhost.com/?tab=support&subtab=msg
    so that we can better automatically tie your message to your account with us!

    Thanks again for contacting DreamHost, and we'll be attempting to do our best to
    resolve your issue in the most timely and professional manner we can!

    --
    DreamHost Customer Support Team
    "We host your dreams"
    http://www.dreamhost.com/
    support@dreamhost.com
    fax: 1-714-671-9098

If the email contains any kind of "ticket" or "tracking number", be sure to include this number in all of your future emails. Most of these companies use a Support System (e.g. ZenDesk, my personal favorite), and these systems require these "ticket numbers" to keep track of all the emails going back and forth as the ISP attempts to resolve your problem.

Oftentimes, you will see the attack stop shortly after you report it. However, it may still take hours or days before you receive a response.

Here is the kind of response you hope for:

    Hello,

    Please supply us with the logs regarding this abuse in plain text or in a text document. 
    Without this, we cannot process your complaint.
    Please note, our ticketing system cannot handle other extensions than text.


    Kind regards,

    Jottie T
    LeaseWeb - Security
    

The best thing to do here would be to upload your log files (zipped, preferably) to an FTP site or website (not the one which is under attack), and then send a link. If you can't do this, just copy and paste some of the web log entries (we looked at these in a previous section) into an email. If that isn't possible either, try to send them your netstat output. Note that the abuse departments of these ISPs often receive many false reports of hacker activity, so if they ask you for proof of the attack, you should be willing and ready to send them some logs.
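One way to pull the plain-text evidence an abuse desk asks for out of a web access log, as an added example that is not part of the original article. It assumes the log is in Apache/NGINX "combined" format (an IIS W3C log would need a different regex) and relies on the fact that `ab` sends a `User-Agent` of `ApacheBench/<version>` by default; the log lines and the timestamps in them are constructed sample data, while the suspect IPs are the ones named in the report email above.

```python
import re
from collections import Counter

# Attacking IPs as listed in the report email on this page.
SUSPECT_IPS = {"174.122.60.235", "67.219.58.161", "85.17.199.93"}

# Apache/NGINX "combined" log format (assumed; IIS W3C logs differ).
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: two ApacheBench hits from a suspect IP, one normal
# visitor, one ApacheBench hit that drew a 503, and one malformed line.
SAMPLE_LOG = """\
174.122.60.235 - - [10/Mar/2013:14:02:01 +0000] "GET / HTTP/1.0" 200 5120 "-" "ApacheBench/2.3"
174.122.60.235 - - [10/Mar/2013:14:02:01 +0000] "GET / HTTP/1.0" 200 5120 "-" "ApacheBench/2.3"
198.51.100.7 - - [10/Mar/2013:14:02:02 +0000] "GET /about HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
85.17.199.93 - - [10/Mar/2013:14:02:02 +0000] "GET / HTTP/1.0" 503 0 "-" "ApacheBench/2.3"
this line is not a valid log entry
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = COMBINED.match(line)
        if m:
            yield m.groupdict()


def evidence_report(log_text, suspect_ips):
    """Return (per-IP hit counts, plain-text excerpt) for the abuse report.

    A line is kept if its client IP is a known suspect OR its User-Agent is
    ApacheBench, so sources not yet on the list still show up in the counts.
    """
    counts = Counter()
    kept = []
    for e in parse_log(log_text):
        if e["ip"] in suspect_ips or e["ua"].startswith("ApacheBench/"):
            counts[e["ip"]] += 1
            kept.append(f'{e["ts"]} {e["ip"]} "{e["req"]}" {e["status"]} ua="{e["ua"]}"')
    header = ["Requests per source IP (from web access log):"]
    header += [f"  {ip}: {n}" for ip, n in counts.most_common()]
    return counts, "\n".join(header + ["", "Matching log entries:"] + kept)


if __name__ == "__main__":
    _, report = evidence_report(SAMPLE_LOG, SUSPECT_IPS)
    print(report)  # paste this, or save it as a .txt, for the ticket
```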

If the ISP has their act together (as LeaseWeb obviously did), you can expect a response like this within a few hours or days:

    Dear Greg,

    Our reseller has isolated and secured the issue. This shouldn't occur anymore.

    He apologises for any inconveniences caused.

    Kind regards,

    Jottie T
    LeaseWeb - Security

    

Unfortunately, you are much more likely to receive a response like this (don't spend too much time deciphering it -- it's mostly gibberish):

    The IP in question belongs to a shared HTTP server that contains hundreds of 
    customers from the general public whom host thousands of unique websites. At 
    this time I do not see any python scripts or other attacker scripts running. 
    As well I do not see any current connections to IP 96.31.33.24 , which I 
    assume to be your IP based upon a reverse lookup of gregthatcher.com . 
    As the IP is that of a server, there likely isn't a reason that legitimate web 
    traffic would come from it, so blocking the IP may be a short term solution. 
    If you continued to see any activity of concern from our network, 
    please reply with a log snippet or 2 to aid in our stopping further abuse. 

    Glen, 
    --  
    - DreamHost Abuse/Security Team   
    - Terms of Service: http://www.dreamhost.com/tos.html   
    - Anti-Spam Policy: http://www.dreamhost.com/spam.html   
    - Abuse Center: http://abuse.dreamhost.com/ 

    

I have previously described what I wanted the other ISPs to do when we discussed how to stop a DDoS attack. In my case, I decided to thwart the attack using the techniques I described in the last section. A month later, I am still seeing (using netstat) attacks using ApacheBench emanating from DreamHost servers, but these attacks no longer cause my website to shut down because of the measures I have taken.

You should understand that when you open a "ticket" with these ISPs, you are usually initially communicating with a low-level employee. It is often a good idea to request that the ticket be "escalated" to a more experienced Network Administrator or System Administrator.

Now, let's contact our own ISP and ask for their help in thwarting the DDoS.

Most ISPs offer a "support portal" on their website where you can log in and submit a ticket for help. Here is a sample email:

    Subject: Denial of Service Attack
    Message:
    Hi,

    My website, gregthatcher.com, is currently suffering a Denial of Service attack from the following 
    IP addresses: 67.219.58.161, 216.36.57.157, 69.163.239.247, 174.122.60.235, 85.17.199.93, 200.98.197.42
    I suspect that the attacker is using a program called ApacheBench to attack my site from multiple 
    sites (Distributed Denial of Service Attack).

    Please investigate this, and stop this attack.  In particular, please block these IP addresses at 
    the router or firewall so that these machines can no longer attack my website.

    I believe the attacker is running a command like this:
    ab -n 1000 -c 1000 http://www.gregthatcher.com/

    Thanks,
    Greg
    

Once again, we are just hoping that they perform the actions I described previously. Also, since you are paying for hosting with this ISP, I suggest that you escalate the ticket as soon as you receive a non-automated response. Here is the response I received after I requested that DiscountASP.NET (the ISP that used to host my site) escalate my ticket:

    Hello,

    Your ticket is being escalated to our systems administrator.  They will contact you as soon as possible.

    Please let us know if you have any further questions.

    Thank you,

    Raymond

    DiscountASP.NET is a Microsoft Gold Hosting Partner Team Foundation Server Hosting | ASP.NET Web Hosting

    blog.discountasp.net | dasptv.com | community.discountasp.net | labs.discountasp.net

    Stay up to date! 
    Follow us on Twitter: http://twitter.DiscountASP.NET, 
    become a fan on Facebook: http://facebook.DiscountASP.NET 
    and join our circles on Google plus: http://googleplus.DiscountASP.NET

    

DiscountASP.NET initially tried to help me with this problem. Sadly, I received this message from them after a few days:

    Hello Greg,

    As you are no doubt aware, the attack on your site continues. Unfortunately, whoever is behind 
    that is now directing their efforts not only at your site, but at our name servers. So we can no 
    longer host the site. We have to remove your DNS entry in order to relieve the problem. 
    I'm sorry, but we don't have much choice in the matter.

    I understand that you've been with us for a long time, and I appreciate that, but we have 50,000 other 
    customers to protect as well, so as I said, we can't really continue to deal with this on your behalf.

    Please let me know if you have any further questions.

    Thank you,

    Michael Phillips

    DiscountASP.NET is a Microsoft Gold Hosting Partner Team Foundation Server Hosting | ASP.NET Web Hosting

    blog.discountasp.net | dasptv.com | community.discountasp.net | labs.discountasp.net

    Stay up to date! Follow us on Twitter: http://twitter.DiscountASP.NET, 
    become a fan on Facebook: http://facebook.DiscountASP.NET and 
    join our circles on Google plus: http://googleplus.DiscountASP.NET. 


    

Apparently, this was his way of telling me that he had suspended my account.

[Screenshot: Account Suspended]

This response was extremely disappointing. If you've been reading along from the beginning, it should be very clear that there are several quick, easy ways to stop this kind of attack. I had previously been using and recommending DiscountASP.NET for many years. Although their support usually wasn't that great, they offered a great service at very affordable prices. The only problem I had with them was the fact that they limited the memory usage of each website (because it is a shared hosting service), and I had to do a considerable amount of programming to keep my website's memory usage low (I no longer have to do this with Azure).

Fortunately for me, I had done some research on Azure, and suspected that Azure would let me implement these anti-hacker measures myself. It turns out I was right, and I'll show you how I did that next.


Copyright (c) 2013 Thatcher Development Software, LLC. All rights reserved. No claim to original U.S. Gov't works.