Does anyone have any experience of tracing a denial of service attack?
A user on Orange home broadband hit a web site I wrote for my local football team with hundreds of thousands of requests in a short period last week. Pleasingly the bits of the web site which I wrote stood firm but I had a Gallery PHP application installed which started maxing out the CPU on my shared host so the hosting company disabled my account while I looked into it.
Anyway I found out the user's broadband address from the server access logs (blahblahblah.orangehomedsl.co.uk). I don't know very much about this sort of stuff so I guess I'd be interested to know whether this is actually useful (i.e. presumably someone could fake it but if so I'd expect some sort of proxy server and not what looks like a normal broadband connection?)
I emailed the Orange abuse department who told me they can't do anything without the IP address. This strikes me as unhelpful as I would have thought they could work out who was using the connection in question as I have told them the exact time the attack occurred (and it was over a period of hours). So if anyone can tell me they are talking nonsense and a constructive reason as to why, I can go back to them with abuse of my own.
I have asked the host if they can supply the IP but suspect they probably don't have anything more than I have got from the Apache access log which has the address in this long format. I've asked them to change the format of the logs so the IP can be captured in the future but obviously this doesn't help with this case.
TIA for any suggestions.
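One way to quantify the flood from the Apache access log and to turn the logged reverse-DNS name back into an address (an added example, not code from the original post; the log lines, the date, the 100-requests-per-minute threshold and the injectable resolver are constructed for illustration):

```python
import re
import socket
from collections import Counter
from datetime import datetime

# Apache common/combined log format. With HostnameLookups On the first
# field is the reverse-DNS name of the TCP peer rather than its IP.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return (client, timestamp, request) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("client"), ts, m.group("req")

def requests_per_minute(lines):
    """Count requests per (client, minute) bucket, skipping unparseable lines."""
    buckets = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, ts, _ = parsed
        buckets[(client, ts.strftime("%Y-%m-%d %H:%M"))] += 1
    return buckets

def flood_sources(lines, threshold):
    """Clients that sent at least `threshold` requests in any single minute."""
    return {c for (c, _), n in requests_per_minute(lines).items() if n >= threshold}

def hostname_to_ip(hostname, resolve=socket.gethostbyname):
    """Forward-resolve a logged hostname; returns None if it does not resolve.
    The resolver is injectable so the function can be exercised offline."""
    try:
        return resolve(hostname)
    except OSError:
        return None

# Constructed sample log: the hostname is the one quoted in the post, the
# timestamps and paths are made up. 250 hits in one minute from the flooder
# against a Gallery URL, one hit from an ordinary visitor, one junk line.
FLOODER = "blahblahblah.orangehomedsl.co.uk"
SAMPLE_LOG = [
    f'{FLOODER} - - [12/Mar/2008:21:05:{i % 60:02d} +0000] '
    f'"GET /gallery/main.php?g2_itemId={i} HTTP/1.1" 200 5120'
    for i in range(250)
] + [
    'host-1.example.net - - [12/Mar/2008:21:05:30 +0000] "GET /fixtures.html HTTP/1.1" 200 2048',
    'malformed line',
]
```

The forward lookup of the reverse-DNS name normally gives the address the connection came from, but the two records are maintained independently, so the result is a lead rather than proof; logging `%a` (or `%h` with HostnameLookups Off) records the raw peer address directly.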