-
DDoS
How do you discover the size of a UDP packet? I used Ethereal and router logs and saw I was being DDoSed from all different ports. When DDoSes are done, are they all the same packet size, and can they be filtered? Adding all the drones' IPs in iptables is tedious work... Oh yeah, he lives in the UK, where I don't think botnets are illegal. I took screenshots of all his XDCC bots. What can I do to report him? Not something to get his domain cancelled, but to legally take action.
-
Re: DDoS
I've had a decent amount of experience with kiddies, I assume you use IRC quite often and are probably already familiar with them yourself :D (something of an understatement I guess, since you've already been attacked by one!)
Ethereal should be reporting the packet size on UDP packets; just select one of them and take a look at the top in the frame view where it says "Frame ## (### bytes on wire, ### bytes captured)." I think your best bet is to just loop through the entire list of IPs that sent any amount of UDP traffic over a certain amount to decide on who to block, assuming you don't have other network services this might blacklist for others. Also, make sure there isn't a common port that they all attack. Most DDoS attacks I've received are targeted at a random, but single, port.
I will go out on a limb and expose some possible ignorance here, but I don't think blocking UDP packets will work. Yes, a large flood can shut down most consumer-grade hardware routers (the actual system resources are overloaded before the connection), but other than that, I think it is up to your connection's bandwidth to see if you stay up. Such attacks are generally diverted at a higher level. The only real precaution I'd think you could take is blocking ICMP pings.
I suggest you look through the packet logs for a person that might help you. By this, I mean look for perhaps an EDU or a host that is clearly only a private organization's connection. Contact them, preferably by phone, and get the botnet exe. After that, you can run it within your own controlled environment to discover the location of the botnet. From there, you'll need to contact the server(s) hosting the botnet, but make it clear you wish to take legal action against the individual, so that they may send you whatever logs they have of his connections.
If you'd like, I'd be glad to help you with this matter. Botnet hunting is something of a hobby I've come up with, and I have a few custom tools for passive monitoring of the botnets and capturing on a honeypot system.
edit: you can find me on IRC at irc.neon-net.com #neon - I am "IronFist"
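The reply above suggests tallying UDP traffic per source IP and checking whether the flood shares one packet size and one target port before deciding what to filter. The following Python script is an added example, not code from the thread or its participants; the capture records are constructed in a simplified tshark-style column layout (time, src IP, src port, dst IP, dst port, frame length), and the addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample of a UDP-only capture export (not real traffic):
# time  src_ip  src_port  dst_ip  dst_port  frame_length
SAMPLE = """\
0.000 203.0.113.5  40001 192.0.2.10 27015 1024
0.001 203.0.113.5  40002 192.0.2.10 27015 1024
0.002 198.51.100.7 51000 192.0.2.10 27015 1024
0.003 203.0.113.5  40003 192.0.2.10 27015 1024
0.004 198.51.100.7 51001 192.0.2.10 27015 1024
0.005 192.0.2.44   53    192.0.2.10 33120 91
0.006 203.0.113.5  40004 192.0.2.10 27015 1024
"""
LINE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

def parse(text):
    """Yield (src_ip, src_port, dst_port, length) per record; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), int(m.group(3)), int(m.group(5)), int(m.group(6))

def summarize(records):
    """Per source IP: packet count, total bytes, distinct frame sizes, distinct dst ports."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "sizes": set(), "dst_ports": set()})
    for src, _sport, dport, length in records:
        s = stats[src]
        s["packets"] += 1
        s["bytes"] += length
        s["sizes"].add(length)
        s["dst_ports"].add(dport)
    return dict(stats)

def flood_sources(stats, min_bytes):
    """Sources that sent at least min_bytes of UDP, heaviest first (blocklist candidates)."""
    return sorted((src for src, s in stats.items() if s["bytes"] >= min_bytes),
                  key=lambda src: stats[src]["bytes"], reverse=True)

def common_signature(stats, sources):
    """(size, dst_port) if every flagged source used a single size and port, else None."""
    sizes = set().union(*(stats[s]["sizes"] for s in sources))
    ports = set().union(*(stats[s]["dst_ports"] for s in sources))
    return (next(iter(sizes)), next(iter(ports))) if len(sizes) == 1 and len(ports) == 1 else None

def iptables_rules(sources):
    """One DROP rule per flagged source; review the list before applying it."""
    return [f"iptables -A INPUT -p udp -s {src} -j DROP" for src in sources]
```

Running `flood_sources(summarize(parse(SAMPLE)), 2000)` on the sample flags the two heavy senders and leaves the ordinary DNS reply from 192.0.2.44 alone; `common_signature` then reports that both used 1024-byte frames to port 27015, which is the kind of uniformity the reply suggests checking for before filtering by size or port instead of by source.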
-
Re: DDoS
Why is he now banned? I've looked through his posts, etc., and see nothing ban-worthy other than his sig, but I suppose such a statement isn't that bad, is it?
-
Re: DDoS
ouch, what was in his sig?
-
Re: DDoS
http://vbforums.com/member.php?userid=57435
Sorry to be asking admins, but I was looking forward to him hopefully replying :|
-
Re: DDoS
That won't be happening, I guess, but the way to resolve this is to change your IP with a proxy.
-
Re: DDoS
I don't suggest he evade a ban, although I am still curious as to what it is for :P
-
Re: DDoS
Not what I meant; I meant change IP so he won't get DDoSed.