Topic: DDOS Attacks. What you can do to help stop them! - page 2. (Read 4384 times)

You are missing the point, you are sending emails to a source that has either sent nothing at all or is an open recursive DNS server MOST of the time.

As a person who offers DDOS protection services, you have a vested interest in not seeing actions like this having much effect. It's called a Conflict of Interest.

People need to understand the value of receiving third party email regarding problems on their network. I've been an admin for years, and some of the most effective tools for identifying servers that have been, to some degree, compromised are third-party notifications.

/Salute to KhaOS and Serraz for trying to do something positive, and then spreading it to the community.

I consider it SPAM, and I offer ddos protection services.
...
As as a person who offers DDOS protection services and deals with a ton of these false positives every day, I know a thing or two about this.

Spamming innocent people?
We reported a problem to the network/system admin of the affected server?
From all emails sent, the common thing I see among all answers is: "Thank you for informing us about the problem".

And in the end, at least we try to do something. I would like to see your suggestions then...

You do realize 99% of ddos attacks are spoofed right, and the ones that aren't are usually reflection attacks.. ie, DNS amplification attacks.
Sending emails like that is just spamming a ton of innocent people most of the time.

Great please post your script here also to share with everyone

As long as the attackers' bandwidth exceeds the server's it would most probably down.

Definitely is good plan forward, if enough people use scripts such as yours it, it would reduce the over all number of compromised networks in the long run, which these DDOS attackers make use of. Not necessarily a cure, but certainly make them weak enough to be easier to deal with.

I don't run a pool, but I do run a few servers, so I'll probably rewrite this to make it work along side one of my other scripts which usually just blocks these IP address' in the 1st layer firewall.

I often use report emails autogeneration. Sometimes this even could destroy the botnet, but usually makes it weaker.

Booters cost like $5/month and the pools need corporate grade protection to counter them; it's not cheap (2-4k/month for TCP applications like Stratum). If we manage to knock off 50% of the nodes, the booter price might go to $10/month or something so it's still a losing battle. These aren't the sophisticated attacks that mtgox has to deal with, but a simple UDP flood. Most hosts that offer DDoS protection, from my shopping experience, max out at 10Gbit/1-5MPPS, and I consistently saw attacks stronger than that with CNC (peak was 22Gbit, 75% of the attacks were over 10).

Some prices for dedicated DDoS protection I found: (not shared like awknet or VPS)
Staminus     $1k/month for 10Gbit/1MPPS (not strong enough)
BlackLotus $675/month for 10Gbit/6MPPS
Some other  $1k/month + $4k setup for similar

The solution I've come up with is to just use a suite of reverse proxies:
buyvm/etc VPS (10Gbit/5MPPS)
Minecraft-oriented VPS/Dedicated (Varies)
Cloud Load Balancer

For example, I used an amazon elastic load balancer and some micro instances for forwarding. By using the ELB, amazon soaks up the packet floods and does some filtering. I also use cloudflare free, but there's a risk. If your site gets a http-layer attack, and you're not on the 200/m plan, cloudflare will change your DNS record and effectively direct the traffic to your server. The pro is a packet flood goes to the CDN node, and that's not associated with any single domain, so it blocks those (you can route longpolling through cloudflare since it's HTTP traffic)