
Sorry, I don't know where to raise this subject.

This is not the first time we have faced a massive DDoS attack from one of the servers at RedStation.com, and even after we contacted their abuse department with its log there has been no cooperation; they don't even bother themselves about it, and we don't know how to stop such activity.

Do you know how to file a complaint against this datacenter? We cannot be patient anymore and watch them not care about such things on their network. It seems like they are a haven for attackers now, since they close their eyes to gain more money.

I guess some global organization is missing in this matter, one to investigate such activity and make sure providers are responsible for their services.

Here is some of its log:

```
2686M 75G DROP all -- * * 31.3-RedStation 0.0.0.0/0
rt: 16167
0.002007 31.3-RedStation -> my-server-ip UDP Source port: 36391 Destination port: 16167
0.002011 31.3-RedStation -> my-server-ip UDP Source port: 38367 Destination port: 16312
0.002014 31.3-RedStation -> my-server-ip UDP Source port: 39585 Destination port: 12081
0.002018 31.3-RedStation -> my-server-ip UDP Source port: 39585 Destination port: 12081
0.002021 31.3-RedStation -> my-server-ip UDP Source port: 38367 Destination port: 16312
0.002025 31.3-RedStation -> my-server-ip UDP Source port: 39585 Destination port: 12081
0.002033 31.3-RedStation -> my-server-ip UDP Source port: 36391 Destination port: 16167
0.002037 31.3-RedStation -> my-server-ip UDP Source port: 38367 Destination port: 16312
0.002040 31.3-RedStation -> my-server-ip UDP Source port: 38367 Destination port: 16312
0.002044 31.3-RedStation -> my-server-ip UDP Source port: 38367 Destination port: 16312
0.002047 31.3-RedStation -> my-server-ip UDP Source port: 39585 Destination
```

Any response would be appreciated

Ehsan
  • If they absolutely will not respond, your best option is to call your ISP or DC provider and have their IP range blocked upstream so you don't end up with all that traffic. – Chris S Dec 16 '12 at 17:10
  • I asked my ISP to block them, but they told me that they wouldn't block the IP range until the attack lasts a few days. – Ehsan Dec 16 '12 at 17:16
  • If your ISP won't address your problem, you might want to start thinking about finding a new ISP. – David Schwartz Dec 16 '12 at 17:21
  • Try the FBI internet crime centre? – Tom O'Connor Dec 16 '12 at 17:24
  • I have to agree with David. There are *lots* of places that a DDOS could come from, and an ISP that won't work with its customers to protect them is useless for serious hosting. – Rob Moir Dec 16 '12 at 18:18
  • Excuse my ignorance, but isn't the best short term solution to configure your firewall to act specifically on packets from their netblock? – Gaia Dec 16 '12 at 23:44
  • @Gaia Certainly that helps, but you're still wasting CPU and bandwidth to deal with the malicious traffic on your [potentially metered] end. – jscott Dec 17 '12 at 00:16
  • http://www.redstation.com/contact.html. It says they will not accept any legal conversations by email/fax. You are going to have to do it the hard way: 0800 622 6655, sales office. – ArrowInTree Dec 17 '12 at 04:53
  • I sent these redstation.com jokers an email at sales... and got a polite, disingenuous answer... I will leave it at that... – ArrowInTree Dec 17 '12 at 22:37
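The host-side filter that Gaia and jscott discuss, together with the per-source summary an abuse desk or your own ISP will ask for, as an added example (this is not code from the question or from any answer). It reads capture lines in the format pasted in the question, counts packets per source and destination port, estimates the per-source packet rate, skips the truncated last line such captures usually end with, and prints (without executing) the iptables and nftables rules that would drop a netblock at the host. The sample lines are constructed to match the posted format; 203.0.113.0/24 is a documentation-range placeholder rather than RedStation's real range, and the nftables rule assumes an existing `inet filter` table with an `input` chain.

```shell
#!/bin/sh
# Added example, not code from the original post. Summarizes a tshark-style
# UDP flood capture and prints the host-side drop rules for a netblock.

# CONSTRUCTED sample in the same shape as the question's capture. The last
# line is deliberately truncated, like the last line in the question.
SAMPLE_LOG='0.002007 31.3-RedStation -> my-server-ip UDP Source port: 36391 Destination port: 16167
0.002011 31.3-RedStation -> my-server-ip UDP Source port: 38367 Destination port: 16312
0.002014 31.3-RedStation -> my-server-ip UDP Source port: 39585 Destination port: 12081
0.002018 31.3-RedStation -> my-server-ip UDP Source port: 39585 Destination port: 12081
0.002021 31.3-RedStation -> my-server-ip UDP Source port: 38367 Destination port: 16312
0.002025 31.3-RedStation -> my-server-ip UDP Source port: 39585 Destination port: 12081
0.002033 31.3-RedStation -> my-server-ip UDP Source port: 36391 Destination port: 16167
0.002037 31.3-RedStation -> my-server-ip UDP Source port: 38367 Destination port: 16312
0.002040 31.3-RedStation -> my-server-ip UDP Source port: 38367 Destination port: 16312
0.002044 31.3-RedStation -> my-server-ip UDP Source port: 38367 Destination port: 16312
0.002047 31.3-RedStation -> my-server-ip UDP Source port: 39585 Destination port: 12081
0.002049 198.51.100.7 -> my-server-ip UDP Source port: 53 Destination port: 40112
0.002050 31.3-RedStation -> my-server-ip UDP Source port: 39585 Destination'

# Field layout of a complete line:
#   $1 time  $2 src  $3 "->"  $4 dst  $5 proto  $6 "Source"  $7 "port:"
#   $8 sport  $9 "Destination"  $10 "port:"  $11 dport
# A line whose $11 is not a number is truncated and is ignored.

# flood_summary: capture on stdin -> "count src dport", busiest pair first.
flood_summary() {
    awk '$5 == "UDP" && $9 == "Destination" && $11 ~ /^[0-9]+$/ { n[$2 " " $11]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# packets_from SRC: number of complete UDP lines from one source.
packets_from() {
    awk -v src="$1" '$5 == "UDP" && $2 == src && $11 ~ /^[0-9]+$/ { c++ }
                     END { print c + 0 }'
}

# pps_from SRC: packets per second from SRC across the capture window (first
# to last timestamp in column 1), as an integer. Extrapolating from a few
# milliseconds is crude, but it is enough to show a per-source rate that no
# legitimate client produces, which is the number the abuse report needs.
pps_from() {
    awk -v src="$1" '$2 == src && $11 ~ /^[0-9]+$/ {
            if (!seen) { first = $1; seen = 1 }
            last = $1; c++ }
        END { if (c < 2 || last == first) print 0
              else printf "%d\n", c / (last - first) }'
}

# drop_rules NETBLOCK: print (do not run) the host-side rules that drop all
# UDP from NETBLOCK. Both variants count matches, so "iptables -nvL" or
# "nft list ruleset" later gives packet/byte totals like the 2686M/75G line in
# the question. This still costs the inbound bandwidth; only an upstream block
# by your ISP keeps the traffic off your link.
drop_rules() {
    printf 'iptables -I INPUT 1 -s %s -p udp -j DROP\n' "$1"
    # ASSUMPTION: an "inet filter" table with an "input" chain already exists.
    printf 'nft add rule inet filter input ip saddr %s meta l4proto udp counter drop\n' "$1"
}

# Stand-alone run: summary of the constructed sample, then the rules for the
# placeholder netblock.
printf '%s\n' "$SAMPLE_LOG" | flood_summary
printf 'packets from 31.3-RedStation: %s (about %s pps over the capture window)\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | packets_from 31.3-RedStation)" \
    "$(printf '%s\n' "$SAMPLE_LOG" | pps_from 31.3-RedStation)"
drop_rules 203.0.113.0/24
```

Run it with `sh` to see the summary; feed it a real capture with `tshark -T text ... | sh -c '. ./flood.sh; flood_summary'` style sourcing, or pipe the saved text file through `flood_summary`. The per-port counts and the firewall counters are the evidence the remote abuse desk and your own ISP want attached to a complaint. As jscott notes, the host-side DROP documents the attack rather than ending it.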

3 Answers


Generally your options are (in the order you should try them):

  1. Your ISP
    Your ISP should be willing to block (and deal with) DoS attacks on your behalf. At minimum they should be willing to block the traffic to your port/system with a firewall (though they may charge you for that privilege).
    Your comments indicated that your ISP's attitude is "If it's not sustained for several days we won't do anything", so like David said, it's time to look for an ISP that isn't brain-damaged, and maybe let your account rep know WHY you're leaving.

    Really Good ISPs (enterprise grade) will have DoS mitigation policies. They often contract with someone like Arbor Networks to help deal with such things.

  2. The Remote ISP
    You can really try this at the same time as #1 - talk to their abuse contact (obtained from whois), and/or try the avenues of contact listed on their website (because some companies don't keep whois up to date like they're supposed to).
    You already tried this, and the remote ISP is being useless.

  3. Involve The Lawyers
    Have your attorney draft a letter to the offending ISP identifying the source of the attacks, detailing your attempts to contact them (and their inaction), and instructing them to address the issue under threat of legal action.
    This is really only effective if (a) the ISP is in the same general jurisdiction as you are, and (b) They care about legal threats.

  4. Involve The Cops
    Tom mentioned the FBI Internet Crime Center. These guys are very helpful, if your case is important enough to warrant their action.
    DoS attack on critical infrastructure, banks, etc? -- Quick action.
    DoS attack on your CounterStrike Server? -- You'll be told to piss off, probably not that politely.

  5. Vigilante Justice
    I absolutely DO NOT recommend this approach. Basically you get a bunch of your friends together to pound the heck out of the system(s) attacking you.
    This opens YOU up to the same kind of retaliation (and the possibility of steps 1-4 above being applied to YOU, which may get you a knock on the door from law enforcement).

voretaq7
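Step 2 in the answer above says to get the abuse contact from whois. As an added example (not voretaq7's code), here is a small extractor for that step, because the registries label the field differently (RIPE and APNIC use `abuse-mailbox:`, ARIN uses `OrgAbuseEmail:` and `RAbuseEmail:`, and RIPE also prints a `% Abuse contact ...` comment) and the mailbox is often buried among tech and NOC addresses you do not want to mail. Both whois samples are constructed: the netblocks are documentation ranges and the addresses are placeholders. `whois_abuse` calls the real `whois` client and therefore needs network access.

```shell
#!/bin/sh
# Added example, not code from the answer: pull abuse mailboxes out of whois
# output so the complaint goes to the right desk on the first try.

# CONSTRUCTED RIPE-style object (documentation netblock, placeholder addresses).
WHOIS_SAMPLE_RIPE='% Abuse contact for 203.0.113.0 - 203.0.113.255 is abuse@example.net
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
descr:          Example Hosting Ltd
country:        GB
abuse-c:        AR12345-RIPE
role:           Example Abuse Desk
abuse-mailbox:  abuse@example.net
remarks:        report attacks to abuse@example.net, legal matters to legal@example.net
e-mail:         noc@example.net'

# CONSTRUCTED ARIN-style record for the same purpose.
WHOIS_SAMPLE_ARIN='NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
OrgName:        Example Transit LLC
OrgAbuseHandle: ABUSE1-ARIN
OrgAbuseEmail:  abuse@example.org
OrgTechEmail:   noc@example.org
RAbuseEmail:    abuse@example.org'

# abuse_contacts: whois text on stdin -> abuse e-mail addresses, one per line,
# deduplicated, in first-seen order. An address is kept when it sits in an
# explicit abuse field (abuse-mailbox:, OrgAbuseEmail:, RAbuseEmail:, the RIPE
# "% Abuse contact" comment) or when the address itself contains "abuse".
# Tech, NOC and legal mailboxes on other lines are dropped so the result can
# go straight into the To: line of the complaint.
abuse_contacts() {
    awk '{
        label = tolower($1)
        in_abuse_field = (label ~ /^(abuse-mailbox|orgabuseemail|rabuseemail):$/ ||
                          tolower($0) ~ /^% abuse contact/)
        n = split($0, w, /[ \t,;:()<>]+/)
        for (i = 1; i <= n; i++)
            if (w[i] ~ /^[^@]+@[^@]+\.[A-Za-z]+$/ &&
                (in_abuse_field || tolower(w[i]) ~ /abuse/) &&
                !seen[w[i]]++)
                print w[i]
    }'
}

# whois_abuse IP: query the registry for IP and print its abuse contacts.
# Needs network access and the whois client; not exercised by the samples.
whois_abuse() {
    whois "$1" | abuse_contacts
}

# Stand-alone run over the two constructed records.
printf 'RIPE-style record -> %s\n' "$(printf '%s\n' "$WHOIS_SAMPLE_RIPE" | abuse_contacts)"
printf 'ARIN-style record -> %s\n' "$(printf '%s\n' "$WHOIS_SAMPLE_ARIN" | abuse_contacts)"
```

Keep the raw whois output alongside the extracted address when you escalate: it is dated evidence that the registry pointed you at that mailbox, which matters if the provider later claims you never reached the right contact.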

Could try the directors - http://companycheck.co.uk/company/03590745#people

Could also try their upstream providers - http://bgp.he.net/AS35662#_graph4

AS1299 - TeliaNet Global Network - abuse@telia.com

AS3549 - Level 3 - abuse@level3.com

AS2914 - NTT - abuse@ntt.net

AS3257 - Tinet - abuse@tinet.net

Epaphus
  • My experience is that upstream providers really only want to hear complaints from other ISPs (your mileage may vary of course, but they don't have a huge incentive to harass their customer on your behalf unless you're ALSO peering or buying transit) - Ultimately what you'd hope for in this case is a mass black-listing, but those events are [rare enough that they make the NY Times when they happen](http://www.nytimes.com/external/idg/2010/03/17/17idg-after-weeklong-fight-rogue-isp-troyak-struggles-for-51697.html) – voretaq7 Dec 17 '12 at 20:09

Try the Internet Storm Center (http://isc.sans.edu) or http://darkreading.com.

OK, based on your requests:

ISC has a REST API: https://isc.sans.edu/api/

ip Returns a summary of the information our database holds for a particular IP address (similar to /ipinfo.html).
Parameters: IP Address
http://isc.sans.edu/api/ip/70.91.145.10

ArrowInTree
    Whilst this may theoretically answer the question, [it would be preferable](http://meta.stackexchange.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – Mark Henderson Dec 16 '12 at 21:10