how to find the IP of someone DOSsing you?

[latrosicarius]

Is there a log file or something that shows all the IPs pinging you and stuff?

This is Win Server 2008

Thanks

[Caudovittatus]

Apologies, I know this is not exactly what you asked, but if you do happen to have a Linux machine available that you could put in place of the Windows server, I find that the syslogs are pretty good (I was getting hit pretty hard at one time - particularly with people trying to brute-force my SSH server). If you can set one up the logs are usually in /var/log/messages

On the Windows side, I guess you've already tried the event viewer? Not sure how much it would log on Server 2008 by default, but it must be possible to set it up to log pretty verbosely

[latrosicarius]

thanks, no, I have not looked in the eventlog. I will try to poke around in there tonight.

About the linux, right now the windows server does not have a router. It is plugged directly into the fiber "modem" thing, and it obtains its static IP addresses manually via the windows' TCP/IP properties for the ethernet card, based on the gateway and information that my ISP provided me.

I have an unused server, and I was thinking about putting something like IPcop or pFsense on it for a linux router, but that's a bit of a task for me b/c I know jack about linux.

[aidanjt]

pfSense is very easy to use. It has a web interface for daily administration. And the installation process is fairly intutive.

[TheAnimus]

pfSense is really rather gnarley! Its actually BSD based rather than linux, and is a fork of m0n0wall my favourate hardware firewall for student housing (so easy to set up QoS so that chris's gay 'pictographic research' does not effect your lag for gaming!).

It is VERY easy to install and get running (so long as the hardware is 'compatable')

[funkymunky]

Install Wireshark, you can see all the traffic on the wire then.

[peterb]

Your router logs may have a history of IP addresses that have connected to your network - have you looked at those? Also have a look at the security event log.

[latrosicarius]

i looked in the security log but it doesn't show any ip addresses.

I installed wireshark and i see a bunch of packets being sent to and from my server to various IPs.

Can someone tell me how to track down the person who is DOS attacking? For instance, is there a way to log the IP of anyone who makes over 100 connections in 5 seconds or something??

Thank you

[peterb]

Could be a DDOS attack from a botnet - very hard to travck down, however that would be a directed attack and unless you have something specific, it is unlikely that you would be the subject of one.

You can do a whois to find out who the IP address belongs to - normally that will be an ISP, so you can file an abuse report with them. Don't hold your breath for a reply - I only got one twice - one from a US army site, and once in reply to a phishing e mail I received - they took the phishing site down within minutes of my report.

Many of these attacks originate from China, Russia and former soviet block counties. Rumania seems to be a source for many of the ones I receive - SSH attacks in particular (50,000 on one memorable 24 hour period - but normally between 50 and 2,000 a night)

[latrosicarius]

it is unlikely that you would be the subject of one.

I have no doubt they are specifically targeting me. They are rival gaming clans, and I run the most popular game server of this particular type in the world.

Could be a DDOS attack from a botnet

I don't think that it would be a "distributed" (DDOS) attack from a botnet; just a regular DOS attack by some scumbag. Two reasons: (1) i just don't think it is likely that a crappy rip-off gaming clan would have the skills and conviction to illegally compromise a large group of computers. (2) I have been DDOSsed before by a real botnet and let me say: it does not just lag you; it fills your entire bandwidth and shuts you down.

Many of these attacks originate from China, Russia and former soviet block counties. Rumania seems to be a source for many of the ones I receive - SSH attacks in particular (50,000 on one memorable 24 hour period - but normally between 50 and 2,000 a night)

I have gotten some of those as well, but they are normally not attacks with the intention to deny service, but to brute-force a password to gain access to a server. Now that I changed to using non-standard ports, these foreign attacks have subsided for the most part. They had no particular interest in me, but were just attacking me because I was there.

My current problem, however is a few people who purposefully direct attacks at me because they see me as "competition" or whatnot.

I was hoping someone could give me link or quick how-to rundown for getting Wireshark to log any IP addresses that have an abnormally high amount of connections (such as X number in Y seconds). Thanks

[watercooled]

You should just be able to 'see' the attack in wireshark - look for any packet from the same IP (if you think it's a single machine DoS) which appears a lot. If possible, check the IPs connected to the game server so you can rule them out. Remember, wireshark must run either on the same machine that's being DoS'd or another machine across the network using a HUB, not a switch.
Hope this helps

Edit: another option would be to temporarily close the server so there is less to look through in wireshark. Ignore IPs that send only a few packets - a DoS will be a constant flow. But I doubt anyone with the knowledge of how to perform a DoS would bother doing it with a single machine - after all his upload speed is almost certainly lower than your download so wouldn't do much to your server. But, as I've said on another post my friend's brother was DDoS'd by someone on XBL - I found on some news sites/forums on the net that there are paid services that will DDoS someone off XBL if they are winning etc (why they bother doing it and risking 10ys prison I don't know)...

[latrosicarius]

Right, watercooled. I was just sitting there looking at the IPs, but there are problems with this approach:

(1) The attacks are not constant. They occur periodically, and I really have better things to do than just sit in remote desktop 24/7 waiting for them.

(2) This particular server box is a gameserver with probably 200+ people connected to it at any given time, each one is constantly moving around, jumping, shooting, typing, speaking on their microphones, etc etc. All of that data is sent through the server and relayed to all the other clients in the game. There are *so* many connections flying across the screen that my eyes simply cannot interpret it fast enough.

That's why I was hoping for some help to set up a log that will capture the malicious connections for me. And by malicious, I mean an IP which is making more connections than normal.

[Barry]

smsniff is also a good app for checking, it will show you the amount of data and type being sent

[peterb]

Sorry, didn't know you were running a game server, or likely to be targeted. Some form of log analyser (like awstats - not sure if that would work in your set up though) might help to determine something after the event. Google may be useful for something more suitable.

[pipTheGeek]

If you set a filter of tcp.flags == 2 in wireshark, then it will capture only the syn packets. This is the type of TCP packet that opens a connection. So you will have far less packets to sift though.
Sadly, if they are sending UDP (the sort of traffic a game server would normally recieve ) then it won't capture it. The only other way I can think of catching it is to leave the capture running for a while, then stop the capture and start analysing it. Do this by looking for the first source address, then filter the trace to decide if they are playing the game or attacking you. If they are playing the game then apply a different filter that will exclude that address and look for the next address, and so on until you have no log left, or find the culprit.

[chinny]

Another useful one in Wireshark is to leave it capturing and go to Statistics -> endpoints. Take your pick from ipv4/tcp/udp etc and it'll keep the stats updating for you so you can sort on packets etc.

Have found that very useful before myself.