[AusNOG] DDoS Attacks - Painful and Persistent.
Nick Brown
nick at inticon.net.au
Mon Aug 10 16:55:31 EST 2009
Roland Dobbins wrote:
> When you can spare the time/resources to do so, it would be a good
> idea to examine this host and its outbound/crossbound traffic in order
> to see if it's been compromised and is being used as a botnet C&C, to
> host pirated content/warez, etc. These can make it a target - the
> miscreants often go after one another for financial and other reasons.
>
To clarify, the target has changed as follows over the 3 weeks, each time
moving on as we blackhole the destination:
1. iBGP interface between two routers - Unsure why this target was
selected, it is not visible in any traces the target would have completed
2. Interface on our side on PTP link between us and an upstream carrier -
This can obviously be overcome by using private address space between
your carrier and yourself
3. Our website IP - this is on a server that does very little except
serve our website
4. Our website IP again, after the site was moved to an alternate IP on
the same box, in a separate subnet.
We have no reason to believe that the attack is the result of either
compromised routers or our web server (we have gone over the webserver
with a fine comb); however, at the same time we are bracing ourselves, as we
do somewhat expect that in the event the DDoS stops permanently for
whatever reason, we may see attacks and attempted exploits of other sorts.