
JohnCC
join:2005-12-19
none

JohnCC

Member

ddos

Has anyone ever dealt with this issue before? I have FiOS business with a static IP and it has been UDP flooded since yesterday night. I have the exact group of IP addresses doing it and I think it could be blocked on their end before it gets to me, but I don't know the best person to call or ask. Any advice? Thanks.

Smith6612
MVM
join:2008-02-01
North Tonawanda, NY
Ubiquiti Unifi Security Gateway
Ubee E31U2V1
Ubiquiti UniFi AP-AC-HD

Smith6612

MVM

What I would do in this case is perform a WHOIS on each of the IP addresses to see which ISP owns them. Once you do that, contact the ISP's abuse department with the IPs and get them to stop the Denial of Service activity (you may need to save your router firewall logs for them to see). If you cannot do that, see if Verizon is able to block the data on their network before it reaches you.

Have you used anything lately on the connection that may have caused this however?

JohnCC
join:2005-12-19
none

JohnCC

Member

Thanks. Have been doing that so far. But one big problem is that they're all 3rd world country IP addresses, and a few were from China. I did send multiple emails to all of them and now I'm just battling a couple. At least the connection is working.

I called Verizon business support and the person on the phone understood the situation and seemed pretty knowledgeable - but really couldn't help me. The "network group" is supposed to call me soon about blocking the IP addresses before they come to me, but haven't heard a word on that.

That seems to be the most logical solution here, is that they block it before it gets to me. Just need to find the right person to talk to.

Also, I know exactly who is behind it or at least connected. It's someone from an IRC room.

houkouonchi
join:2002-07-22
Ontario, CA

houkouonchi

Member

Oh fun times on that... How did they get your IP address? Are you running servers or something? If the IRC server isn't doing a hostmask, maybe it's time to connect to the IRC server via an SSH proxy or something.

I would hate to have to deal with this simply due to not being able to get a hold of the right people at Verizon, as you would need someone who can block the IPs at their border router.

watice
join:2008-11-01
New York, NY

watice to JohnCC

Member

to JohnCC
Might be a little troubling, but what we used to do is ask our provider to nullroute the IP we had, and assign us another one. In the future, you might want to invest in a virtual host for your IRC stuff if you're using an important business connection for that. Just google IRC vhost and you'll find an abundance of providers.

houkouonchi
join:2002-07-22
Ontario, CA

houkouonchi

Member

said by watice:

Might be a little troubling, but what we used to do is ask our provider to nullroute the IP we had, and assign us another one. In the future, you might want to invest in a virtual host for your IRC stuff if you're using an important business connection for that. Just google IRC vhost and you'll find an abundance of providers.

Well, if there is only a lot of traffic coming from a couple of IPs then I doubt he would want to null route the IP he has, as that means he would have to change it. If it's just a couple IPs I am sure it can be blocked on the border router pretty easily.

JohnCC
join:2005-12-19
none

JohnCC

Member

Hi, thanks for the replies. It's just a Verizon business connection at home. This person got it because I run web, FTP, and an IRC server, so they knew where to get me. It is all over a very childish personal problem with this person and I may even go to the authorities about this.

quote:
Well, if there is only a lot of traffic coming from a couple of IPs then I doubt he would want to null route the IP he has, as that means he would have to change it. If it's just a couple IPs I am sure it can be blocked on the border router pretty easily.

There was a group of about 5 IP addresses. Definitely a little botnet and/or a "rent-a-botnet" if you will. I imagine it would be absolutely trivial for someone from Verizon to block those IPs.

What about the direct forum here - maybe people there would be able to handle issues like this?

The issue is over for now because it was handled via "other means." Though I would still like any resource I could use for this issue if it happens again.

rebus9
join:2002-03-26
Tampa Bay

rebus9 to JohnCC

Member

to JohnCC
said by JohnCC:

I have FiOS business with a static IP and it has been UDP flooded since yesterday night. I have the exact group of IP addresses doing it

How many addresses are attacking you, and are they from the same netblock or scattered around?
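
Added example, not part of any post in this thread: one way to turn saved firewall logs into the per-source evidence an abuse desk or upstream provider asks for, and to check whether the sources share a netblock or are scattered. It assumes iptables-style LOG lines; the sample log, the `summarize_udp_sources` name and the addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in an assumed iptables-style LOG format; addresses are
# RFC 5737 documentation ranges, not the ones reported in the thread.
SAMPLE_LOG = """\
Jan 10 03:14:07 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=1028 PROTO=UDP SPT=4444 DPT=80
Jan 10 03:14:07 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=1028 PROTO=UDP SPT=4445 DPT=80
Jan 10 03:14:08 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.50 DST=198.51.100.10 LEN=512 PROTO=UDP SPT=53 DPT=6667
Jan 10 03:14:09 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=1028 PROTO=UDP SPT=4444 DPT=80
Jan 10 03:14:09 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40000 DPT=21
Jan 10 03:14:10 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113 DST=198.51.100.10 LEN=100 PROTO=UDP SPT=1 DPT=80
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?\bSRC=(?P<src>\S+)"
                     r".*?\bLEN=(?P<len>\d+).*?\bPROTO=(?P<proto>\w+)")

def summarize_udp_sources(log_text, prefix_len=24, year=2000):
    """Group logged UDP packets by source netblock, heaviest first."""
    blocks = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "UDP":
            continue  # skip non-UDP traffic and lines that do not parse
        try:
            net = ipaddress.ip_network(f"{m['src']}/{prefix_len}", strict=False)
        except ValueError:
            continue  # malformed or truncated source address
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        b = blocks.setdefault(str(net), {"netblock": str(net), "sources": set(),
                                         "packets": 0, "bytes": 0,
                                         "first_seen": ts, "last_seen": ts})
        b["sources"].add(m["src"])
        b["packets"] += 1
        b["bytes"] += int(m["len"])  # first LEN= on the line is the IP length
        b["first_seen"] = min(b["first_seen"], ts)
        b["last_seen"] = max(b["last_seen"], ts)
    return sorted(blocks.values(), key=lambda b: b["bytes"], reverse=True)

if __name__ == "__main__":
    for b in summarize_udp_sources(SAMPLE_LOG):
        print(f"{b['netblock']:<18} sources={sorted(b['sources'])} "
              f"packets={b['packets']} bytes={b['bytes']} "
              f"{b['first_seen']:%b %d %H:%M:%S} to {b['last_seen']:%b %d %H:%M:%S}")
```

Firewalls commonly rate-limit their logging, so the byte totals are a lower bound on the flood, not a bandwidth measurement.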

JohnCC
join:2005-12-19
none

JohnCC

Member

Here's the list for anyone curious, not sure if posting is allowed here though so mods please remove if so.

200.157.211.204
61.191.188.164
202.28.24.43
213.132.197.149
85.18.11.66
200.234.220.101

All of the above were doing UDP floods, and did not respond to their abuse email, and two have not responded to my phone calls. Clearly a pretty dangerous little group here. The top two are especially horrible.

Agent Smith2
join:2008-07-07
New York

Agent Smith2

Member

Do you have a picture from a firewall to post the logs?

Does it have any effect on internet speed?

JohnCC
join:2005-12-19
none

JohnCC

Member

Yes, it does. Everything was lagging since the downstream was flooded. Based on what I saw from the incoming IPs because some dropped off and then came back sometimes, I'd wager it was a size of around 120Mbps-150Mbps attack. Not pretty.