DDoS


digip

I have some funky stuff in my logs. I get an IP address that starts with the same first three octets, but the last octet just climbs in numerical order.

ex:

123.123.123.1

123.123.123.2

123.123.123.3

123.123.123.4

123.123.123.5

etc., etc.

Could this be some kind of DoS attack? All from the same ISP, located in California. The user agent says it's "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" for some of them and then "Jakarta Commons-HttpClient/3.0.1" for others from the same IP address. It changes, but I think that is most likely either some kind of bot or someone messing with their network.

The timestamp on the requests also says they are all at the same time with only a few seconds apart from each other, flooding my site. I haven't seen any downtime on the site because of it, but I only noticed this after looking at the size of my logs. It's been doing this for the past few days now.

If they're not coming in at any sort of rate which is affecting your performance then it's not a DoS.

Looks to me like someone is playing with spoofing their IP address.

DoS attacks are extremely easy to identify; if it's malicious, though, then identifying legitimate traffic is near impossible.

Does your internet still work?

It's not my PC, it's my website. The site is still functional, but I was wondering why the flood of IP addresses all at the same time. Some sort of spider or search bot maybe?

If it's still working it's not a DoS attack.

Well, it's possibly a failed attack, especially since the OP said that each packet is a few seconds apart.

Are you getting more than the SYN? It's likely something more than someone playing with spoofing his IP if you're getting more than the SYN. If it's bothering you, you could always report it to the ISP.

Hmm... I'm thinking maybe not just spoofing their IP, but maybe trying to gain access via a spoof scan? I.e., trying to get onto the local network by trying to identify themselves as an address from the inside? Either way, this is definitely an amateur trying to do something. I have personally never heard of a search bot doing something like this.

Oh yeah, and while a DDoS attack may not hinder you from connecting to the site, if it were a DDoS, lag would be prevalent, and on the server side of things, it would show in the logs with SYN ACKs probably somewhere in the ballpark of at the very least 10 to 20 a second from the same IP. Also, if you have server equipment or routers with LED screens on them, they may or may not show that there is a DDoS happening.

Ex: (from Rev3's DDoS attacks coming from MediaDefender)

revision3_f5_dos.jpg

I was reading your thread and just wanted to say I have experienced similar behavior. I have an IP range 64.41.145.* that accesses a site I run and disguises itself as Internet Explorer 6. Doing some googling, I found that it is a private company that scans websites for customers to see if it contains any of their copyrighted content.

I assume your server is getting a similar scan. You should be able to edit your .htaccess and redirect all the offending IPs to something like google.com so they can't scan your site.

It isn't a DDoS.

Because you all didn't get my PM, but might want to know

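The pattern the thread discusses (addresses climbing through one /24 a few seconds apart, with the user agent changing on the same address) can be pulled out of an access log with a short script. This is an added example, not code from any poster; the log lines are constructed, Apache combined log format is assumed, and the `min_run` and `max_gap_s` thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (Apache combined log format, documentation IP ranges).
SAMPLE_LOG = '''\
203.0.113.1 - - [10/Jun/2008:14:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.2 - - [10/Jun/2008:14:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.2 - - [10/Jun/2008:14:00:04 +0000] "GET /a HTTP/1.1" 200 512 "-" "Jakarta Commons-HttpClient/3.0.1"
203.0.113.3 - - [10/Jun/2008:14:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.4 - - [10/Jun/2008:14:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.23 - - [10/Jun/2008:14:00:30 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/3.0"
'''
LINE_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def parse(log_text):
    """Yield (ip, timestamp, user_agent) for each well-formed IPv4 line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(3)

def longest_run(octets):
    """Length of the longest run of consecutive last octets."""
    best, run, prev = 0, 0, None
    for o in sorted(octets):
        run = run + 1 if prev == o - 1 else 1
        best, prev = max(best, run), o
    return best

def analyse(log_text, min_run=4, max_gap_s=5.0):
    """Return (sweeps, multi_ua): /24s walked host by host, and IPs with several user agents."""
    hosts, times, agents = defaultdict(set), defaultdict(list), defaultdict(set)
    for ip, ts, ua in parse(log_text):
        prefix, _, last = ip.rpartition(".")
        hosts[prefix].add(int(last))
        times[prefix].append(ts)
        agents[ip].add(ua)
    sweeps = {}
    for prefix, octets in hosts.items():
        t = times[prefix]
        mean_gap = (max(t) - min(t)).total_seconds() / max(len(t) - 1, 1)
        if longest_run(octets) >= min_run and mean_gap <= max_gap_s:  # assumed thresholds
            sweeps[prefix + ".0/24"] = {"hosts": sorted(octets), "mean_gap_s": mean_gap}
    multi_ua = {ip: sorted(uas) for ip, uas in agents.items() if len(uas) > 1}
    return sweeps, multi_ua

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

To run it on a real log, pass the file's text to `analyse()`; both thresholds need tuning to the site's normal traffic.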
