HELP: Our server is getting a DOS attack from an eircom DSL number. I need to find a way of contacting eircom NOC. Any ideas? Standard tech support numbers aren't helping!
10 months, 3 weeks ago.
20 comments so far
best thing right now: take it off line, or if possible block Eircom IPs.
10 months, 3 weeks ago by runningwithbulls
who is your hosting with? contact their tech support, and tell them.
One thing: how are you sure it's being DOS'ed? Is it one IP all the time?
10 months, 3 weeks ago by runningwithbulls
From experience Eircom.net will not be too much help right now.
Best help you can get is from your hoster.
10 months, 3 weeks ago by runningwithbulls
Hey, thanks for the advice.
Just was busy trying to track down a number. I've managed to get a number for Ciaran O'Gara by just going through extension numbers at the NOC until I got a voice message.
We're getting hammered by one IP (which is 83.71.60.35) and we're trying to track down what URL it's trying to take down.
Hosting365 have said that they can't block it for us, and we're working on blocking this IP after doing a bit of research.
We've taken apache offline so that the server isn't getting completely hammered..
10 months, 3 weeks ago by alexleonard
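Added example, not part of the thread or any poster's code: one way to answer the two questions raised above ("is it one IP all the time?" and "what URL is being hit?") from Apache access-log lines, then emit an .htaccess deny rule for the dominant address. The log lines, addresses (documentation ranges), paths and the 50% threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Apache common/combined log prefix: client ident user [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def build_sample_log():
    """Constructed sample: one client flooding one URL among ordinary traffic."""
    lines = [f'198.51.100.7 - - [01/Jan/2000:16:00:{i % 60:02d} +0000] '
             '"GET /index.php?id=3 HTTP/1.1" 200 5120' for i in range(90)]
    clients = ["203.0.113.10", "203.0.113.22", "192.0.2.5"]
    paths = ["/", "/contact", "/mail/"]
    for i in range(10):
        lines.append(f'{clients[i % 3]} - - [01/Jan/2000:16:01:{i:02d} +0000] '
                     f'"GET {paths[i % 3]} HTTP/1.1" 200 2048')
    lines.append("truncated or garbage line")  # must be skipped, not crash
    return lines

def summarize(lines, share_threshold=0.5):
    """Report the busiest client, its share of requests, and what it asks for."""
    hits = [m.groups() for m in map(LOG_RE.match, lines) if m]
    if not hits:
        return None
    per_ip = Counter(ip for ip, _, _, _ in hits)
    top_ip, top_count = per_ip.most_common(1)[0]
    share = top_count / len(hits)
    top_paths = Counter(p for ip, _, p, _ in hits if ip == top_ip).most_common(3)
    return {"total": len(hits), "top_ip": top_ip, "share": share,
            "single_source": share >= share_threshold, "top_paths": top_paths}

def htaccess_block(ip):
    """Apache 2.2-style deny rule (mod_access_compat on 2.4) for one address."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on anything not an IP
    return f"Order Allow,Deny\nAllow from all\nDeny from {addr}\n"

if __name__ == "__main__":
    report = summarize(build_sample_log())
    print(report)
    if report["single_source"]:
        print(htaccess_block(report["top_ip"]))
```

An .htaccess rule only helps while Apache is still able to serve requests; a packet-level block drops the traffic before it reaches the web server.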
hosting365 can't block it for you? that doesn't sound helpful. is it your server, or hosting365's? unless you can do a rule in .htaccess file to block that IP...
10 months, 3 weeks ago by runningwithbulls
Fortunately our server admin is staying with us at the moment so we've got a little hive of activity trying to work out what is going on.
Warren (our admin) has been on to eircom.net trying to get a number from them and he really gave them some amount of his mind when they wouldn't help. Eventually he was being put through to a manager who hung up on him.
10 months, 3 weeks ago by alexleonard
hosting365 would have to log on to lots of routers and set up blocks for 1 IP address and warren feels this is fair enough.
We've taken a TCP dump of the attack (which is still going on) and we're just analysing now
10 months, 3 weeks ago by alexleonard
well that IP seems to have VNC active, so it could be a hacked machine running VNC...at a guess. I hope it goes ok. I am off out to the cinema, so i can't help. i'd look at the .htaccess rule to block it
10 months, 3 weeks ago by runningwithbulls
Eircom NOC won't take calls from the public so you're not going to get help from them.
10 months, 3 weeks ago by ciotog
http://www.clockwatchers.com/htaccess_block.html shows how to block an IP from .htaccess file.
10 months, 3 weeks ago by runningwithbulls
@alexleonard take the tcpdump, but ultimately you want the IP blocked from accessing your machine.
If the machine is a hosting 365 machine, then, tbh, I wouldn't care...since they haven't helped you.
backup your data, and then move later on.
that is bad show.
i'll be back later on. i hope you get it blocked.
10 months, 3 weeks ago by runningwithbulls
Have you tried calling the numbers listed on http://www.db.ripe.net/whois?formtype=simple&fullquerystring=&searchtext=83.71.60.35&dosearch=Search
10 months, 3 weeks ago by ciotog
Well it's our own collocation server. The attack was underway for a good few hours this afternoon before we noticed (I was working on music).
I was trying to access his VNC session there by guessing the password, but no joy ;)
We're going to try to block it at a packet level and see if we're kept safe by that.
10 months, 3 weeks ago by alexleonard
you could try the number on RIPE:
person: Brian Dillon
address: Eircom
address: Bianconi Avenue
address: Citywest, Dublin 24
address: Ireland
phone: +353 1 7017897
e-mail: briandillon@eircom.ie
but that is where the DSLAM are hosted, they really aren't going to care right now, like ciotog said, about a call from a non-hoster/isp person.
block the IP. rip pieces off Hosting 365, then contact eircom.net abuse during the week and send them the dump
10 months, 3 weeks ago by runningwithbulls
@ciotog Aye, called those but it just goes through to a message minder.
I tried +353 1 7017100 and that goes through to the reception but there's no answer. I've been slowly going through each of the extension numbers assuming that i'll get through to someone in the building eventually..
10 months, 3 weeks ago by alexleonard
@ciotog and @runningwithbulls
Thanks for the help guys. Much appreciated having good heads out there to lend a helping hand.
Warren is going through the TCPdump now and working out a plan of action. He's pretty familiar with all this stuff having worked as Network Manager at BetDaq and previously "Network Security Expert" at HEANET.
I found this giant image of the eircom NOC but wasn't able to read any of the phone numbers!
http://www.voipsupply.ie/blog/images/eircom_noc.jpg
10 months, 3 weeks ago by alexleonard
Hmm, found an abuse@eircom phone number, might give that a try after we do a bit more investigation
remarks: abuse e-mail: <abuse@eircom.net>, phone: +353-1-7010000
10 months, 3 weeks ago by alexleonard
Well, we've firewalled out that IP address and have some tcp-dumps to try and work out what exactly was being attacked. Fingers crossed we'll get better info soon and will work out what is going on.
10 months, 3 weeks ago by alexleonard
@alexleonard how's it going?
10 months, 3 weeks ago by runningwithbulls
Well, after we firewalled the offending IP everything was fine obviously.
However just now I got a call from one of our clients' tech support company. Apparently one of their client sites was unable to access mail and their site on our server.
Guess what - it's the offending IP address that was DOS'ing our server.
Unbelievable. Our server goes down as a result of one of our own clients.
10 months, 2 weeks ago by alexleonard