How to find DoS attacker's contact data?
November 28, 2006 8:32 AM Subscribe
Some guy is DoS-attacking my mail server. Can I determine his name from his server's static IP?
I have my own little Windows Server 2003 hosted virtual dedicated server machine, i.e. I run my own web and mail servers (using IIS and MailEnable, respectively).
In the last few days my pop3 service crashed a few times a day. I read the log files and determined that some person with a static IP address is sending long, wierd packets to port 110 (POP3/APOP) causing the service to terminate unexpectedly.
In my picture this leaves little doubt that this is a denial of service attack, though I suspect the other server's operator is not aware of the attack (attacking my little personal server wouldn't benefit anyone, so I do not suspect malice).
I called the other guy's ISP and they told me to hand in paperwork so they could give my his contact data, which I can understand, since they are not supposed to hand out customer info nilly-willy. So I am going to send them a fax requesting the contact data.
But this is probably going to take some time and I want to resolve this problem fast, so I ask the hive mind: Given an IP address, how can I find out the owner of the server without his ISP's support? Reverse DNS lookup only yields a DNS name of the form server123-32-123-43.hostername.de, but I suspect the server can be found under additional domains for which I then might be able to get the contact info out of the DNS. Is it possible to find all records for a given IP?
Different approaches are also appreciated, of course.
I have my own little Windows Server 2003 hosted virtual dedicated server machine, i.e. I run my own web and mail servers (using IIS and MailEnable, respectively).
In the last few days my pop3 service crashed a few times a day. I read the log files and determined that some person with a static IP address is sending long, wierd packets to port 110 (POP3/APOP) causing the service to terminate unexpectedly.
In my picture this leaves little doubt that this is a denial of service attack, though I suspect the other server's operator is not aware of the attack (attacking my little personal server wouldn't benefit anyone, so I do not suspect malice).
I called the other guy's ISP and they told me to hand in paperwork so they could give my his contact data, which I can understand, since they are not supposed to hand out customer info nilly-willy. So I am going to send them a fax requesting the contact data.
But this is probably going to take some time and I want to resolve this problem fast, so I ask the hive mind: Given an IP address, how can I find out the owner of the server without his ISP's support? Reverse DNS lookup only yields a DNS name of the form server123-32-123-43.hostername.de, but I suspect the server can be found under additional domains for which I then might be able to get the contact info out of the DNS. Is it possible to find all records for a given IP?
Different approaches are also appreciated, of course.
Response by poster: The ISP I am dealing with here is a rather big company, so I cannot just call the appropriate person and resolve the issue directly. There will likely be paperwork involved, probably being sent back and forth. So I suppose this stuff would take time. Also, I am operating on the hypothesis that the server's owner isn't aware of what's happening and that he would and could gladly and quickly resolve the issue on his server on his own. Actually, I suspect some kind of worm.
And I want to use this as a learning opportunity, even though, as you correctly note, it is not my strict responsibility to care for other people's servers.
So, to phrase the question more broadly: Without resorting to illegal means, how much info can I gather about this server and its owner when the only thing I have is the IP address?
posted by Herr Fahrstuhl at 8:41 AM on November 28, 2006
And I want to use this as a learning opportunity, even though, as you correctly note, it is not my strict responsibility to care for other people's servers.
So, to phrase the question more broadly: Without resorting to illegal means, how much info can I gather about this server and its owner when the only thing I have is the IP address?
posted by Herr Fahrstuhl at 8:41 AM on November 28, 2006
Best answer: This question asks for pretty much the same thing; a way to get all the domain names for a given IP. webhosting.info has a free service, though it only returns all domains that have that IP as the root server. It does not return all hosts (aka "subdomains" that map to that IP). So depending on how current its information is, you may find a domain hosted on that IP which and be traced to an actual person, though whois information is often inaccurate or proxied nowadays. If it's proxied you can request the information from the service.
posted by George_Spiggott at 8:51 AM on November 28, 2006
posted by George_Spiggott at 8:51 AM on November 28, 2006
if the machine is running an smtp server (port 25), it will typically give away the primary domain in the banner.
unless the machine actually does something to give away its domain (such as running a webserver, email server, etc), you're pretty much out luck in terms of working it out on your own.
posted by slea at 8:58 AM on November 28, 2006
unless the machine actually does something to give away its domain (such as running a webserver, email server, etc), you're pretty much out luck in terms of working it out on your own.
posted by slea at 8:58 AM on November 28, 2006
Best answer: if you want to resolve this problem fast, then block the offending ip address. knowing the person's name buys you nothing. if they're not doing it on purpose, they won't know how to stop doing it anyway.
posted by facetious at 9:00 AM on November 28, 2006
posted by facetious at 9:00 AM on November 28, 2006
I'd just get my hosting firm to block the IP at their firewall and not put any more time into it unless it turns into a bigger attack.
posted by malevolent at 9:02 AM on November 28, 2006
posted by malevolent at 9:02 AM on November 28, 2006
Just block the IP entirely and be done with it. You can then spend your time more productively on other things.
posted by phearlez at 9:22 AM on November 28, 2006
posted by phearlez at 9:22 AM on November 28, 2006
some person with a static IP address is sending long, wierd packets to port 110 (POP3/APOP) causing the service to terminate unexpectedly. [...] Different approaches are also appreciated, of course.
How about not running a pop3 server that's so horribly insecure that it fails on a malformed packet? Or just not running pop3 at all, given that it is a plaintext protocol anyway (so your password is flapping out there in the breeze)?
posted by Rhomboid at 9:25 AM on November 28, 2006
How about not running a pop3 server that's so horribly insecure that it fails on a malformed packet? Or just not running pop3 at all, given that it is a plaintext protocol anyway (so your password is flapping out there in the breeze)?
posted by Rhomboid at 9:25 AM on November 28, 2006
What the others said about blocking the IP address. Also, our shared host has been under a ddos attack for the last 24 hours, so don't be surprised if there is more fun.
posted by SteveInMaine at 9:43 AM on November 28, 2006
posted by SteveInMaine at 9:43 AM on November 28, 2006
Response by poster: Thank you all, I went for blocking the IP.
posted by Herr Fahrstuhl at 5:40 AM on November 29, 2006
posted by Herr Fahrstuhl at 5:40 AM on November 29, 2006
This thread is closed to new comments.
posted by winston at 8:36 AM on November 28, 2006