Determining the Source of an Attack
Sometimes you realize that your system is under a denial-of-service attack. This could be either malicious or simply someone rapidly downloading all the pages of your Web site with the Linux wget command. Symptoms include a large number of established connections when viewed with the netstat command or an excessive number of entries in your firewall or Web server logs.
Sometimes the attack isn't a constant bombardment that your server can't handle, but one that you, the administrator, can't handle, such as e-mail spam. ISPs are usually very sensitive to complaints about spam, but even if you have the offending IP address, a traceroute won't give you any contact information for the ISP that owns it.
Sometimes DNS lookups aren't enough to determine who owns an offending IP address. You need another tool.
One of the better ones to use is the whois command. Use it with an IP address or DNS domain as its sole argument and it will provide you with all the administrative information you need to start your hunt. Here is an example for the yahoo.com domain:
[root@bigboy tmp]# whois yahoo.com
...
...
Administrative Contact:
Domain Administrator
(NIC-1382062)
Yahoo! Inc.
701 First Avenue
Sunnyvale
CA
94089
US
domainadmin@yahoo-inc.com
+1.4083493300
Fax- +1.4083493301
...
...
[root@bigboy tmp]#
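The steps above (find the busiest source addresses with netstat or the Web server logs, then look the address up with whois and pull out the administrative contact) can be scripted. The following is an added example, not part of the original tutorial: the function names, the sample log and netstat lines, and the whois block are all constructed here, and the whois block only mirrors the layout shown above with placeholder values. Real whois output varies between registries, so the `admin_email` parser assumes that layout; the only function that touches the network, `lookup_contact`, is defined but not run.

```sh
#!/bin/sh
# Added example for ranking attack sources and extracting a whois contact.
# Not from the original tutorial; all names and sample data are assumptions.

# Constructed Apache combined-log lines (not real traffic).
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /about.html HTTP/1.1" 200 1120
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /contact.html HTTP/1.1" 200 900
192.0.2.9 - - [10/Oct/2023:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /news.html HTTP/1.1" 200 3000'

# Constructed "netstat -tn" output (not real connections).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51235       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40000      TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.5:51236       ESTABLISHED'

# Constructed whois output in the layout the tutorial shows (placeholder values).
SAMPLE_WHOIS='Domain Name: EXAMPLE.COM
Registrar: EXAMPLE REGISTRAR

Administrative Contact:
Domain Administrator
(NIC-0000000)
Example Corp.
1 Example Street
Anytown
CA
00000
US
hostmaster@example.com
+1.5555550100
Fax- +1.5555550101

Technical Contact:
...'

# top_log_sources N: read combined-log lines on stdin and print "count ip"
# for the N busiest client addresses (field 1), busiest first.
top_log_sources() {
    n="${1:-5}"
    awk '{ print $1 }' | sort | uniq -c | sort -rn | head -n "$n" \
        | awk '{ print $1, $2 }'
}

# established_peers N: read "netstat -tn" output on stdin and print "count ip"
# for the N remote addresses holding the most ESTABLISHED connections.
# The port is stripped from the foreign address (field 5).
established_peers() {
    n="${1:-5}"
    awk '$6 == "ESTABLISHED" { sub(/:[0-9]+$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -rn | head -n "$n" | awk '{ print $1, $2 }'
}

# admin_email: print the first e-mail address inside the
# "Administrative Contact:" block of whois output read on stdin.
# Assumes the block layout shown in the tutorial; other registries differ.
admin_email() {
    awk '/^Administrative Contact:/ { inblock = 1; next }
         inblock && /^[[:space:]]*$/ { exit }
         inblock && /@/ { print; exit }'
}

# lookup_contact IP_OR_DOMAIN: the live version of the procedure. Needs
# network access and the whois client, so it is defined but not called here.
lookup_contact() {
    whois "$1" | admin_email
}

# Stand-alone demonstration on the constructed data.
echo "Busiest log sources:"
printf '%s\n' "$SAMPLE_LOG" | top_log_sources 3
echo "Most established connections:"
printf '%s\n' "$SAMPLE_NETSTAT" | established_peers 3
echo "Administrative contact from whois output:"
printf '%s\n' "$SAMPLE_WHOIS" | admin_email
```

In practice you would feed `top_log_sources` from your access log and `established_peers` from `netstat -tn`, then run `lookup_contact` on the top address and send your complaint to the contact it returns (many registries also list a separate abuse contact, which is the better target for a complaint when present).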