(This is a reference to http://www.linuxquestions.org/questi...44#post2698444 )

Hello folks, as the topic say Im searching a way to trace down the attacker, who is still attacking my website with some kind of DoS-attack.
I was never able to block the attacks in any way, so I decided that I will try to keep him blocked out of the system, but for that task I need his ip-address.


Does any of you have a clue/script that easily would reveal the attacker?

Are you running Apache by chance? Either way, either in apache server-logs, OR in your iptables logs (whatever you are using that logs connections/traffic) you should be able to identify, or atleast narrow down, the IP address(es) of the offending party, based on the connection time vs attack time.
Then use perl traceroute.pl and whois.sc (called 'domain tools' now) to identify what ISP & country the attacker is coming from.
Copy the information, and forward it to the offenders ISP, explaining the situation.
You personally will likely not be able to pin it down to ONE COMPUTER, but rather an ISP address pool and associated servers, and country.
In my limited experience, it can be VERY tiresome to try to block one single attacker from afar by using one IP address; instead, it is sometimes necessary to block an entire IP pool, or an entire country.

What should I do if the attacker uses proxy? - And how do I find out if he does / does not

I don't know about that, good question. But, by using traceroute, you can generally get the name/IP of any/all hops along the path from your server to the endpoint. Even a proxy server has an IP address.
With anonymous proxies, or hijacked proxies, you probably will not be able to identify proxies as proxies, but can still identify the server locale and IP.
For example, if someone is using another legitimate server/service illegally or fraudulently as a proxy, let's say a server at UCLA university, then that's what you will see---UCLA server.
As far as indepth discovery of each and every server, and whether they are actual proxies or not, is pretty much for the authorities to figure out. You would provide whatever information and IP information you have, to the ISP's who administer the IP's, and it's really up to them to do anything about it. It is, after all, illegal to abuse internet servers/services for purposes like this, but the average victim like yourself doesn't have the resources to pursue it themselves.
As mentioned, it's pretty difficult to get a whole lot of useful information with which to take effective action.
Also, as in the thread you linked to, one would think there would be a VERY effective method using iptables and syncookies, or some other technology, to pretty much eliminate DoS attacks.

Okay now, you see if have a big problem finding the correct ip.

I need a tool that can scan my log, searching for ip's that has connected a lot of times in a row, or something like that.

Is that something you have/know where to get?

Unfortunately I do not know exactly how you would do this. The last server admin I helped with this issue was on a very NON-busy server. My own website was defaced, and by the filetimes of the modifications to files in my root directory, crossreferenced with the Apache logs, we were able to pin it down to one IP address out of Amsterdam relatively easily. On a bigger or more busy system, the problem obviously is harder.
But you are on the right track to start with. If it is a Syn-flood sort of thing, you would have to find in the logs a large quantity of packets of whatever type (syn's with no ack/syn's I guess) which arrived in short order, just before the time of the overload.
Using something like 'fwlogwatch' combined with iptables, you can dynamically alter the iptables rules when an attack commences, but how to do this is beyond the scope of my knowledge/ability. You could use 'fwlogwatch' to scan the logs though, as it is very configurable, and reads a variety of standard log types, including Apache logs. I run it by crond, not because I have any MAJOR concerns, I don't even run a server, but I use it to look for crap or suspicious traffic on my LAN, which (lol) I never get
You can find 'fwlogwatch' on sourceforge, or softpedia, and/or using Google, if you're interested.

Alas, you may not finger the actual perp, in fact you usually don't. ISPs are frequently spoofed. The best bet is you actually do find a compromised server somewhere that is the offending party. But then it's not actually the ISP that's the problem, except to the extent their servers are insecure. It would still be a third party doing the dirty work.

If you see addresses originating from China, there is a slightly better outside chance you're looking at the correct IP, of a server that's hijacked. I recall reading that security and basic configuration of servers is a bit of a black art over there. But I have yet to find such to be the case, no doubt near everything like this is spoofed from the outset.

Better is set an iptables rule to drop packets from the offending IP. Smoothwall uses iptables, and gives you a very convenient GUI to handle such things. I highly recommend everyone get behind a smoothwall.

I routinely see odd traffic on my servers, wireshark shows the offending IP in a heartbeat, and iptables rules drop the suckers just as soon as I can get the rule written. (which again is done easily with the GUI provided by smoothwall)

Shorewall, guarddog and similar allow you to manipulate iptables on the host you're using. Not much familiar with these, just touched guarddog for the first time this week. Perhaps someone with more experience with these tools can chime in and tell us all if dropping a specific IP is doable with them.

cat

Spend a few pounds and get a hardware router or firewall box like I said in your original post. If you waste all your time tracking down every script kiddie you won't have time to ask any more questions on the forums. Do you want to spend the rest of your life adding IP rules for every idiot who tries to hack you? Just get a router and be done with it.

Have you even looked at your Apache logs? The IP is pretty obvious in there.

If this is a DDoS attack (and it is, if the attacker has 1/2 a clue), then the IP's listed in whatever logs on the victim's machine will contain only hijacked machines that are being used as "go-betweens" to cause all of the damage. To find the real ip, you need to a) track down those machines and request access to them, b) get access to the machines, c) pray the attacker overlooked something (rootkit doesn't properly hide itself, a sniffer like tcpdump or wireshark catches a live interaction between the attacker and the compromised machine), d) repeat steps a - c until you get back to either the attacker's machine, or (in some cases) a password protected "bot channel" on some obscure IRC network.

This is why most DDoS attacks against individuals are never resolved, and against major governments or corporations are *rarely* resolved.

edit - I'd have to agree with Randux here...dump a few dollars/pounds/yen/whatever and get a decent router/firewall, or another machine running Smoothwall or IpCop (as catworld stated), or "roll your own" with OpenBSD and pf. Don't waste time trying to hunt the dude down...you'll hit brick walls and the like until you run out of time or money or interest.

I was only suggesting that it might be a DoS of limited scope... some script kiddies are stupid enough to run things off their own computers, and there might be a single Class C that is blockable. You never know.