Attack on port 445
hlrguy
02-07-2003, 10:08 PM
I was just under attack on port 445. My firewall started scrolling like crazy. Tons of hits on port 445. All were discarded and nothing bad happened. I did a flood ping back to the source for 2 minutes, and it stopped.
I was wondering though, what is the best way to let someone know you are 'on to them' and cause the possible panic when they know they are busted. Any ideas?
hlrguy
trace their IP address to a name and send an email to their ISP - although if they are smart they are probably spoofing someone else's IP.
i usually start about 5 ping processes and flood them :)
hlrguy
02-07-2003, 10:34 PM
I am actively searching the web to see if traceroute, etc. can resolve whether it is a spoofed IP or not. I did get responses back to all the pings though. Usually I don't, as the person has their own firewall set up to drop them.
hlrguy
The thing is, it's hard to get a response back if you are spoofing your IP. Maybe if he wanted to DoS you it would work, but if he wanted a response, he would need to hijack someone else's comp first (I think).
sharth
02-07-2003, 11:03 PM
yeah. as far as i know that is correct kam. because if the attacked computer gets packets from 111.111.11.1 then it will respond to that comp, not to some other one.
hlrguy
02-07-2003, 11:09 PM
That is what I figured when I got the ping response back. When I don't, it is usually better 'cause then I show up on their radar (Firewall). This is cool stuff.
hlrguy
Null_Logik
02-09-2003, 06:48 AM
Ok, one thing you can do is go to http://www.dshield.org/ and do a search on your attacker. You can usually find out whether the IP has been reported before; if not, report them :D . Also scan your attacker's system, see what you come up with (i.e. http, ftp, mail, etc.), then scout for info from the servers. If the system is running a web server then go to it, and if it is a legit site then the IP was spoofed; if it isn't, it's most likely the attacker's server or one of their friends that loans them a shell account. Firewall logs aren't all that great unless your firewall captures the packets, but posting the logs would be great; maybe someone can pick out the vulnerability the attacker was trying. Most of the time it is some vulnerability picked up by a lamer at some site trying to be z3r0 c00l and impress 4c1d 8u5n. ;)
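
An added example, not part of the thread or any poster's code: summarizing dropped port 445 hits per source address, the detail you would look up at DShield or attach to an ISP abuse report. The log lines are constructed and assume Linux iptables LOG format with a hypothetical `DROP445` prefix (the thread does not name the firewall); addresses come from documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample lines in Linux iptables LOG format (an assumption: the
# thread does not say which firewall was in use). "DROP445" is a hypothetical prefix.
SAMPLE_LOG = """\
Feb  7 22:01:13 gw kernel: DROP445 IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.7 LEN=48 TTL=112 PROTO=TCP SPT=3127 DPT=445 SYN
Feb  7 22:01:13 gw kernel: DROP445 IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.7 LEN=48 TTL=112 PROTO=TCP SPT=3128 DPT=445 SYN
Feb  7 22:01:14 gw kernel: DROP445 IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.7 LEN=48 TTL=112 PROTO=TCP SPT=3129 DPT=445 SYN
Feb  7 22:03:40 gw kernel: DROP445 IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TTL=50 PROTO=TCP SPT=4001 DPT=445 SYN
Feb  7 22:04:02 gw kernel: DROP445 IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TTL=50 PROTO=TCP SPT=4002 DPT=80 SYN
Feb  7 22:05:00 gw kernel: eth0: link up
"""

# Syslog timestamp, then the SRC=, PROTO= and DPT= fields in iptables order.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?\bSRC=(?P<src>\S+)\s.*?"
    r"\bPROTO=(?P<proto>\S+)\s.*?\bDPT=(?P<dpt>\d+)\b"
)

def summarize(log_text, port=445):
    """Group logged hits on `port` by source address."""
    stats = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "ttls": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dpt"]) != port:
            continue  # not a firewall hit, or a different destination port
        s = stats[m["src"]]
        s["hits"] += 1
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
        ttl = re.search(r"\bTTL=(\d+)", line)
        if ttl:
            # Several different TTLs under one source address can hint at
            # more than one real sender behind it (a heuristic, not proof).
            s["ttls"].add(int(ttl.group(1)))
    return dict(stats)

def report(stats):
    """One line per source, busiest first, for pasting into an abuse report."""
    rows = sorted(stats.items(), key=lambda kv: -kv[1]["hits"])
    return [f"{src}: {s['hits']} hits, {s['first']} to {s['last']}, TTL {sorted(s['ttls'])}"
            for src, s in rows]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Syslog timestamps carry no year or timezone, so state both when sending the summary to an ISP abuse contact.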