ok guys, it happened again :-(
I'll give you a short summary in English:
I got an email from Strato saying that my server was the target of another DoS attack. They sent me a link to their fair usage document where they say there are rules against which I am acting (by letting myself get attacked!)
They will cut my server off the net to prevent damage to their networks...
I can still access my server through a remote recovery console and I should resolve my problems.
If I have any explanations as to why I am being attacked I shall notify them and they tell me to do anything possible to prevent myself from further attacks.
They gave me time to resolve the problems until the 17.02.2006 - what problems?
What the heck can I do if I am getting attacked?
I was still able to access the server through ssh for maybe an hour and neither the logs nor netstat were showing me an unusual amount of incoming connections, nor were there SYN attacks to be seen at first glance. My graphical output of statistics didn't show anything either...
Now I think that if there was an attack there had to be at least some traces of this attack in my logfiles.
I am going to write them a similar email asking for details about the type of the attack, the duration and log excerpts - I mean they must base their accusations upon something.
AND I think I have to change providers, although I am usually a very steady customer, but this is too much.
Any suggestions or ideas?
Sorry, I have to give you more info: the mail reached me with a huge delay of several hours. After I talked to them on the phone they gave me the exact time of the attack and I found some traces. I am currently examining the logfiles.
Not much inside the usual syslog files. Is there any other place where I can grab some info? If not, can anyone explain how to set up some firewall rules to log attacks of any kind? Just some hints or so would be great.
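
Added example, not part of the original post: a small shell helper for the netstat check described above, which counts half-open (`SYN_RECV`) TCP sockets and groups them by remote address. The function names, the threshold argument and the sample output (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Summarise `netstat -ant` output to look for SYN-flood traces.
# On a live host: netstat -ant | half_open_by_source

# Constructed sample of `netstat -ant` output (documentation-range addresses).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40114      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.9:50022       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       TIME_WAIT
EOF
}

# count_state STATE: number of TCP sockets in STATE (netstat output on stdin).
count_state() {
    awk -v s="$1" '$1 ~ /^tcp/ && $6 == s { n++ } END { print n + 0 }'
}

# half_open_by_source: "count ip" per remote address with SYN_RECV sockets,
# busiest first. Flood sources are often spoofed, so a long list of
# addresses with one or two entries each is as telling as one big talker.
half_open_by_source() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
             ip = $5; sub(/:[0-9*]+$/, "", ip); c[ip]++
         }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# syn_verdict THRESHOLD: "suspicious N" when the total number of half-open
# sockets exceeds THRESHOLD (a value you pick from your normal baseline).
syn_verdict() {
    n=$(count_state SYN_RECV)
    if [ "$n" -gt "$1" ]; then echo "suspicious $n"; else echo "normal $n"; fi
}

# Demo run on the constructed sample.
sample_netstat | half_open_by_source
```

Running the summary from cron every minute and appending the output to a file gives a record that survives after the connections themselves are gone.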