I've been dealing with a hack on a site. I ended up wiping it and starting again - this was no loss as it was a small site and all content was backed up - took a couple of hours to get going again.
I notice that the attackers were using many IP addresses that weren't theirs, so my question is how do they do this?
They might not have spoofed IPs. There are many botnets that are used for blanket attacks across the entire Internet. So while the IPs are not the hacker's home IP, they are real, unspoofed IPs.
They could also have been spoofed IPs. The process is simple. The "return address" in a network packet is about the same as a return address on a paper envelope. You could write anything there. So, some IP spoofing attacks enter random IPs or they enter the IP of the target that they want a ton of spurious traffic to hit (i.e. the "real" target)
The problem with a spoofed "return address" is that all traffic your server sends back goes to the "not-attacker" IP. So if the attacker wants any type of response from your server, like trying to log in, SQLi, etc. they can't spoof the return IP. It would be like sending a blackmail letter but someone else gets the money.
