Hi,
Depending on the capabilities of your router-firewall, you may be able to do ingress filtering, meaning that the firewall will check if the packets are coming from the network they claim they originate from, in other words that the origin address in the packets is not spoofed. The document RFC 2667 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, issued in 1998 and available from [www.faqs.org], recommends that ISPs should be doing ingress filtering.
If the attacker is controlling an army of bots or zombies, the attacks could be coming from anywhere and blocking a subnet in .htaccess would not be very effective.
If the IP addresses in your sample are the actual addresses, the source of the DOS packets may not actually be Japan. For example 210.213.145.151 according to a 'whois' query on a Linux box is in the Philippines. Regarding 230.212.145.122, 'whois' says "This block is reserved for special purposes. Comment: Please see RFC 3171 for additional information." That address may actually be used for some sort of network control purposes.
The spoofed IP address could be the address of the actual targeted company or institution where the response packets are directed to go.
There is a module for Apache, mod_evasive, designed to protect Apache from DOS attacks. More information at [www.zdziarski.com] but I could not see a Windows version of it.
It looks as if your firewall would benefit from a good Intrusion Detection component.
Regards,
toivo
Sydney, Australia
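
Added example, not part of the original post: a Python sketch of the two checks discussed above, flagging logged source addresses that cannot be genuine Internet senders (such as the multicast-range address quoted in the post) and applying the ingress-filter rule to a customer-facing interface. The function names and the 203.0.113.0/24 customer prefix are constructed for illustration.

```python
import ipaddress

# IPv4 ranges that can never be a legitimate unicast source on the public Internet.
BOGON_SOURCES = {
    "0.0.0.0/8": "this-network",
    "10.0.0.0/8": "private",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local",
    "172.16.0.0/12": "private",
    "192.168.0.0/16": "private",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved",
}
_BOGONS = [(ipaddress.ip_network(n), why) for n, why in BOGON_SOURCES.items()]


def bogon_reason(src):
    """Return why src cannot be a real Internet source, or None if it is plausible."""
    addr = ipaddress.ip_address(src)
    for net, why in _BOGONS:
        if addr in net:
            return why
    return None


def ingress_permits(src, assigned_prefixes):
    """Ingress-filter rule: accept a packet only if its source lies inside
    a prefix assigned to the interface it arrived on."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in assigned_prefixes)


def triage(sources):
    """Split logged source addresses into (impossible, plausible)."""
    impossible, plausible = {}, []
    for s in sources:
        why = bogon_reason(s)
        if why:
            impossible[s] = why
        else:
            plausible.append(s)
    return impossible, plausible


if __name__ == "__main__":
    logged = ["210.213.145.151", "230.212.145.122"]  # the two addresses quoted in the post
    impossible, plausible = triage(logged)
    print("cannot be genuine sources:", impossible)
    print("routable, needs whois/rate analysis:", plausible)
    # Constructed customer prefix (documentation range) on a customer-facing port.
    print(ingress_permits("230.212.145.122", ["203.0.113.0/24"]))
```

A plausible address is only "not provably spoofed"; it can still be forged, which is why the filtering has to happen at the network where the packet enters.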