[Intrusions] DDoS - mpecllc.com and friends - final input to the discussion group
David McCall
david at atgi.net
Wed Feb 2 21:05:32 GMT 2005
This will be my final input on this ongoing DDoS....
At present the attack still continues:
1107377400.832 3 64.171.117.122 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377400.837 0 146.145.80.41 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377400.872 4 216.229.217.218 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377400.939 0 164.83.235.70 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377400.962 4 206.74.9.238 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377400.964 2 69.231.211.237 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377401.029 52 65.41.83.45 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377401.064 2 216.229.204.171 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377401.151 44 65.137.32.136 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377401.235 14 68.94.171.51 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377401.238 0 24.47.175.49 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377401.320 14 68.163.56.84 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377401.390 5 66.254.132.41 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377401.399 7 172.168.140.144 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377401.459 5 66.140.86.41 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377401.487 4 4.8.220.174 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377401.540 15 206.74.9.238 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377401.581 20 4.152.255.59 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377401.626 11 66.171.80.172 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377401.719 6 69.60.35.3 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
And the list of IP addresses currently being blocked:
66887 /etc/untrusted
We've set up this band-aid by isolating the attacked domain in a sandbox server by itself and front-ended
this server with an x386 OpenBSD engine running SQUID as a proxy server. All requests for robots.txt and
entry.php are tossed by the SQUID machine. IP addresses are collected and placed into a blacklist file,
/etc/untrusted. I guess we just keep this going forever, unless something fairly magickal happens....
This has been going on for a month. The implications of the problem if this malware is tweaked just a
little bit to include a larger list of web site domain names are just a little unnerving, especially if
it is released from multiple locations around the globe.
I've sent as much documentation to the FBI, CIA, CERT, and this list hoping that perhaps you all might get
enough information to make a preventative for yourselves. However, at present, I have doubts that everyone
will be simply happy with the band-aid remedy we've engineered.
At any rate, I have two files if anyone is interested:
gzip'd sorted listing of the 66,887 blocked IPs 240KB
gzip'd chronological access.log that is about 2-3 weeks of data 8.3MB
If anyone on the list would like to see either or both of these I'll be happy to pass them
along to you.
Thanks again
David C. McCall
UNIX Administrator
===================
admin at atgi.net
david at atgi.net
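As an added example (not from David's post or his setup), here is a small Python script that does the bookkeeping his SQUID front end does: parse native-format squid access.log lines, count the clients requesting the tossed paths robots.txt and entry.php, measure how fast they arrive, and emit the offenders in the one-IP-per-line shape of /etc/untrusted. The sample lines are copied from the excerpt above plus one constructed legitimate request from 192.0.2.10.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Native squid access.log: time elapsed client result/status bytes method URL ident hier/peer type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Four lines copied from the excerpt above plus one constructed legitimate request (192.0.2.10).
SAMPLE_LOG = """\
1107377400.832 3 64.171.117.122 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377400.962 4 206.74.9.238 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377401.540 15 206.74.9.238 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1107377401.700 12 192.0.2.10 TCP_MISS/200 5120 GET http://mpecllc.com/index.html - DIRECT/192.0.2.1 text/html
1107377401.719 6 69.60.35.3 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
""".splitlines()

def parse_squid_line(line):
    """Fields of one native-format squid line, or None if it does not parse."""
    m = SQUID_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["path"] = urlsplit(rec["url"]).path  # e.g. "/robots.txt"
    return rec

def attack_hits(lines, targeted=("/robots.txt", "/entry.php")):
    """Count requests per client IP for the paths the proxy tosses; other traffic is ignored."""
    hits = Counter()
    for rec in map(parse_squid_line, lines):
        if rec and rec["path"] in targeted:
            hits[rec["client"]] += 1
    return hits

def blocklist(hits):
    """Unique offending IPs in numeric order, the one-per-line shape of /etc/untrusted."""
    return sorted(hits, key=ipaddress.ip_address)

def hit_rate(lines, targeted=("/robots.txt", "/entry.php")):
    """Targeted requests per second across the log span (the count itself if all share one timestamp)."""
    stamps = [r["ts"] for r in map(parse_squid_line, lines) if r and r["path"] in targeted]
    if not stamps:
        return 0.0
    span = max(stamps) - min(stamps)
    return len(stamps) / span if span > 0 else float(len(stamps))
```

Feeding a real access.log through attack_hits and writing blocklist() out gives the same file the proxy's blacklist is built from, and hit_rate() shows whether the flood is slowing down over the weeks.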