[Intrusions] We are experiencing a DDoS attacking one of our domains - mpecllc.com

Ken Connelly Ken.Connelly at uni.edu
Mon Jan 17 17:58:17 GMT 2005


This must have gotten lost in the moderator's queue...  What ended up 
happening here?

- ken

David McCall wrote:

>At last count I have isolated 21,000 unique IP addresses that are pounding our dns and web servers
>for robots.txt and entry.php.......
>
>This domain is effectively down because of this issue.  We had to move it to a sand box server and 
>this was ineffective after 24 hours.  If I enable the domain and turn on the web site the initial
>attack is 200-400 attacks per second, consisting of a GET for robots.txt or entry.php, neither of 
>which exist on the site.
>
>I've notified mci.com and verio.net abuse depts.  
>
>I've filed a report with FBI and wanted to make you all aware of what is going on:
>
>IFCC COMPLAINT REFERRAL REPORT 
>Complaint Number: I05011113017305 
>The following information was provided by the victim and will be forwarded to the appropriate law 
>enforcement or regulatory agency. 
>Computer Intrusion/Hacking 
>Date of Complaint: 1/11/2005 1:01:35 PM 
>Victim Information 
>Business Name: Eschelon Telecom 
>Name: David Chester McCall 
>DOB: 11/21/1954 
>Gender: M 
>Phone #: 707-284-5695 
>Email: david at atgi.net 
>Address: 19 Old Courthouse Square 
>Santa Rosa, CA 95404 
>Live in city limits: No 
>County: Sonoma 
>Country: USA 
>Do you have pertinent documents in paper form? No 
>Please indicate who your local law enforcement agency is: 
>http://ci.santa-rosa.ca.us/default.aspx?PageId=119 
>Please List the easiest way and most convenient time to contact you: 
>david at atgi.net 
>707-477-7466 cell phone 
>707-792-0482 home 
>Information about the Business that victimized you. 
>Name: 
>Gender: U 
>Phone #: 
>Current Email: 
>Address: 
>Country: USA 
>
>Contact between you and the Person/company that victimized you. 
>Type of Contact: Web Page 
>Date of Contact: 01/05/2005 
>Contact Information: 
>DDoS attack on one of our hosted domains: www.mpecllc.com 
>Brief log excerpt below: 
>www.mpecllc.com 68.70.227.25 - - [10/Jan/2005:11:10:49 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>www.mpecllc.com 24.247.2.226 - - [10/Jan/2005:11:10:49 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>www.mpecllc.com 68.253.255.21 - - [10/Jan/2005:11:10:49 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>www.mpecllc.com 68.80.225.249 - - [10/Jan/2005:11:10:49 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>www.mpecllc.com 128.227.58.20 - - [10/Jan/2005:11:10:50 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>www.mpecllc.com 24.211.249.43 - - [10/Jan/2005:11:10:50 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>www.mpecllc.com 70.178.8.21 - - [10/Jan/2005:11:10:50 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>www.mpecllc.com 4.29.92.66 - - [10/Jan/2005:11:10:50 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>www.mpecllc.com 207.81.81.85 - - [10/Jan/2005:11:10:50 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>www.mpecllc.com 68.36.53.42 - - [10/Jan/2005:11:10:50 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>www.mpecllc.com 63.198.19.106 - - [10/Jan/2005:11:10:50 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>www.mpecllc.com 65.196.186.6 - - [10/Jan/2005:11:10:50 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>
>www.mpecllc.com 69.211.75.13 - - [10/Jan/2005:11:10:50 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>www.mpecllc.com 65.40.1.55 - - [10/Jan/2005:11:10:50 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>www.mpecllc.com 141.157.196.180 - - [10/Jan/2005:11:10:50 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>www.mpecllc.com 216.170.177.114 - - [10/Jan/2005:11:10:50 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>www.mpecllc.com 24.250.111.104 - - [10/Jan/2005:11:10:50 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>www.mpecllc.com 66.69.186.184 - - [10/Jan/2005:11:10:50 - 
>0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; 
>MSIE 6.0; Windows NT 5.1)" 
>Additional Information: 
>We have had to disable this customer site as the attack eventually 
>brings down the server. However this attack continues and can be 
>viewed by the DNS queries from our name servers (brief listing below): 
>Jan 11 09:27:03 e4500a named[280]: XX /24.25.195.1/mpecllc.com/A/IN 
>Jan 11 09:27:09 e4500a named[280]: XX /66.186.224.158/mpecllc.com/A/IN 
>Jan 11 09:27:12 e4500a named[280]: XX /68.1.208.23/mpecllc.com/A/IN 
>Jan 11 09:27:20 e4500a named[280]: XX /66.129.37.38/mpecllc.com/A/IN 
>Jan 11 09:27:23 e4500a named[280]: XX /68.73.225.60/mpecllc.com/A/IN 
>Jan 11 09:27:26 e4500a named[280]: XX /167.206.3.247/mpecllc.com/A/IN 
>Jan 11 09:27:43 e4500a named[280]: XX /209.204.64.3/mpecllc.com/A/IN 
>Jan 11 09:27:25 e4500B named[20019]: XX /68.35.192.6/mpecllc.com/A/IN 
>Jan 11 09:27:26 e4500B named[20019]: 
>XX /167.206.3.248/mpecllc.com/A/IN 
>Jan 11 09:27:27 e4500B named[20019]: XX /68.73.225.60/mpecllc.com/A/IN 
>Jan 11 09:27:28 e4500B named[20019]: 
>XX /213.129.10.130/mpecllc.com/A/IN 
>Jan 11 09:27:30 e4500B named[20019]: XX /65.32.1.79/mpecllc.com/A/IN 
>Jan 11 09:27:34 e4500B named[20019]: 
>XX /209.244.4.189/mpecllc.com/A/IN 
>Jan 11 09:27:40 e4500B named[20019]: 
>XX /167.206.3.184/mpecllc.com/A/IN 
>Jan 11 09:27:45 e4500B named[20019]: XX /24.140.1.132/mpecllc.com/A/IN 
>Jan 11 09:27:58 e4500B named[20019]: 
>XX /204.127.202.35/mpecllc.com/A/IN 
>
>Jan 11 09:28:10 e4500B named[20019]: 
>XX /206.135.241.66/mpecllc.com/A/IN 
>Jan 11 09:27:30 queue named[26183]: [ID 295310 daemon.info] 
>XX /137.39.110.165/mpecllc.com/A/IN 
>Jan 11 09:27:32 queue named[26183]: [ID 295310 daemon.info] 
>XX /208.204.150.212/mpecllc.com/A/IN 
>Jan 11 09:27:33 queue named[26183]: [ID 295310 daemon.info] 
>XX+/152.1.1.206/mpecllc.com/A/IN 
>Jan 11 09:27:37 queue named[26183]: [ID 295310 daemon.info] 
>XX /152.38.30.122/mpecllc.com/A/IN 
>Jan 11 09:27:44 queue named[26183]: [ID 295310 daemon.info] 
>XX /63.64.9.19/mpecllc.com/A/IN 
>Jan 11 09:27:47 queue named[26183]: [ID 295310 daemon.info] 
>XX /207.65.122.221/mpecllc.com/A/IN 
>Jan 11 09:27:52 queue named[26183]: [ID 295310 daemon.info] 
>XX /24.92.32.23/mpecllc.com/AAAA/IN 
>Jan 11 09:27:55 queue named[26183]: [ID 295310 daemon.info] 
>XX /209.86.63.205/mpecllc.com/A/IN 
>Jan 11 09:28:03 queue named[26183]: [ID 295310 daemon.info] 
>XX /216.162.16.130/mpecllc.com/A/IN 
>Jan 11 09:28:05 queue named[26183]: [ID 295310 daemon.info] 
>XX /206.64.117.231/mpecllc.com/A/IN 
>Jan 11 09:28:05 queue named[26183]: [ID 295310 daemon.info] 
>XX /216.162.16.131/mpecllc.com/A/IN 
>Jan 11 09:28:07 queue named[26183]: [ID 295310 daemon.info] 
>XX /68.57.192.6/mpecllc.com/A/IN 
>Jan 11 09:28:09 queue named[26183]: [ID 295310 daemon.info] 
>XX /68.168.192.5/mpecllc.com/A/IN 
>Jan 11 09:28:17 queue named[26183]: [ID 295310 daemon.info] 
>XX /152.3.250.1/mpecllc.com/A/IN 
>Jan 11 09:28:21 queue named[26183]: [ID 295310 daemon.info] 
>XX /24.28.99.62/mpecllc.com/A/IN 
>Jan 11 09:28:25 queue named[26183]: [ID 295310 daemon.info] 
>XX /137.159.198.137/mpecllc.com/A/IN 
>Jan 11 09:28:31 queue2 named[29380]: [ID 295310 daemon.info] 
>XX /12.38.46.250/mpecllc.com/A/IN 
>Jan 11 09:28:31 queue2 named[29380]: [ID 295310 daemon.info] 
>XX /209.244.4.51/mpecllc.com/A/IN 
>Jan 11 09:28:31 queue2 named[29380]: [ID 295310 daemon.info] 
>XX /63.243.88.30/mpecllc.com/A/IN 
>Jan 11 09:28:32 queue2 named[29380]: [ID 295310 daemon.info] 
>XX /69.152.0.5/mpecllc.com/A/IN 
>Jan 11 09:28:36 queue2 named[29380]: [ID 295310 daemon.info] 
>XX /64.78.119.1/mpecllc.com/A/IN 
>
>Jan 11 09:28:37 queue2 named[29380]: [ID 295310 daemon.info] 
>XX /192.216.106.50/mpecllc.com/A/IN 
>Jan 11 09:28:37 queue2 named[29380]: [ID 295310 daemon.info] 
>XX /32.97.118.68/mpecllc.com/A/IN 
>Jan 11 09:28:39 queue2 named[29380]: [ID 295310 daemon.info] 
>XX /206.230.181.2/mpecllc.com/A/IN 
>Jan 11 09:28:40 queue2 named[29380]: [ID 295310 daemon.info] 
>XX /205.188.118.22/mpecllc.com/A/IN 
>Jan 11 09:28:43 queue2 named[29380]: [ID 295310 daemon.info] 
>XX /64.7.232.10/mpecllc.com/A/IN 
>Jan 11 09:28:46 queue2 named[29380]: [ID 295310 daemon.info] 
>XX /216.226.178.11/mpecllc.com/A/IN 
>Jan 11 09:28:51 queue2 named[29380]: [ID 295310 daemon.info] 
>XX /129.219.13.81/mpecllc.com/A/IN 
>Jan 11 09:28:31 webserv named[24989]: [ID 295310 daemon.info] 
>XX /24.247.24.41/mpecllc.com/A/IN 
>Jan 11 09:28:35 webserv named[24989]: [ID 295310 daemon.info] 
>XX /151.164.1.3/mpecllc.com/A/IN 
>Jan 11 09:28:37 webserv named[24989]: [ID 295310 daemon.info] 
>XX /216.144.187.199/mpecllc.com/A/IN 
>Jan 11 09:28:38 webserv named[24989]: [ID 295310 daemon.info] 
>XX /12.34.129.27/mpecllc.com/A/IN 
>Jan 11 09:28:38 webserv named[24989]: [ID 295310 daemon.info] 
>XX /205.152.132.23/mpecllc.com/A/IN 
>Jan 11 09:28:42 webserv named[24989]: [ID 295310 daemon.info] 
>XX /66.133.128.138/mpecllc.com/A/IN 
>Jan 11 09:28:42 webserv named[24989]: [ID 295310 daemon.info] 
>XX /204.127.198.60/mpecllc.com/A/IN 
>Jan 11 09:28:56 webserv named[24989]: [ID 295310 daemon.info] 
>XX /24.29.99.16/mpecllc.com/A/IN 
>Jan 11 09:28:56 webserv named[24989]: [ID 295310 daemon.info] 
>XX /167.206.3.249/mpecllc.com/A/IN 
>Jan 11 09:28:56 webserv named[24989]: [ID 295310 daemon.info] 
>XX /216.110.87.10/mpecllc.com/A/IN 
>Jan 11 09:28:58 webserv named[24989]: [ID 295310 daemon.info] 
>XX+/66.189.130.21/mpecllc.com/A/IN 
>Jan 11 09:28:59 webserv named[24989]: [ID 295310 daemon.info] 
>XX /216.47.193.14/mpecllc.com/A/IN 
>Jan 11 09:29:03 webserv named[24989]: [ID 295310 daemon.info] 
>XX /66.189.130.5/mpecllc.com/A/IN 
>Jan 11 09:29:07 webserv named[24989]: [ID 295310 daemon.info] 
>XX /129.22.4.3/mpecllc.com/A/IN 
>Jan 11 09:29:07 webserv named[24989]: [ID 295310 daemon.info] 
>XX+/206.47.244.102/mpecllc.com/A/IN 
>Jan 11 09:29:07 webserv named[24989]: [ID 295310 daemon.info] 
>XX /199.18.39.5/mpecllc.com/A/IN 
>
>I have no immediate power to isolate where this is coming from but I can make you all aware of 
>what it is doing exactly.  mpecllc.com is now pointed to a 127.  IP address but this has not
>stopped the queries on our name servers, as you can see above.
>
>thanks ahead of time for any help you can offer..
>
>regards
>
>   Domain Name Services - AdvancedTelcomInc
>     David C. McCall - david at atgi.net 
>_______________________________________________
>Intrusions mailing list
>Intrusions at lists.sans.org
>http://www.dshield.org/mailman/listinfo/intrusions
>  
>
