[Intrusions] We are experiencing a DDoS attacking one of our domains - mpecllc.com
David McCall
david at atgi.net
Mon Jan 17 21:04:53 GMT 2005
as of right now, here's a snippet from 1 of our 6 name servers:
Jan 17 13:01:54 e4500B named[28937]: XX /63.195.114.61/mpecllc.com/A/IN
Jan 17 13:02:00 e4500B named[28937]: XX /65.32.2.130/mpecllc.com/A/IN
Jan 17 13:02:09 e4500B named[28937]: XX /128.244.65.29/mpecllc.com/A/IN
Jan 17 13:02:10 e4500B named[28937]: XX /24.164.225.25/mpecllc.com/A/IN
Jan 17 13:02:15 e4500B named[28937]: XX /205.253.73.5/mpecllc.com/A/IN
Jan 17 13:02:23 e4500B named[28937]: XX /137.39.110.244/mpecllc.com/A/IN
Jan 17 13:02:23 e4500B named[28937]: XX /137.39.110.244/mpecllc.com/A/IN
Jan 17 13:02:24 e4500B named[28937]: XX /218.176.253.69/mpecllc.com/A/IN
Jan 17 13:02:27 e4500B named[28937]: XX /137.39.110.244/mpecllc.com/A/IN
Jan 17 13:02:40 e4500B named[28937]: XX /216.148.227.216/mpecllc.com/A/IN
Jan 17 13:02:44 e4500B named[28937]: XX /167.206.3.237/mpecllc.com/A/IN
Jan 17 13:02:45 e4500B named[28937]: XX /66.152.252.83/mpecllc.com/A/IN
Jan 17 13:02:51 e4500B named[28937]: XX /68.168.96.162/mpecllc.com/A/IN
Jan 17 13:02:53 e4500B named[28937]: XX /216.115.128.33/mpecllc.com/A/IN
Jan 17 13:03:06 e4500B named[28937]: XX /208.28.3.222/mpecllc.com/A/IN
and this is with the domain having been pointed to a 127. IP address over
2 weeks ago...
:-\
-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org]On Behalf Of Ken Connelly
Sent: Monday, January 17, 2005 9:58 AM
To: Intrusions List (GCIA Practicals)
Subject: Re: [Intrusions] We are experiencing a DDoS attacking one of our domains - mpecllc.com
This must have gotten lost in the moderator's queue... What ended up
happening here?
- ken
David McCall wrote:
>At last count I have isolated 21,000 unique IP addresses that are pounding our dns and web servers
>for robots.txt and entry.php.......
>
>This domain is effectively down because of this issue. We had to move it to a sand box server and
>this was ineffective after 24 hours. If I enable the domain and turn on the web site the initial
>attack is 200-400 attacks per second, consisting of a GET for robots.txt or entry.php, neither of
>which exist on the site.
>
>I've notified mci.com and verio.net abuse depts.
>
>I've filed a report with FBI and wanted to make you all aware of what is going on:
>
>IFCC COMPLAINT REFERRAL REPORT
>Complaint Number: I05011113017305
>The following information was provided by the victim and will be forwarded to the appropriate law
>enforcement or regulatory agency.
>Computer Intrusion/Hacking
>Date of Complaint: 1/11/2005 1:01:35 PM
>Victim Information
>Business Name: Eschelon Telecom
>Name: David Chester McCall
>DOB: 11/21/1954
>Gender: M
>Phone #: 707-284-5695
>Email: david at atgi.net
>Address: 19 Old Courthouse Square
>Santa Rosa, CA 95404
>Live in city limits: No
>County: Sonoma
>Country: USA
>Do you have pertinent documents in paper form? No
>Please indicate who your local law enforcement agency is:
>http://ci.santa-rosa.ca.us/default.aspx?PageId=119
>Please List the easiest way and most convenient time to contact you:
>david at atgi.net
>707-477-7466 cell phone
>707-792-0482 home
>Information about the Business that victimized you.
>Name:
>Gender: U
>Phone #:
>Current Email:
>Address:
>Country: USA
>
>Contact between you and the Person/company that victimized you.
>Type of Contact: Web Page
>Date of Contact: 01/05/2005
>Contact Information:
>DDoS attack on one of our hosted domains: www.mpecllc.com
>Brief log excerpt below:
>www.mpecllc.com 68.70.227.25 - - [10/Jan/2005:11:10:49 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 24.247.2.226 - - [10/Jan/2005:11:10:49 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 68.253.255.21 - - [10/Jan/2005:11:10:49 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 68.80.225.249 - - [10/Jan/2005:11:10:49 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 128.227.58.20 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 24.211.249.43 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 70.178.8.21 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 4.29.92.66 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 207.81.81.85 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 68.36.53.42 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 63.198.19.106 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 65.196.186.6 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 69.211.75.13 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 65.40.1.55 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 141.157.196.180 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 216.170.177.114 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 24.250.111.104 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>www.mpecllc.com 66.69.186.184 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>Additional Information:
>We have had to disable this customer site as the attack eventually
>brings down the server. However this attack continues and can be
>viewed by the DNS queries from our name servers (brief listing below):
>Jan 11 09:27:03 e4500a named[280]: XX /24.25.195.1/mpecllc.com/A/IN
>Jan 11 09:27:09 e4500a named[280]: XX /66.186.224.158/mpecllc.com/A/IN
>Jan 11 09:27:12 e4500a named[280]: XX /68.1.208.23/mpecllc.com/A/IN
>Jan 11 09:27:20 e4500a named[280]: XX /66.129.37.38/mpecllc.com/A/IN
>Jan 11 09:27:23 e4500a named[280]: XX /68.73.225.60/mpecllc.com/A/IN
>Jan 11 09:27:26 e4500a named[280]: XX /167.206.3.247/mpecllc.com/A/IN
>Jan 11 09:27:43 e4500a named[280]: XX /209.204.64.3/mpecllc.com/A/IN
>Jan 11 09:27:25 e4500B named[20019]: XX /68.35.192.6/mpecllc.com/A/IN
>Jan 11 09:27:26 e4500B named[20019]: XX /167.206.3.248/mpecllc.com/A/IN
>Jan 11 09:27:27 e4500B named[20019]: XX /68.73.225.60/mpecllc.com/A/IN
>Jan 11 09:27:28 e4500B named[20019]: XX /213.129.10.130/mpecllc.com/A/IN
>Jan 11 09:27:30 e4500B named[20019]: XX /65.32.1.79/mpecllc.com/A/IN
>Jan 11 09:27:34 e4500B named[20019]: XX /209.244.4.189/mpecllc.com/A/IN
>Jan 11 09:27:40 e4500B named[20019]: XX /167.206.3.184/mpecllc.com/A/IN
>Jan 11 09:27:45 e4500B named[20019]: XX /24.140.1.132/mpecllc.com/A/IN
>Jan 11 09:27:58 e4500B named[20019]: XX /204.127.202.35/mpecllc.com/A/IN
>Jan 11 09:28:10 e4500B named[20019]: XX /206.135.241.66/mpecllc.com/A/IN
>Jan 11 09:27:30 queue named[26183]: [ID 295310 daemon.info] XX /137.39.110.165/mpecllc.com/A/IN
>Jan 11 09:27:32 queue named[26183]: [ID 295310 daemon.info] XX /208.204.150.212/mpecllc.com/A/IN
>Jan 11 09:27:33 queue named[26183]: [ID 295310 daemon.info] XX+/152.1.1.206/mpecllc.com/A/IN
>Jan 11 09:27:37 queue named[26183]: [ID 295310 daemon.info] XX /152.38.30.122/mpecllc.com/A/IN
>Jan 11 09:27:44 queue named[26183]: [ID 295310 daemon.info] XX /63.64.9.19/mpecllc.com/A/IN
>Jan 11 09:27:47 queue named[26183]: [ID 295310 daemon.info] XX /207.65.122.221/mpecllc.com/A/IN
>Jan 11 09:27:52 queue named[26183]: [ID 295310 daemon.info] XX /24.92.32.23/mpecllc.com/AAAA/IN
>Jan 11 09:27:55 queue named[26183]: [ID 295310 daemon.info] XX /209.86.63.205/mpecllc.com/A/IN
>Jan 11 09:28:03 queue named[26183]: [ID 295310 daemon.info] XX /216.162.16.130/mpecllc.com/A/IN
>Jan 11 09:28:05 queue named[26183]: [ID 295310 daemon.info] XX /206.64.117.231/mpecllc.com/A/IN
>Jan 11 09:28:05 queue named[26183]: [ID 295310 daemon.info] XX /216.162.16.131/mpecllc.com/A/IN
>Jan 11 09:28:07 queue named[26183]: [ID 295310 daemon.info] XX /68.57.192.6/mpecllc.com/A/IN
>Jan 11 09:28:09 queue named[26183]: [ID 295310 daemon.info] XX /68.168.192.5/mpecllc.com/A/IN
>Jan 11 09:28:17 queue named[26183]: [ID 295310 daemon.info] XX /152.3.250.1/mpecllc.com/A/IN
>Jan 11 09:28:21 queue named[26183]: [ID 295310 daemon.info] XX /24.28.99.62/mpecllc.com/A/IN
>Jan 11 09:28:25 queue named[26183]: [ID 295310 daemon.info] XX /137.159.198.137/mpecllc.com/A/IN
>Jan 11 09:28:31 queue2 named[29380]: [ID 295310 daemon.info] XX /12.38.46.250/mpecllc.com/A/IN
>Jan 11 09:28:31 queue2 named[29380]: [ID 295310 daemon.info] XX /209.244.4.51/mpecllc.com/A/IN
>Jan 11 09:28:31 queue2 named[29380]: [ID 295310 daemon.info] XX /63.243.88.30/mpecllc.com/A/IN
>Jan 11 09:28:32 queue2 named[29380]: [ID 295310 daemon.info] XX /69.152.0.5/mpecllc.com/A/IN
>Jan 11 09:28:36 queue2 named[29380]: [ID 295310 daemon.info] XX /64.78.119.1/mpecllc.com/A/IN
>Jan 11 09:28:37 queue2 named[29380]: [ID 295310 daemon.info] XX /192.216.106.50/mpecllc.com/A/IN
>Jan 11 09:28:37 queue2 named[29380]: [ID 295310 daemon.info] XX /32.97.118.68/mpecllc.com/A/IN
>Jan 11 09:28:39 queue2 named[29380]: [ID 295310 daemon.info] XX /206.230.181.2/mpecllc.com/A/IN
>Jan 11 09:28:40 queue2 named[29380]: [ID 295310 daemon.info] XX /205.188.118.22/mpecllc.com/A/IN
>Jan 11 09:28:43 queue2 named[29380]: [ID 295310 daemon.info] XX /64.7.232.10/mpecllc.com/A/IN
>Jan 11 09:28:46 queue2 named[29380]: [ID 295310 daemon.info] XX /216.226.178.11/mpecllc.com/A/IN
>Jan 11 09:28:51 queue2 named[29380]: [ID 295310 daemon.info] XX /129.219.13.81/mpecllc.com/A/IN
>Jan 11 09:28:31 webserv named[24989]: [ID 295310 daemon.info] XX /24.247.24.41/mpecllc.com/A/IN
>Jan 11 09:28:35 webserv named[24989]: [ID 295310 daemon.info] XX /151.164.1.3/mpecllc.com/A/IN
>Jan 11 09:28:37 webserv named[24989]: [ID 295310 daemon.info] XX /216.144.187.199/mpecllc.com/A/IN
>Jan 11 09:28:38 webserv named[24989]: [ID 295310 daemon.info] XX /12.34.129.27/mpecllc.com/A/IN
>Jan 11 09:28:38 webserv named[24989]: [ID 295310 daemon.info] XX /205.152.132.23/mpecllc.com/A/IN
>Jan 11 09:28:42 webserv named[24989]: [ID 295310 daemon.info] XX /66.133.128.138/mpecllc.com/A/IN
>Jan 11 09:28:42 webserv named[24989]: [ID 295310 daemon.info] XX /204.127.198.60/mpecllc.com/A/IN
>Jan 11 09:28:56 webserv named[24989]: [ID 295310 daemon.info] XX /24.29.99.16/mpecllc.com/A/IN
>Jan 11 09:28:56 webserv named[24989]: [ID 295310 daemon.info] XX /167.206.3.249/mpecllc.com/A/IN
>Jan 11 09:28:56 webserv named[24989]: [ID 295310 daemon.info] XX /216.110.87.10/mpecllc.com/A/IN
>Jan 11 09:28:58 webserv named[24989]: [ID 295310 daemon.info] XX+/66.189.130.21/mpecllc.com/A/IN
>Jan 11 09:28:59 webserv named[24989]: [ID 295310 daemon.info] XX /216.47.193.14/mpecllc.com/A/IN
>Jan 11 09:29:03 webserv named[24989]: [ID 295310 daemon.info] XX /66.189.130.5/mpecllc.com/A/IN
>Jan 11 09:29:07 webserv named[24989]: [ID 295310 daemon.info] XX /129.22.4.3/mpecllc.com/A/IN
>Jan 11 09:29:07 webserv named[24989]: [ID 295310 daemon.info] XX+/206.47.244.102/mpecllc.com/A/IN
>Jan 11 09:29:07 webserv named[24989]: [ID 295310 daemon.info] XX /199.18.39.5/mpecllc.com/A/IN
>
>I have no immediate power to isolate where this is coming from but I can make you all aware of
>what it is doing exactly. mpecllc.com is now pointed to a 127. IP address but this has not
>stopped the queries on our name servers, as you can see above.
>
>thanks ahead of time for any help you can offer..
>
>regards
>
> Domain Name Services - AdvancedTelcomInc
> David C. McCall - david at atgi.net
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
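An added example, not code from the thread or from the poster's systems: a small parser for the two log formats quoted above (BIND 8 query-log lines, some carrying the Solaris syslog `[ID ... daemon.info]` tag, and Apache combined-log lines with a leading vhost field) that tallies what a defender would want from a flood like this one: total volume, how many distinct clients it spreads across, which clients repeat, the peak per-second rate, and which names, record types and paths are being hit. The sample lines are copied from the message; the regexes and function names are my own assumptions about the formats.

```python
"""Profile BIND 8 query-log and Apache access-log lines from a distributed flood.

Added example; not the poster's code. Assumes BIND 8 querylog layout
("XX /client/qname/qtype/class", with "XX+/" when recursion was requested)
and Apache combined log with the vhost prepended, as in the thread's excerpt.
"""
import re
from collections import Counter

# "<syslog ts> <host> named[pid]: [optional tag] XX /client/qname/qtype/class"
BIND_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]:.*?"
    r"XX(?P<flag>[ +])/(?P<client>[^/]+)/(?P<qname>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>\S+)$"
)

# "<vhost> <client> - - [ts] "METHOD path proto" status size "referer" "agent""
APACHE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Sample lines taken from the thread (constructed list, not a live feed).
DNS_SAMPLE = [
    "Jan 17 13:01:54 e4500B named[28937]: XX /63.195.114.61/mpecllc.com/A/IN",
    "Jan 17 13:02:00 e4500B named[28937]: XX /65.32.2.130/mpecllc.com/A/IN",
    "Jan 17 13:02:09 e4500B named[28937]: XX /128.244.65.29/mpecllc.com/A/IN",
    "Jan 17 13:02:10 e4500B named[28937]: XX /24.164.225.25/mpecllc.com/A/IN",
    "Jan 17 13:02:15 e4500B named[28937]: XX /205.253.73.5/mpecllc.com/A/IN",
    "Jan 17 13:02:23 e4500B named[28937]: XX /137.39.110.244/mpecllc.com/A/IN",
    "Jan 17 13:02:23 e4500B named[28937]: XX /137.39.110.244/mpecllc.com/A/IN",
    "Jan 17 13:02:24 e4500B named[28937]: XX /218.176.253.69/mpecllc.com/A/IN",
    "Jan 17 13:02:27 e4500B named[28937]: XX /137.39.110.244/mpecllc.com/A/IN",
    "Jan 17 13:02:40 e4500B named[28937]: XX /216.148.227.216/mpecllc.com/A/IN",
    "Jan 17 13:02:44 e4500B named[28937]: XX /167.206.3.237/mpecllc.com/A/IN",
    "Jan 17 13:02:45 e4500B named[28937]: XX /66.152.252.83/mpecllc.com/A/IN",
    "Jan 17 13:02:51 e4500B named[28937]: XX /68.168.96.162/mpecllc.com/A/IN",
    "Jan 17 13:02:53 e4500B named[28937]: XX /216.115.128.33/mpecllc.com/A/IN",
    "Jan 17 13:03:06 e4500B named[28937]: XX /208.28.3.222/mpecllc.com/A/IN",
    "Jan 11 09:27:33 queue named[26183]: [ID 295310 daemon.info] XX+/152.1.1.206/mpecllc.com/A/IN",
    "Jan 11 09:27:52 queue named[26183]: [ID 295310 daemon.info] XX /24.92.32.23/mpecllc.com/AAAA/IN",
]
_UA = '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'
WEB_SAMPLE = [
    'www.mpecllc.com 68.70.227.25 - - [10/Jan/2005:11:10:49 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" ' + _UA,
    'www.mpecllc.com 24.247.2.226 - - [10/Jan/2005:11:10:49 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" ' + _UA,
    'www.mpecllc.com 68.253.255.21 - - [10/Jan/2005:11:10:49 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" ' + _UA,
    'www.mpecllc.com 68.80.225.249 - - [10/Jan/2005:11:10:49 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" ' + _UA,
    'www.mpecllc.com 128.227.58.20 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" ' + _UA,
    'www.mpecllc.com 24.211.249.43 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" ' + _UA,
]


def parse_bind(line):
    """One BIND 8 query-log line -> dict, or None if it does not match."""
    m = BIND_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["recursion_desired"] = rec.pop("flag") == "+"
    return rec


def parse_apache(line):
    """One Apache combined-log line -> dict, or None if it does not match."""
    m = APACHE_RE.match(line.strip())
    return m.groupdict() if m else None


def _profile(records, count_fields):
    """Volume, client spread, repeat clients, per-second peak and per-field tallies."""
    per_second = Counter(r["ts"] for r in records)
    clients = Counter(r["client"] for r in records)
    out = {
        "total": len(records),
        "unique_clients": len(clients),
        "repeat_clients": {c: n for c, n in clients.items() if n > 1},
        "peak_per_second": max(per_second.values(), default=0),
    }
    for field in count_fields:
        out[field] = dict(Counter(r[field] for r in records))
    return out


def summarize_dns(lines):
    recs = [r for r in map(parse_bind, lines) if r]
    out = _profile(recs, ("qname", "qtype"))
    out["recursion_desired"] = sum(r["recursion_desired"] for r in recs)
    return out


def summarize_web(lines):
    recs = [r for r in map(parse_apache, lines) if r]
    return _profile(recs, ("path", "status", "agent"))


if __name__ == "__main__":
    print("DNS:", summarize_dns(DNS_SAMPLE))
    print("WEB:", summarize_web(WEB_SAMPLE))
```

On the thread's own excerpt this reports a client spread close to one query per source (15 distinct clients behind 17 queries, a single source repeating three times), a peak of four web requests in one second all for a path the poster says does not exist, and a handful of recursion-desired queries; a high unique-client-to-request ratio like this is what distinguishes a distributed flood from one noisy resolver, and it is the figure to hand an upstream provider or abuse desk alongside the raw lines.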