[Intrusions] DDoS attacking mpecllc.com - UPDATE
David McCall
david at atgi.net
Mon Jan 24 13:55:27 GMT 2005
# wc -l /etc/untrusted
47443 unique attacking IP's
Seems like this worm has made its way to the Pacific Rim...
1106574661.909 338 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574664.805 924 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574666.120 301 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574668.155 695 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574670.072 276 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574671.917 177 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574674.090 512 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574676.460 190 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574677.476 6 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574679.291 389 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574682.022 572 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574684.436 547 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574685.608 0 12.64.186.82 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574686.574 159 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574687.299 630 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574689.237 248 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574691.998 32 216.12.58.68 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574692.100 100 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574692.488 83 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574695.038 569 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574697.002 83 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574699.575 726 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574700.673 83 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574703.128 303 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574705.619 262 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574707.411 502 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
Would be nice if this thing would slow down, but I'm having my doubts just by the increase over the weekend.
SQUID seems to be holding itself quite nicely in the face of this attack:
load averages: 0.20, 0.13, 0.09 05:56:17
23 processes: 22 idle
CPU states: 0.2% user, 0.0% nice, 0.0% system, 0.6% interrupt, 99.2% idle
Memory: 54M/105M act/tot Free: 17M Swap: 1728K/369M used/tot
PID USERNAME PRI NICE SIZE RES STATE WAIT TIME CPU COMMAND
30525 _squid 2 0 47M 48M sleep poll 34:28 0.00% squid
I've noted the size of the squid memory allocation has increased by
about 5MB over the weekend, so with 17MB free it appears like the list can
grow to about 120K uniq IP's before it might start swapping to disk.
more to come.
David C. McCall
UNIX Administrator
===================
EschelonTelecom
admin at atgi.net
david at atgi.net
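
Added example (not part of the original post, and not the poster's own tooling): one way to turn Squid native-format access.log lines like those quoted above into a per-client list of denied requests and flag clients that repeat quickly. The function names and the thresholds (3 denials within 10 seconds) are assumptions chosen for illustration; the first five sample lines are copied from the post and the last two are constructed.

```python
import ipaddress
from collections import defaultdict

# First five lines are copied from the post; the last two are constructed.
SAMPLE_LOG = """\
1106574661.909 338 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574664.805 924 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574666.120 301 210.6.198.35 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574685.608 0 12.64.186.82 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574691.998 32 216.12.58.68 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106574693.000 15 192.0.2.10 TCP_MISS/200 5120 GET http://mpecllc.com/index.html - DIRECT/192.0.2.80 text/html
truncated line without enough fields
"""

def parse_line(line):
    """Parse one Squid native-format log line; return None if it is malformed."""
    fields = line.split()
    if len(fields) < 10:          # native format has 10 whitespace-separated fields
        return None
    try:
        ts = float(fields[0])                          # UNIX time with milliseconds
        client = str(ipaddress.ip_address(fields[2]))  # reject non-IP client fields
    except ValueError:
        return None
    result, _, status = fields[3].partition("/")       # e.g. TCP_DENIED / 403
    return {"ts": ts, "client": client, "result": result,
            "status": status, "method": fields[5], "url": fields[6]}

def denied_times(log_text):
    """Map each client IP to the timestamps of its TCP_DENIED requests."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["result"] == "TCP_DENIED":
            times[rec["client"]].append(rec["ts"])
    return dict(times)

def repeat_offenders(log_text, min_hits=3, window=10.0):
    """Clients with at least min_hits denials inside any window-second span."""
    flagged = []
    for ip, ts in denied_times(log_text).items():
        ts.sort()
        spans = range(len(ts) - min_hits + 1)
        if any(ts[i + min_hits - 1] - ts[i] <= window for i in spans):
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    for ip in repeat_offenders(SAMPLE_LOG):
        print(ip)
```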