[Dshield] Got 'em

Chateauneuf dupape at bellatlantic.net
Mon Mar 3 18:29:41 GMT 2003

Somebody asked last week about the value of DShield. The following was only 
possible because the aggregate numbers collected by DS made it clear that 
this was not just some kid spamming my address and a few others for fun. By 
having the data for the entire block it became evident that this was a 
systematic effort. Furthermore, I was able to provide these numbers to 
others which gave the complaints a great deal more credibility.

I'm not obsessed with BlueTelegraph but this is a case where we can really 
do something. This is a domestic company that (based on the ports being 
scanned) is probably looking for proxies to relay SPAM. So we not only get 
rid of an attacker but also a possible large-scale spam generator.

Anyway, I had some time available last week. I got Cogent to drop the name 
server and change some other things which caused BT to change IPs. 
Furthermore, whatever Cogent did caused these IPs to resolve to their real 
owner which is Aventis Pharma and they took aggressive action as did Verio 
which was passing all the traffic. We may actually be rid of them. 
Apparently, Blue Telegraph was able to basically hijack this bandwidth.

If Aventis is smart, this may result in criminal charges.

Again, this was a couple of hours of effort on my part but NONE of this 
could have been done without DShield and Johannes' thousands of hours of 
dedication to the community.
