From owner-freebsd-security Sat May 22 10: 5:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2])
    by hub.freebsd.org (Postfix) with ESMTP id 4210314D93
    for ; Sat, 22 May 1999 10:05:35 -0700 (PDT)
    (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2])
    by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id LAA18214
    for ; Sat, 22 May 1999 11:05:32 -0600 (MDT)
Message-Id: <4.2.0.37.19990522105949.0465d4a0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Sat, 22 May 1999 11:05:28 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Denial of service attack from "imagelock.com"
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This morning, someone at the domain "imagelock.com" apparently launched a denial of service attack against a Web server I administer. The abuser was repeatedly downloading large image files simultaneously. While the log entries say that the user agent was "Mozilla /3.01C-PBWF", this was clearly spoofed; no Netscape user could possibly browse that fast.

Because that server has a limited amount of Internet bandwidth, and because it also handles several dial-up connections and Web sites, many people were being severely impacted by this abuse.

When we attempted to trace the attack to the source, we noted that the abuser was attempting to prevent the determination of his or her address by enabling reverse but not forward name resolution.

We locked them out of the Web server, but not before they brought several e-commerce Web sites to a crawl. Who are these people?

Sincerely,
Brett Glass, System Administrator

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
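
Added example, not part of the original message: one way to spot the behaviour described above from an access log, keyed on request rate and bytes served rather than on the User-Agent header (which the client controls), plus a forward-confirmed reverse DNS check for the "reverse but not forward" situation. The log lines, addresses, thresholds and function names are constructed for illustration.

```python
import re
import socket
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Common Log Format (documentation address ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [22/May/1999:09:00:01 -0600] "GET /img/a.jpg HTTP/1.0" 200 900000
192.0.2.10 - - [22/May/1999:09:00:01 -0600] "GET /img/b.jpg HTTP/1.0" 200 900000
192.0.2.10 - - [22/May/1999:09:00:02 -0600] "GET /img/c.jpg HTTP/1.0" 200 900000
192.0.2.10 - - [22/May/1999:09:00:03 -0600] "GET /img/d.jpg HTTP/1.0" 200 900000
198.51.100.7 - - [22/May/1999:09:00:05 -0600] "GET /index.html HTTP/1.0" 200 20000
198.51.100.7 - - [22/May/1999:09:00:35 -0600] "GET /img/a.jpg HTTP/1.0" 200 20000
"""

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} (\d+|-)')

def parse(log_text):
    """Yield (client, timestamp, bytes_sent) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts, 0 if m.group(3) == "-" else int(m.group(3))

def heavy_clients(log_text, window=timedelta(seconds=10), max_requests=3, max_bytes=2_000_000):
    """Return clients that exceed either limit inside any sliding window."""
    by_client = defaultdict(list)
    for client, ts, size in parse(log_text):
        by_client[client].append((ts, size))
    flagged = set()
    for client, hits in by_client.items():
        hits.sort()
        start = total = 0
        for end, (ts, size) in enumerate(hits):
            total += size
            while ts - hits[start][0] > window:  # drop hits older than the window
                total -= hits[start][1]
                start += 1
            if end - start + 1 > max_requests or total > max_bytes:
                flagged.add(client)
    return flagged

def forward_confirmed(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """True only if the PTR name for ip resolves forward to the same ip."""
    try:
        return ip in forward(reverse(ip)[0])[2]
    except OSError:  # covers socket.herror and socket.gaierror (lookup failed)
        return False
```

A client that fails `forward_confirmed` has a PTR name that cannot be trusted for attribution; block and report by IP address instead.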