Date: Tue, 15 Oct 2002 04:02:23 -0700
From: Benjamin Krueger
To: Arkadi Kosmynin
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: An attack? Does it happen to anybody else?
Message-ID: <20021015110223.GA15252@surreal.seattlefenix.net>
In-Reply-To: <000f01c27434$903aa8c0$0200a8c0@anna>
Reply-To: benjamin@seattleFenix.net

* Arkadi Kosmynin (ank@ozinsight.com) [021015 03:21]:
> Hi,
>
> There were 3 incidents of high volume downloading from our site during the
> past week. I can't understand what is going on and would appreciate any info
> on the issue.
>
> I checked our logs:
>
> Folks from 195.210.137.130 downloaded ~140MB of the same file.
> Folks from 212.160.201.118 ~ 350MB.
> Folks from 213.17.138.154 ~ 590MB.
>
> This hurts us. What can I do about it?
>
> Thanks,
>
> Arkadi.

You neglect to mention what service (ftp, http?) this is affecting, what they
were downloading, and whether the content is publicly available.

Personally, I never recommend that one assume every painful action on the
internet is malicious. Often folks end up acting hostile in return, only to
find that the problem was simply misconfigured software or a misguided server
administrator.

If it hurts, stop it. Block the hosts at the firewall, contact the
administrator of those machines or that network space, remove or move the
files, use tcp wrappers to lock them out, implement rate limiting, hide the
content behind a username and password, or cry. All are reasonable options,
and all but one are productive.

--
Benjamin Krueger
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18
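Added example, not part of the original thread: one way to produce per-host totals like those quoted in the question, so that a block or rate limit can be aimed at the right hosts. It assumes the service is HTTP and logs in Common Log Format (the thread does not say which service is affected); the function name, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def heavy_downloaders(lines, threshold_bytes):
    """Return [(host, path, total_bytes, requests)] for every host/path pair
    whose transferred bytes reach threshold_bytes, largest total first."""
    totals = defaultdict(lambda: [0, 0])  # (host, path) -> [bytes, requests]
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # malformed or truncated line
        if m["size"] == "-" or not m["status"].startswith("2"):
            continue  # no body sent (e.g. 304) or not a successful transfer
        entry = totals[(m["host"], m["path"])]
        entry[0] += int(m["size"])
        entry[1] += 1
    hits = [(h, p, b, n) for (h, p), (b, n) in totals.items()
            if b >= threshold_bytes]
    return sorted(hits, key=lambda row: row[2], reverse=True)

# Constructed sample log (documentation address ranges, hypothetical file).
SAMPLE_LOG = [
    f'192.0.2.10 - - [15/Oct/2002:03:{minute:02d}:00 -0700] '
    '"GET /pub/tool.tar.gz HTTP/1.0" 200 70000000'
    for minute in range(5)
] + [
    '198.51.100.7 - - [15/Oct/2002:03:10:00 -0700] '
    '"GET /pub/tool.tar.gz HTTP/1.0" 200 70000000',
    '203.0.113.5 - - [15/Oct/2002:03:11:00 -0700] '
    '"GET /index.html HTTP/1.0" 304 -',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    # Flag any host that pulled 100 MB or more of a single file.
    for host, path, total, count in heavy_downloaders(SAMPLE_LOG, 100_000_000):
        print(f"{host} fetched {path} {count} times, {total / 1e6:.0f} MB")
```

A host that fetches the same file once stays below the threshold, which keeps ordinary visitors out of the list of hosts to contact or block.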