Date: Sat, 22 May 1999 10:14:26 -0700 (PDT) From: Matthew Dillon <dillon@apollo.backplane.com> To: Brett Glass <brett@lariat.org> Cc: security@FreeBSD.ORG Subject: Re: Denial of service attack from "imagelock.com" Message-ID: <199905221714.KAA74179@apollo.backplane.com> References: <4.2.0.37.19990522105949.0465d4a0@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
:This morning, someone at the domain "imagelock.com" apparently launched a
:denial of service attack against a Web server I administer. The abuser was
:repeatedly downloading large image files simultaneously. While the log
:entries say that the user agent was "Mozilla
:/3.01C-PBWF", this was clearly spoofed; no Netscape user could possibly
:browse that fast.
:
:Because that server has a limited amount of Internet bandwidth, and because
:it also handles several dial-up connections and Web sites, many people were
:being severely impacted by this abuse. When we attempted to trace the
:attack to the source, we noted that the abuser was attempting to prevent
:the determination of his or her address by enabling reverse but not forward
:name resolution. We locked them out of the Web server, but not before they
:brought several e-commerce Web sites to a crawl.
If they are actually making TCP connections, then their IP address is
likely to be valid. This means you should be able to traceroute the
IP address to see what the last hop network is. You can then complain
to that network - I'd call up their NOC.
:Who are these people?
The information provided is not sufficient for us to make that
determination. Perhaps if you provided the IP address(es) the attack
is coming from?
:Sincerely,
:Brett Glass, System Administrator
-Matt
Matthew Dillon
<dillon@backplane.com>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199905221714.KAA74179>