From owner-freebsd-security Sun May 23 13:22: 2 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pro.icp.ac.ru (pro.icp.ac.ru [193.233.43.46])
    by hub.freebsd.org (Postfix) with ESMTP id E3DB514F48
    for ; Sun, 23 May 1999 13:21:50 -0700 (PDT)
    (envelope-from ratebor@cityline.ru)
Received: from vedi.pc.icp.ac.ru (vedi.pc.icp.ac.ru [192.168.253.19])
    by pro.icp.ac.ru (8.9.2/8.8.7) with SMTP id AAA30168;
    Mon, 24 May 1999 00:23:00 +0400 (MSD)
    (envelope-from ratebor@cityline.ru)
Date: Mon, 24 May 1999 00:22:57 +0400
From: Dmitriy Bokiy
X-Mailer: The Bat! (v1.32) UNREG / CD5BF9353B3B7091
Reply-To: Dmitriy Bokiy
X-Priority: 3 (Normal)
Message-ID: <715.990524@cityline.ru>
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
In-reply-To: <4.2.0.37.19990522105949.0465d4a0@localhost>
References: <4.2.0.37.19990522105949.0465d4a0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Saturday, May 22, 1999, 21:05:28 Brett Glass wrote:

> This morning, someone at the domain "imagelock.com" apparently launched a
> denial of service attack against a Web server I administer. The abuser was
> repeatedly downloading large image files simultaneously. While the log
> entries say that the user agent was "Mozilla
> /3.01C-PBWF", this was clearly spoofed; no Netscape user could possibly
> browse that fast.
> Because that server has a limited amount of Internet bandwidth, and because
> it also handles several dial-up connections and Web sites, many people were
> being severely impacted by this abuse. When we attempted to trace the
> attack to the source, we noted that the abuser was attempting to prevent
> the determination of his or her address by enabling reverse but not forward
> name resolution. We locked them out of the Web server, but not before they
> brought several e-commerce Web sites to a crawl.

They probably used an off-line browser (or several of them). This stuff
CAN do simultaneous downloading of web pages, images or whatever and is
rather configurable. It can be configured to identify itself as MSIE,
Netscape, anonymous or whatever you choose. There are also parameters like
maximum number of simultaneous threads (usual default is 10) and so-called
Netiquette options (obey or not Robot Exclusion Standard, delay between
threads etc.).

> Who are these people?

So my theory is they are who they honestly said they are. Just breaking
some Netiquette rules and must be inspired (or forced) not to do that
anymore.

--Dmitriy
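
Added example, not part of the original message or thread: one way to spot the multi-threaded off-line browser behaviour described above in a web server access log, by request rate per client rather than by the User-Agent string, which the client chooses. The combined log format, the thresholds, the host names and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: host, timestamp, request, status, bytes, referer, agent.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} (\d+|-) "[^"]*" "([^"]*)"')
TS = "%d/%b/%Y:%H:%M:%S %z"

def flag_bulk_fetchers(lines, window_s=10, max_hits=20):
    """Return {host: report} for clients with more than max_hits requests in window_s seconds."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)            # host -> (timestamp, bytes) still inside the window
    report, asked_robots = {}, set()
    for line in lines:                     # lines are assumed to be in time order
        m = LINE.match(line)
        if not m:
            continue
        host, ts, path, size, agent = m.groups()
        ts = datetime.strptime(ts, TS)
        if path == "/robots.txt":          # did the client consult the Robot Exclusion file?
            asked_robots.add(host)
        q = recent[host]
        q.append((ts, 0 if size == "-" else int(size)))
        while ts - q[0][0] > window:       # drop requests that fell out of the window
            q.popleft()
        if len(q) > max_hits:
            r = report.setdefault(host, {"peak_hits": 0, "peak_bytes": 0, "agents": set()})
            if len(q) > r["peak_hits"]:
                r["peak_hits"], r["peak_bytes"] = len(q), sum(b for _, b in q)
            r["agents"].add(agent)         # record every agent string the client claimed
    for host, r in report.items():
        r["fetched_robots_txt"] = host in asked_robots
    return report

def sample_log():
    """Constructed sample: a bulk fetcher (30 images in 3 s) and a human-paced client."""
    start = datetime.strptime("22/May/1999:09:00:00 -0600", TS)
    fmt = '{} - - [{}] "GET {} HTTP/1.0" 200 {} "-" "{}"'
    hits = [(i // 10, "bulk.example", f"/images/big{i}.jpg", 400000, "Mozilla/3.01C-PBWF")
            for i in range(30)]
    hits += [(15 * i, "192.0.2.10", f"/page{i}.html", 8000, "Mozilla/4.5 [en] (Win98; I)")
             for i in range(5)]
    return [fmt.format(host, (start + timedelta(seconds=s)).strftime(TS), path, size, ua)
            for s, host, path, size, ua in sorted(hits)]

if __name__ == "__main__":
    for host, r in flag_bulk_fetchers(sample_log()).items():
        print(host, r)
```

The window and hit threshold need tuning against a site's normal traffic; a page with many inline images can produce short bursts from an ordinary browser.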