Date:      Sun, 23 May 1999 14:24:14 -0700
From:      "Michael Bryan" <fbsd-security@ursine.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Denial of service attack from "imagelock.com"
Message-ID:  <199905231424140440.0E81E3D5@quaggy.ursine.com>
In-Reply-To: <4.2.0.37.19990523131810.04669d30@localhost>
References:  <4.2.0.37.19990522105949.0465d4a0@localhost> <4.2.0.37.19990522105949.0465d4a0@localhost> <4.2.0.37.19990523131810.04669d30@localhost>



On 5/23/99 at 1:23 PM Brett Glass wrote:
>I don't know whether or not this would help. But complaining to their
>ISP probably would.

Or to them directly.  After I saw this thread, I went and checked our
logs, finding similar full-scale scans of our web servers.  I wrote
a letter to 'info@imagelock.com', asking that they cease and desist from
all scans of web servers in our network.  Within an hour I had a
response from 'belanger@imagelock.com'.  He indicated that he had
added our domain to the "do not scan" list they maintain.  So he
was at least responsive, and on a Sunday to boot.

Of course, I then pointed out to him that what I wanted was for our
entire network range to be fully bypassed by their scans, not just
our main domain.  We have several hosted domains, and I don't want
to have to keep his list updated every time we add/delete a domain.
I haven't heard back yet, but I would hope that they are capable of
blocking by IP address in addition to domain name.

I think it would behoove anybody who's been hit by them to fire back
with a request that they cease and desist.  Then monitor to make sure
they honor that.  If they don't, complain to AboveNet, who will almost
certainly let ImageLock know they have to clean up their act.

At the very least, perhaps this will get them to clean up their software
so that it does not hit anybody so intensely.

Some things I noted about their scans in our log files:

1) They -are- requesting a robots.txt file before every scan wave.
Whether or not they utilize this, I cannot tell, as we don't have
a robots.txt file in use at this time.

2) Once they start a wave, it apparently gets farmed out to several
different servers.  It is possible for various files to be requested
multiple times during a wave, from several different servers.

3) They don't always seem to respond to Redirects (HTTP code 301).
We had a number of URLs that point to directories, but don't have
the trailing "/", which results in the 301 error to the client when
they come back for it.  On some waves, these appear to have been
added to the queue for grabbing later in the same day, but on other
waves no subsequent lookups were done.

4) It looks like they're coming in for a new full scan once every
one to three days, based on the entries in our logs.


All that being said, I don't think this thread should continue on this
mailing list, since it has nothing to do with FreeBSD.  It has been
valuable and informative, though --- perhaps this can be continued on
a different (more appropriate) list if desired?


Michael Bryan
fbsd-security@ursine.com
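
An added example, not part of the original message: one way to check a web
server access log for the four behaviours listed above. The log lines are
constructed, and the 192.0.2. prefix used to pick out the crawler's hosts and
the one-hour gap that separates waves are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Constructed Common Log Format sample; 192.0.2.x stands in for the crawler's hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [21/May/1999:02:00:00 -0700] "GET /robots.txt HTTP/1.0" 404 210
192.0.2.10 - - [21/May/1999:02:00:01 -0700] "GET /images HTTP/1.0" 301 230
192.0.2.11 - - [21/May/1999:02:00:02 -0700] "GET /logo.gif HTTP/1.0" 200 1500
192.0.2.12 - - [21/May/1999:02:00:03 -0700] "GET /logo.gif HTTP/1.0" 200 1500
192.0.2.11 - - [21/May/1999:02:00:09 -0700] "GET /images/ HTTP/1.0" 200 900
192.0.2.10 - - [23/May/1999:03:00:00 -0700] "GET /robots.txt HTTP/1.0" 404 210
192.0.2.12 - - [23/May/1999:03:00:01 -0700] "GET /docs HTTP/1.0" 301 228
192.0.2.11 - - [23/May/1999:03:00:02 -0700] "GET /logo.gif HTTP/1.0" 200 1500
"""
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')

def parse(log, crawler_prefix="192.0.2."):
    """Yield (time, host, path, status) for requests from the assumed crawler hosts."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m and m.group(1).startswith(crawler_prefix):
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield when, m.group(1), m.group(3), int(m.group(4))

def waves(hits, gap=timedelta(hours=1)):
    """Split time-ordered hits into waves separated by more than `gap` of silence."""
    out = []
    for hit in sorted(hits):
        if not out or hit[0] - out[-1][-1][0] > gap:
            out.append([])
        out[-1].append(hit)
    return out

def summarize(wave):
    """Report, for one wave, the behaviours from items 1 to 3 plus its start time."""
    paths = Counter(path for _, _, path, _ in wave)
    return {
        "start": wave[0][0],                                   # item 4: compare starts
        "robots_first": wave[0][2] == "/robots.txt",           # item 1
        "hosts": len({host for _, host, _, _ in wave}),        # item 2
        "repeated": sorted(p for p, n in paths.items() if n > 1),
        "unfollowed_301": sorted(p for _, _, p, s in wave if s == 301 and p + "/" not in paths),
    }

def report(log=SAMPLE_LOG):
    return [summarize(w) for w in waves(parse(log))]

if __name__ == "__main__":
    print(*report(), sep="\n")
```

The difference between consecutive "start" values gives the interval between
full scans.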


