Date: Sun, 23 May 1999 14:24:14 -0700
From: "Michael Bryan"
To: freebsd-security@freebsd.org
Subject: Re: Denial of service attack from "imagelock.com"

On 5/23/99 at 1:23 PM Brett Glass wrote:

>I don't know whether or not this would help. But complaining to their
>ISP probably would. Or to them directly.

After I saw this thread, I went and checked our logs, finding similar full-scale scans of our web servers. I wrote a letter to 'info@imagelock.com', asking that they cease and desist from all scans of web servers in our network. Within an hour I had a response from 'belanger@imagelock.com'. He indicated that he had added our domain to the "do not scan" list they maintain. So he was at least responsive, and on a Sunday to boot.

Of course, I then pointed out to him that what I wanted was for our entire network range to be fully bypassed by their scans, not just our main domain. We have several hosted domains, and I don't want to have to keep his list updated every time we add/delete a domain.

I haven't heard back yet, but I would hope that they are capable of blocking by IP address in addition to domain name.

I think it would behoove anybody who's been hit by them to fire back with a request that they cease and desist. Then monitor to make sure they honor that. If they don't, complain to AboveNet, who will almost certainly let ImageLock know they have to clean up their act. At the very least, perhaps this will get them to clean up their software so that it does not hit anybody so intensely.

Some things I noted about their scans in our log files:

1) They -are- requesting a robots.txt file before every scan wave. Whether or not they utilize this, I cannot tell, as we don't have a robots.txt file in use at this time.

2) Once they start a wave, it apparently gets farmed out to several different servers. It is possible for various files to be requested multiple times during a wave, from several different servers.

3) They don't always seem to respond to Redirects (HTTP code 301). We had a number of URLs that point to directories, but don't have the trailing "/", which results in the 301 error to the client when they come back for it. On some waves, these appear to have been added to the queue for grabbing later in the same day, but on other waves no subsequent lookups were done.

4) It looks like they're coming in for a new full scan once every one to three days, based on the entries in our logs.

All that being said, I don't think this thread should continue on this mailing list, since it has nothing to do with FreeBSD. It has been valuable and informative, though --- perhaps this can be continued on a different (more appropriate) list if desired?

Michael Bryan
fbsd-security@ursine.com
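One way to pull the traits listed above out of a web server log, as an added example that is not part of the original message or of any tool it mentions. It assumes Apache common log format and that a scanner's helper hosts share one /24 netblock; the log lines are constructed.

```python
import re
from collections import defaultdict

# Apache common log format (assumption: the message does not say how the servers logged).
CLF = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:\]]+)[^\]]*\] '
                 r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Constructed sample: one crawl wave over two hosts in 203.0.113.0/24, plus one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [23/May/1999:03:01:00 -0700] "GET /robots.txt HTTP/1.0" 404 0
203.0.113.10 - - [23/May/1999:03:01:02 -0700] "GET /index.html HTTP/1.0" 200 1200
203.0.113.10 - - [23/May/1999:03:01:03 -0700] "GET /images/a.gif HTTP/1.0" 200 512
203.0.113.11 - - [23/May/1999:03:01:04 -0700] "GET /images/a.gif HTTP/1.0" 200 512
203.0.113.11 - - [23/May/1999:03:01:05 -0700] "GET /docs HTTP/1.0" 301 0
203.0.113.11 - - [23/May/1999:03:01:06 -0700] "GET /pics HTTP/1.0" 301 0
203.0.113.10 - - [23/May/1999:03:05:00 -0700] "GET /docs/ HTTP/1.0" 200 900
198.51.100.7 - - [23/May/1999:04:00:00 -0700] "GET /index.html HTTP/1.0" 200 1200
"""

def parse(log_text):
    """Yield (day, ip, path, status) for every line that matches CLF."""
    for line in log_text.splitlines():
        m = CLF.match(line)
        if m:
            yield m['day'], m['ip'], m['path'], int(m['status'])

def find_waves(log_text, min_requests=5):
    """Group requests by day and /24 source block (assumption: helper hosts share a
    netblock) and report robots.txt fetch, duplicate fetches, and unfollowed 301s."""
    groups = defaultdict(list)
    for day, ip, path, status in parse(log_text):
        block = '.'.join(ip.split('.')[:3])
        groups[(day, block)].append((ip, path, status))
    waves = {}
    for key, reqs in groups.items():
        if len(reqs) < min_requests:      # too small to call a scan wave
            continue
        fetchers = defaultdict(set)       # path -> hosts that requested it
        for ip, path, _ in reqs:
            fetchers[path].add(ip)
        redirected = {path for _, path, status in reqs if status == 301}
        waves[key] = {
            'hosts': len({ip for ip, _, _ in reqs}),
            'requests': len(reqs),
            'robots_txt': '/robots.txt' in fetchers,
            'duplicated': sorted(p for p, ips in fetchers.items() if len(ips) > 1),
            'unresolved_301': sorted(p for p in redirected if p + '/' not in fetchers),
        }
    return waves
```

The keys of the returned dict are (day, block) pairs, so listing them over a few weeks of logs shows which days carried a wave and lets you check the one-to-three-day cadence described above.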