Date: Sun, 23 May 1999 17:36:09 -0600 From: Brett Glass <brett@lariat.org> To: "Michael Bryan" <fbsd-security@ursine.com>, freebsd-security@FreeBSD.ORG Subject: Re: Denial of service attack from "imagelock.com" Message-ID: <4.2.0.37.19990523172757.04698960@localhost> In-Reply-To: <199905231424140440.0E81E3D5@quaggy.ursine.com> References: <4.2.0.37.19990523131810.04669d30@localhost> <4.2.0.37.19990522105949.0465d4a0@localhost> <4.2.0.37.19990522105949.0465d4a0@localhost> <4.2.0.37.19990523131810.04669d30@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
At 02:24 PM 5/23/99 -0700, Michael Bryan wrote: >Or to them directly. After I saw this thread, I went and checked our >logs, finding similar full-scale scans of our web servers. No surprise, really. If you use Altavista to search for their name, you'll find exposed Web server access logs which show that they do it to many, many servers throughout the Web. All without asking. > I wrote >a letter to 'info@imagelock.com', asking that they cease and desist of >all scans of web servers in our network. Within an hour I had a >response from 'belanger@imagelock.com'. He indicated that he had >added our domain to the "do not scan" list they maintain. So he >was at least responsive, and on a Sunday to boot. You probably received the same boilerplate letter I did. (Yes, it is a form letter.) Did it look something like this? >We have put your domain on our don't visit list. Please call me >directly at 415 392 3444, should our spider visit your site again. > >See WWW.IMAGELOCK.com for information on who we are. > >In general we have between 10 seconds and 3 minutes between request. > >If for some reason we had request grouped closer than 10 seconds, then >we must have hit some type of glitch. > >Our spider emulates a netscape browser 3.0. > >Again, please accept our applogies for any problems we may have caused. > >Ken I have so far received two messages from them with pieces of boilerplate text like the above arranged in different ways. >Of course, I then pointed out to him that what I wanted was for our >entire network range to be fully bypassed by their scans, not just >our main domain. So did I. Guess what? I received another boilerplate message similar to the first. >I think it would behoove anybody who's been hit by them to fire back >with a request that they cease and desist. Then monitor to make sure >they honor that. If they don't, complain to AboveNet, who will almost >certainly let ImageLock know they have to clean up their act. > >At the very least, perhaps this will get them to clean up their software >so that it does not hit anybody so intensely. > >Some things I noted about their scans in our log files: > >1) They -are- requesting a robots.txt file before every scan wave. >Whether or not they utilize this, I cannot tell, as we don't have >a robots.txt file in use at this time. True, but we don't want to shut out the LEGITIMATE robots. We want to block the attacks. >2) Once they start a wave, it apparently gets farmed out to several >different servers. It is possible for various files to be requested >multiple times during a wave, from several different servers. We saw this. Hundreds of requests in a few minutes. >3) They don't always seem to respond to Redirects (HTTP code 301). >We had a number of URLs that point to directories, but don't have >the trailing "/", which results in the 301 error to the client when >they come back for it. On some waves, these appear to have been >added to the queue for grabbing later in the same day, but on other >waves no subsequent lookups were done. We didn't see them responding to redirects at all. >4) It looks like they're coming in for a new full scan once every >one to three days, based on the entries in our logs. > > >All that being said, I don't think this thread should continue on this >mailing list, since it has nothing to do with FreeBSD. It has been >valuable and informative, though --- perhaps this can be continued on >a different (more appropriate) list if desired? I wasn't sure what list would be more appropriate! It *is* a security issue, because it is in effect a denial of service attack. --Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.2.0.37.19990523172757.04698960>