Paul
Admin
 Joined: Feb 22, 2002 Posts: 27332
Posted: Wed Mar 26, 2008 12:56 pm Post subject: March 26: Genesis of an attack on CastleCops
Looks like we're at the beginning of a new denial of service attack against www.castlecops.com. I'm currently investigating and mitigating. As this seems to be the start of an attack, there is the potential for it to increase.
Paul
Admin
 Joined: Feb 22, 2002 Posts: 27332
Posted: Wed Mar 26, 2008 1:56 pm
OK, top offenders initiating this new attack:
189.189.17.87
195.241.64.216
69.159.192.24
83.8.254.170
81.33.224.48
84.254.213.81
201.10.102.119
213.151.104.227
86.146.120.252
204.191.123.203
82.159.117.125
83.14.255.130
86.212.212.1
88.246.24.26
89.136.138.60
60.48.56.120
88.16.202.183
88.231.225.212
116.71.28.219
89.123.134.6
90.209.60.157
85.18.136.103
91.7.120.195
193.251.92.39
77.253.253.55
85.98.93.111
83.189.3.235
61.11.46.70
87.120.237.125
70.155.43.253
78.175.142.24
85.102.154.118
Some of the recent ones under mitigation:
70.176.3.197
75.146.75.29
83.12.79.203
69.159.192.24
201.11.187.100
81.26.141.38
76.4.226.188
88.227.43.250
200.82.89.110
Interestingly, these came in very quickly:
84.22.53.8
84.22.53.9
84.22.53.10
84.22.53.4
84.22.53.5
84.22.53.6
84.22.53.7
84.22.53.11
These followed the same signature and then disappeared. I haven't posted all the IPs.
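Added example (my own code, not something from Paul's post or from CastleCops): a short Python script that takes an attacker list like the one above, finds runs of consecutive hosts such as the 84.22.53.4 to 84.22.53.11 burst, and turns each run into the smallest set of CIDR blocks that covers exactly those addresses. The burst addresses and the handful of scattered ones are copied from the post; the function names and the min_len threshold are my own choices. Summarizing to the exact cover, rather than rounding up to the enclosing /24, is what keeps the false-positive blocks Paul worries about later in the thread to a minimum.

```python
import ipaddress

# Addresses Paul listed as arriving in quick succession with the same signature
# (copied from the post above, deliberately left in the order they appeared).
BURST_IPS = [
    "84.22.53.8", "84.22.53.9", "84.22.53.10", "84.22.53.4",
    "84.22.53.5", "84.22.53.6", "84.22.53.7", "84.22.53.11",
]

# A few of the scattered "top offenders" from the same post, for contrast.
SCATTERED_IPS = ["189.189.17.87", "195.241.64.216", "69.159.192.24", "83.8.254.170"]


def contiguous_runs(ips, min_len=2):
    """Return (first, last, count) for each run of consecutive IPv4 addresses.

    Duplicates are collapsed first, and runs shorter than ``min_len`` are
    dropped so that isolated hosts in a long block list are not reported.
    """
    addrs = sorted({ipaddress.IPv4Address(ip) for ip in ips})
    runs = []
    if not addrs:
        return runs
    start = prev = addrs[0]
    for a in addrs[1:]:
        if int(a) == int(prev) + 1:   # still consecutive, extend the run
            prev = a
            continue
        if int(prev) - int(start) + 1 >= min_len:
            runs.append((str(start), str(prev), int(prev) - int(start) + 1))
        start = prev = a
    if int(prev) - int(start) + 1 >= min_len:
        runs.append((str(start), str(prev), int(prev) - int(start) + 1))
    return runs


def run_to_cidrs(first, last):
    """Smallest set of CIDR blocks covering exactly the range first..last.

    The exact cover (instead of the enclosing /24) keeps the block list tight,
    so neighbours of the attacking hosts are not blocked along with them.
    """
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]


def block_list(ips, min_len=2):
    """CIDR strings for every run found in ``ips``; single hosts stay as /32."""
    cidrs = []
    covered = set()
    for first, last, _ in contiguous_runs(ips, min_len):
        cidrs.extend(run_to_cidrs(first, last))
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        covered.update(range(lo, hi + 1))
    for ip in sorted({ipaddress.IPv4Address(x) for x in ips}):
        if int(ip) not in covered:
            cidrs.append(f"{ip}/32")
    return cidrs


if __name__ == "__main__":
    for first, last, n in contiguous_runs(BURST_IPS):
        print(f"{first} - {last} ({n} hosts) -> {run_to_cidrs(first, last)}")
    print(block_list(BURST_IPS + SCATTERED_IPS))
```

Running it on the burst list reports one run of eight hosts covered by two /30s; the scattered addresses produce no run and stay as /32 entries.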
tembow
Blue Angel Premium Member
 Joined: Oct 10, 2005 Posts: 2420
Posted: Wed Mar 26, 2008 8:38 pm
I can use the botnet reporter as a DDOS reporter.
All I need is the IPs with timestamps, and the time zone, in a format like this:
200.82.89.110 yy-mm-dd hh:mm:ss
Paul
Admin
 Joined: Feb 22, 2002 Posts: 27332
Posted: Thu Mar 27, 2008 1:34 pm
Curious what the email looks like?
ernstl
Trooper

 Joined: Mar 17, 2008 Posts: 11 Location: USA
Posted: Thu Mar 27, 2008 3:13 pm Post subject: Re: March 26: Genesis of an attack on CastleCops
Paul wrote: "Looks like we're at the beginning of a new denial of service attack against www.castlecops.com. I'm currently investigating and mitigating. As this seems to be the start of an attack, there is the potential for it to increase."

We have been rattling a lot of cages lately and to me, this DDOS shows we are on the right track.
Ernstl
mrrockford
News Admin
 AVPE Host

 Joined: Apr 24, 2004 Posts: 2876
Posted: Thu Mar 27, 2008 5:14 pm
Howdy,
Mitigation must be working; I have almost no lag getting around right now.
161ppm 3.303s (0.414s)
1PM Central - 161ppm 0.954s (0.107s)

"Anyone who considers protocol unimportant has never dealt with a cat." L. Long
0vermind
Cadet

 Joined: Oct 15, 2007 Posts: 4 Location: USA
Posted: Thu Mar 27, 2008 7:40 pm
Hey, it's not all bad!
I mean, look at it this way:
If you're being attacked, that really just means that you are such a big threat that people try to take you down.
That means that you're doing a good job!!
Even better, they exposed themselves. Always, when I get hold of an IP address that committed a crime, I report it and call up the ISP. I did that to a user and I think they got terminated.
It's always fun to beat the idiot cybercriminals!
-Mike
tembow
Blue Angel Premium Member
 Joined: Oct 10, 2005 Posts: 2420
Posted: Thu Mar 27, 2008 7:42 pm
Paul wrote: "Curious what the email looks like?"

It has a fixed template header and trailer, with the ASN-specific data in the middle. Here is an example taken from the botnet reporter for one ISP on Jan 28. The system gathers multiple ASNs under the same ISP where applicable. In this case, there are two for the same addressee (12271 and 20001).
General format is
{insert fixed format header here re the DDOS}
In the following list, the timestamps are in time zone GMT+00. Please adjust them to your local time zone. Locate the customer connected at that IP address at those times, and take the appropriate action. All of these incidents were in the last 3 days.
Here are the IP addresses of each machine which is infected, the time stamps when first and last seen, the number of times it was observed, your Autonomous System Number, and the reverse lookup on the IP address if available.
--------------------------------------
Code:
IP ADDRESS       FIRST SEEN GMT+00    LAST SEEN GMT+00     TIMES  ASN    PTR LOOKUP
208.120.227.178  2008/01/28 23:20:33  2008/01/29 22:27:20  10     12271  user-387hoti.cable.mindspring.com.
208.120.76.209   2008/01/28 23:17:23  2008/01/29 00:24:54  23     12271  user-387gj6h.cable.mindspring.com.
64.131.146.121   2008/01/28 10:33:26  2008/01/30 05:48:57  231    12271  user-10874jp.cable.mindspring.com.
64.131.174.232   2008/01/28 16:33:08  2008/01/29 11:09:03  30     12271  user-1087bn8.cable.mindspring.com.
76.15.58.5       2008/01/28 12:36:25  2008/01/28 19:31:58  23     12271  user-160ueg5.cable.mindspring.com.
64.203.41.231    2008/01/28 10:41:17  2008/01/30 06:23:20  126    20001  user-10cmaf7.cable.mindspring.com.
--------------------------------------
{insert fixed trailer here}
If you want me to run it, you can supply your own header / trailer. All I need is the simplified log (IP + timestamp) and the time zone.
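Added example (my own code, not tembow's botnet reporter, and not from the original thread): a Python sketch of the aggregation the two posts above describe. It takes the simplified "IP yy-mm-dd hh:mm:ss" log plus the submitter's UTC offset, converts every timestamp to GMT+00, computes first seen / last seen / times per IP, attaches the ASN and PTR, and groups the rows by abuse contact so that two ASNs belonging to one ISP land in one email, as with 12271 and 20001 in the sample. The log lines, the prefix-to-ASN table, the ASN-to-contact map and the UTC offset are constructed for the example; a real run would take the ASN from a BGP or whois source and the PTR from DNS (socket.gethostbyaddr), which the offline stand-in here deliberately does not do.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in the "IP yy-mm-dd hh:mm:ss" format tembow asked for.
# Times are the submitter's local time; the offset from UTC is supplied separately.
SAMPLE_LOG = """\
200.82.89.110 08-03-26 14:02:11
200.82.89.110 08-03-26 14:02:15
84.22.53.8 08-03-26 14:05:01
84.22.53.9 08-03-26 14:05:02
84.22.54.1 08-03-26 14:06:00
this line is garbage and gets skipped
200.82.89.110 08-03-27 09:17:40
"""
SAMPLE_UTC_OFFSET_HOURS = -4   # assumed: the submitter's clock is UTC-4

# Hypothetical prefix -> ASN table and ASN -> abuse contact map. Both are made up;
# a real reporter would take the ASN from a BGP/whois lookup.
ASN_OF_PREFIX = {
    ipaddress.ip_network("200.82.89.0/24"): 65001,
    ipaddress.ip_network("84.22.53.0/24"): 65002,
    ipaddress.ip_network("84.22.54.0/24"): 65003,
}
CONTACT_OF_ASN = {
    65001: "abuse@isp-a.example",
    65002: "abuse@isp-b.example",   # two ASNs, one ISP: both go in one email
    65003: "abuse@isp-b.example",
}
TS_FMT = "%Y/%m/%d %H:%M:%S"     # the timestamp layout used in the report body


def parse_log(text, utc_offset_hours):
    """Yield (ip, aware UTC datetime) for each well-formed line; skip the rest."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, day, clock = parts
        try:
            addr = ipaddress.ip_address(ip)
            local = datetime.strptime(f"{day} {clock}", "%y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield str(addr), local.replace(tzinfo=tz).astimezone(timezone.utc)


def asn_for(ip):
    """Containment scan over the toy table (no overlapping prefixes, so no
    longest-prefix logic is needed here)."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_OF_PREFIX.items():
        if addr in net:
            return asn
    return None


def no_ptr(ip):
    """Offline stand-in for a reverse lookup (socket.gethostbyaddr needs DNS)."""
    return ""


def aggregate(text, utc_offset_hours, ptr_lookup=no_ptr, since=None):
    """Build {abuse_contact: [row, ...]} with per-IP first/last seen and hit count.

    ``since`` is a GMT+00 timestamp string in TS_FMT; older hits are dropped,
    matching the report's "all of these incidents were in the last 3 days".
    """
    cutoff = None
    if since is not None:
        cutoff = datetime.strptime(since, TS_FMT).replace(tzinfo=timezone.utc)
    seen = {}
    for ip, ts in parse_log(text, utc_offset_hours):
        if cutoff is not None and ts < cutoff:
            continue
        first, last, n = seen.get(ip, (ts, ts, 0))
        seen[ip] = (min(first, ts), max(last, ts), n + 1)
    reports = defaultdict(list)
    by_addr = sorted(seen.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    for ip, (first, last, n) in by_addr:
        asn = asn_for(ip)
        reports[CONTACT_OF_ASN.get(asn, "UNKNOWN")].append(
            {"ip": ip, "first": first, "last": last, "times": n,
             "asn": asn, "ptr": ptr_lookup(ip)})
    return dict(reports)


def render(rows):
    """The ASN-specific middle of the email; the fixed header/trailer wrap it."""
    out = ["IP ADDRESS FIRST SEEN GMT+00 LAST SEEN GMT+00 TIMES ASN PTR LOOKUP"]
    for r in rows:
        out.append(f"{r['ip']} {r['first'].strftime(TS_FMT)} "
                   f"{r['last'].strftime(TS_FMT)} {r['times']} {r['asn']} "
                   f"{r['ptr'] or '-'}")
    return "\n".join(out)


if __name__ == "__main__":
    for contact, rows in aggregate(SAMPLE_LOG, SAMPLE_UTC_OFFSET_HOURS).items():
        print(f"To: {contact}\n{render(rows)}\n")
```

The PTR column is injected as a function so the same aggregation runs offline in a test and with a real resolver in production; converting to UTC before aggregating is what makes the "GMT+00" promise in the email header true regardless of which time zone the submitter logged in.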
PCBruiser
SRT Team Lead
 Forums Admin
 Joined: May 11, 2005 Posts: 11409
Posted: Thu Mar 27, 2008 7:51 pm
@Paul, I posted something for you in AH.

Don't read? Can't learn!
StopDDoS
Trooper

 Joined: Oct 02, 2007 Posts: 31 Location: USA
Posted: Thu Mar 27, 2008 9:23 pm
If you want any help, give us a call. More IPs would be good.
www.stopddos.org
AlphaCentauri
SIRT Handler Premium Member
 Joined: Nov 20, 2003 Posts: 2301
Posted: Thu Mar 27, 2008 9:35 pm
Thanks for all you do, Paul, I know what an effort you must be putting in to allow us to keep our access to the site. And the people who benefit most will never know why there was a dead link in that email that asked them to update their banking information or download an ecard from an admirer -- but we know.
newangels
Private

 Joined: Sep 06, 2007 Posts: 47
Posted: Thu Mar 27, 2008 9:44 pm
Well, they can try. It must mean CastleCops is doing a fabulous job and they are running scared. Keep up the great work, guys; there are more of us than there are of them.
Paul
Admin
 Joined: Feb 22, 2002 Posts: 27332
Posted: Fri Mar 28, 2008 3:52 pm
The attack continues... hopefully false positive blocks are kept to a minimum.
brewt
SIRT Handler Premium Member
 Joined: May 29, 2007 Posts: 710 Location: USA
Posted: Fri Mar 28, 2008 4:00 pm
Site is very responsive.
Thanks for the hard work.