Wednesday, August 29, 2007

DDOS again - August 18, 2007

The site went live again on August 14.
Sat there quietly, almost no hits. Which means mainly search engines and some rss-readers.
Except for that, almost nothing. Several hours between hits.

Then another ddos started again a couple of hours ago (according to the log: 18/Aug/2007:11:16:11 -0700).

As I said, almost no hits.
Just a few minutes before the attack started, there was a hit from this IP: 83.174.246.78:

inetnum: 83.174.240.0 - 83.174.255.255
netname: DSL-POOL
descr: Bashinformsvyaz Company, RUMS, DSL POOL
country: RU
admin-c: IHK1-RIPE
tech-c: AAR21-RIPE
status: ASSIGNED PA
mnt-by: RUMS-MNT
source: RIPE # Filtered

person: Ilgiz H Kalmetev
address: Lenin street, 30, RUMS
address: RUSSIA, 450000, Ufa city
phone: +7 3472 001331
nic-hdl: IHK1-RIPE
e-mail: ilgiz@bashtelecom.ru
source: RIPE # Filtered

person: Alexei A. Roumyantsev
address: JSC Bashinformsvyaz
address: Lenin street, 30, RUMS
address: RUSSIA, 450000, Ufa city
phone: +7 3472 001198
nic-hdl: AAR21-RIPE
e-mail: lesha@ufamts.ru
source: RIPE # Filtered

% Information related to '83.174.240.0/20AS28812'

route: 83.174.240.0/20
descr: RU, Ufa, JSC Bashinformsvyaz, RUMS
origin: AS28812
mnt-by: RUMS-MNT
source: RIPE # Filtered

It looked like this (only the first part of each log line is shown; file hits and UA omitted):

83.174.246.78 - - [18/Aug/2007:11:10:18 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:20 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:20 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:22 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:25 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:26 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:26 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:26 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:28 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:30 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:29 -0700]
83.174.246.78 - - [18/Aug/2007:11:14:03 -0700]
83.174.246.78 - - [18/Aug/2007:11:15:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:15:28 -0700]
83.174.246.78 - - [18/Aug/2007:11:16:06 -0700]
88.236.16.74 - - [18/Aug/2007:11:16:11 -0700]

For those interested in details, the User Agent was:
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070531 Firefox/1.5.0.12 Flock/0.7.14"

So, he comes in at around 11:10, peeps a little a few minutes later, and then the attack starts.
Coincidence?
Project HoneyPot has seen that ip before.
It is a "DSL-POOL", but I don't know if that IP is dynamic or static.
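The reasoning above (a quiet log, one client poking around a few minutes before the flood, and the first "new" client of the surge marking the attack start) can be turned into a small triage script. The following is an added example, not code from the post or from the site's owner. It reads Apache combined-format lines, buckets them per minute to find the onset, lists the clients that hit the site in the ten minutes before it, and groups the attacking clients by /24 so clusters like the 165.21.154.x and 165.21.155.x runs stand out. The sample log is constructed (the 192.0.2.10 crawler address is a TEST-NET placeholder; the other addresses and the 11:10-11:16 timing are taken from the post), and the thresholds and the ten-minute lookback are assumptions.

```python
"""Find the onset of a request flood in an Apache access log and list the
clients that visited just before it, then cluster the attackers by prefix."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Apache common/combined log prefix: client, identd, user, [timestamp], "request"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, datetime) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def parse_log(lines):
    """Parse all lines, drop junk, and sort by timestamp (logs are not always ordered)."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[1])
    return events


def find_onset(events, min_requests=20, min_ips=5):
    """Bucket requests per minute. The onset is the first request in the first
    minute that reaches both thresholds (assumed values), taken from a client not
    seen in any earlier minute, so a visitor who was already poking around when
    the flood began is not mistaken for its first attacker."""
    by_minute = defaultdict(list)
    for ip, ts in events:
        by_minute[ts.replace(second=0)].append((ip, ts))
    seen = set()
    for minute in sorted(by_minute):
        bucket = by_minute[minute]
        if len(bucket) >= min_requests and len({ip for ip, _ in bucket}) >= min_ips:
            for ip, ts in bucket:
                if ip not in seen:
                    return ip, ts
        seen.update(ip for ip, _ in bucket)
    return None


def precursors(events, onset_ts, lookback=timedelta(minutes=10)):
    """Clients that hit the site in the lookback window before onset, with hit counts."""
    start = onset_ts - lookback
    return Counter(ip for ip, ts in events if start <= ts < onset_ts)


def cluster_by_prefix(ips, prefixlen=24):
    """Count attacking clients per network prefix; dense prefixes are easy blocklist candidates."""
    return Counter(str(ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in ips)


def triage(lines):
    """Run the whole pipeline over raw log lines and return a summary dict."""
    events = parse_log(lines)
    onset = find_onset(events)
    if onset is None:
        return {"onset": None}
    first_ip, onset_ts = onset
    attackers = {ip for ip, ts in events if ts >= onset_ts}
    return {
        "onset": onset_ts,
        "first_attacker": first_ip,
        "precursors": precursors(events, onset_ts),
        "attacker_count": len(attackers),
        "clusters": cluster_by_prefix(attackers),
    }


# --- constructed sample log (not a real capture) --------------------------------
def _line(ip, ts, ua="Mozilla/5.0"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 5120 "-" "{ua}"'


FLOOD_START = datetime.strptime("18/Aug/2007:11:16:11 -0700", TS_FMT)
PRECURSOR = "83.174.246.78"
ATTACKERS = ["88.236.16.74", "58.78.157.109", "165.21.154.8", "165.21.154.9",
             "165.21.154.10", "165.21.155.8", "165.21.155.10", "201.132.156.183",
             "201.132.210.118", "83.5.28.120"]

SAMPLE_LOG = [_line("192.0.2.10", FLOOD_START - timedelta(hours=3), "ExampleCrawler/1.0")]
# the precursor's visits at 11:10:18-20, 11:14:03, 11:15:27-28 and 11:16:06
SAMPLE_LOG += [_line(PRECURSOR, FLOOD_START - timedelta(seconds=s))
               for s in (353, 352, 351, 128, 44, 43, 5)]
# the flood: one attacker per second cycling through the list, three requests each
for i in range(60):
    SAMPLE_LOG += [_line(ATTACKERS[i % len(ATTACKERS)], FLOOD_START + timedelta(seconds=i))] * 3

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("onset:", summary["onset"], "first attacker:", summary["first_attacker"])
    print("precursors:", summary["precursors"].most_common(5))
    print("attacker /24s:", summary["clusters"].most_common(5))
```

On the sample the onset resolves to 88.236.16.74 at 11:16:11, the only precursor in the ten minutes before it is 83.174.246.78 with seven hits, and the 165.21.154.0/24 prefix is the densest attacker cluster. For a real log, feed `triage()` the lines of the access log and tune `min_requests` and `min_ips` to the site's normal traffic; on a site that normally sees hours between hits, the defaults are generous.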

That last IP (88.236.16.74) is the first one in the attack.
Some of the others:
58.78.157.109
58.111.188.199
59.9.153.115
59.95.166.183
61.0.121.94
61.229.138.30
62.77.65.2
62.101.165.191
62.135.70.64
66.177.151.223
74.100.191.232
76.26.232.8
78.56.52.95
80.82.38.78
80.188.34.243
80.252.53.154
81.2.60.220
81.30.51.157
81.33.104.24
81.38.63.203
81.95.236.97
82.166.224.133
82.208.72.175
83.5.28.120
83.13.202.187
83.21.7.219
83.69.111.228
84.18.110.56
84.77.149.114
86.120.46.119
87.219.247.200
87.251.96.42
88.232.98.119
88.234.161.5
88.236.16.74
88.236.18.51
88.245.19.159
88.251.110.145
89.102.230.220
124.121.182.246
125.27.158.26
125.232.112.28
165.21.154.8
165.21.154.9
165.21.154.10
165.21.154.12
165.21.154.15
165.21.154.68
165.21.154.69
165.21.154.70
165.21.154.71
165.21.154.72
165.21.154.73
165.21.154.74
165.21.154.76
165.21.154.77
165.21.154.108
165.21.154.109
165.21.154.110
165.21.154.111
165.21.154.112
165.21.154.113
165.21.154.114
165.21.154.115
165.21.154.117
165.21.155.8
165.21.155.10
165.21.155.13
165.21.155.15
165.21.155.108
165.21.155.109
165.21.155.110
165.21.155.111
165.21.155.112
165.21.155.113
165.21.155.114
165.21.155.115
165.21.155.116
165.21.155.117
189.144.99.205
189.194.67.64
190.42.41.108
195.58.241.26
195.72.251.176
195.161.213.203
200.43.232.136
200.85.47.250
201.21.121.53
201.69.117.170
201.103.68.111
201.132.156.183
201.132.210.118
201.141.195.172
201.160.116.162
201.160.168.202
203.113.40.73
203.118.97.248
203.172.60.252
207.248.45.11
211.26.23.1
212.116.219.20
217.185.5.41
219.78.136.59
222.127.223.71
222.254.28.5

Another small detail:
Only a few seconds after the attack started, there were a few hits from alertra.com.
The IPs are partially consistent with those listed at their site.
One of their services: "Get Notified When Your Site Goes Down!".
They have a free 30 day trial.
I don't think anyone at spam-court has signed up for that trial.
It is likely that the ddoser himself or the guy(s) that hired him has signed up for a trial (I doubt they have a paid service).

This time the attack lasted for about 15 hours.
We expect it to go down again, so if you find something interesting here, you should grab it before that happens.

This should be said:
Dreamhost is a fantastic host. Thank you!
