North American Network Operators Group

RE: DDOS anecdotes

  • From: Vivien M.
  • Date: Sat Jun 23 15:07:24 2001

-----Original Message-----
From: Tim Devries [mailto:[email protected]]
Sent: June 23, 2001 1:55 PM
To: 'Vivien M.'; [email protected]
Subject: RE: DDOS anecdotes

> Can you elaborate further?

Certainly, I can elaborate further. (although not in HTML... plain text is
so much more elegant)

From Mr. Gibson's page:
"<Gibson> It looks like he's lost his dynDNS
<^b0ss^> you know what serve he keeps them all on
<^b0ss^> yup
<Gibson> yeah, I have his server, but I think he's off the air
<Gibson> for now and won't be bothering me again any time soon.
<^b0ss^> we had alot of bots on ips.mine.nu
<^b0ss^> but they took it down
<^b0ss^> for illegal use"
""Wicked" and his IRC Bots communicate by logging onto an IRC server located
at the domain "wkdbots.***.**" (I have blanked the upper portion of the
domain to allow me to provide all other details.) This domain name is hosted
by a dynamic DNS service, allowing Wicked to change the location of the IRC
server, as needed, by pointing the "wkdbots" domain at a different IP
address. This highlights one of the several weaknesses of the IRC Bots
system: A single discovered Bot reveals the IRC meeting place of the entire
Bot fleet. The subsequent loss of access to their shared domain cripples the
Bot network by denying its access to its central communications hub."

We thus have the reference to dynamic DNS services twice here. Now, I ought
to mention that mine.nu is one of our domains (although ips.mine.nu was
indeed removed for AUP violations as Mr. Gibson points out). So, there's the
first reference to us. The second is the "wkdbots.***.**". It just so
happens that we provide services in a domain that's ***.**, and
coincidentally enough, there was a wkdbots.***.** in that domain.

So, I think it's fairly clear that Mr. Gibson was talking about us here
(some of our users were also able to make the wkdbots.***.** link and
emailed us pointing us to Mr. Gibson's site). What happened? Well... He
never contacted us about the wkdbots.***.**, for one thing... even though we
have a rather efficient abuse department, unlike so many of the large
companies Mr. Gibson is so eager to criticize.

Once we heard about Mr. Gibson's troubles (yay slashdot), and noticed the
two references to us, we immediately contacted Mr. Gibson to see if there
was anything we could help with, or if there was anything he wanted us to
do.

The reply came about a week later, and while I'd prefer not to post it to
NANOG, let's just say that it was effectively a form letter saying "thanks
for contacting me about the DDoS attacks. I've decided I'm just going to
move on, and have a nice life".

Suffice it to say that we were quite upset. Mr. Gibson didn't seem to have
any problems criticizing EarthLink, @Home, etc for not being responsible,
but Mr. Gibson a) never contacted us, despite the fact that abusive usage of
our services seemed to play a large role in the attacks he was a victim of,
and b) rejected our offer to help.

That, along with questionable claims on his site about magic packets that
can penetrate through NATs and similar devices, means that I have very
little confidence in Mr. Gibson from a technical perspective, although as I
said before I'd sincerely like to congratulate him on his FUD-spreading
skills.

Oh, and FWIW, wkdbots.***.** was removed promptly anyways... it now points
to a nice useless RFC 1918 IP. Should we mention that the two wicked and
b0ss people contacted us, too, wanting their hostnames/accounts back?

Vivien
--
Vivien M.
[email protected]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/