North American Network Operators Group


Tracking a DDOS

  • From: Roger Marquis
  • Date: Sun Jan 19 20:37:20 2003

One of our clients sustained a severe SMTP DDOS attack on New Year's
Day.  The DDOS was caused by a bulk mailing which had forged their
domain name in the return address.  The attack was staged over
several days from dial-up lines at fast.net (Bethlehem, PA).  We
contacted fast.net shortly after the massmail began but it continued
unabated for two additional days.  Some of the source IPs were
eventually listed by MAPS and Wirehub and they're still listed to
this date.

5 minutes after our call to fast.net's support desk we tracked a
portscan from one of their netblocks (206.245.164.0-206.245.164.255,
Internet Unlimited, at nearly the same address in Bethlehem, PA).
A quick check of the reverse DNS revealed nearly exclusive use by
porn, throw-away, and otherwise spam domains.

Though we're still tabulating damages and collecting evidence it
appears the DDOS was hosted by and allowed to continue unabated by
fast.net (aka iuinc.com) after they had knowledge of the problem,
knowledge of its source, and knowledge of its effects.

Since fast.net/iuinc.com has not replied to our email or phone calls
we're looking for anyone with information on this company, its
owners or operators, and any history of network or SMTP abuse.  All
help will be appreciated and kept confidential.

Thanks in advance,
-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
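The post's "quick check of the reverse DNS" over a /24 is a routine triage step when a scan or bounce flood is traced to a netblock: walk every address, collect PTR records, and tabulate which registrable domains the block is used for. The following is an added example written for this page, not code from Roger Marquis or from the original post. The netblock and all hostnames are constructed (TEST-NET-2 and `.test` names) so the sweep runs offline; `live_ptr` is provided as an alternative lookup for a real sweep, and the domain grouping uses a naive last-two-labels rule rather than a public suffix list.

```python
import ipaddress
import socket
from collections import Counter

# Constructed PTR answers standing in for a live reverse-DNS sweep.
# Addresses are from TEST-NET-2 (198.51.100.0/24); hostnames are made up.
# Every address not listed here is treated as having no PTR record.
SAMPLE_PTRS = {
    "198.51.100.1": "mail.example-hosting.test",
    "198.51.100.2": "smtp1.bulkmailer.test",
    "198.51.100.3": "smtp2.bulkmailer.test",
    "198.51.100.4": "www.cheap-pills.test",
    "198.51.100.5": "www.cheap-pills.test",
}


def constructed_ptr(ip):
    """Offline lookup against the constructed table; None means no PTR."""
    return SAMPLE_PTRS.get(ip)


def live_ptr(ip):
    """Real reverse lookup for an actual sweep; None on NXDOMAIN/timeouts."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def registrable_domain(hostname):
    """Collapse a hostname to its last two labels (naive, no public suffix list)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def sweep_netblock(cidr, lookup=constructed_ptr):
    """Walk every host address in cidr, resolve its PTR, and tabulate domains.

    Returns a dict with the number of hosts checked, how many had no PTR,
    a Counter of registrable domains, and the share of PTR-bearing hosts
    that belong to the single most common domain (a concentration hint).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    domains = Counter()
    total = no_ptr = 0
    for addr in net.hosts():
        total += 1
        name = lookup(str(addr))
        if name is None:
            no_ptr += 1
        else:
            domains[registrable_domain(name)] += 1
    with_ptr = total - no_ptr
    top_share = (domains.most_common(1)[0][1] / with_ptr) if with_ptr else 0.0
    return {
        "total": total,
        "no_ptr": no_ptr,
        "domains": domains,
        "top_share": top_share,
    }


def format_report(result):
    """Render the sweep result as the kind of summary one would paste into an abuse report."""
    lines = [
        f"hosts checked: {result['total']}",
        f"no PTR:        {result['no_ptr']}",
        "domains by host count:",
    ]
    for domain, count in result["domains"].most_common():
        lines.append(f"  {count:4d}  {domain}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Swap lookup=live_ptr to sweep a real netblock (slow; one query per address).
    print(format_report(sweep_netblock("198.51.100.0/24")))
```

On a real sweep, expect the run to take minutes for a /24 with many NXDOMAIN answers; batching queries with a resolver library is the usual fix, but the tabulation logic stays the same.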