North American Network Operators Group


Re: DDoS Question

  • From: Martin Hannigan
  • Date: Thu Sep 27 23:16:52 2007

On 9/27/07, Raymond L. Corbin <[email protected]> wrote:
> Did you check the source IP in the headers? My logs show that they are
> coming from a buncha residential IP addresses so it's prolly a bot
> network doing it. Most of the messages going through our servers with
> that have the domain lifeleaksfromyo.com in it, which is causing the
> messages to fail in our servers. You can always try the RBL that lists a
> lot of residential IPs in it... I think it's the PBL from Spamhaus. That
> would help limit it, as would blocking emails with the domain
> lifeleaksfromyo.com.... Other than that I'm out of ideas. What spam
> appliance are you using?


Raymond, all:

Thanks for all the responses, public and private. I have been, and still
am, watching the sources. It's uninteresting in terms of capability to
act, since it's spread out pretty widely and it's obviously difficult to
tell what will and will not cause collateral damage.

I'll capture some source traffic and put it out on the web for all the
researchers that replied looking for sample data. I think I can
probably pcap something that won't violate any privacy laws where this
is. In the meantime, here are some sources that are in the top tier of
connections:

3215    | 86.195.231.168   | AS3215 France Telecom - Orange
3269    | 87.19.141.208    | ASN-IBSNAZ TELECOM ITALIA
3320    | 84.148.13.150    | DTAG Deutsche Telekom AG
3320    | 84.148.13.150    | DTAG Deutsche Telekom AG
3320    | 84.148.13.150    | DTAG Deutsche Telekom AG
3320    | 84.148.13.150    | DTAG Deutsche Telekom AG
6746    | 89.136.159.120   | ASTRAL ASTRAL Telecom SA, Romania
7132    | 67.120.22.10     | SBIS-AS - AT&T Internet Services
9121    | 78.180.16.161    | TTNET TTnet Autonomous System
9121    | 85.108.127.90    | TTNET TTnet Autonomous System
9121    | 85.108.127.90    | TTNET TTnet Autonomous System
9121    | 85.108.127.90    | TTNET TTnet Autonomous System
10796   | 71.79.216.254    | SCRR-10796 - Road Runner HoldCo LLC
10796   | 71.79.216.254    | SCRR-10796 - Road Runner HoldCo LLC
19262   | 71.254.34.123    | VZGNI-TRANSIT - Verizon Internet Services Inc.
22773   | 64.58.163.237    | CCINET-2 - Cox Communications Inc.
25041   | 91.125.42.251    | BRIGHTVIEW-UK-AS Brightview Internet Services AS
35911   | 24.212.10.244    | BNQ-1 - Telebec
35911   | 24.212.10.244    | BNQ-1 - Telebec
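The thread raises two defender questions: how concentrated the sources are per origin AS (which decides whether a block by AS or prefix would cause the collateral damage Martin mentions) and how to check a source against a residential-range DNSBL such as the Spamhaus PBL that Raymond suggests. The script below is an added example written for this page, not code from either poster. It parses rows in the "ASN | IP | AS name" layout used above, reports hits and distinct hosts per AS, and builds the reversed-octet DNSBL query name without performing the DNS lookup, so it runs offline. The zone name `zen.spamhaus.org` is the well-known public Spamhaus zone; the sample rows are a constructed subset of the list in the message.

```python
"""Aggregate a DDoS/spam source list by origin AS and prepare DNSBL queries.

Added example for the NANOG thread above; not the posters' code.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample: a subset of the rows in the message, same layout.
SAMPLE_ROWS = """\
3215    | 86.195.231.168   | AS3215 France Telecom - Orange
3320    | 84.148.13.150    | DTAG Deutsche Telekom AG
3320    | 84.148.13.150    | DTAG Deutsche Telekom AG
9121    | 78.180.16.161    | TTNET TTnet Autonomous System
9121    | 85.108.127.90    | TTNET TTnet Autonomous System
9121    | 85.108.127.90    | TTNET TTnet Autonomous System
35911   | 24.212.10.244    | BNQ-1 - Telebec
this line is malformed and must be skipped
"""


def parse_rows(text):
    """Yield (asn, ip, as_name) for each well-formed 'ASN | IP | name' line.

    Malformed lines are skipped rather than aborting the whole report.
    """
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            continue
        asn, ip, name = parts
        try:
            asn = int(asn)
            ip = str(ip_address(ip))  # normalizes and validates the address
        except ValueError:
            continue
        yield asn, ip, name


def as_summary(text):
    """Return {asn: {"name", "hits", "hosts"}}.

    'hits' is the number of rows for the AS, 'hosts' the number of distinct
    source addresses. A high hits/hosts ratio means a few hosts dominate and
    a per-host block is enough; many distinct hosts spread across many ASes
    is the "spread out pretty widely" case where AS-level action is costly.
    """
    hits = Counter()
    hosts = defaultdict(set)
    names = {}
    for asn, ip, name in parse_rows(text):
        hits[asn] += 1
        hosts[asn].add(ip)
        names[asn] = name
    return {
        asn: {"name": names[asn], "hits": hits[asn], "hosts": len(hosts[asn])}
        for asn in hits
    }


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the reversed-octet name a DNSBL expects for an IPv4 address.

    Only the query name is constructed here; resolving it (and interpreting
    the returned 127.0.0.x code) is left to the caller's resolver.
    """
    addr = ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 DNSBL names only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


if __name__ == "__main__":
    summary = as_summary(SAMPLE_ROWS)
    for asn, info in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"AS{asn:<6} hits={info['hits']} hosts={info['hosts']}  {info['name']}")
    for _, ip, _ in parse_rows(SAMPLE_ROWS):
        print(ip, "->", dnsbl_query_name(ip))
```

Run it as-is to see the per-AS table for the sample; feed it the full list from the message (or any file in the same layout) to get the real picture before deciding what, if anything, to block.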