From maloy Wed May 21 23:42:54 2003
From: Bill Maloy
Subject: 17 seconds that changed my world
Newsgroups: news.admin.net-abuse.email
User-Agent: tin/1.4.5-20010409 ("One More Nightmare") (UNIX) (Linux/2.4.20-13.7smp (i686))

Executive Summary: Dorkslayers is dead. Please strike it from the record, remove from all query lists, etc., etc. You'll get nothing but timeout/unreachable messages if you don't. No, I'm not going to do the wildcard-DNS thing, but the loopback addresses of the abused Open Proxies of the world may soon be wondering WTF is going on.

Monday, 19 May 2003, shortly after 3:00 PM: A nan-ae post refers me to nypost.com, but Netscape times out while attempting to connect. Uh oh. (clickety click click). Hmm, inbound port on the router is saturated, again. Probably another DOS attack. 17 seconds of packet data is captured and processed in order to identify the flooder(s). Oh crap. 6400+ source addresses. What now?!

Monday, 19 May 2003, 3:30 PM: Email from the last remaining dorkslayers.com off-site secondary arrives, asking to be removed. "When ns2 goes out like it is now then my puny DSL can't keep up and it's not feasible as of now to move the dorkslayers zone to the cabinet with the real pipes." Ok, so this is the end. I'll block what I can and try to hold on for a while. [limp, limp, limp]

Tuesday, 20 May 2003, 7:00 PM: Inbound router port now completely saturated, and remains so throughout the night. Blocking the 30 most active sources at the upstream router has zero effect on the flood. No choice left but to block all DNS traffic (legitimate and otherwise) and begin a transition to a different set of nameservers. Thank you, John and Ask, for volunteering to help with the secondarying for as long as you did.
Sure, it would have been nice if a few of the higher-traffic sites listed below had also volunteered to contribute some bandwidth and some CPU cycles, but I didn't much feel like begging, and I knew I could always punt. Game over. Thanks also to the folks who implemented local caches of Dorkslayers zones prior to putting them into production. (You know who you are).

So here, without further ado, are the 100 most active sites requesting dorkslayers DNS lookups between 15:17:24.942504 and 15:17:41.469669 on Monday afternoon, contributing to the flood of traffic that helped knock my secondary DNS server off-line, flooded my private-line circuit, and made a certain developer not want to play any more. And I don't blame him one bit.

So who uses dorkslayers? Well, for the indefinite future, nobody. But for 17 seconds on Monday afternoon, the following "top 100" sites did. Not listed: 6308 others.

And for those scoring at home, the query count was Washington 857, Stanford 386. I'm sure there's some irony in there, somewhere.
Yes, I have more extensive packet logs, but I've yet to perform detailed processing of the 35 million lines captured from Tuesday evening / Wednesday morning. And if the jerk that coded those DNSBL lookups into your proxy-abusing piece-of-crap ratware is reading this, "I can make it my mission in life to track you down." The owner here is feeling litigious, and it could be that I'm going to have a bit of time on my hands.

--
Bill Maloy (brm4)
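As an added example (not the author's code or data), here is the kind of per-source counting behind the post's "queries/ip-address/domain" list, run over a constructed set of tcpdump-style query lines; it also computes what share of the flood the n busiest sources carry, which illustrates why blocking the top 30 at the upstream router had no effect against 6400+ sources. The capture lines, addresses and rDNS map are all constructed.

```python
import re
from collections import Counter
from typing import Iterable

# tcpdump-style query line, e.g.
# "15:17:25.000000 IP 192.0.2.10.1024 > 203.0.113.53.53: 0+ A? 1.2.3.0.dnsbl.example. (44)"
QUERY_RE = re.compile(r"^\S+ IP (\d{1,3}(?:\.\d{1,3}){3})\.\d+ > \S+: \S+ A\? (\S+)")

def make_sample_capture() -> list:
    """Constructed capture (not the author's real data): three heavy querying
    hosts sending 20 lookups each, plus a long tail of 300 hosts sending one."""
    lines = []
    for i, src in enumerate(("192.0.2.10", "192.0.2.11", "198.51.100.7")):
        for j in range(20):
            lines.append(f"15:17:25.{i:02d}{j:04d} IP {src}.{1024 + j} > 203.0.113.53.53: "
                         f"{j}+ A? 1.2.3.{j}.dnsbl.example. (44)")
    for k in range(300):
        lines.append(f"15:17:26.{k:06d} IP 10.0.{k // 256}.{k % 256}.5000 > 203.0.113.53.53: "
                     f"9+ A? 4.3.2.1.dnsbl.example. (44)")
    return lines

def count_queries_by_source(lines: Iterable[str]) -> Counter:
    """Count A? queries per source address; lines that are not queries are skipped."""
    counts = Counter()
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def top_sources(counts: Counter, n: int) -> list:
    """(count, ip) pairs for the n busiest sources, ascending like the post's list."""
    if n <= 0:
        return []
    return sorted((c, ip) for ip, c in counts.items())[-n:]

def share_of_top(counts: Counter, n: int) -> float:
    """Fraction of all queries sent by the n busiest sources. When thousands of
    hosts each send a few lookups this stays small, so blocking the top n alone
    does not dent the flood."""
    total = sum(counts.values())
    return sum(c for c, _ in top_sources(counts, n)) / total if total else 0.0

def queries_by_domain(counts: Counter, rdns: dict) -> Counter:
    """Roll per-IP counts up to an rDNS domain (the post's Washington/Stanford tally)."""
    by_domain = Counter()
    for ip, c in counts.items():
        by_domain[rdns.get(ip, "no rDNS")] += c
    return by_domain

if __name__ == "__main__":
    counts = count_queries_by_source(make_sample_capture())
    print(f"{len(counts)} sources, top 30 carry {share_of_top(counts, 30):.1%} of queries")
```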