Rantburg

2006-04-07 
Outrage Outage again...
Posted by Fred 2006-04-07 00:00|| Front Page

#1 I'm sorry that you constantly have to deal with these folks. Thanks for staying on top of it and keeping the 'burg open.
It's very much appreciated.
Jan
Posted by Jan 2006-04-07 00:53||   2006-04-07 00:53|| Front Page Top

#2 Nights like this, I think seriously of closing up shop. I used to have a life...
Posted by Fred 2006-04-07 00:54||   2006-04-07 00:54|| Front Page Top

#3  Little shitheads.

Anything we can do to help out, Fred?
Posted by Dan Darling 2006-04-07 00:56|| [http://www.regnumcrucis.blogspot.com]  2006-04-07 00:56|| Front Page Top

#4 Not much. I've literally been fighting this battle for a couple years.
Posted by Fred 2006-04-07 01:07||   2006-04-07 01:07|| Front Page Top

#5 One place that site visits a lot (other than the ones on the o-club) is:
http://www.mayang.com/

This guy has his wedding photos on the site. He is a Malaysian Muslim (gathered from the burka and styles)

look at the large amount of traveling this guy does. Although they may be visiting him for "TEXTURE FILES". Textures would make great "PADS" for encryption...

September - October 2005
Will and Mayang went to Denmark, Norway and Sweden


June 2005
Will and Mayang went to the Glastonbury Festival


June 2005
Mayang visited France


April 2005
Mayang visited Portugal


October 2004
We visited Morocco and spent some time in the Sahara


August 2004
We visited Thailand, Cambodia (including Angkor Wat) and Vietnam.


June 2004
We visited Sarawak, East Malaysia. See the pictures.


June 2004
We visited Sabah and climbed Mount Kinabalu. See the pictures.


May 2004
Our texture web site is now very popular. Statistics show that over 2000 people each day visit to download textures!


August 2003
We visited England again. See the pictures.

I think somebody should be profiling those servers and doing social network analysis on those servers... (HINT TO NSA)


Posted by 3dc 2006-04-07 01:08||   2006-04-07 01:08|| Front Page Top

#6  In all seriousness, if there are any particularly notorious folks who keep popping up, drop me an e-mail and I'll see if there's anything I can do.
Posted by Dan Darling 2006-04-07 01:10|| [http://www.regnumcrucis.blogspot.com]  2006-04-07 01:10|| Front Page Top

#7 Drop all requests from all German and French IP Blocks. Too bad a few have to wreck it for everyone but that's tough for the Germans and French.
Posted by SPoD 2006-04-07 01:14|| [http://sockpuppetofdoom.blogspot.com/]  2006-04-07 01:14|| Front Page Top

#8 Fred my brother in law builds servers with various operating systems for businesses and data folks. I'll call him tomorrow or drive over and ask him about IP port attacks and what can be done. 'puters and software are *NOT* my field of expertise.
..........
The hit counter shows the current IPs onboard, does anyone else get pinged at RB besides me?
Posted by RD 2006-04-07 01:26||   2006-04-07 01:26|| Front Page Top

#9 http://fixingtheweb.com/
to block countries and problem areas in linux

"ip-to-country" database file from ip-to-country.webhosting.info or the "geoip" database file from www.maxmind.com.
Posted by 3dc 2006-04-07 01:28||   2006-04-07 01:28|| Front Page Top

#10 of course you could attempt to convince all your users to use a real abnormal port like 8081 and block off all others.
Posted by 3dc 2006-04-07 01:35||   2006-04-07 01:35|| Front Page Top

#11 3dc still on board?

195.243.0.0/16
resolved to 195.243.0.0 - 195.243.255.255

Posted by RD 2006-04-07 01:43||   2006-04-07 01:43|| Front Page Top

#12 Don't give the bastards the satisfaction, Fred.
Posted by Iblis 2006-04-07 01:43||   2006-04-07 01:43|| Front Page Top

#13 domain: mayang.com
Posted by RD 2006-04-07 01:48||   2006-04-07 01:48|| Front Page Top

#14 62.156.0.0/15 resolved to


62.159.255.224 - 62.159.255.255
Posted by RD 2006-04-07 02:09||   2006-04-07 02:09|| Front Page Top

#15 for an amateur that's my best shot, LOL!

mods plz delete as needed thanks.
Posted by RD 2006-04-07 02:11||   2006-04-07 02:11|| Front Page Top

#16 
role: Deutsche Telekom LIR Role Account
address: Deutsche Telekom AG
address: Internet Services
a bit more,

195.243.0.0/16
resolved to

195.243.0.0 - 195.243.255.255

address: Ammerlaender Heerstrasse 138
address: DE 26129 Oldenburg
address: Germany
phone: +49 441 234 4501
fax-no: +49 441 234 4589
e-mail: lir.nic@t-com.net
Posted by RD 2006-04-07 02:20||   2006-04-07 02:20|| Front Page Top

#17 The hit counter shows the current IPs onboard, does anyone else get pinged at RB besides me?

I was pinged a few days ago.
Posted by 2b 2006-04-07 02:46||   2006-04-07 02:46|| Front Page Top

#18 What is pinging, and how would I know if it happened to me?
Posted by trailing wife 2006-04-07 07:09||   2006-04-07 07:09|| Front Page Top

#19 Pinging is geek for "change in life." You're far too junior to experience pinging.
Posted by Besoeker 2006-04-07 07:29||   2006-04-07 07:29|| Front Page Top

#20 Flatterer! ;-)
Posted by trailing wife 2006-04-07 07:40||   2006-04-07 07:40|| Front Page Top

#21 You must be doing something awfully good for these folks to try so hard to stop it.
Posted by Nimble Spemble 2006-04-07 08:01||   2006-04-07 08:01|| Front Page Top

#22 I wouldn't block off at the country level, either Germany (TGA) or France (JFM): They're the poor people who NEED the information you provide and the insights we provide on this wonderful site of yours, Fred. Many, many thanks. Do know that you have an influence wider than you imagine.

That's WHY they are going after you.
Posted by Ptah 2006-04-07 08:25|| [http://www.crusaderwarcollege.org]  2006-04-07 08:25|| Front Page Top

#23 You should probably look at publish through proxy and/or packet filtering on your FW / DMZ.

Ultimately you are going to have to use one of those sentinel generators, as RB allows query direct from web. We all know these, basically generates a random image with text in it, when you search you put that text string in and your params.

I doubt this is too much impact to real users of the site, as when a Human searches for something they really mean it, the bots are just trying DB / Connection DoS attack.

Anyway, you add the image generator to your search logic and this mostly goes away.
Posted by bombay 2006-04-07 09:03||   2006-04-07 09:03|| Front Page Top

#24 Fred,
Your site is the finest and most complete open source site out there. That's why they are after you. Hang in there, we need your services here.
Posted by 49 Pan 2006-04-07 09:09||   2006-04-07 09:09|| Front Page Top

#25 I'm an amateur at this but it seems you keep getting hit on the search end of the site, Thugburg etc... Password protect that part of your site and charge us to use it. Might stop the trolls from attacking.
Posted by 49 Pan 2006-04-07 09:12||   2006-04-07 09:12|| Front Page Top

#26 Don't need to do that (user, pass, security), one little 4 or 3 char image generator is all that is needed.

The system generates an image with a word in it as part of the image, not text.

Humans can read this, and enter the word / chars. Bots cannot. Each time the search page is rendered, a new word is generated in the image.

The user then enters the word/chars generated plus their search params. This will kill DB DoS attacks in their tracks.

Another huge plus, Fred, will NOT have to maintain a user security module (passwords, etc).

These image generators are well known and proven to stop these types of attacks.
Posted by bombay 2006-04-07 09:17||   2006-04-07 09:17|| Front Page Top
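
The flow described in #26, as an added example that is not part of the thread or Rantburg's own code: the server issues a fresh word per page render plus a signed, expiring, single-guess token, and the search handler checks both before touching the database. All names here (`new_challenge`, `verify`, `search`, `run_query`) are hypothetical, and drawing the word into an image is left out.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # assumption: one server process holds the key
TTL = 120                         # seconds a challenge stays valid
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no look-alike characters
_used = {}                        # nonce -> expiry, for challenges already tried


def _mac(kind, nonce, expires, word=""):
    # "kind" separates the token tag from the answer MAC so one cannot
    # be substituted for the other.
    msg = f"{kind}|{nonce}|{expires}|{word.upper()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def new_challenge(now=None, length=4):
    """Return (word, token): the word is drawn into the image, the token
    goes into a hidden form field and does not reveal the word."""
    now = time.time() if now is None else now
    word = "".join(secrets.choice(ALPHABET) for _ in range(length))
    nonce, expires = secrets.token_hex(8), int(now) + TTL
    tag = _mac("t", nonce, expires)
    return word, f"{nonce}.{expires}.{tag}.{_mac('a', nonce, expires, word)}"


def verify(token, answer, now=None):
    now = time.time() if now is None else now
    try:
        token.encode("ascii")               # reject non-ASCII input early
        nonce, expires, tag, ans = token.split(".")
        expires = int(expires)
    except (ValueError, AttributeError):
        return False
    # Authenticate the token first so forged tokens cannot fill _used.
    if not hmac.compare_digest(tag.encode(), _mac("t", nonce, expires).encode()):
        return False
    if now > expires or nonce in _used:
        return False
    for old in [n for n, e in _used.items() if e < now]:
        del _used[old]                      # forget expired nonces
    _used[nonce] = expires                  # one guess per challenge
    good = _mac("a", nonce, expires, str(answer).strip())
    return hmac.compare_digest(ans.encode(), good.encode())


def search(token, answer, terms, run_query, now=None):
    """Run the database query only after the challenge is solved."""
    if not verify(token, answer, now):
        return None                         # rejected before any DB work
    return run_query(terms)
```

A wrong guess burns the token, so a bot cannot iterate over the small word space against one challenge; it has to fetch and read a new image for every attempt.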

#27 Here is an example, ironic actually, but geektools had problems with their WhoIS DB being DoS and used for malicious reasons. They've recently gone to an image generator. Anyway, you can see what I am talking about in action here :

http://www.geektools.com/whois.php
Posted by bombay 2006-04-07 09:21||   2006-04-07 09:21|| Front Page Top

#28 That sounds like it might be a good solution. I'll look into it over the weekend.
Posted by Fred 2006-04-07 09:26||   2006-04-07 09:26|| Front Page Top

#29 Time to hit the paypal site here. Hope it helps.
Posted by 49 Pan 2006-04-07 09:29||   2006-04-07 09:29|| Front Page Top

#30 Thanks for the reminder, 49Pan. I just dropped $20. It's not enough by a long shot, but hope it helps.

Fred, have I mentioned that not only are you a mensch, you are a GOD!? ;-p
Posted by Barbara Skolaut 2006-04-07 10:05|| [http://ariellestjohndesigns.com/page/15bk1/Home_Page.html]  2006-04-07 10:05|| Front Page Top

#31 look at the large amount of traveling this guy does.

These poor oppressed muslims are real globe trotters !
Posted by jim#6 2006-04-07 10:24||   2006-04-07 10:24|| Front Page Top

#32 Should this be reported to the relevant authorities? I mean this guy sure seems like a Zealot of some sort, the Osamanaut type. lol wouldn't it be funny if you read in a few years about the man they caught meddling with net sites and now sits in Guantanamo Bay, lol.
Posted by ShepUK 2006-04-07 11:01||   2006-04-07 11:01|| Front Page Top

#33 trailing wife, "ping" is a Unix operating system term that describes one user port sending out a signal to detect if another specific port address on the system (or internet) is functioning / available. It comes from the old sonar term for bouncing acoustic signals off of an underwater object and looking for reflected signals in order to determine range and heading.

Some definitions: (from the e blogger site)

ACK /ak/ interj.
[from the ASCII mnemonic for 0000110]
1. Acknowledge. Used to register one's presence (compare mainstream *Yo!*). An appropriate response to {ping} or {ENQ}.


The opposite of ACK would be NAK or "not acknowledge".
Posted by Zenster 2006-04-07 12:10||   2006-04-07 12:10|| Front Page Top

#34 A good explanation of what is happening here.
I don't think it is those two sites (bvoe.de).
Symptoms sound like a reflection attack. See the link above for an explanation.
In a reflection attack you point to a null site, closed sockets or whatever as yourself.
(HE DID IT -->)
Posted by 3dc 2006-04-07 12:11||   2006-04-07 12:11|| Front Page Top

#35 I'm considering him a bad bot, rather than a DOS. I've seen him before, before I learned how to use IP Tables. He and a machine out of U. of Thessaloniki were the reason I had Thugburg closed down before. I reopened it after I banned Thessaloniki.
Posted by Fred 2006-04-07 12:24||   2006-04-07 12:24|| Front Page Top

#36 I banned Thessaloniki
Sounds like a first person tell all or an Ouzo Punk song.
Posted by 6 2006-04-07 12:45||   2006-04-07 12:45|| Front Page Top

#37 Yuseless islame gets the fleas of a thousand camels award.
Posted by Inspector Clueso 2006-04-07 13:50||   2006-04-07 13:50|| Front Page Top

#38 Send a nasty message to Deutsche Telekom. The Germans have nasty laws about this kind of sh$$. They also have the option of pressing legal charges and HEAVY billing costs (EU3000/min) to someone doing this. They also have the NEED to put a stop to this, because it reflects badly upon them and their clients. Who knows, they may even decide to mirror your site for a year for free to recompense you for your troubles. Or, they might decide you're a nuisance and ignore you. If the latter happens, wait until you're hit again, and report it and DT GMBH refusal to do anything to the German government. SH$$ will REALLY happen, then. Oh, and they'll do the investigating to see if it's more than just a routine DoS attack.
Posted by Old Patriot 2006-04-07 15:22|| [http://oldpatriot.blogspot.com/]  2006-04-07 15:22|| Front Page Top

#39 Full sinktrap today.
Must have something to do with free speech advocating suppressive lefty moonbat sun spot activity.
Posted by wxjames 2006-04-07 18:02||   2006-04-07 18:02|| Front Page Top

#40 Just to make clear, the '.com' above isn't THE .com. Just a troll trying to be clever.
Posted by lotp 2006-04-07 18:37||   2006-04-07 18:37|| Front Page Top

#41 One ping, Vasily.

Just 1.
Posted by anonymous2u 2006-04-07 18:39||   2006-04-07 18:39|| Front Page Top

#42 
Redacted by moderator. Comments may be redacted for trolling, violation of standards of good manners, or plain stupidity. Please correct the condition that applies and try again. Contents may be viewed in the sinktrap. Further violations may result in banning.
Posted by .com 2006-04-07 18:42||   2006-04-07 18:42|| Front Page Top

#43 LtD, right? Posting from a court library in B.C.?

Posted by SA4511 2006-04-07 18:59||   2006-04-07 18:59|| Front Page Top

#44 I think his blood pressure is rising. Let's see if the moderators can make it pop his head off.
Posted by Darrell 2006-04-07 19:03||   2006-04-07 19:03|| Front Page Top

#45 He's just killing time before meeting with his probation officer. Obviously another Religion of Peace-phyllic pedophile.
Posted by ed 2006-04-07 19:17||   2006-04-07 19:17|| Front Page Top

#46 do wild pigs eat their children?
Posted by 2b 2006-04-07 19:22||   2006-04-07 19:22|| Front Page Top

#47 Fred,

I related the port attack problems to the brother-in-law [the best I could].

He said bombay's approach would work in most instances but that it would depend on the seriousness of the attack, you may eventually need a SonicWALL packet-filtering Gateway...

but if memory serves you purchased one a few months ago correct?
Posted by RD 2006-04-07 19:34||   2006-04-07 19:34|| Front Page Top

#48 It wasn't a Sonic Wall. I cheaped out.
Posted by Fred 2006-04-07 19:48||   2006-04-07 19:48|| Front Page Top

#49 TZ-170. Good enough, usually. If anyone knows of better, specify. How much do you need?
Posted by Whiskey Mike 2006-04-07 20:26||   2006-04-07 20:26|| Front Page Top

#50 To be honest, we had to ditch SonicWall in favor of Cisco because of problems with a full time VPN we needed to establish with LM (Lockheed). Security and Performance were far better as a side benefit, though cost was pretty high compared.

Anyway, you might want to look at PIX (there are some issues, but you can take care of easily via rules and proper setup). If you are considering a swap or addition give it a consider and let me know as I got some great vendors who can get you a deal on minimally used (ie. 6 months).
Posted by bombay 2006-04-07 21:37||   2006-04-07 21:37|| Front Page Top

#51 Hi Bombay,

I don't do VPN so haven't had probs that I notice. TZ-170 is slow compared to others that cost more (packets processed/sec, yes?) but bang for buck is good all things considered for single server if not a bank. If Fred isn't doing VPN (Fred please correct), and is only doing this server, with those constraints (correctable by Fred) what is best then? I am ALWAYS willing to listen to others solutions who have same probs, and only want to help Fred here.
Posted by Whiskey Mike 2006-04-07 22:28||   2006-04-07 22:28|| Front Page Top

#52 [Off-topic or abusive comments deleted]
Posted by Yusef Islam 2006-04-07 05:46||   2006-04-07 05:46|| Front Page Top

#53 [Off-topic or abusive comments deleted]
Posted by Yusef Islam 2006-04-07 13:20||   2006-04-07 13:20|| Front Page Top

#54 [Off-topic or abusive comments deleted]
Posted by .com 2006-04-07 16:58||   2006-04-07 16:58|| Front Page Top

#55 [Off-topic or abusive comments deleted]
Posted by Conservative Dining 2006-04-07 16:52||   2006-04-07 16:52|| Front Page Top

#56 [Off-topic or abusive comments deleted]
Posted by .com 2006-04-07 18:42||   2006-04-07 18:42|| Front Page Top
