DDoS Attack in Progress.
Hi All,

DoS attack in progress, any upstream info for these guys? their phone number doesn't respond.

This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '88.247.0.0 - 88.247.79.255'

inetnum: 88.247.0.0 - 88.247.79.255
netname: TurkTelekom
descr: TT ADSL-alcatel static_ulus
country: tr
admin-c: TTBA1-RIPE
tech-c: TTBA1-RIPE
status: ASSIGNED PA "status:" definitions
mnt-by: as9121-mnt
source: RIPE # Filtered

role: TT Administrative Contact Role
address: Turk Telekom
address: Bilisim Aglari Dairesi
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 313 1950
fax-no: +90 312 313 1949
e-mail: abuse@ttnet.net.tr
admin-c: BADB3-RIPE
tech-c: ZA66-RIPE
tech-c: NO638-RIPE
tech-c: SO351-RIPE
nic-hdl: TTBA1-RIPE
mnt-by: AS9121-MNT
source: RIPE # Filtered

% Information related to '88.247.0.0/17AS9121'

route: 88.247.0.0/17
descr: TurkTelecom
origin: AS9121
mnt-by: AS9121-MNT
source: RIPE # Filtered
Not surprising -- TurkTelekom has long been known to be a hotbed of malicious activity, a known hoster for Russian/Ukrainian cyber criminals, and perhaps one of the most botnetted ISPs on the planet:

http://itw.trendmicro-europe.com/index.php?id=64

- ferg

On Fri, Oct 10, 2008 at 11:46 AM, Beavis <pfunix@gmail.com> wrote:
> Hi All,
> DoS attack in progress, any upstream info for these guys? their phone number doesn't respond.
> This is the RIPE Whois query server #1. % The objects are in RPSL format. % % Rights restricted by copyright. % See http://www.ripe.net/db/copyright.html
> % Note: This output has been filtered. % To receive output for a database update, use the "-B" flag.
> % Information related to '88.247.0.0 - 88.247.79.255'
> inetnum: 88.247.0.0 - 88.247.79.255 netname: TurkTelekom descr: TT ADSL-alcatel static_ulus country: tr admin-c: TTBA1-RIPE tech-c: TTBA1-RIPE status: ASSIGNED PA "status:" definitions mnt-by: as9121-mnt source: RIPE # Filtered
> role: TT Administrative Contact Role address: Turk Telekom address: Bilisim Aglari Dairesi address: Aydinlikevler address: 06103 ANKARA phone: +90 312 313 1950 fax-no: +90 312 313 1949 e-mail: abuse@ttnet.net.tr admin-c: BADB3-RIPE tech-c: ZA66-RIPE tech-c: NO638-RIPE tech-c: SO351-RIPE nic-hdl: TTBA1-RIPE mnt-by: AS9121-MNT source: RIPE # Filtered
> % Information related to '88.247.0.0/17AS9121'
> route: 88.247.0.0/17 descr: TurkTelecom origin: AS9121 mnt-by: AS9121-MNT source: RIPE # Filtered

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
Try,

NOC ITMC/NOC
+902125209898
itmcistanbul@turktelekom.com.tr

Mehmet

From: Paul Ferguson <fergdawgster@gmail.com>
Date: Fri, 10 Oct 2008 11:55:41 -0700
To: Beavis <pfunix@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Subject: Re: DDoS Attack in Progress.

> Not surprising -- TurkTelekom has long been known to be a hotbed of malicious activity, a known hoster for Russian/Ukrainian cyber criminals, and perhaps one of the most botnetted ISPs on the planet:
>
> http://itw.trendmicro-europe.com/index.php?id=64
>
> - ferg
>
> On Fri, Oct 10, 2008 at 11:46 AM, Beavis <pfunix@gmail.com> wrote:
> > Hi All,
> > DoS attack in progress, any upstream info for these guys? their phone number doesn't respond.
> > This is the RIPE Whois query server #1. % The objects are in RPSL format. % % Rights restricted by copyright. % See http://www.ripe.net/db/copyright.html
> > % Note: This output has been filtered. % To receive output for a database update, use the "-B" flag.
> > % Information related to '88.247.0.0 - 88.247.79.255'
> > inetnum: 88.247.0.0 - 88.247.79.255 netname: TurkTelekom descr: TT ADSL-alcatel static_ulus country: tr admin-c: TTBA1-RIPE tech-c: TTBA1-RIPE status: ASSIGNED PA "status:" definitions mnt-by: as9121-mnt source: RIPE # Filtered
> > role: TT Administrative Contact Role address: Turk Telekom address: Bilisim Aglari Dairesi address: Aydinlikevler address: 06103 ANKARA phone: +90 312 313 1950 fax-no: +90 312 313 1949 e-mail: abuse@ttnet.net.tr admin-c: BADB3-RIPE tech-c: ZA66-RIPE tech-c: NO638-RIPE tech-c: SO351-RIPE nic-hdl: TTBA1-RIPE mnt-by: AS9121-MNT source: RIPE # Filtered
> > % Information related to '88.247.0.0/17AS9121'
> > route: 88.247.0.0/17 descr: TurkTelecom origin: AS9121 mnt-by: AS9121-MNT source: RIPE # Filtered
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawgster(at)gmail.com
> ferg's tech blog: http://fergdawg.blogspot.com/
On 10 Oct 2008, at 20:46, Beavis wrote:
> Hi All,
> DoS attack in progress, any upstream info for these guys? their phone number doesn't respond.
> inetnum: 88.247.0.0 - 88.247.79.255
> netname: TurkTelekom
> descr: TT ADSL-alcatel static_ulus
> country: tr

The Spamhaus folk on this list have the address of TurkTelekom's chief security/abuse guy who would take care of this, but we would not be inclined to give his address to someone identifying themselves as "Beavis" with a gmail address.

Can you elaborate on who you are, what's being DoSsed (a router, an http server, a mail server?), and whether you can ACL the source (since you know the source is in 88.247.0.0/17, why not ACL the source at your router or at whatever device is being DoSsed).

Steve Linford
The Spamhaus Project
http://www.spamhaus.org
Sorry for the anonymity part, Steve. This is the only one email I got that is added to the NANOG List.

John Lopez
NOC Manager
Constructora Pura Vida
(506)243-018-35 Ext. 2901

On Sat, Oct 11, 2008 at 2:05 AM, Steve Linford <linford@spamhaus.org> wrote:
> On 10 Oct 2008, at 20:46, Beavis wrote:
> > Hi All,
> > DoS attack in progress, any upstream info for these guys? their phone number doesn't respond.
> > inetnum: 88.247.0.0 - 88.247.79.255 netname: TurkTelekom descr: TT ADSL-alcatel static_ulus country: tr
>
> The Spamhaus folk on this list have the address of TurkTelekom's chief security/abuse guy who would take care of this, but we would not be inclined to give his address to someone identifying themselves as "Beavis" with a gmail address. Can you elaborate on who you are, what's being DoSsed (a router, an http server, a mail server?), and whether you can ACL the source (since you know the source is in 88.247.0.0/17, why not ACL the source at your router or at whatever device is being DoSsed).
>
> Steve Linford
> The Spamhaus Project
> http://www.spamhaus.org
Beavis aka John Lopez: I, for one, am glad you're interested in stopping the abuse at its source. Thank you.

Steve Linford:
> why not ACL the source at your router or at whatever device is being
(packeted). Mr. Lopez is contributing to the welfare of the net as a whole by addressing the cause, rather than applying a bandage locally to lessen the symptom. I sincerely hope your dismissive advice is not characteristic of Spamhaus policy regarding abused hosts, considering the mission statement at the top of your homepage.

Steve Church

On Sat, Oct 11, 2008 at 4:05 AM, Steve Linford <linford@spamhaus.org> wrote:
> On 10 Oct 2008, at 20:46, Beavis wrote:
> > Hi All,
> > DoS attack in progress, any upstream info for these guys? their phone number doesn't respond.
> > inetnum: 88.247.0.0 - 88.247.79.255 netname: TurkTelekom descr: TT ADSL-alcatel static_ulus country: tr
>
> The Spamhaus folk on this list have the address of TurkTelekom's chief security/abuse guy who would take care of this, but we would not be inclined to give his address to someone identifying themselves as "Beavis" with a gmail address. Can you elaborate on who you are, what's being DoSsed (a router, an http server, a mail server?), and whether you can ACL the source (since you know the source is in 88.247.0.0/17, why not ACL the source at your router or at whatever device is being DoSsed).
>
> Steve Linford
> The Spamhaus Project
> http://www.spamhaus.org
On 11 Oct 2008, at 16:22, Steve Church wrote:
> Beavis aka John Lopez: I, for one, am glad you're interested in stopping the abuse at its source. Thank you.
>
> Steve Linford:
> > why not ACL the source at your router or at whatever device is being
> (packeted). Mr. Lopez is contributing to the welfare of the net as a whole by addressing the cause, rather than applying a bandage locally to lessen the symptom. I sincerely hope your dismissive advice is not characteristic of Spamhaus policy regarding abused hosts, considering the mission statement at the top of your homepage.
>
> Steve Church

OK, you don't know much about Spamhaus. Dealing with network abuse issues is what we do 24/7. John Lopez contacted me privately and I've given him the address of TurkTelekom's security guy, but the reality of things is that today is a Saturday and tomorrow is a Sunday. Unless TurkTelekom's guy is working weekends (unlikely), ACL'ing the source is not just an advisable option but is probably until Monday the only option.

Steve Linford
The Spamhaus Project
http://www.spamhaus.org
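The ACL option discussed above, worked through as an added example (not part of the original thread or written by any of its participants): it parses the WHOIS fields quoted in the thread, reduces the `inetnum` range to CIDR blocks, and shows that the /17 route mentioned in the reply covers more address space than the assigned range. The sample source addresses are constructed, and the function names and the Cisco-IOS-style output are assumptions made for illustration.

```python
import ipaddress
import re

# WHOIS fields as quoted in the thread (the archive flattened them onto one line).
WHOIS_TEXT = (
    "inetnum: 88.247.0.0 - 88.247.79.255 netname: TurkTelekom "
    "descr: TT ADSL-alcatel static_ulus country: tr "
    "route: 88.247.0.0/17 descr: TurkTelecom origin: AS9121"
)
# Constructed sample of observed source addresses (not from the thread).
SAMPLE_SOURCES = ["88.247.12.9", "88.247.79.255", "88.247.80.1", "192.0.2.10"]

def inetnum_to_cidrs(whois_text):
    """Convert the 'inetnum: A - B' range into the minimal set of CIDR blocks."""
    m = re.search(r"inetnum:\s*(\S+)\s*-\s*(\S+)", whois_text)
    if not m:
        raise ValueError("no inetnum range found")
    first, last = (ipaddress.IPv4Address(x) for x in m.groups())
    return list(ipaddress.summarize_address_range(first, last))

def route_prefix(whois_text):
    """Return the announced prefix from the 'route:' object."""
    m = re.search(r"route:\s*(\S+)", whois_text)
    if not m:
        raise ValueError("no route object found")
    return ipaddress.ip_network(m.group(1))

def classify(sources, assigned, announced):
    """Label each source by the narrowest scope that contains it."""
    labels = {}
    for src in sources:
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in assigned):
            labels[src] = "assigned-range"
        elif ip in announced:
            labels[src] = "announced-only"
        else:
            labels[src] = "outside"
    return labels

def acl_lines(nets):
    """Render Cisco-IOS-style wildcard-mask deny entries (syntax varies by device)."""
    return [f"deny ip {n.network_address} {n.hostmask} any" for n in nets]

if __name__ == "__main__":
    assigned = inetnum_to_cidrs(WHOIS_TEXT)
    print(acl_lines(assigned))
    print(classify(SAMPLE_SOURCES, assigned, route_prefix(WHOIS_TEXT)))
```

Filtering on the two blocks derived from the `inetnum` range leaves the rest of the /17 reachable; filtering on the whole route prefix also drops the "announced-only" addresses.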
Steve Church wrote:
> Beavis aka John Lopez: I, for one, am glad you're interested in stopping the abuse at its source. Thank you.
>
> Steve Linford:
> > why not ACL the source at your router or at whatever device is being
> (packeted). Mr. Lopez is contributing to the welfare of the net as a whole by addressing the cause, rather than applying a bandage locally to lessen the symptom. I sincerely hope your dismissive advice is not characteristic of Spamhaus policy regarding abused hosts, considering the mission statement at the top of your homepage.
>
> Steve Church

Come on, even I think Steve Linford's bonafides are strong enough that this was uncalled for.

Andrew
On Sat, Oct 11, 2008 at 7:52 PM, Steve Church <nanog@headcandy.org> wrote:
> Mr. Lopez is contributing to the welfare of the net as a whole by addressing the cause, rather than applying a bandage locally to lessen the symptom. I sincerely hope your dismissive advice is not characteristic of Spamhaus policy regarding abused hosts, considering the mission statement at the top of your homepage.

Let's put it this way. Contacts given in confidence aren't meant to be shared randomly. Or to people who don't identify themselves and post using freemail addresses. Linford seems to have shared this contact offlist with the guy, after he identified himself, so case closed.

srs

--
Suresh Ramasubramanian (ops.lists@gmail.com)
On Sat, 2008-10-11 at 08:05 +0000, Steve Linford wrote:
> On 10 Oct 2008, at 20:46, Beavis wrote:
> > Hi All,
> > DoS attack in progress, any upstream info for these guys? their phone number doesn't respond.
> > inetnum: 88.247.0.0 - 88.247.79.255 netname: TurkTelekom descr: TT ADSL-alcatel static_ulus country: tr
>
> The Spamhaus folk on this list have the address of TurkTelekom's chief security/abuse guy who would take care of this, but we would not be inclined to give his address to someone identifying themselves as "Beavis" with a gmail address. Can you elaborate on who you are, what's being DoSsed (a router, an http server, a mail server?), and whether you can ACL the source (since you know the source is in 88.247.0.0/17, why not ACL the source at your router or at whatever device is being DoSsed).

You do? I can assure you there are several people who would love to have this information. Care to share with the rest of the anti-abuse community?

Kind regards,
William Pitcock
DroneBL
participants (8)
- Andrew D Kirch
- Beavis
- Mehmet Akcin
- Paul Ferguson
- Steve Church
- Steve Linford
- Suresh Ramasubramanian
- William Pitcock