-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Sean M. Doran
Sent: June 23, 2001 11:31 AM
To: nanog@merit.edu
Subject: DDOS anecdotes

Some of you may find http://grc.com/dos/grcdos.htm very interesting.

The rest of NANOG may, as we do, wonder why Mr. Gibson, after almost naming us in that page (he didn't name _us_ directly, but left enough not-so-subtle hints that both us and our users noticed us being mentioned), chose to brush off our offers to help, claiming instead that he just wanted to move on and forget about the whole thing. (I ought to mention that it took at least a week to get a reply from Mr. Gibson)

We ended up concluding that Mr. Gibson's main goal is the distribution of large quantities of FUD. It seems, I might add, that Mr. Gibson is particularly successful at this remarkably valuable art.

Vivien
--

Can you elaborate further?

Tim

-----Original Message-----
From: Tim Devries [mailto:Tim.Devries@Q9.com]
Sent: June 23, 2001 1:55 PM
To: 'Vivien M.'; nanog@merit.edu
Subject: RE: DDOS anecdotes

Can you elaborate further?
Certainly, I can elaborate further. (although not in HTML... plain text is so much more elegant)

From Mr. Gibson's page:

"<Gibson> It looks like he's lost his dynDNS
<^b0ss^> you know what serve he keeps them all on
<^b0ss^> yup
<Gibson> yeah, I have his server, but I think he's off the air
<Gibson> for now and won't be bothering me again any time soon.
<^b0ss^> we had alot of bots on ips.mine.nu
<^b0ss^> but they took it down
<^b0ss^> for illegal use"

""Wicked" and his IRC Bots communicate by logging onto an IRC server located at the domain "wkdbots.***.**" (I have blanked the upper portion of the domain to allow me to provide all other details.) This domain name is hosted by a dynamic DNS service, allowing Wicked to change the location of the IRC server, as needed, by pointing the "wkdbots" domain at a different IP address. This highlights one of the several weaknesses of the IRC Bots system: A single discovered Bot reveals the IRC meeting place of the entire Bot fleet. The subsequent loss of access to their shared domain cripples the Bot network by denying its access to its central communications hub."

We thus have the reference to dynamic DNS services twice here. Now, I ought to mention that mine.nu is one of our domains (although ips.mine.nu was indeed removed for AUP violations as Mr. Gibson points out). So, there's the first reference to us. The second is the "wkdbots.***.**". It just so happens that we provide services in a domain that's ***.**, and coincidentally enough, there was a wkdbots.***.** in that domain. So, I think it's fairly clear that Mr. Gibson was talking about us here (some of our users were also able to make the wkdbots.***.** link and emailed us pointing us to Mr. Gibson's site).

What happened? Well... He never contacted us about the wkdbots.***.**, for one thing... even though we have a rather efficient abuse department, unlike so many of the large companies Mr. Gibson is so eager to criticize. Once we heard about Mr. Gibson's troubles (yay slashdot), and noticed the two references to us, we immediately contacted Mr. Gibson to see if there was anything we could help with, or if there was anything he wanted us to do. The reply came about a week later, and while I'd prefer not to post it to NANOG, let's just say that it was effectively a form letter saying "thanks for contacting me about the DDoS attacks. I've decided I'm just going to move on, and have a nice life".

Suffice it to say that we were quite upset. Mr. Gibson didn't seem to have any problems criticizing EarthLink, @Home, etc for not being responsible, but Mr. Gibson a) never contacted us, despite the fact that abusive usage of our services seemed to play a large role in the attacks he was a victim of, and b) rejected our offer to help. That, along with questionable claims on his site about magic packets that can penetrate through NATs and similar devices, means that I have very little confidence in Mr. Gibson from a technical perspective, although as I said before I'd sincerely like to congratulate him on his FUD-spreading skills.

Oh, and FWIW, wkdbots.***.** was removed promptly anyways... it now points to a nice useless RFC 1918 IP. Should we mention that the two wicked and b0ss people contacted us, too, wanting their hostnames/accounts back?

Vivien
--
Vivien M.
vivienm@dyndns.org
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/