Re: DDoS Attack in Progress.

2008-10-11 Thread Steve Linford

On 10 Oct 2008, at 20:46, Beavis wrote:


> Hi All,
>
>   DoS attack in progress, any upstream info for these guys? their
> phone number doesn't respond.
>
> inetnum: 88.247.0.0 - 88.247.79.255
> netname: TurkTelekom
> descr:   TT ADSL-alcatel static_ulus
> country: tr


The Spamhaus folk on this list have the address of TurkTelekom's
chief security/abuse guy who would take care of this, but we would
not be inclined to give his address to someone identifying themselves
as Beavis with a gmail address. Can you elaborate on who you are,
what's being DoSsed (a router, an http server, a mail server?), and
whether you can ACL the source (since you know the source is in
88.247.0.0/17, why not ACL the source at your router or at whatever
device is being DoSsed).


  Steve Linford
  The Spamhaus Project
  http://www.spamhaus.org





Re: DDoS Attack in Progress.

2008-10-11 Thread Beavis
Sorry for the anonymity part, Steve. This is the only email I've got
that is added to the NANOG List.


John Lopez
NOC Manager
Constructora Pura Vida
(506)243-018-35 Ext. 2901












Re: DDoS Attack in Progress.

2008-10-11 Thread Steve Church
Beavis aka John Lopez:
I, for one, am glad you're interested in stopping the abuse at its source.
Thank you.

Steve Linford:
> why not ACL the source at your router or at whatever device is being
(packeted).
Mr. Lopez is contributing to the welfare of the net as a whole by addressing
the cause, rather than applying a bandage locally to lessen the symptom.  I
sincerely hope your dismissive advice is not characteristic of Spamhaus
policy regarding abused hosts, considering the mission statement at the top
of your homepage.

Steve Church








Re: DDoS Attack in Progress.

2008-10-11 Thread Steve Linford

On 11 Oct 2008, at 16:22, Steve Church wrote:


> Beavis aka John Lopez:
> I, for one, am glad you're interested in stopping the abuse at its source.
> Thank you.
>
> Steve Linford:
>> why not ACL the source at your router or at whatever device is being
> (packeted).
> Mr. Lopez is contributing to the welfare of the net as a whole by addressing
> the cause, rather than applying a bandage locally to lessen the symptom.  I
> sincerely hope your dismissive advice is not characteristic of Spamhaus
> policy regarding abused hosts, considering the mission statement at the top
> of your homepage.
>
> Steve Church


OK, you don't know much about Spamhaus. Dealing with network abuse
issues is what we do 24/7. John Lopez contacted me privately and I've
given him the address of TurkTelekom's security guy, but the reality
of things is that today is a Saturday and tomorrow is a Sunday;
unless TurkTelekom's guy is working weekends (unlikely), ACL'ing the
source is not just an advisable option but is probably, until Monday,
the only option.


  Steve Linford
  The Spamhaus Project
  http://www.spamhaus.org
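
The source ACL discussed in this thread, worked through from the whois data posted in it. This is an added example, not part of any message in the thread; it assumes Cisco IOS-style extended ACL syntax and an unused ACL number 101, and the function names are chosen here.

```python
import ipaddress
import re

# Excerpt of the RIPE whois output posted in this thread.
WHOIS = """\
% Information related to '88.247.0.0 - 88.247.79.255'
inetnum: 88.247.0.0 - 88.247.79.255
netname: TurkTelekom
country: tr

route:   88.247.0.0/17
origin:  AS9121
"""

def parse_whois(text):
    """Return (inetnum networks, route networks) found in RPSL-style text."""
    inetnums, routes = [], []
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+):\s*(.+?)\s*$", line)
        if line.lstrip().startswith("%") or not m:
            continue  # comment or blank line
        key, value = m.group(1).lower(), m.group(2)
        if key == "inetnum":
            # An inetnum range need not be one prefix; split it into CIDR blocks.
            first, last = (ipaddress.IPv4Address(p.strip()) for p in value.split("-"))
            inetnums.extend(ipaddress.summarize_address_range(first, last))
        elif key == "route":
            routes.append(ipaddress.IPv4Network(value))
    return inetnums, routes

def acl_lines(networks, acl_id=101):
    """Build deny-by-source entries; acl_id 101 is an assumed, unused ACL number."""
    lines = [f"access-list {acl_id} deny ip {n.network_address} {n.hostmask} any"
             for n in networks]
    # IOS ACLs end in an implicit deny, so all other traffic is permitted explicitly.
    lines.append(f"access-list {acl_id} permit ip any any")
    return lines

def extra_addresses(inetnums, route):
    """Addresses inside the routed prefix that lie outside the inetnum assignment."""
    covered = sum(n.num_addresses for n in inetnums if n.subnet_of(route))
    return route.num_addresses - covered

if __name__ == "__main__":
    inetnums, routes = parse_whois(WHOIS)
    print("\n".join(acl_lines(inetnums)))
    print("a /17 ACL also covers", extra_addresses(inetnums, routes[0]), "other addresses")
```

The inetnum range splits into two prefixes, so an ACL built from it is narrower than one built from the routed /17 in the same whois output.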







Re: DDoS Attack in Progress.

2008-10-11 Thread Andrew D Kirch
Steve Church wrote:
> Beavis aka John Lopez:
> I, for one, am glad you're interested in stopping the abuse at its source.
> Thank you.
>
> Steve Linford:
>> why not ACL the source at your router or at whatever device is being
> (packeted).
> Mr. Lopez is contributing to the welfare of the net as a whole by addressing
> the cause, rather than applying a bandage locally to lessen the symptom.  I
> sincerely hope your dismissive advice is not characteristic of Spamhaus
> policy regarding abused hosts, considering the mission statement at the top
> of your homepage.
>
> Steve Church

Come on, even I think Steve Linford's bona fides are strong enough that
this was uncalled for.

Andrew



Re: DDoS Attack in Progress.

2008-10-11 Thread Suresh Ramasubramanian
On Sat, Oct 11, 2008 at 7:52 PM, Steve Church [EMAIL PROTECTED] wrote:

> Mr. Lopez is contributing to the welfare of the net as a whole by addressing
> the cause, rather than applying a bandage locally to lessen the symptom.  I
> sincerely hope your dismissive advice is not characteristic of Spamhaus
> policy regarding abused hosts, considering the mission statement at the top
> of your homepage.

Let's put it this way.  Contacts given in confidence aren't meant to be
shared randomly.  Or to people who don't identify themselves and post
using freemail addresses.  Linford seems to have shared this contact
offlist with the guy, after he identified himself, so case closed.

srs

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])



DDoS Attack in Progress.

2008-10-10 Thread Beavis
Hi All,

  DoS attack in progress, any upstream info for these guys? their
phone number doesn't respond.

 This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
%   To receive output for a database update, use the -B flag.

% Information related to '88.247.0.0 - 88.247.79.255'

inetnum: 88.247.0.0 - 88.247.79.255
netname: TurkTelekom
descr:   TT ADSL-alcatel static_ulus
country: tr
admin-c: TTBA1-RIPE
tech-c:  TTBA1-RIPE
status:  ASSIGNED PA status: definitions
mnt-by:  as9121-mnt
source:  RIPE # Filtered

role:TT Administrative Contact Role
address: Turk Telekom
address: Bilisim Aglari Dairesi
address: Aydinlikevler
address: 06103 ANKARA
phone:   +90 312 313 1950
fax-no:  +90 312 313 1949
e-mail:  [EMAIL PROTECTED]
admin-c: BADB3-RIPE
tech-c:  ZA66-RIPE
tech-c:  NO638-RIPE
tech-c:  SO351-RIPE
nic-hdl: TTBA1-RIPE
mnt-by:  AS9121-MNT
source:  RIPE # Filtered

% Information related to '88.247.0.0/17AS9121'

route:   88.247.0.0/17
descr:   TurkTelecom
origin:  AS9121
mnt-by:  AS9121-MNT
source:  RIPE # Filtered



Re: DDoS Attack in Progress.

2008-10-10 Thread Paul Ferguson

Not surprising -- TurkTelekom has long been known to be a hotbed of
malicious activity, a known hoster for Russian/Ukrainian cyber criminals,
and perhaps one of the most botnetted ISPs on the planet:

http://itw.trendmicro-europe.com/index.php?id=64

- - ferg





-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: DDoS Attack in Progress.

2008-10-10 Thread Mehmet Akcin
Try,

NOC ITMC/NOC +902125209898  [EMAIL PROTECTED]

Mehmet



From: Paul Ferguson [EMAIL PROTECTED]
Date: Fri, 10 Oct 2008 11:55:41 -0700
To: Beavis [EMAIL PROTECTED]
Cc: NANOG list nanog@nanog.org
Subject: Re: DDoS Attack in Progress.


Not surprising -- TurkTelekom has long been known to be a hotbed of
malicious activity, a known hoster for Russian/Ukrainian cyber criminals,
and perhaps one of the most botnetted ISPs on  the planet:

http://itw.trendmicro-europe.com/index.php?id=64

- - ferg





--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/




