Security Basics mailing list archives

RE: Networking and DOS attacks


From: "Jim Serino" <jim.serino () mindspring com>
Date: Wed, 3 May 2006 22:37:06 -0400

Well, since I have done extensive work on these UDP port hits and have
recorded them for over 7 months, I can assure you that the addresses are
not being spoofed as many think (and as you say they are), since I have done
serious, detailed analysis of the data that is sent in those packets. They
are nothing more than ADVERTISEMENTS. I have sent all my information to
those companies and countries involved with this scam. As such I have
at times been blacklisted through SORBS as a spammer because I have sent
legitimate information about these scams. Most of these IP addresses show up
on the SANS top 10 listing every night.

I have all the known sending IP addresses, since they continue to be the same.
It took me a full week of just going through one hour's worth of DETAILED packet
information from my firewall raw logs. That spreadsheet is 5 meg in size,
whereas the log file is only 2 meg in size. The difference is because I have
not only the sending IP address but also who is controlling it, the
advertised website name and its IP address, the company that is
maintaining it for them, and the final destination address.

This is not a joke; these are nothing more than scammers. I have kept quiet
about this and have written to Craig Wright about this and the scam. Craig's
law knowledge impressed me, and I sent him only a little of the information I
get.

Here is only a brief listing of the scammers (the advertised website is only a
jump-through site; the final destination is where the visitor ends up):

Sending IP Address | Country | Advertised website (jump-through) | IP address of website | Owner of IP address | Final destination website | IP address of final | Owner / country
202.111.173.84 | CHINA | www.helpfixpc.com | 64.214.203.136 | Global Crossing | http://www.registryupdate.com/ | 200.105.36.166 | OPTYNEX TELECOM of Panama
202.111.173.84 | CHINA | www.helpfixpc.com | 64.214.203.136 | Global Crossing | http://www.registryupdate.com/ | 200.105.36.166 | OPTYNEX TELECOM of Panama
221.5.251.242 | CHINA | http://theregfixer.com | 63.251.92.195 | eNom thru Internap | http://winregcleaner.com/?hop=xiulipc1 | 68.178.172.84 | Go Daddy Software, Inc., USA
202.99.172.130 | CHINA | www.cleanthispc.com | 67.19.13.19 | ThePlanet.com Internet Services, Inc. | http://www.registrycleaner32.com/?hop=cleanthepc | 64.111.198.131 | ISPrime, Inc., USA
202.99.172.130 | CHINA | www.cleanthispc.com | 67.19.13.19 | ThePlanet.com Internet Services, Inc. | http://www.registrycleaner32.com/?hop=cleanthepc | 64.111.198.131 | ISPrime, Inc., USA
221.221.255.9 | CHINA | www.registryalert.com | 64.214.203.136 | Global Crossing | http://www.registryupdate.com/ | 200.105.36.166 | OPTYNEX TELECOM of Panama
221.12.161.109 | CHINA | www.helpfixpc.com | 64.214.203.136 | Global Crossing | http://www.registryupdate.com/ | 200.105.36.166 | OPTYNEX TELECOM of Panama
202.111.173.83 | CHINA | www.helpfixpc.com | 64.214.203.136 | Global Crossing | http://www.registryupdate.com/ | 200.105.36.166 | OPTYNEX TELECOM of Panama
202.111.173.83 | CHINA | www.helpfixpc.com | 64.214.203.136 | Global Crossing | http://www.registryupdate.com/ | 200.105.36.166 | OPTYNEX TELECOM of Panama

So I can only hope that you can get this; this was only 9 lines that I
took out of 128 lines for just one hour's worth of detailed logs on one
November day. I have gone after them just like I have e-mail spammers, and I
have tracked many of them to websites in Holland that were owned by a big-time
spammer from Brazil; another Brazilian group didn't fare too well
when they decided to fight the police and are now in their eternal rest.

Here are some of the ads that are in the data portion of the UDP packets:

STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION...
Windows has found 55 Critical System Errors...
To fix the errors please do the following:..
1. Download Repair Registry Pro from: www.registryalert.com
2. Install Repair Registry Pro.
3. Run Repair Registry Pro.
4. Reboot your computer..
FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!..


......SYSTEM......................ALERT...........:.......:...TOP!
WINDOWS REQUIRES IMMEDIATE ATTENTION...
Windows has found 47 CRITICAL SYSTEM ERRORS!..
To fix the errors please do the following:.
1. Download Registry Repair from: www.fixms.com.
2. Install Registry Repair.
3. Run Registry Repair.
4. Reboot your computer.
FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!...


......................SYSTEM......................ALERT.........
..............
Microsoft Windows has encountered an Internal Error.
Your windows registry is corrupted...We recommend a complete system scan...
Visit. http://FixTheReg.net
To repair now...


......................System......................User.............STOP!
WINDOWS REQUIRES IMMEDIATE ATTENTION.....
Windows has found 39 CRITICAL SYSTEM ERRORS!....
To fix the errors please do the following:..
1. Download Registry Repair from: www.fixscan.com..
2. Install Registry Repair..
3. Run Registry Repair..
4. Reboot your computer..
FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!...

When you reach the final destination website, you read their privacy policy,
which says that they need to have security measures to maintain your private
information and that several of them need to install keyloggers on your
systems so that they can monitor your Internet activity. There are
registry-cleaning programs that do a far better job. I don't know how many
read Mark Russinovich's blog, but he did do a detailed report on one such
scam, and it actually downloaded the problems and then reported that you
had to pay to have your systems cleaned by another program. I have not spent
the time to install any of these scams, since I have seen more information on
far better programs that do a much better job and are free.

Now, before you tell me about disabling the Messenger service: I have had that
disabled on my Windows 2000 Pro since 2000. I also disabled it when I set up
my father's Windows XP Home system in 2002 when he first got it, long before
SP2. I have tracked all of these UDP port hits since 2001. I went after
those scammers who were sending their advertisements using NETSEND to
blast the whole Internet so that you would download their program to have
these messages stopped. The FTC shut them down, since the same information
can be gotten for FREE from Microsoft. This new breed of scammers is trying
to get people to download registry-cleaning programs or Trojan busters, but
now that they can't get through any more with XP SP2 disabling the Messenger
service, these scammers are resorting to sending out 5 to 16 messages
at a time, which now gets the user's attention because they are getting
an alert message from their firewall or modem about the attacks. So when
people like John decide to move to a faster means of Internet access and
start looking at their modem's log files, or ask why a certain website is
pinging them or sending them these continuous advertisements to scam them,
they ask why this is happening. I tell them it has always been happening for
years; it's just that they didn't know it. If they had been using Windows
98 they wouldn't see it because it didn't use Messenger, and if they got
Windows XP they were forced to download SP2, and the Windows firewall never
reported any such attacks. It wasn't until these people started on their
faster access with these more intelligent modems that people are now getting
these port attacks. It was just so many of those moving on to using their
cable modems who didn't know that the hackers had the passwords and were
using them to send spam e-mails. But after they changed the password and
disabled some other things, that stopped happening. This happened a lot in
2000 to 2002. Now these scammers are using any tactic to get traffic to
their scams in order to gather more computers into their botnets, which
continue to grow.

Traffic logs don't tell the whole story; they just tell you who is hitting
you and not why. It is in the packet details that one can actually see that
those are nothing more than advertisements trying to sell you programs to
clean your registry or to bust Trojans and viruses. Typical scare-tactic
advertisements, but they are nothing more than scams, and that is just one of
the ways these scams are operating to become botnets.


Jim Serino
Ex-DEC Field Service System Engineer/Contract OpenVMS Systems Manager with
30 years of experience in computers and networking.





-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Tuesday, May 02, 2006 12:20
To: john () johnmachell wanadoo co uk; security-basics () securityfocus com
Subject: RE: Networking and DOS attacks

  You haven't given us any clue as to whether these packets are
inbound (blocked and logged) or outbound (allowed and logged).
But since 81.79.70.215 is a UK DSL address, I'll assume that that
is you.
  Since the traffic is UDP packets, there's no guarantee that the
source address is valid.  But the consistent source port number of
the packets from 61.156.42.117 suggests that these packets come from
the same source, whereas those with different source addresses also
have different source ports -- stuff that spoofs the source address
usually doesn't randomize the source port.
  So this looks very much like a distributed Denial of Service (DoS)
attack against one IP address.  If this is a static address, then
you appear to have pissed somebody off; if this is a dynamic address,
then perhaps some user who it was previously allocated to made some
enemies who have no way of knowing that you are not he.

  Most DoS attacks work by consuming some resource, making it unavailable
for legitimate use.  A frequent target resource is bandwidth.  By the
time these packets have made it down the wire to your firewall, they've
used all the bandwidth on your DSL connection that they can, and so the
damage is done.  The only possibility of blocking the attack is from
within your ISP's network, before your DSL line is reached.

  So you need to report this to your ISP and ask for their help.  They
may or may not be willing to take any action.

David Gillett


-----Original Message-----
From: john () johnmachell wanadoo co uk
[mailto:john () johnmachell wanadoo co uk]
Sent: Tuesday, May 02, 2006 4:48 AM
To: security-basics () securityfocus com
Subject: Networking and DOS attacks

I am very new to networking. I have a Netgear ADSL
modem/router with a firewall that is set to allow all
outgoing traffic and block all incoming and to send me a
security log each day. Please could someone tell me what
the log means (see below) and whether I should be concerned
or not, as since the DOS and UDP messages started appearing I
seem to get lots of disconnections from my ISP. Cheers, John

Thu, 1970-01-01 01:00:16 - Initialize LCP.
Thu, 1970-01-01 01:00:16 - LCP is allowed to come up.
Thu, 1970-01-01 01:00:20 - CHAP authentication success
Thu, 1970-01-01 01:00:35 - Send out NTP request to time-g.netgear.com
Tue, 2006-05-02 08:57:03 - Receive NTP Reply from time-g.netgear.com
Tue, 2006-05-02 08:56:28 - Router start up
Tue, 2006-05-02 09:22:01 - UDP Packet - Source:199.2.51.139,50244 Destination:81.79.70.215,1029 - [DOS]
Tue, 2006-05-02 09:28:58 - UDP Packet - Source:222.208.168.130,49057 Destination:81.79.70.215,1033 - [DOS]
Tue, 2006-05-02 09:28:59 - UDP Packet - Source:150.64.232.13,30794 Destination:81.79.70.215,1026 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,1032 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,1033 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,4081 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,2 - [DOS]
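The following is an added example, not code from any of the posters, that turns David's reading of John's log into something checkable: it parses the Netgear "[DOS]" UDP lines as they appear in the post, groups them by claimed source address, and applies the heuristic that a run of packets sharing one source port most likely comes from a single real sender, while a lone packet says nothing about whether its source is spoofed. The log line format is assumed from the lines quoted above; the "popup-style" destination-port range is a labelled assumption based on the low ports (1026-1033) seen in the log, not a Netgear or Microsoft definition.

```python
import re
from collections import defaultdict

# Constructed sample: the UDP entries from John's Netgear firewall log, one entry per line,
# plus one non-UDP line to show it is skipped.
SAMPLE_LOG = """\
Tue, 2006-05-02 08:56:28 - Router start up
Tue, 2006-05-02 09:22:01 - UDP Packet - Source:199.2.51.139,50244 Destination:81.79.70.215,1029 - [DOS]
Tue, 2006-05-02 09:28:58 - UDP Packet - Source:222.208.168.130,49057 Destination:81.79.70.215,1033 - [DOS]
Tue, 2006-05-02 09:28:59 - UDP Packet - Source:150.64.232.13,30794 Destination:81.79.70.215,1026 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,1032 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,1033 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,4081 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,2 - [DOS]
"""

# Assumed line format (taken from the post): weekday, timestamp, then
# "UDP Packet - Source:ip,port Destination:ip,port - [DOS]".
UDP_RE = re.compile(
    r"^(?P<day>\w{3}), (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - UDP Packet - "
    r"Source:(?P<sip>\d{1,3}(?:\.\d{1,3}){3}),(?P<sport>\d+) "
    r"Destination:(?P<dip>\d{1,3}(?:\.\d{1,3}){3}),(?P<dport>\d+) - \[DOS\]$"
)

# Assumption: the low dynamic ports hit in the log (1026-1033) are what Messenger-style
# popup spam was aimed at; this range is a heuristic for this example, not a standard list.
POPUP_PORT_RANGE = range(1025, 1036)


def parse_udp_events(text):
    """Return one dict per blocked-UDP log line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = UDP_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": m["ts"],
            "sip": m["sip"], "sport": int(m["sport"]),
            "dip": m["dip"], "dport": int(m["dport"]),
        })
    return events


def summarize_by_source(events):
    """Group packets by claimed source IP and collect the source/destination ports seen."""
    summary = defaultdict(lambda: {"count": 0, "sports": set(), "dports": set()})
    for e in events:
        s = summary[e["sip"]]
        s["count"] += 1
        s["sports"].add(e["sport"])
        s["dports"].add(e["dport"])
    return dict(summary)


def classify_source(stats):
    """David's heuristic: several packets sharing one source port point to one real
    sender; a single packet cannot tell us whether its source address is spoofed."""
    if stats["count"] >= 2 and len(stats["sports"]) == 1:
        verdict = "one real sender (constant source port)"
    elif stats["count"] >= 2:
        verdict = "multiple packets, varying source port (inconclusive)"
    else:
        verdict = "single packet (source may or may not be spoofed)"
    popup = any(p in POPUP_PORT_RANGE for p in stats["dports"])
    return {"verdict": verdict, "popup_style_targets": popup}


def analyse(text):
    """Full pipeline: parse, group by source, classify. Returns {source_ip: report}."""
    return {sip: {**stats, **classify_source(stats)}
            for sip, stats in summarize_by_source(parse_udp_events(text)).items()}


if __name__ == "__main__":
    for sip, rep in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{sip:16} packets={rep['count']} sports={sorted(rep['sports'])} "
              f"dports={sorted(rep['dports'])} -> {rep['verdict']}; "
              f"popup-style targets: {rep['popup_style_targets']}")
```

Run against the sample, the 61.156.42.117 entries collapse into one sender (four packets, source port 38734 throughout, destination ports 2, 1032, 1033 and 4081), while the three other sources each appear once and stay inconclusive. That matches what David inferred by eye, and the per-source summary is the shape of evidence a user would hand to an ISP when asking it to filter upstream.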



