Security Incidents mailing list archives

RE: Distributed spam-based DoS in progress


From: "Steve Drees" <drees () rangebroadband com>
Date: Wed, 19 Feb 2003 13:43:55 -0600

At 8:25 PM -0500 2/17/03, Transistor Sister wrote:
bounced back to the originating host. The nature of the messages are so
varied that they may have been taken from a spam archive somewhere.

One theory I've heard on this is that the script kiddies are using
spam for DoS attacks under the (probably correct) assumption that if
you report it to the relevant authorities they will dismiss it as
"just being spam."  This was from someone who had in fact tried to
report such a DoS attack and received just that response.

I'm not buying it. I think there is a more obvious cause here. Spammers
spreading their load out across multiple relays. I spoke with the
original complainer and was able to correlate her problem with our
current problem. Sure, our load was lighter but we were able to trace the
problem back to two subnets. 64.119.220.0/24 and 64.119.213.0/24. Both
netblocks are allocated to the same company.

OrgName:    iWay Broadband, Inc.
OrgID:      IWBB
Address:    2075-R Corte Del Nogal
City:       Carlsbad
StateProv:  CA
PostalCode: 92009
Country:    US

NetRange:   64.119.192.0 - 64.119.223.255
CIDR:       64.119.192.0/19
NetName:    IWAY-BLK-1
NetHandle:  NET-64-119-192-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS1.IWAYNETWORKS.COM
NameServer: DNS2.IWAYNETWORKS.COM
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2001-08-30
Updated:    2002-06-04

TechHandle: ZW85-ARIN
TechName:   iWay Networks
TechPhone:  +1-760-929-2650
TechEmail:  ip () iwayhosting net
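
The subnet correlation described in the message above can be done mechanically from mail server logs. This is an added example, not part of the original post; it assumes a Postfix-style `connect from` log format, and the individual host addresses in the sample are constructed inside the netblocks the post names.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (assumption: Postfix-style smtpd log format;
# the post does not say which MTA or log format was involved).
SAMPLE_LOG = """\
Feb 17 20:01:11 mx1 postfix/smtpd[411]: connect from unknown[64.119.220.14]
Feb 17 20:01:12 mx1 postfix/smtpd[412]: connect from unknown[64.119.220.87]
Feb 17 20:01:12 mx1 postfix/smtpd[413]: connect from unknown[64.119.213.5]
Feb 17 20:01:13 mx1 postfix/smtpd[414]: connect from mail.example.org[192.0.2.25]
Feb 17 20:01:15 mx1 postfix/smtpd[415]: connect from unknown[64.119.213.201]
Feb 17 20:01:16 mx1 postfix/smtpd[416]: connect from unknown[64.119.220.14]
Feb 17 20:01:19 mx1 postfix/smtpd[417]: connect from unknown[not-an-ip]
"""

CONNECT_RE = re.compile(r"connect from \S+\[([^\]]+)\]")


def count_by_subnet(log_text, prefix_len=24):
    """Count inbound SMTP connections per enclosing IPv4 subnet."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address field, skip the line
        if addr.version != 4:
            continue  # keep the comparison to IPv4 allocations
        # strict=False masks the host bits to get the enclosing network
        counts[ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)] += 1
    return counts


def subnets_in_allocation(counts, allocation, min_hits=2):
    """Return (subnet, hits) pairs that fall inside one registry allocation."""
    alloc = ipaddress.ip_network(allocation)
    return sorted(
        (net, n) for net, n in counts.items()
        if n >= min_hits and net.subnet_of(alloc)
    )


if __name__ == "__main__":
    # CIDR taken from the whois record quoted in the post
    for net, hits in subnets_in_allocation(count_by_subnet(SAMPLE_LOG), "64.119.192.0/19"):
        print(f"{net}\t{hits} connections")
```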



