nanog mailing list archives

Re: relays.osirusoft.com

From: "Michael K. Smith" <mksmith () noanet net>
Date: Tue, 26 Aug 2003 17:36:45 -0700


On 8/26/03 4:45 PM, "Matthew Sullivan" <matthew () sorbs net> wrote:


George William Herbert wrote:

Yes, this is due to a massive DDOS.  At least three
of the spamfilter BLs have been so attacked this week.

Some of the networks represented here have not been
as timely about helping the BL providers with the
DDOSes as they could be.  Please keep in mind that
without dynamic BLs anti-spam folks will fall back
to sending out static block maps, which getting your
IP space out of will be difficult if not impossible.

IT IS VERY MUCH IN NETWORK OPERATORS
BEST INTEREST THAT THIS NOT HAPPEN.

Please take what measures are necessary to help
ensure that your customers are not intentionally
or neglegently DDOSing the BLs.

Well said George,

I have been one of the recepients of the DDoS attacks.  If people see
non DNS UDP traffic or non Type 3 ICMP traffic aimed at 203.15.51.32/27
it is likely DDoS traffic.  Currently I still have at least one IP in
that range Null Routed by upstreams.

SORBS may have to implement a subscription model soon to fund more hosts
around the world if the DDoS's continue,  I am desperately trying to
avoid it, should it become nessessary it will be for the +50k
queries/day users out there.  The point is SORBS is funded soley by
myself and through hosting dontations - I have 5 public secondaries
donated currently, and I cannot afford, personally, any DDoS proofing
other than that I have now.  I know of at least 3 other DNSbls that are
experiencing DDoS issues, and one DNSbl operator that is scared stiff of
DDoS.

Yours

Mat

Note: If anyone wants to talk about SORBS, public secondaries,
donations, policy etc... this is not the forum, please contact me off list.


Hello:

If you and others are experiencing DDOS attacks it would be a good idea to
get the affected IP's on to the various lists associated with the tracking
of such events.  If you would like me to post them, I would be happy to do
so.  Please let me know the IP blocks, other than the one mentioned above,
and I will post them to the lists.

Thanks,

Mike
-- 
Michael K. Smith          NoaNet
206.219.7116 (work)       206.579.8360 (cell)
mksmith () noanet net        http://www.noanet.net

Current thread:

relays.osirusoft.com Richard Welty (Aug 26)
- Re: relays.osirusoft.com Gary E. Miller (Aug 26)
  - Re[2]: relays.osirusoft.com Richard Welty (Aug 26)
    - Re: relays.osirusoft.com Nathan J. Mehl (Aug 27)
    - Re: relays.osirusoft.com Chris Woodfield (Aug 27)
    - Re[2]: relays.osirusoft.com Richard Welty (Aug 27)
  - Re: relays.osirusoft.com Crist Clark (Aug 26)
    - Re: relays.osirusoft.com michael (Aug 26)
- <Possible follow-ups>
- Re: Re[2]: relays.osirusoft.com George William Herbert (Aug 26)
  - Re: relays.osirusoft.com Matthew Sullivan (Aug 26)
    - Re: relays.osirusoft.com Michael K. Smith (Aug 26)
  - Re: Re[2]: relays.osirusoft.com Paul Vixie (Aug 27)
    - Re: Re[2]: relays.osirusoft.com jlewis (Aug 27)
    - Re: Re[2]: relays.osirusoft.com Margie (Aug 27)
    - Re: relays.osirusoft.com Matthew Sullivan (Aug 27)
    - Re: relays.osirusoft.com Iljitsch van Beijnum (Aug 27)
    - Re: relays.osirusoft.com Vadim Antonov (Aug 28)
- Re[2]: relays.osirusoft.com Richard Welty (Aug 26)
- Re: Re[2]: relays.osirusoft.com Paul Vixie (Aug 27)
- Re: relays.osirusoft.com Paul Vixie (Aug 27)
- Re: Re[2]: relays.osirusoft.com George William Herbert (Aug 28)