Re: What is this Very Stupid DOS Attack Script?

From: Dan Rue (drue_at_therub.org)
Date: 04/06/05

    Date: Wed, 6 Apr 2005 11:28:11 -0500
    To: Martin McCormick <martin@dc.cis.okstate.edu>
    
    

    On Wed, Apr 06, 2005 at 10:49:08AM -0500, Martin McCormick wrote:
    > We have been noticing flurries of sshd reject messages in
    > which some system out there in the hinterlands hits us with a flood of
    > ssh login attempts. An example:
    >
    > Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user
    > bruce from 67.19.58.170 port 32983 ssh2

    In my experience, these are just script kiddies goofing around. The
    only useful thing to do is to report them to abuse@ their ISP - this can
    actually be effective in some cases.

    $ whois 67.19.58.170
    OrgName: ThePlanet.com Internet Services, Inc.
    OrgID: TPCM
    Address: 1333 North Stemmons Freeway
    Address: Suite 110
    City: Dallas
    StateProv: TX
    PostalCode: 75207
    Country: US

    ...

    OrgAbuseHandle: ABUSE271-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-214-782-7802
    OrgAbuseEmail: abuse@theplanet.com

    I'm sure his ISP would like to know about his behavior - send them a
    report of his attempts. Often in my opinion it's some 13 year old who
    doesn't realize he's not anonymous on the internet. It quickly becomes
    a tedious and thankless job, but it's the best weapon you have imo.

    Also, I find on some systems it's nice to do whitelisting with
    hosts.allow to only allow connections from certain addresses. Obviously
    that is not a solution for every system, but it can work well for some.

    Dan
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
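
Added example, not part of the original message: a /bin/sh and awk helper that condenses sshd "Failed password" lines like the one quoted above into a per-source summary (attempts, distinct user names, first and last timestamp) that can be pasted into an abuse report. The function names are hypothetical, every sample line except the first is constructed, and the "invalid user" wording is what newer OpenSSH versions log in place of "illegal user".

```sh
#!/bin/sh
# Added example; not code from the thread or from the FreeBSD project.

# Constructed sample input. Only the first line is the one quoted in the
# thread; the others use documentation address ranges.
sample_log() {
cat <<'EOF'
Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2
Apr 6 05:49:44 dc sshd[12407]: Failed password for illegal user alice from 198.51.100.7 port 33010 ssh2
Apr 6 05:49:47 dc sshd[12408]: Failed password for root from 198.51.100.7 port 33051 ssh2
Apr 6 05:49:49 dc sshd[12409]: Failed password for invalid user alice from 198.51.100.7 port 33077 ssh2
Apr 6 06:02:10 dc sshd[12502]: Accepted password for martin from 192.0.2.25 port 51000 ssh2
Apr 6 06:10:03 dc sshd[12611]: Failed password for illegal user x from 203.0.113.9 port 22 ssh2 from 192.0.2.10 port 40001 ssh2
EOF
}

# Reads syslog-format sshd lines on stdin and prints, tab-separated:
#   <source ip> <attempts> <distinct users> <first seen> <last seen>
# sorted by attempt count (highest first), then by address.
summarize_ssh_failures() {
    awk '
    BEGIN { OFS = "\t" }
    /sshd\[[0-9]+\]: Failed password for / {
        # The user name is supplied by the remote side and may itself contain
        # " from <ip> port ...", so the address is taken from the END of the
        # line: "... from <ip> port <port> ssh2".
        if (NF < 14 || $(NF-4) != "from" || $(NF-2) != "port") next
        ip = $(NF-3)
        ts = $1 " " $2 " " $3
        # User name = text after "Failed password for [illegal|invalid user ]"
        # with the trailing " from <ip> port <port> ssh2" cut off.
        match($0, /Failed password for /)
        user = substr($0, RSTART + RLENGTH)
        sub(/^(illegal|invalid) user /, "", user)
        tail = " from " ip " port " $(NF-1) " " $NF
        user = substr(user, 1, length(user) - length(tail))
        if (!(ip in count)) first[ip] = ts
        count[ip]++
        last[ip] = ts          # input is assumed to be in chronological order
        if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END { for (ip in count) print ip, count[ip], users[ip], first[ip], last[ip] }
    ' | sort -t "$(printf '\t')" -k2,2nr -k1,1
}

sample_log | summarize_ssh_failures
```

On a live system, feed it the file sshd logs to (commonly /var/log/auth.log on FreeBSD) in place of `sample_log`.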

