Project 1999  

  #1  
Old 07-30-2013, 10:41 AM
Rogean Rogean is offline
I feed hamsters.

Join Date: Oct 2009
Location: Massachusetts
Posts: 4,642
Default DDoS - Epic Emu

Quote:
[Notes auto-added by email from jake@idco.co]
Greetings,
A DoS attack has affected one of our web servers for a short time, multiple times today. A packet capture recently grabbed the IP where this is originating from; as you will see in the attachment, thousands of packets are being sent from this system per second to one of our web servers. This DoS attack is originating from a DNS server, Rogean.com, at sending IP 67.23.190.76, owned by your customer Sean Norton.
We request an immediate response to this occurrence by email or via telephone at the cell number listed below, and request that you block any and all traffic from the originating IP to our systems located at the receiving IP 67.205.76.148.
We additionally request that you notify the customer of this incident, and that a DoS attack has been occurring from his servers.
We view this as a very serious matter and will take further action if these issues affect our systems further.
Thank you for your prompt regard of this matter,
--

Jake Ades
Vice President
INTERNETDEVELOPMENT
www.idco.co | jake@idco.co
p 1-800-995-4326 | c 954-369-6946
The internet is serious business.

This communication was sent from Internet Development and contains information that may be confidential or privileged. The information is solely intended for the use of the addressee. If you are not the intended recipient, be advised that any disclosure, copy, distribution, or use of the contents of this communication is prohibited. If you have received this communication in error, please immediately notify the sender by telephone or by electronic mail.
__________________
  #2  
Old 07-30-2013, 10:41 AM
Rogean Rogean is offline
I feed hamsters.

Join Date: Oct 2009
Location: Massachusetts
Posts: 4,642
Default

Quote:
Mr. Ades

My data center has forwarded me your notice that you believe one of my servers has been participating in a denial of service attack against yours. It is in fact my server that is under attack by your server, along with hundreds of others. The attack is called a DNS Amplification attack. If you look this up you will find much material covering the topic. Basically, an attacker is utilizing a DNS server in your environment (that may be an open resolver) by sending thousands of UDP packets requesting any given DNS query. Since these are UDP packets and have no handshake like TCP would, the attacker is able to spoof the IP address of my server, even though the traffic isn't originating from my network. This results in your server replying to all of these packets, directing traffic at my server. Your server has been one of many thousands attacking my server in recent days. We have been under attacks exceeding well over 1 gigabit of traffic within the last 2 weeks. Please also note that the IP you have listed (67.23.190.76) does not run a DNS server and could not be sourcing DNS traffic, but has in fact been the target of the DDoS attacks we have received.

Please see the following US-CERT article regarding this attack, and methods that can be taken to protect both parties: www.us-cert.gov/ncas/alerts/TA13-088A

Please feel free to reach out to me directly if you have any more questions or comments. I will send this directly via email as well as a response to my Data Center so that they may consider this matter closed.

Thanks,

Sean Norton

Sean Norton | Network Engineer | Ockers Company
1340 Belmont Street, Brockton, MA 02301 | 508-586-4642
__________________
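The mechanism Sean describes in the email above (spoofed UDP queries to open resolvers, with the answers landing on the victim) has a simple signature from the victim's side: DNS answers arriving from resolvers the host never queried. The following is an added example, not code from the thread or from Project 1999. It takes per-flow summaries of the kind a NetFlow export or a pcap roll-up produces, pairs inbound port-53 traffic against the host's own outbound queries, and reports the unsolicited sources as reflectors. The protected address and its served UDP ports are taken from the thread (67.23.190.76; UDP 9000 and 7000-7100); the `Flow` record shape, the 64-byte query-size assumption and every flow record and reflector address are constructed sample data.

```python
"""Detect DNS-amplification reflection traffic from the victim's side.

Added example, not part of the forum thread. Flow records and reflector
addresses are constructed (documentation ranges); the protected host and
its served ports come from the thread.
"""
from dataclasses import dataclass

PROTECTED_HOST = "67.23.190.76"
# Assumption: the spoofed query the reflector answered was a minimal
# ~64-byte request. Used only to estimate the attacker's bandwidth gain.
ASSUMED_QUERY_BYTES = 64


@dataclass(frozen=True)
class Flow:
    """One aggregated unidirectional flow (src -> dst), constructed shape."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def outbound_dns_queries(flows, host=PROTECTED_HOST):
    """Resolver addresses the host itself queried (UDP to port 53)."""
    return {f.dst_ip for f in flows
            if f.proto == "udp" and f.src_ip == host and f.dst_port == 53}


def find_reflectors(flows, host=PROTECTED_HOST, min_packets=100):
    """Return inbound DNS-answer sources the host never queried.

    A reflector is any source sending UDP from port 53 to the host when no
    matching query left the host. Sources below `min_packets` are dropped so
    a single stray answer does not create noise. Sorted by bytes, largest first.
    """
    queried = outbound_dns_queries(flows, host)
    per_src = {}
    for f in flows:
        if not (f.proto == "udp" and f.dst_ip == host and f.src_port == 53):
            continue
        if f.src_ip in queried:
            continue  # legitimate answer to a query the host actually sent
        agg = per_src.setdefault(
            f.src_ip, {"src_ip": f.src_ip, "packets": 0, "bytes": 0})
        agg["packets"] += f.packets
        agg["bytes"] += f.bytes

    report = []
    for agg in per_src.values():
        if agg["packets"] < min_packets:
            continue
        avg = agg["bytes"] / agg["packets"]
        agg["avg_bytes"] = avg
        # Gain the attacker obtained: answer size over the spoofed query size.
        agg["amp_factor"] = avg / ASSUMED_QUERY_BYTES
        report.append(agg)
    return sorted(report, key=lambda r: r["bytes"], reverse=True)


def unsolicited_dns_bytes(flows, host=PROTECTED_HOST):
    """Total bytes of reflected DNS answers delivered to the host."""
    return sum(r["bytes"] for r in find_reflectors(flows, host, min_packets=0))


# Constructed sample: two open resolvers reflecting at the host, one
# legitimate query/answer pair, and ordinary game traffic on a served port.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 53, PROTECTED_HOST, 31337, "udp", 12000, 36_000_000),
    Flow("203.0.113.9", 53, PROTECTED_HOST, 31337, "udp", 8000, 24_000_000),
    Flow(PROTECTED_HOST, 50123, "192.0.2.53", 53, "udp", 1, 70),
    Flow("192.0.2.53", 53, PROTECTED_HOST, 50123, "udp", 1, 180),
    Flow("203.0.113.50", 7000, PROTECTED_HOST, 7000, "udp", 500, 40_000),
]

if __name__ == "__main__":
    for r in find_reflectors(SAMPLE_FLOWS):
        print(f"{r['src_ip']:>15}  pkts={r['packets']:>6}  "
              f"avg={r['avg_bytes']:.0f}B  gain~{r['amp_factor']:.1f}x")
```

The per-reflector list is what a target can hand to each resolver's operator, as the exchange in this thread does in prose; the matched query/answer pair (192.0.2.53 above) shows why pairing against outbound queries matters, since a host with no DNS server may still act as a DNS client and receive legitimate answers from port 53.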
  #3  
Old 07-30-2013, 10:42 AM
Rogean Rogean is offline
I feed hamsters.

Join Date: Oct 2009
Location: Massachusetts
Posts: 4,642
Default

Quote:
Hello Sean,

If you suspected one of our network systems of launching a denial of service attack on your servers you should notify the data center immediately so it can be prevented, logs of this would also be helpful as proof of such an allegation. There are no open resolvers or DNS servers running on our systems that can allow amplification type attacks to occur. If you further believe spoofed addresses to be an issue there are ways to block your systems from accepting them.

Let me make this very clear: there is no denial of service originating from any of our systems towards any of your systems.

Understand that we do not want to pursue further legal action at this time however this message will serve as notice to cease and desist any denial of service related operations and communications of such operations on your networks, be it yourself or the users of your networks, regarding our systems and IP addresses.

We have become aware of information on a message board you are providing hosting for, located at Project1999.org, which calls for a denial of service attack against the IP address we have provided. We request that you remove any and all information regarding the IP address, calling for an attack on the IP, as well as any content relating to the IP. We further request that you inform the users who are supporting such an attack that it is a crime and, due to the location of the server, a federal crime to commit such acts, and that you as the operator do not condone or encourage them. We further request that you inform the users of your systems discussing these types of cyber attacks that, due to the location of our network systems, the crime in Canada for a denial of service attack carries a mandatory penalty of imprisonment for a term not exceeding ten years.

Currently our systems are blocking IP ranges 67.23.190.64 - 67.23.190.127 and will continue to do so. We advise you block our network addresses as well if you believe they are interrupting your service, and notify our data center at its first occurrence with proof of the IP address in question, as we have with Immedion/Netriplex in this matter.

Thank you for your prompt response.

--
Jake Ades
Vice President
INTERNETDEVELOPMENT
www.idco.co | jake@idco.co
p 1-800-995-4326 | c 954-369-6946
The internet is serious business.
This communication was sent from Internet Development and contains information that may be confidential or privileged. The information is solely intended for the use of the addressee. If you are not the intended recipient, be advised that any disclosure, copy, distribution, or use of the contents of this communication is prohibited. If you have received this communication in error, please immediately notify the sender by telephone or by electronic mail.
__________________
  #4  
Old 07-30-2013, 10:42 AM
Rogean Rogean is offline
I feed hamsters.

Join Date: Oct 2009
Location: Massachusetts
Posts: 4,642
Default

Quote:
Mr. Ades,

After taking a closer look at the IP address you mentioned, it is now making sense to me that you are responsible for hosting the website “EpicEmu.com”, whose owner has actively engaged in the past in disrupting our service through multiple methods, including the active hacking of our services. Now that you have made me aware of this information, it makes sense that they would be participating in a DDoS attack against my network – they have every motivation to do so.

Either your customer is responsible for the mess that this has escalated into, or a third party is manipulating both of us. However, let me also be clear: There is no DDoS originating from my network. The IP address you questioned – 67.23.190.76 – is a Server 2003 Box with the Firewall actively blocking all ports except ICMP Echo, and UDP Ports 9000, 7000-7100, for the very specific services we run. You specified the attack type was DNS, which is impossible as this server does not run DNS nor accept connections on that port. Furthermore, that specific IP address has been under attack itself with DNS Amplification traffic which has been causing disruptions in our service.

Regarding the messages on Project1999.org, the IPs may be listed there as the users have discovered on their own that your customer’s website and owner have been responsible for disrupting or manipulating our services in the past. We will not edit our content as here in the United States, Freedom of Speech is granted by the First Amendment, and your customer would have brought this on himself. I will however do everything in my power to ensure that our services do not participate in unlawful activity, including denial of service.

You may continue to block traffic from my servers on your network, as I will do the same.

Sean Norton | Network Engineer | Ockers Company
1340 Belmont Street, Brockton, MA 02301 | 508-586-4642
__________________
  #5  
Old 07-30-2013, 10:51 AM
Raden Raden is offline
Aviak


Join Date: Mar 2012
Posts: 67
Default

Can anyone explain this to me like I'm 5?
__________________
Raden MacLear 60 Oracle <The Mystical Order>
Domjot 60 Warlord <The Mystical Order>
Niceboots Letsfrak 60 Monk <The Mystical Order>
  #6  
Old 07-30-2013, 10:52 AM
caleros caleros is offline
Orc


Join Date: Jul 2010
Posts: 42
Default

I'm guessing we are to infer that the people at epicemu.com are behind the attacks, in an attempt to drive people away from p99 and have them start playing on their server.
  #7  
Old 07-30-2013, 10:53 AM
Vaildez Vaildez is offline
Kobold

Join Date: May 2013
Location: The Salty Maid
Posts: 166
Default

Rogean,

Had you recently blocked traffic from epicemu? Have attacks persisted after the block?
  #8  
Old 07-30-2013, 10:53 AM
Breeziyo Breeziyo is offline
Sarnak

Join Date: Feb 2012
Posts: 226
Default

Quote:
We will not edit our content as here in the United States, Freedom of Speech is granted by the First Amendment, and your customer would have brought this on himself.


Does this mean there could be an end to the DDoSing sooner than you thought?
__________________
Kaylik Viscerelle - 38 Halfling Rogue
  #9  
Old 07-30-2013, 10:55 AM
carli carli is offline
Kobold

Join Date: Jun 2013
Posts: 100
Default

i *think* this is good news. someone translate!
__________________

Veela - Cleric - 60
Lyaa - Rogue - 59
Carli - Necro - 45
<The A-Team>

http://www.twitch.tv/Lyaa6
  #10  
Old 07-30-2013, 10:58 AM
t0lkien t0lkien is offline
Fire Giant

Join Date: Nov 2010
Posts: 581
Default

Quote:
Originally Posted by Raden
Can anyone explain this to me like I'm 5?
It looks like another EverQuest server (EpicEmu.com) is at least part of the DDoS attacks on p99, whether intentionally, as Rogean suspects, or unintentionally.

Also, the tech guys at the company hosting EpicEmu.com are not checking their information carefully enough, or are out of the loop when it comes to DDoS attacks. Hence Rogean gave them a bit of polite schooling.
__________________
Last edited by t0lkien; 07-30-2013 at 11:05 AM..