North American Network Operators Group

Re: Tracking the bad guys

  • From: Eric Brunner-Williams
  • Date: Mon May 31 12:41:35 2004

Sean,

I'm looking at a different problem, spam-over-http. Here's one event, 406
inserts of the URL paxil-medication.info from a single attack node in a
weblog. The insert times and numbers of inserts/minute are below. 

07:17  1
09:22  4
09:23  45
09:24  30
09:25  32
09:26  38
09:27  22
09:28  24
09:29  8
09:30  20
09:31  14
09:32  32
09:33  31
09:34  32
09:35  22
09:36  34
09:37  17

The targeted site (my wife's political weblog) is provisioned at 128kb/s,
on a dual-processor 1GHz PIII running FreeBSD 5.2.1, so the rate limiting
factor is b/w, and the upper-bound on the number of writes is the number
of posts with "open" comments.

The attack node is 151.42.235.185 (IUnet, Italy dhcp-spam-swamp).

The Afilias whois data for paxil-medication.info is readily available; the
salient points are:
        a. the registrant Jerry Buckheimer claims domicile in American Samoa,
           and is the tech-c and admin-c,
        b. the registrar is Wild West Domains [R213-LRMS],
        c. the nameservers are ns{1,2}.dataextend.com, [67.15.0.{62,191}]
           The registrant Tunahan Korkmaz claims domicile in Turkey.
           These servers are in the address block [CIDR: 67.15.0.0/18]
           allocated by ARIN to Everyones Internet of Houston TX, and
           the registrar is NameSecure.com (also tech-c).

As a class (I've got more, I'm sure everyone who hosts blogs has too), the
attack node(s) are not interesting. Some blogware vendors offer the band-aid
of IP address (/32) blocking, and "wait" times between comments to foil robo
insertion engines, and so on. More interesting is the benefiting URL, and
the NS and registration providers that provide the persistent infrastructure
for this form of theft-of-advertising.

The economics of the registration and ns/webhosting business are not so
different from the access-isp market, leading to the abuse-desk-vacant 
syndrome, or worse -- I've got three complaints of this size or larger out
to my competitors and they are taking the fill-in-the-web-form approach to
this.

Other folks with data, or insight, drop me a line. I'll summarize.

Eric
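The per-minute insert counts Eric tabulates above, and the "wait time between comments" mitigation he mentions, both reduce to simple aggregation over the comment-insert log. The following is an added example, not code from the post or from any blogware vendor; it assumes a constructed one-line-per-insert log format (`<ISO timestamp> <source IP> <URL in comment>`) and picks the thresholds (10 inserts/minute, 30 seconds minimum gap) arbitrarily for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log. The IP and URL are the ones named in the post;
# the timestamps are invented: one insert at 07:17, then 30 inserts two
# seconds apart during 09:23, plus one ordinary comment from another host.
SAMPLE_LOG = "\n".join(
    ["2004-05-31T07:17:02 151.42.235.185 http://paxil-medication.info/"]
    + [f"2004-05-31T09:23:{s:02d} 151.42.235.185 http://paxil-medication.info/"
       for s in range(0, 60, 2)]
    + ["2004-05-31T09:23:30 198.51.100.7 http://example.org/"]
)


def parse_line(line):
    """Split one log line into (datetime, source IP, URL)."""
    ts, ip, url = line.split()
    return datetime.fromisoformat(ts), ip, url


def per_minute_counts(log_text):
    """Count inserts per (source IP, URL, HH:MM), the view shown in the post."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ts, ip, url = parse_line(line)
        counts[(ip, url, ts.strftime("%H:%M"))] += 1
    return dict(counts)


def flag_bursts(log_text, max_per_minute=10, min_gap_seconds=30):
    """Return (bursts, too_fast): per-minute buckets over max_per_minute,
    and source IPs that posted again sooner than min_gap_seconds (the
    "wait time" rule), evaluated in timestamp order per source."""
    bursts = {key: n for key, n in per_minute_counts(log_text).items()
              if n > max_per_minute}
    records = sorted(parse_line(l) for l in log_text.splitlines())
    last_seen, too_fast = {}, set()
    for ts, ip, _ in records:
        if ip in last_seen and (ts - last_seen[ip]).total_seconds() < min_gap_seconds:
            too_fast.add(ip)
        last_seen[ip] = ts
    return bursts, sorted(too_fast)


if __name__ == "__main__":
    bursts, too_fast = flag_bursts(SAMPLE_LOG)
    for (ip, url, minute), n in sorted(bursts.items()):
        print(f"{minute}  {n:3d}  {ip}  {url}")
    print("too fast:", too_fast)
```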