[39525] in North American Network Operators' Group
RE: Speaking of DDoS attacks
daemon@ATHENA.MIT.EDU (Rowland, Alan D)
Thu Jul 12 19:23:05 2001
Message-ID: <1BEE67ADF602D3119F9A0008C79174C70EC86FDE@PETRIFIED>
From: "Rowland, Alan D" <alan_r1@corp.earthlink.net>
To: 'Robert Cannon' <rcannon101@yahoo.com>, nanog@merit.edu
Date: Thu, 12 Jul 2001 16:22:30 -0700
MIME-Version: 1.0
Content-Type: text/plain;
charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Errors-To: owner-nanog-outgoing@merit.edu
In my humble opinion it looks like something at your mail server.

198.108.1.26 is trapdoor.merit.edu, their mail server, which appears to be
re-sending the original 10 Jul mail.

The original hit their mail server 10 Jul. This copy was forwarded to your
XXX (is this the actual header or are you protecting the innocent?) on 12
Jul.

Your work mail server may not be properly acknowledging receipt of the list
mail so Merit's server continues to re-send (for the default 4 days?) until
the resend TTL.

A trace to 165.135.0.253 dies at 500.Serial2-2.GW1.HNL2.ALTER.NET so I'm not
sure what's hanging there but I'd look at your mail agent configuration.

A second possibility is some non-standard character in your work mail
address. You don't say what it is but if there is a character in it that is
benign on your system but meaningful to Merit's mail system, there may be a
problem.

I've been the victim of a similar "attack" in the past as a result of the _
in my address.

Just my 2¢

-Al
-----Original Message-----
From: Robert Cannon [mailto:rcannon101@yahoo.com]
Sent: Thursday, July 12, 2001 1:46 PM
To: nanog@merit.edu
Subject: Speaking of DDoS attacks
Speaking of DDOS attacks, there seems to be one going
on associated with the NANOG list. I was wondering if
anyone could offer insight.
At my work address, I have received the same email
from NANOG about every 10 - 15 minutes. I have
received hundreds of copies of this email. Yet at
this address I do not receive the repeated copies (and
no one else on the list appears to have complained).
If I look at the header of the email, the last hop, if
I am reading it correctly, is named
"zombie.la.interpacket.net" by
mrbig.la.interpacket.net. I have since unsubscribed
from NANOG from my work address yet still receive the
emails. Also, this has been going on for over a week
(since a rule filters all my nanog email into a
folder, it has not bothered me too much) - every few
days, the email that I am repeatedly hit with changes.
Currently, the email I am being hit with is "OT: The
End of Empire."
Below I have pasted the header of the email.
I would be curious to hear people's thoughts about
this. Is this a type of a DDOS? Anyone familiar
with it?
-B
Received: from XXXX ([165.135.0.253])
    by XXXX; Thu, 12 Jul 2001 16:01:40 -0400
Received: by XXXX; id QAA14070; Thu, 12 Jul 2001 16:01:38 -0400 (EDT)
Received: from unknown(198.108.1.26) by XXXX via smap (V5.5)
    id xmaa13982; Thu, 12 Jul 01 16:00:42 -0400
Received: by trapdoor.merit.edu (Postfix)
    id BB70F91231; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Delivered-To: nanog-outgoing@trapdoor.merit.edu
Received: by trapdoor.merit.edu (Postfix, from userid 56)
    id 896EB91251; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Delivered-To: nanog@trapdoor.merit.edu
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
    by trapdoor.merit.edu (Postfix) with ESMTP id 83A3791231
    for <nanog@trapdoor.merit.edu>; Tue, 10 Jul 2001 14:35:29 -0400 (EDT)
Received: by segue.merit.edu (Postfix)
    id 79E335DE1A; Tue, 10 Jul 2001 14:36:58 -0400 (EDT)
Delivered-To: nanog@merit.edu
Received: from bond.interpacket.net (us-la-gate.interpacket.net [209.198.223.250])
    by segue.merit.edu (Postfix) with SMTP id ECF9A5DDD8
    for <nanog@merit.edu>; Tue, 10 Jul 2001 14:36:57 -0400 (EDT)
Received: (qmail 31855 invoked from network); 10 Jul 2001 18:35:43 -0000
Received: from mrbig.la.interpacket.net (192.168.6.5)
    by bond.la.interpacket.net with SMTP; 10 Jul 2001 18:35:42 -0000
Received: from [192.168.4.53] (zombie.la.interpacket.net [192.168.4.53])
    by mrbig.la.interpacket.net with SMTP
    (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
    id N6TNP8LB; Tue, 10 Jul 2001 11:39:32 -0700
Mime-Version: 1.0
X-Sender: mikey@popmail.la.interpacket.net
Message-Id: <a05010406b770fb74762d@[192.168.4.53]>
Date: Tue, 10 Jul 2001 11:35:52 -0700
To: nanog@merit.edu
From: Mikey Wilsker <mikey@interpacket.net>
Subject: OT: The End of Empire
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-nanog@merit.edu
Precedence: bulk
Errors-To: owner-nanog-outgoing@merit.edu
X-Loop: nanog
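
Added example (not part of either message in this thread): the reading of the pasted header that the reply describes, done in Python. It parses the timestamp on each Received line and reports the pair of hops with the longest delay between them; SAMPLE holds the six newest Received lines from the pasted header, and the function names are this example's own.

```python
import calendar
from email import message_from_string
from email.utils import parsedate_tz

# The six newest Received lines from the header pasted in the message above
# (newest hop first, as a mail header lists them).
SAMPLE = """\
Received: from XXXX ([165.135.0.253])
    by XXXX; Thu, 12 Jul 2001 16:01:40 -0400
Received: by XXXX; id QAA14070; Thu, 12 Jul 2001 16:01:38 -0400 (EDT)
Received: from unknown(198.108.1.26) by XXXX via smap (V5.5)
    id xmaa13982; Thu, 12 Jul 01 16:00:42 -0400
Received: by trapdoor.merit.edu (Postfix)
    id BB70F91231; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Received: by trapdoor.merit.edu (Postfix, from userid 56)
    id 896EB91251; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
    by trapdoor.merit.edu (Postfix) with ESMTP id 83A3791231
    for <nanog@trapdoor.merit.edu>; Tue, 10 Jul 2001 14:35:29 -0400 (EDT)
Subject: OT: The End of Empire

"""

def hop_times(raw_headers):
    """Return [(epoch_utc, received_text)] with the oldest hop first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())            # unfold continuation lines
        # The timestamp is whatever follows the last ';' in a Received line.
        parsed = parsedate_tz(text.rsplit(";", 1)[-1])
        if parsed is None:                         # no usable date: skip hop
            continue
        # parsed[9] is the UTC offset in seconds; "-0000" yields None (UTC).
        hops.append((calendar.timegm(parsed[:6]) - (parsed[9] or 0), text))
    return hops[::-1]

def longest_delay(raw_headers):
    """Return (seconds, earlier_hop, later_hop) for the largest gap."""
    hops = hop_times(raw_headers)
    gaps = [(b[0] - a[0], a[1], b[1]) for a, b in zip(hops, hops[1:])]
    return max(gaps, key=lambda g: g[0]) if gaps else None

if __name__ == "__main__":
    seconds, earlier, later = longest_delay(SAMPLE)
    print(f"{seconds / 3600:.1f} h between:\n  {earlier}\n  {later}")
```

On these lines the largest gap is about 49 hours, between the message being queued at trapdoor.merit.edu on 10 Jul and its receipt from 198.108.1.26 on 12 Jul. Small negative gaps between other hops would indicate clock skew between servers, not delay.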