Speaking of DDoS attacks

Rowland, Alan D alan_r1 at corp.earthlink.net
Thu Jul 12 23:22:30 UTC 2001


In my humble opinion it looks like something at your mail server.

198.108.1.26 is trapdoor.merit.edu, their mail server, which appears to be
re-sending the original 10 Jul mail.

The original hit their mail server 10 Jul. This copy was forwarded to your
XXX (is this the actual header or are you protecting the innocent?) on 12
Jul.

Your work mail server may not be properly acknowledging receipt of the list
mail so Merit's server continues to re-send (for the default 4 days?) until
the resend TTL.

A trace to 165.135.0.253 dies at 500.Serial2-2.GW1.HNL2.ALTER.NET so I'm not
sure what's hanging there but I'd look at your mail agent configuration.

A second possibility is some non-standard character in your work mail
address. You don't say what it is but if there is a character in it that is
benign on your system but meaningful to Merit's mail system, there may be a
problem.

I've been the victim of a similar "attack" in the past as a result of the _
in my address.

Just my 2¢

-Al

-----Original Message-----
From: Robert Cannon [mailto:rcannon101 at yahoo.com]
Sent: Thursday, July 12, 2001 1:46 PM
To: nanog at merit.edu
Subject: Speaking of DDoS attacks



Speaking of DDOS attacks, there seems to be one going
on associated with the NANOG list.  I was wondering if
anyone could offer insight.

At my work address, I have received the same email
from NANOG about every 10 - 15 minutes.  I have
received hundreds of copies of this email.  Yet at
this address I do not receive the repeated copies (and
no one else on the list appears to have complained). 
If I look at the header of the email, the last hop, if
I am reading it correctly, is named
"zombie.la.interpacket.net" by
mrbig.la.interpacket.net.  I have since unsubscribed
from NANOG from my work address yet still receive the
emails.  Also, this has been going on for over a week
(since a rule filters all my nanog email into a
folder, it has not bothered me too much) - every few
days, the email that I am repeatedly hit with changes.
 Currently, the email I am being hit with is "OT: The
End of Empire."

Below I have pasted the header of the email

I would be curious to hear people's thoughts about
this.   Is this a type of a DDOS?  Anyone familiar
with it?

-B


Received: from XXXX
	([165.135.0.253])
	by XXXX; Thu, 12 Jul 2001 16:01:40 -0400
Received: by XXXX; id QAA14070; Thu, 12 Jul 2001
16:01:38 -0400 (EDT)
Received: from unknown(198.108.1.26) by XXXX via smap
(V5.5)
	id xmaa13982; Thu, 12 Jul 01 16:00:42 -0400
Received: by trapdoor.merit.edu (Postfix)
	id BB70F91231; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Delivered-To: nanog-outgoing at trapdoor.merit.edu
Received: by trapdoor.merit.edu (Postfix, from userid
56)
	id 896EB91251; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Delivered-To: nanog at trapdoor.merit.edu
Received: from segue.merit.edu (segue.merit.edu
[198.108.1.41])
	by trapdoor.merit.edu (Postfix) with ESMTP id
83A3791231
	for <nanog at trapdoor.merit.edu>; Tue, 10 Jul 2001
14:35:29 -0400 (EDT)
Received: by segue.merit.edu (Postfix)
	id 79E335DE1A; Tue, 10 Jul 2001 14:36:58 -0400 (EDT)
Delivered-To: nanog at merit.edu
Received: from bond.interpacket.net
(us-la-gate.interpacket.net [209.198.223.250])
	by segue.merit.edu (Postfix) with SMTP id ECF9A5DDD8
	for <nanog at merit.edu>; Tue, 10 Jul 2001 14:36:57
-0400 (EDT)
Received: (qmail 31855 invoked from network); 10 Jul
2001 18:35:43 -0000
Received: from mrbig.la.interpacket.net (192.168.6.5)
  by bond.la.interpacket.net with SMTP; 10 Jul 2001
18:35:42 -0000
Received: from [192.168.4.53]
(zombie.la.interpacket.net [192.168.4.53]) by
mrbig.la.interpacket.net with SMTP (Microsoft Exchange
Internet Mail Service Version 5.5.2653.13)
	id N6TNP8LB; Tue, 10 Jul 2001 11:39:32 -0700
Mime-Version: 1.0
X-Sender: mikey at popmail.la.interpacket.net
Message-Id: <a05010406b770fb74762d@[192.168.4.53]>
Date: Tue, 10 Jul 2001 11:35:52 -0700
To: nanog at merit.edu
From: Mikey Wilsker <mikey at interpacket.net>
Subject: OT: The End of Empire
Content-Type: text/plain; charset="us-ascii" ;
format="flowed"
Sender: owner-nanog at merit.edu
Precedence: bulk
Errors-To: owner-nanog-outgoing at merit.edu
X-Loop: nanog
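
An added example, not part of the original messages: Python that reads the timestamps on the Received lines pasted above and reports where the copy sat between hops, which is the check behind the re-send diagnosis in the reply. SAMPLE is an unfolded subset of those pasted lines, and the function names are hypothetical.

```python
import calendar
import re
from email import message_from_string
from email.utils import parsedate_tz

# Unfolded subset of the Received lines pasted in the message (newest first).
SAMPLE = """\
Received: from XXXX ([165.135.0.253]) by XXXX; Thu, 12 Jul 2001 16:01:40 -0400
Received: by XXXX; id QAA14070; Thu, 12 Jul 2001 16:01:38 -0400 (EDT)
Received: from unknown(198.108.1.26) by XXXX via smap (V5.5) id xmaa13982; Thu, 12 Jul 01 16:00:42 -0400
Received: by trapdoor.merit.edu (Postfix) id BB70F91231; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu (Postfix) with ESMTP id 83A3791231 for <nanog at trapdoor.merit.edu>; Tue, 10 Jul 2001 14:35:29 -0400 (EDT)
"""


def _epoch(stamp):
    """Convert an RFC 822 date to UTC seconds; a '-0000' zone counts as UTC."""
    tt = parsedate_tz(stamp)
    if tt is None:
        raise ValueError(f"unparseable date: {stamp!r}")
    return calendar.timegm(tt[:6]) - (tt[9] or 0)


def hops(raw):
    """Return [(receiving_host, utc_seconds)], oldest hop first."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        stamp = value.rpartition(";")[2]          # date follows the last ';'
        m = re.search(r"\bby\s+([^\s;]+)", value)  # host that wrote this stamp
        out.append((m.group(1) if m else "?", _epoch(stamp)))
    return out[::-1]                               # headers are newest first


def queue_gaps(raw, threshold=3600):
    """Return (held_at, next_hop, seconds) for gaps longer than threshold."""
    h = hops(raw)
    return [(a[0], b[0], b[1] - a[1])
            for a, b in zip(h, h[1:]) if b[1] - a[1] > threshold]


if __name__ == "__main__":
    for held_at, nxt, secs in queue_gaps(SAMPLE):
        print(f"{held_at} -> {nxt}: {secs / 3600:.1f} h between stamps")
```

Each stamp comes from a different host's clock, so gaps of a minute or two (or slightly negative ones, as between segue and trapdoor in the full header) are skew; only a gap of hours or days points at a message leaving a queue late.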

