[01:01] *** dwarren has joined #arpnetworks
[01:03] *** LT has joined #arpnetworks
[01:08] *** dwarren has quit IRC (Quit: leaving)
[01:08] *** dwarren has joined #arpnetworks
[01:09] *** dwarren has quit IRC (Client Quit)
[01:11] *** dwarren has joined #arpnetworks
[08:29] anyone one else in the 206.125.175.x range experiencing DoS from 80.82.64.0-80.82.79.0 ip's ?
[08:29] That's what she said!!
[08:29] BryceBot: no
[08:29] Oh, okay... I'm sorry. 'anyone one else in the 206.125.175.x range experiencing DoS from 80.82.64.0-80.82.79.0 ip's ?'
[08:31] lol
[08:33] forgotten: incoming rate of 10kbps on my server. doesn't seem like a dos
[08:33] (that's probably my ssh connection)
[08:37] ant: im getting roughly 5,000 blocks per 10minutes. All going to port 80. Before blocking it was bringing my apache service to it's knees.
[08:38] forgotten: not sure what you mean by blocks, but doesn't seem like much...
[08:39] http://wmfb.co/txt/holyshit.txt
[08:40] oh, is that a syn flood?
[08:40] not sure, showing as normal TCP / port 80 traffic. just massive constant web server requests
[08:41] when allowed to pass to the httpd, murders it.
[08:41] if it's only syn's then it's a syn flood. if they actually send ack's then not
[08:42] but when you actually see requests in the web server's log file then it's not a syn flood
[08:44] ya i dont wanna try to test that lol
[08:46] did you see entries in the log file before you filtered the packets?
[08:52] some yes, thats how i discovered it
[08:53] ok, then it is at least not only a syn flood
[08:54] anyway. either somebody doesn't like you they mistyped the ip address..
[08:54] *or
[08:55] =/
[09:25] *** LT has quit IRC (Quit: Leaving)
[10:23] That's what she said!!
[10:24] forgotten: that is ecatel netblock
[10:24] i recommend you drop all of it, at all times
[10:24] with no exceptions
[10:25] it's a cybercrime isp pretty much..
[10:29] hazardous: i blocked the /20 i could find
[10:29] 80.82.64.0/24
[10:29] know of any other blocks?
[10:42] *** dwarren has quit IRC (Quit: leaving)
[11:12] forgotten: http://bgp.he.net/AS29073#_prefixes
[11:13] .oO(aggregation? who needs aggregation?!)
[11:16] staticsafe: thank you!! :)
[12:05] *** toddf has quit IRC (Remote host closed the connection)
[12:05] *** toddf has joined #arpnetworks
[12:05] *** ChanServ sets mode: +o toddf
[13:23] *** staticsafe has quit IRC (Ping timeout: 260 seconds)
[13:25] *** staticsafe has joined #arpnetworks
[15:18] forgotten: http://www.spamhaus.org/drop/ (maybe already used by up_the_irons or his upstreams)
[15:21] I think forgotten was just asking to see if he was being targeted, or if that DoS'er was attacking the range.
[15:22] ah yes, I misread "blocks" as "tips for blocking" :)
[15:32] thx for the assist brycec :)
[15:32] np
[15:32] attack is still ongoing =/
[15:39] *** dwarren has joined #arpnetworks
[15:41] *** dwarren has quit IRC (Client Quit)
[15:44] *** dwarren has joined #arpnetworks
[16:05] *** carvite_ has quit IRC (Quit: leaving)
[16:06] *** carvite_ has joined #arpnetworks
[16:07] *** carvite_ has quit IRC (Client Quit)
[16:08] *** carvite has quit IRC (Remote host closed the connection)
[16:09] *** carvite has joined #arpnetworks
[16:23] *** carvite has quit IRC (Remote host closed the connection)
[16:24] *** carvite has joined #arpnetworks
[18:27] *** sga0_ has joined #arpnetworks
[18:27] *** sga0 has quit IRC (Ping timeout: 258 seconds)
[20:31] *** dj_goku has quit IRC (Ping timeout: 246 seconds)
[20:35] *** dj_goku has joined #arpnetworks
[20:35] *** dj_goku has quit IRC (Changing host)
[20:35] *** dj_goku has joined #arpnetworks
[22:31] *** awyeah has quit IRC (Ping timeout: 260 seconds)
[22:34] *** awyeah has joined #arpnetworks
[22:49] *** toeshred has quit IRC (Ping timeout: 260 seconds)
[23:50] *** toeshred has joined #arpnetworks