Security Basics mailing list archives
RE: Networking and DOS attacks
From: "Jim Serino" <jim.serino () mindspring com>
Date: Wed, 3 May 2006 22:37:06 -0400
Well, since I have done extensive work on these UDP port hits and have recorded them for over 7 months, I can assure you that the addresses are not being spoofed, as many think and as you say they are, since I have done serious detailed analysis of the data that is sent in those packets. They are nothing more than ADVERTISEMENTS. I have sent all my information to those companies and countries involved with this scam. As such I have at times been blacklisted thru SORBS as a spammer because I have sent legitimate information about these scams. Most of these IP addresses show up on the SANS top 10 listing every night. I have all the known sending IP addresses since they continue to be the same. It took me a full week of just going thru one hour's worth of DETAILED packet information from my firewall raw logs. That spreadsheet is 5 MEG in size, whereas the log file is only 2 meg in size. The difference is because I have not only the sending IP address and who is controlling it, but also the advertised website name and its IP address, the company that is maintaining it for them, and the final destination address. This is not a joke; these are nothing more than scammers. I have kept quiet about this and have written to Craig Wright about this and the scam. Craig's law knowledge impressed me, and I sent him only a little of the information I get.
Here is only a brief listing of the scammers:

Sending IP address | Country | Advertised website (only a jump-thru site) | IP address of the website | Owner of IP address | Final destination website | IP address of final destination | Final owner / country
202.111.173.84 | CHINA | www.helpfixpc.com | 64.214.203.136 | Global Crossing | http://www.registryupdate.com/ | 200.105.36.166 | OPTYNEX TELECOM of Panama
202.111.173.84 | CHINA | www.helpfixpc.com | 64.214.203.136 | Global Crossing | http://www.registryupdate.com/ | 200.105.36.166 | OPTYNEX TELECOM of Panama
221.5.251.242 | CHINA | http://theregfixer.com | 63.251.92.195 | eNom thru Internap | http://winregcleaner.com/?hop=xiulipc1 | 68.178.172.84 | Go Daddy Software, Inc., USA
202.99.172.130 | CHINA | www.cleanthispc.com | 67.19.13.19 | ThePlanet.com Internet Services, Inc. | http://www.registrycleaner32.com/?hop=cleanthepc | 64.111.198.131 | ISPrime, Inc., USA
202.99.172.130 | CHINA | www.cleanthispc.com | 67.19.13.19 | ThePlanet.com Internet Services, Inc. | http://www.registrycleaner32.com/?hop=cleanthepc | 64.111.198.131 | ISPrime, Inc., USA
221.221.255.9 | CHINA | www.registryalert.com | 64.214.203.136 | Global Crossing | http://www.registryupdate.com/ | 200.105.36.166 | OPTYNEX TELECOM of Panama
221.12.161.109 | CHINA | www.helpfixpc.com | 64.214.203.136 | Global Crossing | http://www.registryupdate.com/ | 200.105.36.166 | OPTYNEX TELECOM of Panama
202.111.173.83 | CHINA | www.helpfixpc.com | 64.214.203.136 | Global Crossing | http://www.registryupdate.com/ | 200.105.36.166 | OPTYNEX TELECOM of Panama
202.111.173.83 | CHINA | www.helpfixpc.com | 64.214.203.136 | Global Crossing | http://www.registryupdate.com/ | 200.105.36.166 | OPTYNEX TELECOM of Panama

So I can only hope that you can get this; this was only 9 lines that I took out of 128 lines for just one hour's worth of detailed logs one November day.
I have gone after them just like I have email spammers, and I have tracked many of them to websites in Holland that were owned by a big-time spammer from Brazil; another Brazilian group didn't fare too well when they decided to fight the police and are now in their eternal rest. Here are some of the ads that are in the data portion of the UDP packets:

STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION... Windows has found 55 Critical System Errors... To fix the errors please do the following:.. 1. Download Repair Registry Pro from: www.registryalert.com 2. Install Repair Registry Pro. 3. Run Repair Registry Pro. 4. Reboot your computer.. FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!..

......SYSTEM......................ALERT...........:.......:...TOP! WINDOWS REQUIRES IMMEDIATE ATTENTION... Windows has found 47 CRITICAL SYSTEM ERRORS!.. To fix the errors please do the following:. 1. Download Registry Repair from: www.fixms.com. 2. Install Registry Repair. 3. Run Registry Repair. 4. Reboot your computer. FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!...

......................SYSTEM......................ALERT......... .............. Microsoft Windows has encountered an Internal Error. Your windows registry is corrupted...We recommend a complete system scan... Visit. http://FixTheReg.net To repair now...

......................System......................User.............STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION..... Windows has found 39 CRITICAL SYSTEM ERRORS!.... To fix the errors please do the following:.. 1. Download Registry Repair from: www.fixscan.com.. 2. Install Registry Repair.. 3. Run Registry Repair.. 4. Reboot your computer.. FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!...

When you reach the final destination website you read their privacy policy, which says that they need to have security measures to maintain your private information, and that several of them need to install keyloggers on your systems so that they can monitor your Internet activity.
There are registry-cleaning programs that do a far better job. I don't know how many read Mark Russinovich's blog, but he did do a detailed report on one such scam: it actually downloaded the problems and then reported that you had to pay to have your system cleaned by another program. I have not spent the time to install any of these scams, since I have seen more information on far better programs that do a much better job and are free. Now, before you tell me about disabling the Messenger service, I have had that disabled on my Windows 2000 Pro since 2000. I also disabled it when I set up my father's Windows XP Home system in 2002 when he first got it, long before SP2. I have tracked all of these UDP port hits since 2001. I went after those scammers that were sending their advertisements using NET SEND to blast the whole Internet so that you would download their program to have these messages stopped. The FTC shut them down, since the same information can be gotten for FREE from Microsoft. This new breed of scammers is trying to get people to download registry-cleaning programs or Trojan busters, but now that they can't get thru any more with XP SP2 disabling the Messenger service, these scammers are resorting to sending out 5 to 16 messages at a time, which now gets the user's attention because they are getting an alert message from their firewall or modem about the attacks. So when people like John decide to move to a faster means of Internet access and start looking at their modem's log files, or ask why a certain website is pinging them or sending them these continuous advertisements to scam them, they ask why this is happening. I tell them it has always been happening for years; it's just that they didn't know it. If they had been using Windows 98 they wouldn't see it because it didn't use Messenger, and if they got a Windows XP they were forced to download SP2, and the Windows firewall never reported any such attacks.
It wasn't until these people started on their faster access with these more intelligent modems that people are now seeing these port attacks. So many of those moving on to using their cable modems didn't know that the hackers had the passwords and were using them to send spam emails. But after they changed the password and disabled some other things, that stopped happening. This happened a lot in 2000 to 2002. Now these scammers are using any tactic to get traffic to their scams in order to gather more computers into their botnets, which continue to grow. Traffic logs don't tell the whole story; they just tell you who is hitting you and not why. It is in the packet details that one can actually see that those are nothing more than advertisements trying to sell you programs to clean your registry or to bust Trojans and viruses. Typical scare-tactic advertisements, but nothing more than scams, and that is just one of the ways these scams are operating to become botnets.

Jim Serino
Ex-DEC Field Service System Engineer/Contract OpenVMS Systems Manager with 30 years of experience in computers and networking.

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Tuesday, May 02, 2006 12:20
To: john () johnmachell wanadoo co uk; security-basics () securityfocus com
Subject: RE: Networking and DOS attacks

You haven't given us any clue as to whether these packets are inbound (blocked and logged) or outbound (allowed and logged). But since 81.79.70.215 is a UK DSL address, I'll assume that that is you. Since the traffic is UDP packets, there's no guarantee that the source address is valid. But the consistent source port number of the packets from 61.156.42.117 suggests that these packets come from the same source, whereas those with different source addresses also have different source ports -- stuff that spoofs the source address usually doesn't randomize the source port.
So this looks very much like a distributed Denial of Service (DoS) attack against one IP address. If this is a static address, then you appear to have pissed somebody off; if this is a dynamic address, then perhaps some user who it was previously allocated to made some enemies who have no way of knowing that you are not he.

Most DoS attacks work by consuming some resource, making it unavailable for legitimate use. A frequent target resource is bandwidth. By the time these packets have made it down the wire to your firewall, they've used all the bandwidth on your DSL connection that they can, and so the damage is done. The only possibility of blocking the attack is from within your ISP's network, before your DSL line is reached. So you need to report this to your ISP and ask for their help. They may or may not be willing to take any action.

David Gillett
-----Original Message-----
From: john () johnmachell wanadoo co uk [mailto:john () johnmachell wanadoo co uk]
Sent: Tuesday, May 02, 2006 4:48 AM
To: security-basics () securityfocus com
Subject: Networking and DOS attacks

I am very new to networking. I have a Netgear ADSL modem/router with a firewall that is set to allow all outgoing traffic and block all incoming, and to send me a security log each day. Please could someone tell me what the log means (see below) and whether I should be concerned or not, as since the DOS and UDP messages started appearing I seem to get lots of disconnections from my ISP.

Cheers,
John

Thu, 1970-01-01 01:00:16 - Initialize LCP.
Thu, 1970-01-01 01:00:16 - LCP is allowed to come up.
Thu, 1970-01-01 01:00:20 - CHAP authentication success
Thu, 1970-01-01 01:00:35 - Send out NTP request to time-g.netgear.com
Tue, 2006-05-02 08:57:03 - Receive NTP Reply from time-g.netgear.com
Tue, 2006-05-02 08:56:28 - Router start up
Tue, 2006-05-02 09:22:01 - UDP Packet - Source:199.2.51.139,50244 Destination:81.79.70.215,1029 - [DOS]
Tue, 2006-05-02 09:28:58 - UDP Packet - Source:222.208.168.130,49057 Destination:81.79.70.215,1033 - [DOS]
Tue, 2006-05-02 09:28:59 - UDP Packet - Source:150.64.232.13,30794 Destination:81.79.70.215,1026 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,1032 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,1033 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,4081 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,2 - [DOS]
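Two checks a defender can run on logs like John's, as an added example that is not part of any post in this thread: David Gillett's observation that a constant source port across a burst points to one real sender rather than spoofed addresses, and Jim's point that the decisive evidence is in the UDP payload, where the popup text names the website being advertised. The log lines below are a constructed sample copied from the Netgear output quoted in the thread, the payload is a constructed excerpt modelled on the ad text Jim posted, and the port range used for tagging is an assumption chosen to cover the destination ports seen on the page (1026, 1029, 1032, 1033), not a documented Netgear or Windows constant.

```python
import re
from collections import defaultdict

# Constructed sample input: the Netgear firewall lines quoted in John's post,
# kept here as offline test data for the parser (not a live capture).
SAMPLE_LOG = """\
Tue, 2006-05-02 08:56:28 - Router start up
Tue, 2006-05-02 09:22:01 - UDP Packet - Source:199.2.51.139,50244 Destination:81.79.70.215,1029 - [DOS]
Tue, 2006-05-02 09:28:58 - UDP Packet - Source:222.208.168.130,49057 Destination:81.79.70.215,1033 - [DOS]
Tue, 2006-05-02 09:28:59 - UDP Packet - Source:150.64.232.13,30794 Destination:81.79.70.215,1026 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,1032 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,1033 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,4081 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,2 - [DOS]
"""

# Line format inferred from the quoted log; only the "[DOS]" UDP lines are parsed.
UDP_LINE = re.compile(
    r"^(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - UDP Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) - \[DOS\]$"
)

# Assumption: destination ports in this low dynamic range are tagged as the
# Messenger-popup pattern; it is a tuning knob, not a protocol fact.
POPUP_PORT_RANGE = range(1025, 1035)


def parse_udp_events(log_text):
    """Return one dict per '[DOS]' UDP line; unrelated lines (NTP, LCP) are skipped."""
    events = []
    for line in log_text.splitlines():
        m = UDP_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            events.append(d)
    return events


def summarize_sources(events):
    """Group packets by source address, collecting the source and destination ports used."""
    summary = defaultdict(lambda: {"packets": 0, "sports": set(), "dports": set()})
    for e in events:
        s = summary[e["src"]]
        s["packets"] += 1
        s["sports"].add(e["sport"])
        s["dports"].add(e["dport"])
    return dict(summary)


def classify_source(entry):
    """Gillett's heuristic: one source port held across a burst looks like a single
    real host sweeping destination ports; spoofing tools rarely bother to keep it fixed."""
    if entry["packets"] > 1 and len(entry["sports"]) == 1:
        verdict = "likely single real sender (constant source port)"
    elif entry["packets"] == 1:
        verdict = "single packet, inconclusive"
    else:
        verdict = "varying source ports, possibly spoofed or several senders"
    if entry["dports"] & set(POPUP_PORT_RANGE):
        verdict += "; hits popup-spam port range"
    return verdict


# Constructed payload excerpt modelled on the advertisement text quoted in Jim's post.
SAMPLE_PAYLOAD = ("STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION. Windows has found 55 "
                  "Critical System Errors. 1. Download Repair Registry Pro from: "
                  "www.registryalert.com 2. Install. Visit http://FixTheReg.net To repair now")

SCARE_PHRASES = ("REQUIRES IMMEDIATE ATTENTION", "CRITICAL SYSTEM ERRORS", "FAILURE TO ACT NOW")
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


def advertised_hosts(payload):
    """Extract the hostnames a popup payload sends the reader to (for blocklists or abuse reports)."""
    return sorted({h.lower() for h in HOST_RE.findall(payload)})


def is_scareware_popup(payload):
    """True when the payload carries the scare wording and names at least one website."""
    text = payload.upper()
    return any(p in text for p in SCARE_PHRASES) and bool(advertised_hosts(payload))


if __name__ == "__main__":
    for src, entry in summarize_sources(parse_udp_events(SAMPLE_LOG)).items():
        print(src, entry["packets"], sorted(entry["dports"]), classify_source(entry))
    print(advertised_hosts(SAMPLE_PAYLOAD), is_scareware_popup(SAMPLE_PAYLOAD))
```

Run against the sample, 61.156.42.117 is reported as a likely single real sender (four packets, one source port, four destination ports), while the three one-packet sources stay inconclusive, which is exactly the distinction Gillett draws. The payload functions only see the text once a packet capture is available; a router log alone, as Jim says, tells you who is hitting you but not why.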