nanog mailing list archives

Re: POP3 DoS attacks and mailanyone.net?


From: Andrew Fried <andrew.fried () gmail com>
Date: Tue, 01 Sep 2009 16:30:47 -0400

Hummm.  Looking through some of my data I found that the domain
NORTHROANOKE.COM resolves to 98.190.204.2 (the first attack vector).

That box is running Microsoft Business Server 2003.  NORTHROANOKE.COM
appears to be some kind of assisted living facility in Roanoke, Virginia
(based on whois).

Doesn't look gmail related from that perspective...


Andrew

Andrew Fried
andrew.fried () gmail com


Winn Johnston wrote:
Issues with gmail.com 

here in DC

Winn Johnston
________________________________________
From: up () 3 am [up () 3 am]
Sent: Tuesday, September 01, 2009 3:28 PM
To: nanog () nanog org
Subject: POP3 DoS attacks and mailanyone.net?

For the first time since I can remember, my POP3 server was effectively
shut down by too many simultaneous connections today.  The first fix I
tried was to raise the number of connections from the default 40 to 100,
but the problem soon returned.

I finally ipfw'd off the offending IP (98.190.204.2 for anyone
interested), then went to look for other possible offenders in the log.  I
noticed several thousand connections today to a few dozen former users
from 4 IPs from 208.70.128.0/21.  One of the users was actually
legitimate.

These IPs belong to mailanyone.net.  The tech contact in their ARIN record
is listed as:

OrgTechHandle: BHE57-ARIN
OrgTechName:   Heitman, Bryan
OrgTechPhone:  +1-816-587-4700
OrgTechEmail:  hostmaster () mailanyone net

However, that phone number goes to a UPS store that has no idea what I'm
talking about.  I then dialed their supposed NOC number:

Comment:    FuseMail, LLC Network Operations Center contact
Comment:    877.888.3873 x3

I am on hold with that number right now with some very loud and annoying
music.

Can anyone offer any insight as to these people and how/who to deal with
there?

Would a provider be amiss to just block their entire /21?

TIA,

James Smallacombe                     PlantageNet, Inc. CEO and Janitor
up () 3 am                                                     http://3.am
=========================================================================

