From owner-freebsd-security Sun May 23 18:16: 6 1999
Delivered-To: freebsd-security@freebsd.org
Received: from roble.com (roble.com [199.108.85.50])
	by hub.freebsd.org (Postfix) with ESMTP id 7CF6214E3F
	for ; Sun, 23 May 1999 18:15:58 -0700 (PDT)
	(envelope-from sendmail@roble.com)
Received: from roble2.roble.com (roble2.roble.com [199.108.85.52])
	by roble.com (Roble1b) with SMTP id SAA11151;
	Sun, 23 May 1999 18:16:06 -0700 (PDT)
Date: Sun, 23 May 1999 18:15:55 -0700 (PDT)
From: Roger Marquis
To: security@FreeBSD.ORG
Cc: firewall-wizards@nfr.net, Firewalls@lists.gnac.net
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, May 22, 1999 at 06:40:20PM -0700, David Babler wrote:
> > On Sat, May 22, 1999 at 11:05:28AM -0600, Brett Glass wrote:
> > > This morning, someone at the domain "imagelock.com" apparently launched a
> > > denial of service attack against a Web server I administer. The abuser was
> > imagelock.com has been banned from my web servers ever since they
> > initiated a DoS attack against me a few months ago. Basically, they
> > download every accessible file on a website. The company's MO is to
>
> Their web client also gleefully ignores robots.txt as well, and spent 2
> hours here chasing web poisoned pages - apparently quitting only when it
> didn't find any images to fingerprint. So they're now blocked here at the
> firewall too - thanks for the heads-up. Wonder how much they can sell
> their service for when they find they don't have access to poke around?

Great information! Thanks Brett. I checked our httpd logs and
immediately found several thousand hits from this subnet, which is now
filtered.

Imagelock could be another name for Cyveillance.com. We saw an
identical pattern 2 months ago from another IP which had/has no reverse DNS.
The domain turned out to be Cyveillance and their ISP was (at the time)
Digex.net who forwarded our complaint and followed up twice. Thank you
Digex! After 3 complaints to Digex and Cyveillance we finally received
this response from Cyveillance:

> Recently Digex, our internet provider, forwarded your inquiry regarding
> visits to your site from 207.87.178.66.
>
> We provide companies with brand protection services on the internet. To
> accomplish this goal we employ search engines / web crawlers to scan the
> internet. We are in no way involved with the creation of unsolicited
> commercial email. Please see our web site at http://www.cyveillance.com
> where you can learn more about our company and what we do.
>
> It appears we crawled your web site as part of our general web search, and
> crawled your mailto directories as part of that search. We hope we didn't
> cause you any inconvenience.
>
> If you have any questions, don't hesitate to contact me.
>
> Paul K. Witting
> Manager of Information Systems
> Cyveillance - Intelligent Internet Surveillance
> PWitting@Cyveillance.com
> (703) 519-4212

However they never did stop scanning our subnets until we filtered their
subnet at 207.87.178. This subnet still has no reverse DNS however
`whois` shows Cyveillance is now a customer of imaphost.com and
namesecure.com. "imaphost.com" is already in our IP filter list (all 27
lines of it) for previous HTTP abuses however namesecure.com is not.

Call me paranoid but it sure looks like another Cyveillance attempt to
cover their tracks.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
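
The httpd log check described in this message, as an added example that is not part of the original post: it groups Common Log Format requests by source /24 and flags heavy clients that never fetch robots.txt or that request disallowed paths. The /cgi-bin/ Disallow prefix, the hit threshold and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)[^"]*" (\d{3}) \S+')

def crawler_report(lines, disallowed=("/cgi-bin/",), min_hits=5):
    """Group requests by source /24 and flag heavy clients that ignore robots.txt.

    A subnet is flagged when it made at least min_hits requests and either
    never fetched /robots.txt or requested a path under a Disallow prefix.
    The disallowed prefixes are an assumption; use your own robots.txt rules.
    """
    stats = defaultdict(lambda: {"hits": 0, "robots": False, "violations": 0})
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        host, path, _status = m.groups()
        try:
            net = ipaddress.IPv4Network(f"{host}/24", strict=False)
        except ValueError:
            continue  # logged a hostname (or IPv6) rather than an IPv4 address
        s = stats[str(net)]
        s["hits"] += 1
        if path == "/robots.txt":
            s["robots"] = True
        elif path.startswith(tuple(disallowed)):
            s["violations"] += 1
    return {net: s for net, s in stats.items()
            if s["hits"] >= min_hits and (not s["robots"] or s["violations"])}

# Constructed sample log, not taken from any real server: an aggressive
# crawler, a well-behaved crawler and an ordinary visitor.
SAMPLE_LOG = [
    f'207.87.178.{66 + i % 2} - - [23/May/1999:10:00:{i:02d} -0700] "GET {p} HTTP/1.0" 200 512'
    for i, p in enumerate(["/", "/a.gif", "/cgi-bin/trap", "/b.gif", "/cgi-bin/trap2", "/c.html"])
] + [
    f'192.0.2.10 - - [23/May/1999:11:00:{i:02d} -0700] "GET {p} HTTP/1.0" 200 512'
    for i, p in enumerate(["/robots.txt", "/", "/a.gif", "/b.gif", "/c.html"])
] + ['198.51.100.7 - - [23/May/1999:12:00:00 -0700] "GET / HTTP/1.0" 200 512']

if __name__ == "__main__":
    for net, s in crawler_report(SAMPLE_LOG).items():
        print(net, s)
```

Subnets reported this way are candidates for the kind of IP filter list mentioned above; check `whois` for each before blocking, since reverse DNS may be absent.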