From: "Arkadi Kosmynin" <ank@ozinsight.com>
Delivered-To: freebsd-isp@freebsd.org
Subject: Re: An attack? Does it happen to anybody else?
Date: Tue, 15 Oct 2002 21:29:48 +1000

Thanks Benjamin,

Sorry about neglecting to provide more complete information. It was HTTP. The content is publicly available. All requests were like this:

212.160.201.118 - - [12/Oct/2002:05:09:07 -0500] "GET /client/ozum286.zip?Cache HTTP/1.0" 200 1757520
213.17.138.154 - - [12/Oct/2002:05:09:13 -0500] "GET /client/ozum286.zip?Cache HTTP/1.0" 200 1339080
195.210.137.130 - - [14/Oct/2002:08:09:22 -0500] "GET /download/ozway/ozway-401.tar.gz HTTP/1.0" 200 119838

I don't think this is an attack, really. Looks more like a virus or a broken automatic downloader of some kind. This is why I would like to know if it happened to anyone else.
And the hosts don't seem to be closely related. Two are from Poland and one from Russia. I ignored the first two incidents, but now it seems to be a tendency...

Arkadi.

----- Original Message -----
From: "Benjamin Krueger"
To: "Arkadi Kosmynin"
Sent: Tuesday, October 15, 2002 9:02 PM
Subject: Re: An attack? Does it happen to anybody else?

> * Arkadi Kosmynin (ank@ozinsight.com) [021015 03:21]:
> > Hi,
> >
> > There were 3 incidents of high volume downloading from our site during the
> > past week. I can't understand what is going on and would appreciate any info
> > on the issue.
> >
> > I checked our logs:
> >
> > Folks from 195.210.137.130 downloaded ~140MB of the same file.
> > Folks from 212.160.201.118 ~ 350MB.
> > Folks from 213.17.138.154 ~ 590MB.
> >
> > This hurts us. What can I do about it?
> >
> > Thanks,
> >
> > Arkadi.
>
> You neglect to mention what service (ftp, http?) this is affecting, what they
> were downloading, and whether the content is publicly available. Personally, I
> never recommend that one assume every painful action on the internet is malicious.
> Often folks end up acting hostile in return, only to find that the problem was
> simply misconfigured software or a misguided server administrator.
>
> If it hurts, stop it. Block the hosts at the firewall, contact the administrator
> of those machines or that network space, remove or move the files, use tcp wrappers
> to lock them out, implement rate limiting, hide the content behind a username and
> password, or cry. All are reasonable options, and all but one are productive.
>
> --
> Benjamin Krueger
> ----------------------------------------------------------------
> Send mail w/ subject 'send public key' or query for (0x251A4B18)
> Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
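The thread identifies the heavy hosts by reading the access log by hand and adding up bytes per address. The following Python script is an added example, not code from the thread or from the FreeBSD project: it parses NCSA common-log lines of the kind quoted above, totals bytes and completed (2xx) transfers per client address and per file, and flags hosts that exceed a byte budget or repeatedly fetch the same file, which is the pattern Arkadi describes. The three quoted log lines are reused as-is; the remaining log lines, the 10.0.0.5 client, and the thresholds are constructed here for illustration and are not from the original post.

```python
import re
from collections import defaultdict

# NCSA common log format as written by Apache: the last field is the byte
# count of the response body, or "-" when nothing was sent (e.g. a 304).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Sample access-log lines. The first three are the ones quoted in the thread;
# the rest are constructed here to exercise repeated fetches of the same file,
# a "-" byte count, and a malformed line that the parser must skip.
SAMPLE_LOG = """\
212.160.201.118 - - [12/Oct/2002:05:09:07 -0500] "GET /client/ozum286.zip?Cache HTTP/1.0" 200 1757520
213.17.138.154 - - [12/Oct/2002:05:09:13 -0500] "GET /client/ozum286.zip?Cache HTTP/1.0" 200 1339080
195.210.137.130 - - [14/Oct/2002:08:09:22 -0500] "GET /download/ozway/ozway-401.tar.gz HTTP/1.0" 200 119838
212.160.201.118 - - [12/Oct/2002:05:09:40 -0500] "GET /client/ozum286.zip?Cache HTTP/1.0" 200 1757520
212.160.201.118 - - [12/Oct/2002:05:10:12 -0500] "GET /client/ozum286.zip?Cache HTTP/1.0" 200 1757520
10.0.0.5 - - [12/Oct/2002:05:11:00 -0500] "GET /index.html HTTP/1.0" 200 2048
10.0.0.5 - - [12/Oct/2002:05:11:05 -0500] "GET /index.html HTTP/1.0" 304 -
this line is not an access-log entry
"""


def parse_line(line):
    """Return (ip, path, status, bytes) for one log line, or None if it does not parse.

    The query string (the "?Cache" suffix in the quoted lines) is dropped so that
    repeated fetches of the same file group together regardless of cache-busting.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("bytes")
    size = 0 if raw == "-" else int(raw)
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), path, int(m.group("status")), size


def summarize(lines):
    """Aggregate requests and bytes per client IP, and completed transfers per (IP, path)."""
    per_ip = defaultdict(lambda: {"requests": 0, "bytes": 0})
    per_ip_path = defaultdict(lambda: {"transfers": 0, "bytes": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage rather than abort the whole report
        ip, path, status, size = parsed
        per_ip[ip]["requests"] += 1
        per_ip[ip]["bytes"] += size
        if 200 <= status < 300:  # only count full transfers as repeats
            per_ip_path[(ip, path)]["transfers"] += 1
            per_ip_path[(ip, path)]["bytes"] += size
    return dict(per_ip), dict(per_ip_path)


def heavy_downloaders(lines, byte_threshold, min_transfers):
    """Return the sorted IPs that moved >= byte_threshold bytes in total or
    completed the same file >= min_transfers times. Thresholds are site policy;
    the values used below are constructed for this example."""
    per_ip, per_ip_path = summarize(lines)
    flagged = {ip for ip, s in per_ip.items() if s["bytes"] >= byte_threshold}
    flagged |= {ip for (ip, _path), s in per_ip_path.items() if s["transfers"] >= min_transfers}
    return sorted(flagged)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    per_ip, _ = summarize(lines)
    for ip, s in sorted(per_ip.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        print(f"{ip:16} {s['requests']:4d} requests {s['bytes'] / 1e6:8.2f} MB")
    # Flag anyone over 5 MB total or with 3+ full downloads of one file.
    print("flagged:", heavy_downloaders(lines, 5_000_000, 3))
```

Run against a real log with `summarize(open("/var/log/httpd-access.log"))`; the per-(IP, path) table is what distinguishes a broken downloader looping on one archive from a legitimate mirror pulling many different files once, and the flagged list is the input to whatever response the thread suggests (firewall rule, rate limit, or a mail to the netblock owner).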