The attack started around 03:05:07 EST on Saturday, December 12th, 2009. As far as I know, the attack is still going on. My service provider has null routed the target IP (old IP for www.nullamatix.com), at least until the attack subsides. Fortunately, Nullamatix.com is back up and running as of 14:30:00 EST on Sunday, December 13th, 2009. Here are some details of the attack.
The Involved
These IP addresses contributed to the 133MB worth of dropped firewall log data generated between 03:05:07 and 03:40:00. I imagine by 03:40, the entire pipe was filled and iptables wasn't seeing anything else to drop, hence the decline in the number of packets.
| Source IP | # of Packets |
| --- | --- |
| 140.128.64.168 | 251029 |
| 84.19.172.30 | 163157 |
| 213.74.4.160 | 135143 |
| 85.12.42.240 | 77208 |
| 72.18.196.223 | 74521 |
| 81.27.32.250 | 5685 |
| 92.48.68.32 | 1421 |
| 85.10.128.63 | 364 |
| 87.118.126.165 | 254 |
| 79.140.64.133 | 153 |
| 62.193.228.104 | 106 |
| 213.186.46.163 | 61 |
| 212.58.5.194 | 32 |
| 192.83.166.21 | 23 |
| 79.132.212.7 | 21 |
| 204.16.241.176 | 14 |
CIDR for The Involved
For anyone interested, here are the CIDR blocks for the involved networks:
```
[nullamatix.com ~]:# ip route show | sed 's/unreachable //;s/ scope.*$//' | grep -v ' dev'
140.128.0.0/13
84.19.160.0/19
213.74.0.0/16
85.12.0.0/18
72.18.192.0/20
81.27.32.0/20
92.48.64.0/18
85.10.128.0/20
87.118.64.0/18
79.140.64.0/20
62.193.192.0/18
213.186.32.0/19
212.58.0.0/19
192.83.166.0/23
79.132.192.0/19
204.16.240.0/21
```
Null Route The Involved
Here's how to null route these networks:
```shell
route add -net 140.128.0.0/13 reject
route add -net 84.19.160.0/19 reject
route add -net 213.74.0.0/16 reject
route add -net 85.12.0.0/18 reject
route add -net 72.18.192.0/20 reject
route add -net 81.27.32.0/20 reject
route add -net 92.48.64.0/18 reject
route add -net 85.10.128.0/20 reject
route add -net 87.118.64.0/18 reject
route add -net 79.140.64.0/20 reject
route add -net 62.193.192.0/18 reject
route add -net 213.186.32.0/19 reject
route add -net 212.58.0.0/19 reject
route add -net 192.83.166.0/23 reject
route add -net 79.132.192.0/19 reject
route add -net 204.16.240.0/21 reject
```
IPTable DROP The Involved
And here's how to drop incoming traffic from these networks with iptables:
```shell
iptables -A INPUT -s 140.128.0.0/13 -j DROP
iptables -A INPUT -s 84.19.160.0/19 -j DROP
iptables -A INPUT -s 213.74.0.0/16 -j DROP
iptables -A INPUT -s 85.12.0.0/18 -j DROP
iptables -A INPUT -s 72.18.192.0/20 -j DROP
iptables -A INPUT -s 81.27.32.0/20 -j DROP
iptables -A INPUT -s 92.48.64.0/18 -j DROP
iptables -A INPUT -s 85.10.128.0/20 -j DROP
iptables -A INPUT -s 87.118.64.0/18 -j DROP
iptables -A INPUT -s 79.140.64.0/20 -j DROP
iptables -A INPUT -s 62.193.192.0/18 -j DROP
iptables -A INPUT -s 213.186.32.0/19 -j DROP
iptables -A INPUT -s 212.58.0.0/19 -j DROP
iptables -A INPUT -s 192.83.166.0/23 -j DROP
iptables -A INPUT -s 79.132.192.0/19 -j DROP
iptables -A INPUT -s 204.16.240.0/21 -j DROP
```
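The per-source packet counts above came from the dropped-packet firewall log, and the route/iptables rules were then written by hand for each network. Here is an added example (not code from the post) that does both steps: it counts `SRC=` hits in iptables LOG output and maps the heavy hitters onto the post's CIDR list to emit the same two rule forms. The log lines are constructed; the CIDR list is the one shown above.

```python
"""Added example (not the post's code): count iptables LOG drops per source
and map the heavy hitters onto the post's CIDR list to build block rules."""
import re
import ipaddress
from collections import Counter

# Constructed lines in the default iptables LOG format (as seen in kern.log).
SAMPLE_LOG = """\
Dec 12 03:05:07 host kernel: DROP IN=eth0 OUT= SRC=140.128.64.168 DST=10.0.0.5 PROTO=TCP DPT=80 SYN
Dec 12 03:05:07 host kernel: DROP IN=eth0 OUT= SRC=140.128.64.168 DST=10.0.0.5 PROTO=TCP DPT=80 SYN
Dec 12 03:05:08 host kernel: DROP IN=eth0 OUT= SRC=84.19.172.30 DST=10.0.0.5 PROTO=TCP DPT=80 SYN
Dec 12 03:05:08 host kernel: DROP IN=eth0 OUT= SRC=204.16.241.176 DST=10.0.0.5 PROTO=UDP DPT=80
Dec 12 03:05:09 host kernel: DROP IN=eth0 OUT= SRC=140.128.64.168 DST=10.0.0.5 PROTO=TCP DPT=80 SYN
Dec 12 03:05:09 host sshd[123]: Accepted publickey for admin from 198.51.100.7
"""

# The CIDR blocks the post lists for the involved networks.
BLOCKS = [ipaddress.ip_network(c) for c in (
    "140.128.0.0/13", "84.19.160.0/19", "213.74.0.0/16", "85.12.0.0/18",
    "72.18.192.0/20", "81.27.32.0/20", "92.48.64.0/18", "85.10.128.0/20",
    "87.118.64.0/18", "79.140.64.0/20", "62.193.192.0/18", "213.186.32.0/19",
    "212.58.0.0/19", "192.83.166.0/23", "79.132.192.0/19", "204.16.240.0/21")]
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")

def count_sources(log_text):
    """Return {source_ip: dropped_packets} from lines carrying a SRC= field."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def block_for(ip, blocks=BLOCKS):
    """Return the listed CIDR block containing ip, or None if it is unlisted."""
    addr = ipaddress.ip_address(ip)
    return next((str(n) for n in blocks if addr in n), None)

def drop_rules(counts, threshold):
    """Route-reject and iptables DROP lines per block reaching `threshold` packets, heaviest first."""
    per_block = Counter()
    for ip, n in counts.items():
        blk = block_for(ip)
        if blk:
            per_block[blk] += n
    rules = []
    for blk, n in per_block.most_common():
        if n >= threshold:
            rules += [f"route add -net {blk} reject", f"iptables -A INPUT -s {blk} -j DROP"]
    return rules
```

Sources that fall outside the listed blocks (the sshd line's 198.51.100.7, for instance) are counted but produce no rule, so the threshold never blocks an address you have not attributed to a network.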
Feel free to ask any questions, I'll do my best to provide any information I can. Still have absolutely no idea what might have provoked such an attack.
1 Comment
Wow, dd0s huh. These guys are PATHETIC... Let's think, who knocks down a tech blog?? Someone who has a lesser, rarely visited, infrequently indexed blog?? Possibly someone who was offended by a post that targeted noobish winbl0ws users (yes that includes you fagBuntu gurus as well)?? I'm going to say personally I think it's someone that was probably at start, a Nulla reader. Constantly checking the RSS for some new mind blowing info that totally gets this lil mama's boy off. He probably read the Poor Man's Ban article and instantly knew guypat was gawd, and with his guidance he would be rich and gawdlike as well. But this lil shithead FAILED miserably, as he does with everything else in life. Couldn't get indexed if his life depended on it, bogus backlinks, and zero traffic. Then he realized how much money he owed Google for all those fucking words he added to his campaign and shit started going downhill. His shitty website gets closed down for failure to pay his $1.99 a month fee for his hosting company, loses his 3-4 followers that he told he could teach his ninja SEO skills to, and before you know it we have a depressed, unskilled, vengeful prick who's ready for some payback. How dare guypat release top secret info such as how to manipulate the web for your personal gain, and it not work for me, this guy needs to go down. After rallying with a few friends that are known to be best of best on freenode (that's hilarious just in itself) these queers had a plan. Attack nullamatix, get in, rm -f / and get out. Much to their dismay they were unable to find a working exploit for ToES v1.0 on any of the underground hacking scene sites. This leaves only one thing left to do, DDOS HIM CAUSE WE'RE TOO FUCKING LAME TO DO ANYTHING ELSE. You guys fail at life, it would behoove you to just cut yourself and get on with it.