Kegz (not Kegkilla) caught DDOSing P99, drags his RL job/company into the mess


Gavinmad

Mr. Poopybutthole
42,273
50,242
The source can be found here: http://www.project1999.org/forums/sh...d.php?t=116770, but I'll do my best to provide a condensed version.

So yeah, as some people may have known, p99 was being DDOSed. Rogean had the following email exchange from a Jake Ades, Vice President of Internet Development.

Ades_sl said:
Greetings,
A DoS attack has affected one of our web servers for a short time, multiple times today. A packet capture recently grabbed the IP where this is originating from; as you will see in the attachment, thousands of packets are being sent from this system per second to one of our web servers. This DoS attack is originating from a DNS server Rogean.com at sending IP 67.23.190.76 owned by your customer Sean Norton.
We request an immediate response to this occurrence by email or via telephone at the cell number listed below, and request that you block any and all traffic from the originating IP to our systems located at the receiving IP 67.205.76.148.
We additionally request that you notify the customer of this incident, and that a DoS attack has been occurring from his servers.
We view this as a very serious matter and will take further action if these issues affect our systems further.
Thank you for your prompt regard of this matter,
--

The internet is serious business.
This communication was sent from Internet Development and contains information that may be confidential or privileged. The information is solely intended for the use of the addressee. If you are not the intended recipient, be advised that any disclosure, copy, distribution, or use of the contents of this communication is prohibited. If you have received this communication in error, please immediately notify the sender by telephone or by electronic mail.
Rogean_sl said:
Mr. Ades

My data center has forwarded me your notice that you believe one of my servers has been participating in a denial of service attack against yours. It is in fact my server that is under attack by your server, along with hundreds of others. The attack is called a DNS Amplification attack. If you look this up you will find much material covering the topic. Basically, an attacker is utilizing a DNS server in your environment (that may be an open resolver) by sending thousands of UDP packets requesting any given DNS query. Since these are UDP packets and have no handshake like TCP would, the attacker is able to spoof the IP address of my server, even though the traffic isn't originating from my network. This results in your server replying to all of these packets, directing traffic at my server. Your server has been one of many thousands attacking my server in recent days. We have been under attacks exceeding well over 1 gigabit of traffic within the last 2 weeks. Please also note that the IP you have listed (67.23.190.76) does not run a DNS server and could not be sourcing DNS traffic, but has in fact been the target of the DDoS attacks we have received.

Please see the following US-CERT article regarding this attack, and methods that can be taken to protect both parties: www.us-cert.gov/ncas/alerts/TA13-088A

Please feel free to reach out to me directly if you have any more questions or comments. I will send this directly via email as well as a response to my data center so that they may consider this matter closed.

Thanks,

Sean Norton

Sean Norton | Network Engineer | Ockers Company
1340 Belmont Street, Brockton, MA 02301 | 508-586-4642
Ades_sl said:
Hello Sean,

If you suspected one of our network systems of launching a denial of service attack on your servers you should notify the data center immediately so it can be prevented, logs of this would also be helpful as proof of such an allegation. There are no open resolvers or DNS servers running on our systems that can allow amplification type attacks to occur. If you further believe spoofed addresses to be an issue there are ways to block your systems from accepting them.

Let me make this very clear: there is no denial of service originating from any of our systems towards any of your systems.

Understand that we do not want to pursue further legal action at this time however this message will serve as notice to cease and desist any denial of service related operations and communications of such operations on your networks, be it yourself or the users of your networks, regarding our systems and IP addresses.

We have become aware of information on a message board you are providing hosting for, located at Project1999.org, which calls for a denial of service attack against the IP address we have provided. We request that you remove any and all information regarding the IP address, calling for an attack on the IP, as well as any content relating to the IP. We further request that you inform the users who are supporting such an attack that it is criminal and, due to the location of the server, a federal crime to commit such acts, and that you as the operator do not condone or encourage them. We further request that you inform the users of your systems discussing these types of cyber attacks that, due to the location of our network systems, the crime in Canada for a denial of service attack is a mandatory penalty of imprisonment for a term not exceeding ten years.

Currently our systems are blocking IP ranges: 67.23.190.64 - 67.23.190.127 and will continue to do so, we advise you block our network addresses as well if you believe they are interrupting your service and notify our data center at its first occurrence with proof of the IP address in question as we have with Immedion/Netriplex in this matter.

Thank you for your prompt response.

--
The internet is serious business.
This communication was sent from Internet Development and contains information that may be confidential or privileged. The information is solely intended for the use of the addressee. If you are not the intended recipient, be advised that any disclosure, copy, distribution, or use of the contents of this communication is prohibited. If you have received this communication in error, please immediately notify the sender by telephone or by electronic mail.
Rogean_sl said:
Mr. Ades,

After taking a closer look at the IP address you mentioned, it is now making sense to me that you are responsible for hosting the website "EpicEmu.com", the owner of which has actively engaged in the past to disrupt our service through multiple methods, including the active hacking of our services. Now that you have made me aware of this information, it makes sense that they would be participating in a DDoS attack against my network; they have every motivation to do so.

Either your customer is responsible for the mess that this has escalated into, or a third party is manipulating both of us. However, let me also be clear: there is no DDoS originating from my network. The IP address you questioned (67.23.190.76) is a Server 2003 box with the firewall actively blocking all ports except ICMP Echo and UDP ports 9000 and 7000-7100, for the very specific services we run. You specified the attack type was DNS, which is impossible as this server does not run DNS nor accept connections on that port. Furthermore, that specific IP address has itself been under attack with DNS Amplification traffic, which has been causing disruptions in our service.

Regarding the messages on Project1999.org, the IPs may be listed there as the users have discovered on their own that your customer's website and owner have been responsible for disrupting or manipulating our services in the past. We will not edit our content as here in the United States, Freedom of Speech is granted by the First Amendment, and your customer would have brought this on himself. I will however do everything in my power to ensure that our services do not participate in unlawful activity, including denial of service.

You may continue to block traffic from my servers on your network, as I will do the same.

Sean Norton | Network Engineer | Ockers Company
1340 Belmont Street, Brockton, MA 02301 | 508-586-4642
Rogean_sl said:
Hi Jake,

I'd like to bring something else to your attention.

The owner of EpicEmu.com represents himself online as "Kegz". You can see him listed as the Administrator of the site on the message boards.

A particular post he has made has been brought to my attention by other users of my community. The picture is here: http://oi41.tinypic.com/11wdfzr.jpg

As you can see, the owner of EpicEmu.com is openly advocating and encouraging the attacks that were taking place on my own servers.

With that said I would also recommend, as you have to me, that you also discuss with your customers the nature of cyber attacks and associated legalities and penalties.

Thanks,

Sean Norton | Network Engineer | Ockers Company
1340 Belmont Street, Brockton, MA 02301 | 508-586-4642

Then, suddenly, we have this.

Rogean_sl said:
Look what I just found:
jakeades.png


...uh oh, cat's out of the bag now.

Out of respect for the rules here, I won't post all the various linkedin and other personal info that people have dug up, but it's all there in the link to the p99 thread at the top of the post. I don't think anyone who is familiar with the unhinged nature of Kegz' posting would be very surprised by this, but it all makes for a good read.

*edit*

Web archive of the P99 rl pic thread.

http://web.archive.org/liveweb/http:...&postcount=577

The pics are dead links, but they both go to jakeades.com

http://jakeades.com/vehicle/us2.jpg

http://jakeades.com/vehicle/us3.jpg
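Since the whole argument above turns on whether the "source" IP in a packet capture is really the sender, here is a defender-side triage check for the reflector's own capture. This is an added example, not code from the thread or from either party; all IPs and packets are constructed for the demo, and the thresholds (100 queries, 90% ANY, 10x byte ratio) are assumptions.

```python
import struct
from collections import defaultdict

QTYPE_ANY = 255  # ANY answers are the largest, which is why reflection traffic favours them

def build_query(qname, qtype, txid=0x1234):
    """Minimal DNS query in wire format: 12-byte header (RD=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(payload):
    """Return (is_response, qtype) from the header and the first question."""
    flags = struct.unpack("!H", payload[2:4])[0]
    off = 12
    while payload[off]:          # skip the QNAME labels
        off += 1 + payload[off]
    qtype = struct.unpack("!H", payload[off + 1:off + 3])[0]
    return bool(flags & 0x8000), qtype

def triage(packets, reflector, min_queries=100, min_ratio=10.0):
    """packets: (src_ip, dst_ip, udp_payload) as seen on the accused resolver. Per remote IP,
    count queries received, the ANY share, and bytes sent back per byte received. Many ANY
    queries with a large byte ratio is the reflection signature: that IP is the spoofed victim."""
    st = defaultdict(lambda: {"queries": 0, "any": 0, "in": 0, "out": 0})
    for src, dst, payload in packets:
        if dst == reflector:
            is_resp, qtype = parse_question(payload)
            if is_resp:
                continue  # responses arriving at a resolver are out of scope here
            s = st[src]
            s["queries"] += 1; s["in"] += len(payload); s["any"] += qtype == QTYPE_ANY
        elif src == reflector:
            st[dst]["out"] += len(payload)
    report = {}
    for ip, s in st.items():
        ratio = s["out"] / s["in"] if s["in"] else 0.0
        reflecting = s["queries"] >= min_queries and s["any"] >= 0.9 * s["queries"] and ratio >= min_ratio
        report[ip] = {"queries": s["queries"], "amplification": round(ratio, 1),
                      "verdict": "spoofed victim (reflection)" if reflecting else "normal"}
    return report

# Constructed capture: 500 repeated ANY queries "from" the victim with ~3 KB answers
# sent back to it, plus one ordinary A lookup from a real client with a small answer.
REFLECTOR, VICTIM, CLIENT = "198.51.100.10", "203.0.113.76", "192.0.2.7"
def response(answers, size):  # QR=1 header with a padded body standing in for records
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, answers, 0, 0) + b"\x00" * size
SAMPLE = [(VICTIM, REFLECTOR, build_query("example.com.", QTYPE_ANY)),
          (REFLECTOR, VICTIM, response(40, 3000))] * 500
SAMPLE += [(CLIENT, REFLECTOR, build_query("example.org.", 1)), (REFLECTOR, CLIENT, response(1, 30))]
```

Run `triage(SAMPLE, REFLECTOR)` and the victim IP comes back with an amplification factor over 100 and the reflection verdict, while the real client is "normal"; a source-port-53, large-response flood seen at the victim end is the mirror image of the same pattern.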
 

Noodleface

A Mod Real Quick
37,961
14,508
Should you be posting emails that say:

This communication was sent from Internet Development and contains information that may be confidential or privileged. The information is solely intended for the use of the addressee. If you are not the intended recipient, be advised that any disclosure, copy, distribution, or use of the contents of this communication is prohibited. If you have received this communication in error, please immediately notify the sender by telephone or by electronic mail.
 

Friday

Lord Nagafen Raider
870
104
Feel free to contact him yourself since that is what it says since you apparently believe everything you read.

This communication was sent from Friday - Rerolled.org and contains information that may be confidential or privileged. The information is solely intended for the use of the addressee. If you are not the intended recipient, be advised that any disclosure, copy, distribution, or use of the contents of this communication is prohibited. If you have received this communication in error, please immediately notify the sender by telephone or by electronic mail.
 

Gavinmad

Mr. Poopybutthole
42,273
50,242
It's just non-binding legalese. I entered into no contract of confidentiality with the person who sent those emails, and I found them in a public forum. I have zero criminal or civil liability in reposting them.
 

Slacker242

Lord Nagafen Raider
70
3
I don't mean to be an ass but on a scale of 1-10 for gaming controversies and internet gossip I would rate this about a 2.
 
6,216
8
"We will not edit our content as here in the United States, Freedom of Speech is granted by the First Amendment, and your customer would have brought this on himself."

hmm walking a fine line Sean.
 

Friday

Lord Nagafen Raider
870
104
He's a confirmed voting democrat which makes sense that he preaches open source.

Release Kegz from RRP please.
 

Gavinmad

Mr. Poopybutthole
42,273
50,242
Edited in some more info. Web archive of the P99 rl picture thread has dead links to jakeades.com
 

Soygen

The Dirty Dozen For the Price of One
<Nazi Janitors>
28,312
43,095
This dude is not too bright, though we all knew that from his posts here.
 

Dis

Confirmed Male
748
45
You had me, I was all interested and shit, then it abruptly ended. I feel unsatisfied.
 

OneofOne

Silver Baronet of the Realm
6,549
7,899
RL name, pic, DOB, address, job, linked in account, voter ID #... feels like something is still missing.
 