Project 1999 - Making Norrath Great Again

[Notes auto-added by email from[email protected]/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */]
Greetings,
A DoS attack has effected one of our web servers for a short time multiple times today, a packet capture recently grabbed the IP where this is originating from as you will see in the attachment thousands of packets are being sent from this system per second to one of our web servers. This DoS attack is originating from a DNS server Rogean.com at sending IP 67.23.190.76 owned by your customer Sean Norton.
We request an immediate response to this occurrence by email or via telephone at the cell number listed below, and request that you block any and all traffic from the originating IP to our systems located at the receiving IP 67.205.76.148.
We additionally request that you notify the customer of this incident, and that a DoS attack has been occurring from his servers.
We view this as a very serious matter and will take further action if these issues effect our systems further.
Thank you for your prompt regard of this matter,
--

Jake Ades
Vice President
INTERNETDEVELOPMENT
www.idco.co|[email protected]/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */
p 1-800-995-4326 | c 954-369-6946
The internet is serious business.

This communication was sent from Internet Development and contains information that may be confidential or privileged. The information is solely intended for the use of the addressee. If you are not the intended recipient, be advised that any disclosure, copy, distribution, or use of the contents of this communication is prohibited. If you have received this communication in error, please immediately notify the sender by telephone or by electronic mail.

Mr. Ades

My data center has forwarded me your notice that you believe one of my servers have been participating in a denial of service attack against yours. It is in fact my server that is under attack by your server, along with hundreds of others. The attack is called a DNS Amplification attack. If you look this up you will find many material covering the topic. Basically, an attacker is utilizing a DNS server in your environment (That may be an open resolver) by sending thousands of UDP packets requesting any given DNS Query. Since these are UDP packets and have no handshake like TCP would, the attacker is able to spoof the IP address of my server, even though the traffic isn't originating from my network. This results in your server replying to all of these packets, directing traffic at my server. Your server has been one of many thousand attacking my server in recent days. We have been under attacks exceeding well over 1 gigabit of traffic within the last 2 weeks. Please also note that the IP you have listed (67.23.190.76) does not run a DNS Server and could not be sourcing DNS traffic, but also has in fact been the target of the DDoS attacks we have received.

Please see the following US-CERT article regarding this attack, and methods that can be taken to protect both parties:www.us-cert.gov/ncas/alerts/TA13-088A

Please feel free to reach out to me directly if you have any more questions or comments. I will send this to via directly via email as well as a response to my Data Center so that they may consider this matter closed.

Thanks,

Sean Norton

Sean Norton | Network Engineer | Ockers Company
1340 Belmont Street, Brockton, MA 02301 | 508-586-4642

Hello Sean,

If you suspected one of our network systems of launching a denial of service attack on your servers you should notify the data center immediately so it can be prevented, logs of this would also be helpful as proof of such an allegation. There are no open resolvers or DNS servers running on our systems that can allow amplification type attacks to occur. If you further believe spoofed addresses to be an issue there are ways to block your systems from accepting them.

Let me make this very clear: there is no denial of service originating from any of our systems towards any of your systems.

Understand that we do not want to pursue further legal action at this time however this message will serve as notice to cease and desist any denial of service related operations and communications of such operations on your networks, be it yourself or the users of your networks, regarding our systems and IP addresses.

We have become aware of information on a message board you are providing hosting for located at Project1999.org which calls for a denial of service attack against the IP address we have provided. We request that you remove any and all information regarding the IP address, calling for an attack on the IP, as well as any content relating to the IP. We further request that you inform the users who are supporting such an attack that it is a criminal and due to the location of the server a federal crime to commit such acts, and that you as the operator do not condone or encourage them. We further request that you inform the users of your systems discussing these types of cyber attacks that due to the location of our network systems, the crime in Canada for a denial of service attack is a mandatory penalty of imprisonment for a term not exceeding ten years.

Currently our systems are blocking IP ranges: 67.23.190.64 - 67.23.190.127 and will continue to do so, we advise you block our network addresses as well if you believe they are interrupting your service and notify our data center at its first occurrence with proof of the IP address in question as we have with Immedion/Netriplex in this matter.

Thank you for your prompt response.

--
Jake Ades
Vice President
INTERNETDEVELOPMENT
www.idco.co|[email protected]/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */
p 1-800-995-4326 | c 954-369-6946
The internet is serious business.
This communication was sent from Internet Development and contains information that may be confidential or privileged. The information is solely intended for the use of the addressee. If you are not the intended recipient, be advised that any disclosure, copy, distribution, or use of the contents of this communication is prohibited. If you have received this communication in error, please immediately notify the sender by telephone or by electronic mail.

Click to expand...

Mr. Ades,

After taking a closer look at the IP Address you mentioned, it is now making sense to me that you are responsible for hosting the website "EpicEmu.com", which the owner of has actively engaged in the past to disrupt our service through multiple methods, including the active hacking of our services. Now that you have made me aware of this information, it makes sense that they would be participating in a DDoS attack against my network - they have every motivation to do so.

Either your customer is responsible for the mess that this has escalated into, or a third party is manipulating both of us. However, let me also be clear: There is no DDoS originating from my network. The IP address you questioned - 67.23.190.76 - is a Server 2003 Box with the Firewall actively blocking all ports except ICMP Echo, and UDP Ports 9000, 7000-7100, for the very specific services we run. You specified the attack type was DNS, which is impossible as this server does not run DNS nor accept connections on that port. Furthermore, that specific IP address has been under attack itself with DNS Amplification traffic which has been causing disruptions in our service.

Regarding the messages on Project1999.org, the IP's may be listed there as the users have discovered on their own that your customer's website and owner have been responsible for disrupting or manipulating our services in the past. We will not edit our content as here in the United States, Freedom of Speech is granted by the First Amendment, and your customer would have brought this on himself. I will however do everything in my power to ensure that our services do not participate in unlawful activity, including denial of service.

You may continue to block traffic from my servers on your network, as I will do the same.

Sean Norton | Network Engineer | Ockers Company
1340 Belmont Street, Brockton, MA 02301 | 508-586-4642

Click to expand...

Click to expand...

Click to expand...