[CLUE-Tech] Hacking?

David Anselmi anselmi at americanisp.net
Mon Jun 10 09:11:33 MDT 2002


Adam Bultman wrote:
> 
> Okay. I think I'm getting hacked, or DDOSed.
> 
> Here's my symptoms:
> 
> 1. Lots of requests to my server.  I, on my ISDN, can barely keep up with
> a tcpdump, watching hosts hitting me.  I just about peg my bandwidth on my
> colo if I leave httpd up.   www.glaven.org/images/hack2.jpg shows my usage.
> You can see, it's higher than normal when the attacks started.
> 
> 2. If I turn on http, this is what I get:
> 24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "HEAD http://www.spotlife.com/users2/missjaco86/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 0
> 24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "GET http://www.spotlife.com/users2/shellay/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 264

You aren't spotlife.com, right?  But requests for that site are coming
to your server.  So it seems that DNS is snafu'd somewhere.  I can get
to spotlife.com ok, so it doesn't seem to be a problem with the
authoritative servers (unless they've been fixed already).  If you think
all the hits are coming from a particular place, perhaps they have a
cache that is bad.

It is possible that this is malicious (especially if it continues).  But
also possible that it is just bad administration.  There seem to be a
few people running DNS servers that don't know how DNS works.

You can try to block this traffic as far upstream as you can--may not be
easy, but it's the best way.  Will your provider set up the filter for
you?

> 3.  It appears to be happening to both my DNS servers, nothing else.  I
> neglected to mention this earlier. These are my DNS servers.  They run
> httpd because I need the big brother status pages.  I *was* running BIND
> 8.2.3, I believe, but now I'm running 9.1.2 or whatever the newest version
> is.

Do you have to run httpd to use BB on the DNS servers?  Seems to me that
they could report somewhere else that was running httpd.

Dave
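
The log lines quoted above carry an absolute URI ("GET http://www.spotlife.com/...") as the request target, which is the form a client sends to an HTTP proxy rather than to an origin server. Whether the cause is bad DNS or clients that have been pointed at this box as a proxy, the first practical step is to find out which client addresses are sending such requests for hosts that are not yours, so that the filter Dave suggests can be built. The script below is an added example written for this archive page, not code from either poster: it parses Common Log Format lines, flags absolute-URI requests whose host is not in a list of the server's own names, counts them per client, and emits candidate iptables rules. The log lines it runs on are constructed to resemble the ones quoted in the thread and are not the real log; the hostnames, the threshold and the iptables rule format are assumptions.

```python
"""Find proxy-style (absolute-URI) requests for a foreign host in an Apache
access log and summarize which clients are sending them."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Common Log Format: client ident user [time] "method target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line):
    """Parse one CLF line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    target = rec["target"]
    # An absolute URI as request-target (RFC 2616 section 5.1.2) is what a
    # client sends to a proxy; an origin-server request uses "/path".
    if target.lower().startswith(("http://", "https://")):
        rec["absolute"] = True
        rec["host"] = urlsplit(target).hostname
    else:
        rec["absolute"] = False
        rec["host"] = None
    return rec


def foreign_host_requests(lines, our_hosts):
    """Yield parsed records whose absolute-URI host is not one of ours."""
    ours = {h.lower() for h in our_hosts}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["absolute"] and rec["host"] and rec["host"].lower() not in ours:
            yield rec


def summarize(lines, our_hosts):
    """Return (requests per client address, requests per foreign host)."""
    clients, hosts = Counter(), Counter()
    for rec in foreign_host_requests(lines, our_hosts):
        clients[rec["client"]] += 1
        hosts[rec["host"]] += 1
    return clients, hosts


def block_rules(clients, threshold):
    """iptables DROP rules for clients at or above threshold (assumed rule format)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP"
            for ip, n in clients.most_common() if n >= threshold]


# Constructed sample modelled on the lines quoted in the thread; not the real log.
SAMPLE_LOG = """\
24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "HEAD http://www.spotlife.com/users2/missjaco86/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 0
24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "GET http://www.spotlife.com/users2/shellay/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 264
24.141.100.20 - - [08/Jun/2002:07:46:48 -0400] "GET http://www.spotlife.com/users2/shellay/webcam/pic/image.jpg HTTP/1.0" 404 264
10.0.0.7 - - [08/Jun/2002:07:47:01 -0400] "GET /images/hack2.jpg HTTP/1.0" 200 31244
10.0.0.8 - - [08/Jun/2002:07:47:05 -0400] "GET http://www.glaven.org/bb/ HTTP/1.0" 200 1201
"""

if __name__ == "__main__":
    # Assumed server names; the fifth sample line is absolute-URI but for our own host.
    clients, hosts = summarize(SAMPLE_LOG.splitlines(), ["www.glaven.org", "glaven.org"])
    for host, n in hosts.most_common():
        print(f"{n:6d} requests for foreign host {host}")
    for rule in block_rules(clients, threshold=3):
        print(rule)
```

Run it against the real access_log with your own hostnames in place of the assumed ones; the per-host counter tells you whether it is one foreign site or many, and the per-client counter is what you would hand to your provider for an upstream filter. Absolute-URI requests for your own names are deliberately left out of the counts, since those are legitimate however they arrive.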
