
From: security curmudgeon (jericho@attrition.org)
To: abuse@cogentco.com
Cc: abuse@bitdefender.com, legal@attrition.org
Date: Thu, 9 Apr 2009 21:26:20 +0000 (UTC)
Subject: DoS attack from your customer (149.5.168.19)

Cogentco,

One of your customers is performing a bandwidth saturation attack against attrition.org today. Here is a sample of what we're seeing:

[..]
149.5.168.19 - - [09/Apr/2009:08:25:09 -0400] "GET /pipermail/isn/2006-March.txt HTTP/1.1" 200 871432 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1b3pre) Gecko/20090105 Firefox/3.1b3pre"
149.5.168.19 - - [09/Apr/2009:08:25:27 -0400] "GET /pipermail/isn/2006-March.txt HTTP/1.1" 200 871432 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1b3pre) Gecko/20090105 Firefox/3.1b3pre"
149.5.168.19 - - [09/Apr/2009:08:25:29 -0400] "GET /pipermail/isn/2006-March.txt HTTP/1.1" 200 871432 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1b3pre) Gecko/20090105 Firefox/3.1b3pre"
149.5.168.19 - - [09/Apr/2009:08:25:37 -0400] "GET /pipermail/isn/2006-March.txt HTTP/1.1" 200 871432 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1b3pre) Gecko/20090105 Firefox/3.1b3pre"
149.5.168.19 - - [09/Apr/2009:08:25:40 -0400] "GET /pipermail/isn/2006-March.txt HTTP/1.1" 200 871432 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1b3pre) Gecko/20090105 Firefox/3.1b3pre"
149.5.168.19 - - [09/Apr/2009:08:25:55 -0400] "GET /pipermail/isn/2006-March.txt HTTP/1.1" 200 871432 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1b3pre) Gecko/20090105 Firefox/3.1b3pre"
149.5.168.19 - - [09/Apr/2009:08:25:56 -0400] "GET /pipermail/isn/2006-March.txt HTTP/1.1" 200 871432 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1b3pre) Gecko/20090105 Firefox/3.1b3pre"
[..]

They have located an archive file that is ~ 871k and are reloading it as fast as possible. If this was really a web browser, they should be receiving a 301 and not transferring the file each time.

This has resulted in a consumption attack against our web server as the person has requested this file 4,450 times between 09/Apr/2009:00:08:47 and 09/Apr/2009:17:11:58. We have put in an IP base block to prevent this attack temporarily.

Attrition.org takes such attacks very seriously and will pursue this with law enforcement if required. Please advise on how this will be dealt with, or at least that you are addressing the issue.

Jared Richo
attrition.org

%rwhois V-1.5:0010b0:00 rwhois.cogentco.com 149.5.168.19
network:ID:NET-9505A8101D
network:Network-Name:NET-9505A8101D
network:IP-Network:149.5.168.16/29
network:Country:RO
network:City:Bucharest
network:Street-Address:Str Preciziei 24, West Gate Park, H2, S6
network:Org-Name:Bitdefender
network:Tech-Contact:ZC108-ARIN
network:Updated:2008-12-15 09:56:45
network:Updated-by:Bill Garrison
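
The pattern reported above (one client pulling the same large file again and again, with a full 200 transfer every time) can be extracted from an Apache combined-format access log as follows. This is an added example, not part of the original email: the sample lines are constructed in the format quoted above, with a shortened user agent and a second client (192.0.2.10, a documentation address) that revalidates its copy with 304 for contrast, and `summarize`, `repeat_fetchers` and `min_hits` are names chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample (not real traffic beyond the IP, path and size quoted in the email).
SAMPLE = '''
149.5.168.19 - - [09/Apr/2009:08:25:09 -0400] "GET /pipermail/isn/2006-March.txt HTTP/1.1" 200 871432 "-" "ExampleUA"
149.5.168.19 - - [09/Apr/2009:08:25:27 -0400] "GET /pipermail/isn/2006-March.txt HTTP/1.1" 200 871432 "-" "ExampleUA"
149.5.168.19 - - [09/Apr/2009:08:25:29 -0400] "GET /pipermail/isn/2006-March.txt HTTP/1.1" 200 871432 "-" "ExampleUA"
192.0.2.10 - - [09/Apr/2009:08:26:00 -0400] "GET /pipermail/isn/2006-March.txt HTTP/1.1" 200 871432 "-" "ExampleUA"
192.0.2.10 - - [09/Apr/2009:08:30:00 -0400] "GET /pipermail/isn/2006-March.txt HTTP/1.1" 304 - "-" "ExampleUA"
192.0.2.10 - - [09/Apr/2009:08:35:00 -0400] "GET /pipermail/isn/2006-March.txt HTTP/1.1" 304 - "-" "ExampleUA"
'''.strip()

def summarize(lines):
    """Group requests by (client IP, path): hit count, full transfers, bytes, time span."""
    stats = defaultdict(lambda: {"hits": 0, "full": 0, "bytes": 0,
                                 "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        size = 0 if m["size"] == "-" else int(m["size"])
        s = stats[(m["ip"], m["path"])]
        s["hits"] += 1
        s["bytes"] += size
        s["full"] += int(m["status"] == "200" and size > 0)  # body actually sent
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats

def repeat_fetchers(lines, min_hits=3):
    """(ip, path) pairs with >= min_hits requests, every one a full 200 transfer."""
    return sorted(key for key, s in summarize(lines).items()
                  if s["hits"] >= min_hits and s["full"] == s["hits"])

if __name__ == "__main__":
    for ip, path in repeat_fetchers(SAMPLE.splitlines()):
        s = summarize(SAMPLE.splitlines())[(ip, path)]
        print(ip, path, s["hits"], "hits,", s["bytes"], "bytes,",
              s["first"].isoformat(), "to", s["last"].isoformat())
```

The per-pair hit count, byte total and first/last timestamps are the figures an abuse report like this one needs; `min_hits` should be set well above what a normal reader of the archive would generate.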