RR.COM abusers

Vernon Schryver vjs@calcite.rhyolite.com
Tue Mar 9 16:52:57 UTC 2004


> From: Mark Atkinson <darkmark@filament.org>

> http://security.rr.com/contact.htm
> lists specific examples.  Can you classify it as a DoS?

In the 24 hours ending midnight GMT March 8 (yesterday), they sent
about 740,000 packets to 12 of the public DCC servers.  (I finally
asked a calculator, which told me that my mental arithmetic unit is
busted.)  That's about 8 pkts/second.  The per-server load is about 3
times above levels that trigger the automatic DoS defenses in dccd.
In the last 16 hours they've sent about 600K packets or about 9 pps.

However, I can't honestly say it is any of:

]  * Spam Attacks in Progress (not single spams): Sendmail or NNTP logs
]  * System Penetration: Incident Logs (Apache/Web/Other) INCLUDING:
]    Date/Time/Time Zone/Source IP/Destination IP/Destination
]    dir/user/pass logs/etc
]  * DoS: Incident Logs INCLUDING: Date/Time/Time Zone/Source
]    IP/Destination IP/Source Port/Destination Port
]  * Cracking (Password Attempts): Incident Logs (Apache/Web/Other)
]    INCLUDING: Date/Time/Time Zone/Source IP/Destination IP/Destination
]    dir/user/pass logs/etc

Notice that they implicitly say that if you don't have "logs", the
problem does not exist.  Note also that I called the phone number
in the whois record for rr.com that web page points to and listened
to the recorded GFW brush-off.

Follow the links on http://security.rr.com/contact.htm and ask yourself
if you really want to receive any IP packets from any IP address that
outfit owns.  Look at the copyright dates on the pages.  Notice which
DNS blacklists and whitelist they use, not that those were bad choices
two or three years ago but in light of changes in the last six months.
Consider their promise to scan your network.  As far as I can tell,
they are trying to handle abuse "on the cheap" and by letting you do
as much of their work as they can force you to do.  If you have only
a vanity domain and no clients, friends, or relatives using RR.COM
services, the answer seems easy.


Vernon Schryver    vjs@rhyolite.com


