RR.COM abusers

Stephen Misel steve@neonova.net
Tue Mar 9 17:36:09 UTC 2004


Well, it's the only broadband available where I live.  I tried the
satellite stuff before RoadRunner lit up on my side of town and it was a
complete disaster.

... but I don't run DCC at home, and tend to agree that RR's "charcoal
hat", so block away.

-Steve

On Tue, 2004-03-09 at 11:52, Vernon Schryver wrote:
> > From: Mark Atkinson <darkmark@filament.org>
> 
> > http://security.rr.com/contact.htm
> > lists specific examples.  Can you classify it as a DoS?
> 
> In the 24 hours ending midnight GMT March 8 (yesterday), they sent
> about 740,000 packets to 12 of the public DCC servers.  (I finally
> asked a calculator, which told me that my mental arithmetic unit is
> busted.)  That's about 8 pkts/second.  The per-server load is about 3
> times above levels that trigger the automatic DoS defenses in dccd.
> In the last 16 hours they've sent about 600K packets or about 9 pps.
> 
> However, I can't honestly say it is any of:
> 
> ]  * Spam Attacks in Progress (not single spams): Sendmail or NNTP logs
> ]  * System Penetration: Incident Logs (Apache/Web/Other) INCLUDING:
> ]    Date/Time/Time Zone/Source IP/Destination IP/Destination
> ]    dir/user/pass logs/etc
> ]  * DoS: Incident Logs INCLUDING: Date/Time/Time Zone/Source
> ]    IP/Destination IP/Source Port/Destination Port
> ]  * Cracking (Password Attempts): Incident Logs (Apache/Web/Other)
> ]    INCLUDING: Date/Time/Time Zone/Source IP/Destination IP/Destination
> ]    dir/user/pass logs/etc
> 
> Notice that they implicitly say that if you don't have "logs", the
> problem does not exist.  Note also that I called the phone number
> in the whois record for rr.com that web page points and listened
> to the recorded GFW brush-off.
> 
> Follow the links on http://security.rr.com/contact.htm and ask yourself
> if you really want to receive any IP packets from any IP address that
> outfit owns.  Look at the copyright dates on the pages.  Notice which
> DNS blacklists and whitelist they use, not that those were bad choices
> two or three years ago but in light of changes in the last six months.
> Consider their promise to scan your network.  As far as I can tell,
> they are trying to handle abuse "on the cheap" and by letting you do
> as much of their work as they can force you to do.  If you have only
> a vanity domain and no clients, friends, or relatives using RR.COM
> services, the answer seems easy.
> 
> 
> Vernon Schryver    vjs@rhyolite.com
> _______________________________________________
> DCC mailing list      DCC@rhyolite.com
> http://www.rhyolite.com/mailman/listinfo/dcc



