
The DDoS spam bot from hell (a suburb of China)

Happy new year everyone,

I'm back online to put out a fire. My inbox was full of alerts that the CPU on the server that runs the site was maxing out.

Well boys and girls, it turns out www.turnkeylinux.org has been under an escalating distributed denial of service attack that started about two weeks ago. To the best of my knowledge the site continued operating normally. We use a ton of caching. Did any of you notice a slowdown?

Lucky for us the "attack" was braindead simple so it was easy to figure out what was happening and block the offending IPs. 32 nodes from 4 Chinese /16 network blocks which I sincerely hope aren't home to any TurnKey fans:

60.169.73.186
222.186.24.101
60.169.78.19
60.169.75.168
61.160.232.38
222.186.26.164
60.169.78.57
60.169.78.174
61.160.232.22
60.169.78.193
60.169.78.177
222.186.25.134
60.169.78.15
60.169.78.52
60.169.75.50
60.169.78.54
61.160.232.39
60.169.78.7
61.160.232.58
61.160.232.4
61.160.232.10
60.169.75.161
60.169.78.42

All using the same User Agent:

Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

It claims to be Firefox, but from the logs it's obvious it isn't behaving like a real browser. A real browser, for example, fetches CSS and image files. This thing just crawls all over the site and POSTs a zillion times the kind of predictable crap our spam filter blocks half-asleep.

What does that sound like? Ah yes, a poorly programmed, incredibly persistent spam bot network from hell. None of the spam attempts went through our countermeasures but it still took up a ton of CPU time.
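The heuristic described above (one user agent across many hosts, a flood of POSTs, and never a single CSS or image request) is easy to turn into a log check. The script below is an added example, not TurnKey's code or anything from the original post: it parses Apache/nginx combined-format access logs and flags client IPs that exceed a POST threshold inside a time window while never fetching a static asset. The sample log lines, the IPs (RFC 5737 test addresses) and the timestamps are constructed for the example; only the user-agent string is the one quoted in the post, and the threshold and window values are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format. The regex and the sample lines further down
# are constructed for this example; they are not taken from turnkeylinux.org logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Extensions a real browser fetches as a side effect of rendering a page.
STATIC_EXT = ('.css', '.js', '.png', '.gif', '.jpg', '.jpeg', '.ico', '.svg', '.woff')

# The user agent quoted in the post.
UA_BOT = "Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    path = rec['path'].split('?', 1)[0].lower()
    rec['static'] = path.endswith(STATIC_EXT)
    return rec


def find_spambots(lines, post_threshold=10, window_seconds=600):
    """Return {ip: {'posts': n, 'agents': [...]}} for clients that behave like the
    bot in the post: at least post_threshold POSTs within window_seconds and not
    one request for a stylesheet or image."""
    per_ip = defaultdict(lambda: {'posts': [], 'static': 0, 'agents': set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec['ip']]
        stats['agents'].add(rec['ua'])
        if rec['static']:
            stats['static'] += 1
        elif rec['method'] == 'POST':
            stats['posts'].append(rec['ts'])

    flagged = {}
    for ip, stats in per_ip.items():
        if stats['static'] > 0:
            continue  # fetched CSS/images: looks like a browser, leave it alone
        times = sorted(stats['posts'])
        lo = 0
        # Sliding window: does any window_seconds span hold >= post_threshold POSTs?
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= post_threshold:
                flagged[ip] = {'posts': len(times), 'agents': sorted(stats['agents'])}
                break
    return flagged


def _line(ip, ts, method, path, ua, status=200):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample: 198.51.100.7 is a human who reads a page (CSS included) and
# posts twice; 192.0.2.10 plays the bot, crawling node pages and POSTing 12 times
# in 12 seconds without ever requesting a stylesheet or image.
UA_HUMAN = "Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 Firefox/9.0"
SAMPLE_LOG = [
    _line('198.51.100.7', '02/Jan/2012:10:00:00 +0000', 'GET', '/', UA_HUMAN),
    _line('198.51.100.7', '02/Jan/2012:10:00:01 +0000', 'GET', '/themes/tkl/style.css', UA_HUMAN),
    _line('198.51.100.7', '02/Jan/2012:10:00:02 +0000', 'GET', '/themes/tkl/logo.png', UA_HUMAN),
    _line('198.51.100.7', '02/Jan/2012:10:02:30 +0000', 'POST', '/comment/reply/123', UA_HUMAN),
    _line('198.51.100.7', '02/Jan/2012:10:05:10 +0000', 'POST', '/comment/reply/124', UA_HUMAN),
]
SAMPLE_LOG += [_line('192.0.2.10', f'02/Jan/2012:10:00:{i:02d} +0000', 'GET', f'/node/{i}', UA_BOT)
               for i in range(5)]
SAMPLE_LOG += [_line('192.0.2.10', f'02/Jan/2012:10:01:{i:02d} +0000', 'POST', f'/comment/reply/{i}', UA_BOT)
               for i in range(12)]

if __name__ == '__main__':
    for ip, info in find_spambots(SAMPLE_LOG).items():
        print(f"{ip}: {info['posts']} POSTs, no static assets, UA(s): {info['agents']}")
```

Run it against a real access log by feeding `open('/var/log/apache2/access.log')` to `find_spambots` instead of `SAMPLE_LOG`; the flagged IPs are what you would hand to your firewall or to a fail2ban-style ban list, after eyeballing them once so a busy but legitimate proxy does not get caught.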

Being naturally inquisitive I investigated the offending IPs and it turns out most of them are running a remotely exploitable version of SSH (SSH-2.0-OpenSSH_4.3). I'm half tempted to run metasploit to get into these systems and clean away the spambot software as a public service but that's illegal and I'm a bit busy besides.

Wouldn't it be neat though if we had a net equivalent of the Justice League to deal with the kind of lowlife scum who commandeer hapless machines to run very low quality spam software?

Note that I tried doing the right thing and looked up the abuse contact for the network that was attacking us (and presumably thousands/millions of other sites) on WHOIS:

person:         Jinneng Wang
address:        17/F, Postal Building No.120 Changjiang
address:        Middle Road, Hefei, Anhui, China
country:        CN
phone:          +86-551-2659073
fax-no:         +86-551-2659287
e-mail:         wang@mail.hf.ah.cninfo.net
nic-hdl:        JW89-AP
mnt-by:         MAINT-NEW
changed:        wang@mail.hf.ah.cninfo.net 19990818
source:         APNIC

Then instead of sending off an angry e-mail into the void I actually picked up the phone, dialed the number, and listened to some funky Chinese elevator music until some guy (Mr. Jinneng Wang I presume?) who didn't speak English picked up and eventually hung up on me after an awkward, mutually incomprehensible exchange. Of course. How could it be any different?

I don't get it, what's the point of putting up an abuse contact in the WHOIS records if the person listed doesn't speak English? Just list the abuse contact in Mandarin and get it over with.

Sometimes I feel like a character in a Neal Stephenson novel.

Comments

Liraz Siri

Thanks for the fail2ban reference. I think I came across it a while back but I had totally forgotten about it since. Looks generic enough to be tweaked to deal with pretty much any circumstance. I'll set threshold and auto-ban IP addresses that hammer us too hard. Thanks and happy new year!
Liraz Siri

Googling for "Jinneng Wang" spam turns up 22,000 results. So I guess I'm not the only one that has run into trouble with this guy's networks.
Joel

While not perfect, may I humbly suggest CloudFlare? An automated bot defense system via DNS.

It's free and highly customizable.
