DDoS Attack in Progress.

Hi All,

  DoS attack in progress, any upstream info for these guys? Their
phone number doesn't respond.

This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '88.247.0.0 - 88.247.79.255'

inetnum: 88.247.0.0 - 88.247.79.255
netname: TurkTelekom
descr: TT ADSL-alcatel static_ulus
country: tr
admin-c: TTBA1-RIPE
tech-c: TTBA1-RIPE
status: ASSIGNED PA
mnt-by: as9121-mnt
source: RIPE # Filtered

role: TT Administrative Contact Role
address: Turk Telekom
address: Bilisim Aglari Dairesi
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 313 1950
fax-no: +90 312 313 1949
e-mail: abuse@ttnet.net.tr
admin-c: BADB3-RIPE
tech-c: ZA66-RIPE
tech-c: NO638-RIPE
tech-c: SO351-RIPE
nic-hdl: TTBA1-RIPE
mnt-by: AS9121-MNT
source: RIPE # Filtered

% Information related to '88.247.0.0/17AS9121'

route: 88.247.0.0/17
descr: TurkTelecom
origin: AS9121
mnt-by: AS9121-MNT
source: RIPE # Filtered

Not surprising -- TurkTelekom has long been known to be a hotbed of
malicious activity, a known hoster for Russian/Ukrainian cyber criminals,
and perhaps one of the most botnetted ISPs on the planet:

http://itw.trendmicro-europe.com/index.php?id=64

- ferg

Try,

NOC ITMC/NOC +902125209898 itmcistanbul@turktelekom.com.tr

Mehmet

The Spamhaus folk on this list have the address of TurkTelekom's chief security/abuse guy who would take care of this, but we would not be inclined to give his address to someone identifying themselves as "Beavis" with a gmail address. Can you elaborate on who you are, what's being DoSsed (a router, an http server, a mail server?), and whether you can ACL the source (since you know the source is in 88.247.0.0/17, why not ACL the source at your router or at whatever device is being DoSsed).

   Steve Linford
   The Spamhaus Project
   http://www.spamhaus.org

Sorry for the anonymity part, Steve. This is the only email I've got
that is added to the NANOG list.

John Lopez
NOC Manager
Constructora Pura Vida
(506)243-018-35 Ext. 2901

Beavis aka John Lopez:
I, for one, am glad you're interested in stopping the abuse at its source.
Thank you.

Steve Linford:

> why not ACL the source at your router or at whatever device is being

(packeted).
Mr. Lopez is contributing to the welfare of the net as a whole by addressing
the cause, rather than applying a bandage locally to lessen the symptom. I
sincerely hope your dismissive advice is not characteristic of Spamhaus
policy regarding abused hosts, considering the mission statement at the top
of your homepage.

Steve Church

You do?

I can assure you there are several people who would love to have this
information. Care to share with the rest of the anti-abuse community?

Kind regards,
William Pitcock
DroneBL

OK, you don't know much about Spamhaus. Dealing with network abuse issues is what we do 24/7. John Lopez contacted me privately and I've given him the address of TurkTelekom's security guy, but the reality of things is that today is a Saturday and tomorrow is a Sunday; unless TurkTelekom's guy is working weekends (unlikely), ACL'ing the source is not just an advisable option but is probably until Monday the only option.

   Steve Linford
   The Spamhaus Project
   http://www.spamhaus.org

Steve Church wrote:

> Beavis aka John Lopez:
> I, for one, am glad you're interested in stopping the abuse at its source.
> Thank you.
>
> Steve Linford:
>
>> why not ACL the source at your router or at whatever device is being
>
> (packeted).
> Mr. Lopez is contributing to the welfare of the net as a whole by addressing
> the cause, rather than applying a bandage locally to lessen the symptom. I
> sincerely hope your dismissive advice is not characteristic of Spamhaus
> policy regarding abused hosts, considering the mission statement at the top
> of your homepage.
>
> Steve Church

Come on, even I think Steve Linford's bona fides are strong enough that
this was uncalled for.

Andrew

Let's put it this way. Contacts given in confidence aren't meant to be
shared randomly. Or to people who don't identify themselves and post
using freemail addresses. Linford seems to have shared this contact
offlist with the guy, after he identified himself, so case closed.

srs