Tracking a DDOS

Roger_Marquis · January 20, 2003, 1:35am

One of our clients sustained a severe SMTP DDOS attack on New Years'
Day. The DDOS was caused by a bulk mailing which had forged their
domain name in the return address. The attack was staged over
several days from dial-up lines at fast.net (Bethlehem, PA). We
contacted fast.net shortly after the massmail began but it continued
unabated for two additional days. Some of the source IPs were
eventually listed by MAPS and Wirehub and they're still listed to
this date.

5 minutes after our call to fast.net's support desk we tracked a
portscan from one of their netblocks (206.245.164.0-206.245.164.255,
Internet Unlimited, at nearly the same address in Bethlehem, PA).
A quick check of the reverse DNS revealed nearly exclusive use by
porn, throw-away, and otherwise spam domains.

Though we're still tabulating damages and collecting evidence it
appears the DDOS was hosted by and allowed to continue unabated by
fast.net (aka iuinc.com) after they had knowledge of the problem,
knowledge of its source, and knowledge of its effects.

Since fast.net/iuinc.com has not replied to our email or phone calls
we're looking for anyone with information on this company, its
owners or operators, and any history of network or SMTP abuse. All
help will be appreciated and kept confidential.

Thanks in advance,

jpayne · January 20, 2003, 1:55am

Fastnet is a publicly owned company that recently went on a buying spree and purchased (among others) Applied Theory and Earthstation NetAXS.

You should be able to find contacts from NetAXS (unless Tony has moved on...)

william1 · January 20, 2003, 1:35am

'n confused. I thought AppliedTheory (was CRL) was bought by Clearblue
which later aquired part in Navisite and later had Navisite aquire
most of Clearblue (sounds weird, I know). Now appliedtheory.com goes to
navisite, so I assumed appliedtheory was aquired as part of clearblue,
(if it wasn't why the website going there)? So is its history:

crl->appliedtheory->clearblue->navisite->fastnet

jpayne · January 20, 2003, 4:00am

Not sure of the full history, but http://www.fast.net/news/files/060302-pr.pdf

Kevin_Day · January 20, 2003, 4:36am

As a Clearblue customer, I can confirm that all the Applied Theory stuff seems to be gone now from the support pages. (The same functionality is there, but the appliedtheory.com URL's have all been changed to clearblue.com names)

Some of the stuff looks pretty cool - being able to monitor from a website your rack's temperatures, voltages, the datacenter's UPS and generator statuses, etc... Unfortunately it's all "coming soon"(unless you're in Syracuse), and has been for at least 6 months. Applied Theory was also supposed to be doing port, application and server monitoring, which seems to overlap with what Navisite offers, so that may have something to do with its departure.