• IP Blocking.

    From Warchilin66@VERT/CPUGOD to All on Tuesday, August 15, 2017 09:56:58
    Hello,

    I have a server that started hitting my server last night with the host name: consumerhealthdigest.com. IP Address is 198.20.76.132...

    So I tried to log into my BBS this morning via the web from work and noticed that I could not connect. Apparently this took the BBS down completely. It is trying to hit the QOTD on port 17 through Synchronet BBS. It actually took the BBS down. So I logged into the machine via remote and found out that it was taken down by this. I reloaded SBBS from the SBBSctrl and it started trying to connect to this IP address and was hitting really quick. I put it in the IP block list but this server is persistent. Does anyone know a way I can block this? Thanks in advance.

    James

    ---
    þ Synchronet þ Computer God!!! - Get Involved - West Jordan, Ut. telnet://cpugod.synchro.net
  • From KK4QBN@VERT/KK4QBN to Warchilin66 on Tuesday, August 15, 2017 12:47:03
    Re: IP Blocking.
    By: Warchilin66 to All on Tue Aug 15 2017 09:56:58

    So I tried to log into my BBS this morning via the web from work and noticed that I could not connect. Apparently this took the BBS down completely. It is trying to hit the QOTD on port 17 through Synchronet BBS. It actually took the BBS down. So I logged into the machine via remote and found out that it was taken down by this. I reloaded SBBS from the SBBSctrl and it started trying to connect to this IP address and was hitting really quick. I put it in the IP block list but this server is persistent. Does anyone know a way I can block this? Thanks in advance.

    As long as the IP is in the ip.can it can still try to contact your system, but it is automatically rejected, so you should have no issues.

    If you have the latest and greatest (beta) of sbbs, it will automatically take care of this for you after so many attempts. It also has throttling to keep that IP from constantly hammering your servers.

    --

    Tim Smith (KK4QBN)
    KK4QBN BBS

    ---
    * Synchronet * KK4QBN - kk4qbn.synchro.net - 7064229538 - Chatsworth GA USA
  • From mark lewis@VERT to Warchilin66 on Tuesday, August 15, 2017 14:04:08
    On 2017 Aug 15 09:56:58, you wrote to All:

    I have a server that started hitting my server last night with the host name: consumerhealthdigest.com. IP Address is 198.20.76.132...

    block it in your firewall... either the one in your modem device or the one on the BBS machine... i'd block it in your perimeter firewall on the modem...

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... He ate anchovies, poi AND vegemite.... and died.
    ---
    * Origin: (1:3634/12.73)
    þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net
  • From mark lewis@VERT to KK4QBN on Tuesday, August 15, 2017 14:05:18
    On 2017 Aug 15 12:47:02, you wrote to Warchilin66:

    So I tried to log into my BBS this morning via the web from work and
    noticed that I could not connect. Apparently this took the BBS down
    completely. It is trying to hit the QOTD on port 17 through Synchronet
    BBS. It actually took the BBS down. So I logged into the machine via
    remote and found out that it was taken down by this. I reloaded SBBS
    from the SBBSctrl and it started trying to connect to this IP address
    and was hitting really quick. I put it in the IP block list but this
    server is persistent. Does anyone know a way I can block this? Thanks
    in advance.

    As long as the IP is in the ip.can it can still try to contact your
    system, but it is automatically rejected, so you should have no issues.

    ummm... it is a Denial of Service, though... they've got the SBBS spending too much time handling the drop... best to block these in the firewall and stop them from abusing SBBS in the first place...

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Lard: Once again, in excess, bad, in moderation, freaking enjoy it.
    ---
    * Origin: (1:3634/12.73)
    þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net
  • From Digital Man@VERT to Warchilin66 on Tuesday, August 15, 2017 13:39:36
    Re: IP Blocking.
    By: Warchilin66 to All on Tue Aug 15 2017 09:56 am

    Hello,

    I have a server that started hitting my server last night with the host name: consumerhealthdigest.com. IP Address is 198.20.76.132...

    So I tried to log into my BBS this morning via the web from work and noticed that I could not connect. Apparently this took the BBS down completely. It is trying to hit the QOTD on port 17 through Synchronet BBS. It actually took the BBS down. So I logged into the machine via remote and found out that it was taken down by this.

    It seems unlikely. Do you have a log snippet or is this just conjecture?

    I reloaded SBBS from the SBBSctrl and it started trying to connect to this IP address and was hitting really quick. I put it in the IP block list but this server is persistent. Does anyone know a way I can block this? Thanks in advance.

    Use the ip.can file. If you don't want to see the log entry when they connect, use the ip-silent.can file.

    digital man

    Synchronet/BBS Terminology Definition #31:
    JS = JavaScript
    Norco, CA WX: 74.1°F, 65.0% humidity, 3 mph NNE wind, 0.00 inches rain/24hrs

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net
  • From KK4QBN@VERT/KK4QBN to mark lewis on Tuesday, August 15, 2017 18:21:00
    Re: IP Blocking.
    By: mark lewis to KK4QBN on Tue Aug 15 2017 14:05:18

    ummm... it is a Denial of Service, though... they've got the SBBS spending too much time handling the drop... best to block these in the firewall and stop them from abusing SBBS in the first place...

    am I wrong or does the throttling not take care of ddos? and exactly WHERE does he say it is ddos? from what he has posted it could be regular Mirai.

    I get these attempts on my mail server until I put them in my ip.can then it puts a halt to it.

    --

    Tim Smith (KK4QBN)
    KK4QBN BBS

    ---
    * Synchronet * KK4QBN - kk4qbn.synchro.net - 7064229538 - Chatsworth GA USA
  • From Denn@VERT/OUTWEST to Warchilin66 on Tuesday, August 15, 2017 21:47:43
    Re: IP Blocking.
    By: Warchilin66 to All on Tue Aug 15 2017 09:56 am

    I have a server that started hitting my server last night with the host name: consumerhealthdigest.com. IP Address is 198.20.76.132...

    I had this exact IP address hit my BBS as well; it also took my BBS offline. I put it in my ip.can and shut down the QOTD feature. I don't use QOTD anyway.

    So I tried to log into my BBS this morning via the web from work and noticed that I could not connect. Apparently this took the BBS down completely. It is trying to hit the QOTD on port 17 through Synchronet BBS. It actually took the BBS down. So I logged into the machine via remote and found out that it was taken down by this. I reloaded SBBS from the SBBSctrl and it started trying to connect to this IP address and was hitting really quick. I put it in the IP block list but this server is persistent. Does anyone know a way I can block this? Thanks in advance.

    Shut QOTD off and it will go away completely.

    "... A cubicle is just a padded cell without a door."

    ---
    þ Synchronet þ the Outwest BBS - outwestbbs.com Telnet - outwestbbs.com:23
  • From mark lewis@VERT to KK4QBN on Wednesday, August 16, 2017 12:22:18
    On 2017 Aug 15 18:21:00, you wrote to me:

    ummm... it is a Denial of Service, though... they've got the SBBS
    spending too much time handling the drop... best to block these in
    the firewall and stop them from abusing SBBS in the first place...

    am I wrong or does the throttling not take care of ddos?

    the DOS is against the server... SBBS in this case...

    and exactly WHERE does he say it is ddos?

    he didn't say it was a DDOS... DDOS is more than one attacker... this was only one attacker...

    and these days, we also have DRDoS, Distributed Reflective Denial of Service, which is based on udp attacks...

    from what he has posted it could be regular Mirai.

    not hitting the QOTD port, it likely isn't... Mirai and its variants hit 22, 23, 2222, 5555, and 7547... now the variants have expanded to numerous other ports... 135 (DCE/RPC), 445 (Active Directory), 1433 (MSSQL), 3306 (MySQL), and 3389 (RDP).

    then you have the Hajime worm which appears to be the work of a whitehat... it looks like Mirai from the attacked side but its goal is to stop and prevent Mirai and variants from getting in to IoT devices...

    I get these attempts on my mail server until I put them in my ip.can
    then it puts a halt to it.

    yep...

    FWIW: here's an interesting link on Mirai and what it can do... in our little BBS world, we're only concerned with a few of them, for the most part...


    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... For God's sake, keep a grip on yourself! - Brad Majors
    ---
    * Origin: (1:3634/12.73)
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert|cvs|bbs].synchro.net
  • From mark lewis@VERT to Denn on Wednesday, August 16, 2017 12:07:54
    On 2017 Aug 15 21:47:42, you wrote to Warchilin66:

    I have a server that started hitting my server last night with the host
    name: consumerhealthdigest.com. IP Address is 198.20.76.132...

    I had this exact ip address hit my BBS as well, it also took my BBS offline, I put it in my ip.can and shut down QOTD feature, I don't use QOTD anyway.

    what we've pretty much done is to turn off the udp side and have only the tcp side... some things, like DNS, have to use udp, though... the only time DNS uses tcp is when the response is too large for a udp packet... in that case, the client and server switch to tcp for that one query...

    FWIW: feedreader shows this about that consumerhealthdigest site...

    ----->8 snip 8<-----
    What's new on Consumerhealthdigest.com: Check updates and related news right now. Consumerhealthdigest is pretty active and updates frequently with 100+ articles published this month alone (they might potentially reach about 1.24M visitors within the said period of time). It seems that Consumerhealthdigest is infected or spreading some malware, so we recommend that you stay away until it's fixed.
    ----->8 snip 8<-----

    but i don't see any date associated with the report... it is possible that it has been hacked and is being used to distribute malware... the real question is why attack the QOTD port...

    [time passes]

    ahhh... here it is... QOTD runs on both udp and tcp... udp is not secure in that the originating address can be spoofed... the tcp three-way handshake prevents this... because the udp address can be spoofed, udp services can be used in amplification attacks... these are attacks where a udp service is flooded with requests using a spoofed originating address... all these replies are sent to the spoofed address even though it is NOT the one that sent the original request(s)... so in the case of consumerhealthdigest, it is most likely that they are under attack and systems sending data to them are simply weapons being wielded by others... others who are hidden because of the spoofed address in the udp packets...

    https://www.us-cert.gov/ncas/alerts/TA14-017A

    ----->8 snip 8<-----
    Alert (TA14-017A)
    UDP-Based Amplification Attacks

    Original release date: January 17, 2014 | Last revised: November 04, 2016

    Systems Affected

    Certain application-layer protocols that rely on User Datagram Protocol (UDP) have been identified as potential attack vectors:

    * DNS
    * NTP
    * SNMPv2
    * NetBIOS
    * SSDP
    * CharGEN
    * QOTD
    * BitTorrent
    * Kad
    * Quake Network Protocol
    * Steam Protocol
    * RIPv1
    * Multicast DNS (mDNS)
    * Portmap/RPC
    * LDAP

    Overview

    A Distributed Reflective Denial of Service (DRDoS) attack is a form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible UDP servers, as well as bandwidth amplification factors, to overwhelm a victim system with UDP traffic.
    ----->8 snip 8<-----


    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Frigerobics: Leaning, bending, stretching while looking in the fridge.
    ---
    * Origin: (1:3634/12.73)
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert|cvs|bbs].synchro.net
  • From KK4QBN@VERT/KK4QBN to mark lewis on Wednesday, August 16, 2017 17:12:28
    Re: IP Blocking.
    By: mark lewis to KK4QBN on Wed Aug 16 2017 12:22:18

    ummm... it is a Denial of Service, though... they've got the SBBS
    spending too much time handling the drop... best to block these in
    the firewall and stop them from abusing SBBS in the first place...

    am I wrong or does the throttling not take care of ddos?

    the DOS is against the server... SBBS in this case...

    and exactly WHERE does he say it is ddos?

    he didn't say it was a DDOS... DDOS is more than one attacker... this was only one attacker...

    AH, my bad, I thought the two were one and the same. My ignorance.


    and these days, we also have DRDoS, Distributed Reflective Denial of Service, which is based on udp attacks...

    too many idiots with too much time on their hands I presume.. I don't see what, if anything, a person could gain by compromising port 17

    from what he has posted it could be regular Mirai.

    not hitting the QOTD port, it likely isn't... Mirai and its variants hit 22, 23, 2222, 5555, and 7547... now the variants have expanded to numerous other ports... 135 (DCE/RPC), 445 (Active Directory), 1433 (MSSQL), 3306 (MySQL), and 3389 (RDP).

    How about the constant garbage that acts just like Mirai trying to hit my mailservers?

    They are either expanding their horizons, or Skynet is taking over :)

    then you have the Hajime worm which appears to be the work of a whitehat... it looks like Mirai from the attacked side but its goal is to stop and prevent Mirai and variants from getting in to IoT devices...

    Good on it then.. if that's its true intention it needs to be added to our exempt IPs lists.

    --

    Tim Smith (KK4QBN)
    KK4QBN BBS

    ---
    * Synchronet * KK4QBN - kk4qbn.synchro.net - 7064229538 - Chatsworth GA USA
  • From mark lewis@VERT to KK4QBN on Thursday, August 17, 2017 01:50:18
    On 2017 Aug 16 17:12:28, you wrote to me:

    and exactly WHERE does he say it is ddos?

    he didn't say it was a DDOS... DDOS is more than one attacker... this
    was only one attacker...

    AH, my bad, I thought the two were one and the same. My ignorance.

    not a problem... DoS, DDoS and DRDoS are all basically the same thing... they're all Denial of Service... DDoS is Distributed Denial of Service which means the attacks come from several vectors... DRDoS is Distributed Reflective Denial of Service which means that someone is targeting a site by spoofing their address in UDP packets sent to other sites... those other sites will send their responses to the site whose address is spoofed and there's the DoS if there's enough traffic...

    and these days, we also have DRDoS, Distributed Reflective Denial of
    Service, which is based on udp attacks...

    too many idiots with too much time on their hands I presume.. I don't
    see what, if anything, a person could gain by compromising port 17

    they're not compromising port 17... they're using systemA's port 17 to flood systemB by spoofing systemB's address in the UDP requests they're sending to systemA... systemA thinks it is systemB doing the requesting... by using a lot of systems like systemA to flood systemB, they're DoSing systemB and no one knows where the real attackers are coming from...

    the original report we read in here was about that health site... it wasn't the health site that was sending all those requests... the health site was the one under attack by the unknowns generating those faked packets that looked like they were from the health site...

    from what he has posted it could be regular Mirai.

    not hitting the QOTD port, it likely isn't... Mirai and its variants
    hit 22, 23, 2222, 5555, and 7547... now the variants have expanded to
    numerous other ports... 135 (DCE/RPC), 445 (Active Directory), 1433
    (MSSQL), 3306 (MySQL), and 3389 (RDP).

    How about the constant garbage that acts just like Mirai trying to hit
    my mailservers?

    you mean the ones trying all kinds of names and passwords?? those are average dictionary attacks... they're not Mirai or a variant of Mirai... they're looking for existing accounts with poor passwords... if they find one, they can use that info on other sites with similar accounts OR they may use that info to hijack someone's twitter, facebook or apple accounts or any other accounts where someone reused their password...

    They are either expanding their horizons, or Skynet is taking over :)

    nah... they've been doing this stuff for years before Mirai came around...

    then you have the Hajime worm which appears to be the work of a
    whitehat... it looks like Mirai from the attacked side but its goal
    is to stop and prevent Mirai and variants from getting in to IoT
    devices...

    Good on it then.. if that's its true intention it needs to be added to
    our exempt IPs lists.

    the thing is, you can't tell it from Mirai from this side of the screen... besides, it can't help your BBS any more than Mirai can harm it... other than tying up your terminal nodes and giving you a little DoS...

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Does 'virgin wool' come from sheep the shepherd hasn't caught yet?
    ---
    * Origin: (1:3634/12.73)
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert|cvs|bbs].synchro.net
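    As an added illustration of the reflection scenario mark describes here (systemA's port 17 being used to flood systemB) and in his earlier reply about QOTD running over UDP, the Python below is example code written for this thread, not anything from Synchronet or from the posters. It models systemA's QOTD service answering whatever source address a datagram claims, computes the bandwidth amplification factor the US-CERT alert talks about, and runs the defender-side check that the ip.can advice amounts to: flag a claimed source that hammers port 17 and stop replying to it. The addresses, quote text and traffic are all constructed.

```python
from collections import defaultdict
from typing import NamedTuple

QOTD_PORT = 17
QUOTE = b"Always Mount a Scratch Monkey\r\n"   # constructed QOTD reply text

class Datagram(NamedTuple):
    ts: float       # seconds since start of capture
    src: str        # claimed source address (spoofable over UDP)
    dst: str
    dport: int
    payload: bytes

def reflect(request, blocklist=frozenset()):
    """QOTD on systemA: reply with QUOTE to the *claimed* source; None if blocked or wrong port."""
    if request.dport != QOTD_PORT or request.src in blocklist:
        return None
    return Datagram(request.ts, request.dst, request.src, 0, QUOTE)

def amplification_factor(request, reply):
    """Bandwidth amplification factor: reply bytes per request byte."""
    return len(reply.payload) / max(1, len(request.payload))

def bytes_delivered(requests, blocklist=frozenset()):
    """Reply bytes landing on each claimed source (the victim, systemB, when spoofed)."""
    out = defaultdict(int)
    for req in requests:
        reply = reflect(req, blocklist)
        if reply is not None:
            out[reply.dst] += len(reply.payload)
    return dict(out)

def hammering_sources(requests, window_s=1.0, threshold=20):
    """Defender-side check on the reflector: flag any claimed source sending more
    than `threshold` port-17 datagrams inside any `window_s` window. Under a
    reflection attack the flagged address is the victim; blocking it (ip.can)
    stops the BBS from being used as a weapon against systemB."""
    per_src = defaultdict(list)
    for req in sorted(requests, key=lambda r: r.ts):
        if req.dport == QOTD_PORT:
            per_src[req.src].append(req.ts)
    flagged = set()
    for src, stamps in per_src.items():
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window_s:   # slide the window start forward
                lo += 1
            if hi - lo + 1 > threshold:
                flagged.add(src)
                break
    return flagged

def demo():
    """Constructed traffic: 50 spoofed requests/s 'from' systemB for 2 s plus one
    genuine request; returns (flagged, bytes before blocking, bytes after)."""
    victim, bbs = "203.0.113.5", "198.51.100.1"   # systemB, systemA (the BBS)
    reqs = [Datagram(i / 50, victim, bbs, QOTD_PORT, b"\n") for i in range(100)]
    reqs.append(Datagram(0.3, "192.0.2.9", bbs, QOTD_PORT, b"\n"))
    flagged = hammering_sources(reqs)
    return flagged, bytes_delivered(reqs), bytes_delivered(reqs, frozenset(flagged))
```

Note that the 31:1 factor here comes only from the constructed one-byte request; a real QOTD reply size depends on the quote the server is configured with.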
  • From Ragnarok@VERT/DOCKSUD to Warchilin66 on Thursday, August 17, 2017 14:37:17
    On 15/08/17 at 12:56, Warchilin66 wrote:
    Hello,

    I have a server that started hitting my server last night with the host name: consumerhealthdigest.com. IP Address is 198.20.76.132...

    So I tried to log into my BBS this morning via the web from work and noticed that I could not connect. Apparently this took the BBS down completely. It is trying to hit the QOTD on port 17 through Synchronet BBS. It actually took the BBS down. So I logged into the machine via remote and found out that it was taken down by this. I reloaded SBBS from the SBBSctrl and it started trying to connect to this IP address and was hitting really quick. I put it in the IP block list but this server is persistent. Does anyone know a way I can block this? Thanks in advance.

    James

    use fail2ban on linux





    ---
    þ Synchronet þ Dock Sud BBS TLD 24 HS - http://www.docksud.com.ar - telnet://bbs.docksud.com.ar