[Operators] Potential distributed attack

[Daniel Fischaleck]

Am Dienstag, 10. April 2012, 23:03:54 schrieb Claudiu Curcă:
> Hello,
> 
> 
> 
> Tonight I've noticed an increase in server traffic and once I checked stuff
> aut I saw that some few thousand users were created from a russian IP
> address (178.47.4.86). The users were automatically created with the
> username XXyyyyyyZZ, where (XX and ZZ are numerica land yyyyy are random
> words). According to logs, all these users flooded the user dyavol at qip.ru,
> probably as some sort of childish revenge or something similar.
> 
> 
> 
> Lately, I've been firewalling entire classes of IPs from the Russian
> Federation because of these automated registrations, although only now logs
> have shown actual flooding.
> 
> 
> 
> With all respect to free and boundless communication, I am taking the
> caution of blocking each and every IP block from the Russian Federation,
> since I do not want (nor have to, for that matter) stay and guard the
> server from automated registrations (as a fun fact, out of all the former
> automated registrations detected, 105 of them, 104 were from Russia).
> 
> 
> 
> I know it's harsh, but I encourage the rest of the admins to be vigilant
> and take hard countermeasures against such abuse.
> 
> 
> 
> Best Regards,
> 
> 
> 
> Claudiu Curcă - coderollers.com

Hi,

the same thing happened to my server orcalab.net. Public registration is now 
disabled till I get that IP sorted and I am restoring a backup of the old user 
database right now. I got over 1000 registrations within a few minutes. Same 
scheme as yours.

Thank you for providing the IP address, I will also block the whole russian IP 
block.

Will you file a complaint against this subscriber or do you think it has no 
sense at all to complain at a russian business?

best regards,

Daniel


-- 
Daniel Fischaleck

Tel.: +498771  3710
Mobil: +49172 833 7935
Fax: +498771 408369

d.fischaleck at inet-tec.net
daniel at fischaleck.net