RELEASE: July 05/2004 by Paul Lezica aka netfreak
SUBJECT: problems and solutions in regards to the YILDIZ TECHNICAL UNIVERSITY situation
SUMMARY: a description of the bandwidth abuse by YILDIZ TECHNICAL UNIVERSITY
to the preterhuman.net archive and the subsequent banning of said abuser, followed
by the Denial of Service attacks perpetrated by YILDIZ TECHNICAL UNIVERSITY
on preterhuman.net (216.232.xxx.xxx)
INTRODUCTION: a client using an application designed for web site leeching
began downloading the preterhuman.net text archive at maximum bandwidth on or
near June 29/2004. This client has been identified as a user at YILDIZ TECHNICAL
UNIVERSITY in ISTANBUL, TURKEY using IP address 194.27.100.21. This client was
identified by the network administrator of preterhuman.net and blocked due to
extreme bandwidth abuse. On or near July 1/2004, a Denial of Service attack
was launched by a user at YILDIZ TECHNICAL UNIVERSITY using IP address 194.27.100.21
on preterhuman.net causing loss of service to preterhuman.net services and the
inability by preterhuman.net routers to remain connected to the Internet Service
Provider (TELUS BROADBAND). The network administrator of preterhuman.net was
notified by TELUS BROADBAND that the Denial of Service attack originating from
194.27.100.21 was directed at preterhuman.net (216.232.xxx.xxx) on port 80,
which we assumed was a result of the user being blocked for bandwidth abuse.
One of the preterhuman.net routers was able to manually re-connect to the TELUS
BROADBAND service and was immediately flooded with connections by 194.27.100.21
as seen below:
15:10:41.196793 194.27.100.21.2460 > preterhuman.net.80: S 2876059724:2876059724(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:41.204431 194.27.100.21.2461 > preterhuman.net.80: S 306906096:306906096(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:41.262835 194.27.100.21.2462 > preterhuman.net.80: S 2688803491:2688803491(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:41.266284 194.27.100.21.2463 > preterhuman.net.80: S 3504865214:3504865214(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:41.270468 194.27.100.21.2464 > preterhuman.net.80: S 3826439759:3826439759(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:42.194622 194.27.100.21.2465 > preterhuman.net.80: S 2659873481:2659873481(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:42.198049 194.27.100.21.2466 > preterhuman.net.80: S 269098271:269098271(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:42.660494 194.27.100.21.2467 > preterhuman.net.80: S 3611304299:3611304299(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:43.193885 194.27.100.21.2468 > preterhuman.net.80: S 2607824175:2607824175(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:43.197816 194.27.100.21.2469 > preterhuman.net.80: S 3944725251:3944725251(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:43.253011 194.27.100.21.2448 > preterhuman.net.80: S 3088894217:3088894217(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:43.253623 194.27.100.21.2449 > preterhuman.net.80: S 305711064:305711064(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
This sample log of the constant flooding covers only a couple of seconds, but it
accurately shows how fast packets were being launched at our router. The preterhuman.net
router went offline only a few minutes later.
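Added here as a detection example, not part of the original report: a small Python parser for tcpdump lines in the format of the capture above that buckets bare SYNs per source, destination and second, and flags any source whose peak rate reaches a threshold. The sample log is the page's own capture (first entry re-joined onto one line); the threshold used in the test is an assumed demonstration value, since a real flood runs far higher than a dozen SYNs in two seconds.

```python
import re
from collections import Counter, defaultdict
# tcpdump TCP summary line: "HH:MM:SS.usec src.sport > dst.dport: FLAGS ..."
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6})\s+"
    r"(?P<src>[\w.-]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\w.-]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPUW.]+)(?=\s|$)"
)

# The flood as captured in this report (first entry re-joined onto one line).
SAMPLE_LOG = """\
15:10:41.196793 194.27.100.21.2460 > preterhuman.net.80: S 2876059724:2876059724(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:41.204431 194.27.100.21.2461 > preterhuman.net.80: S 306906096:306906096(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:41.262835 194.27.100.21.2462 > preterhuman.net.80: S 2688803491:2688803491(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:41.266284 194.27.100.21.2463 > preterhuman.net.80: S 3504865214:3504865214(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:41.270468 194.27.100.21.2464 > preterhuman.net.80: S 3826439759:3826439759(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:42.194622 194.27.100.21.2465 > preterhuman.net.80: S 2659873481:2659873481(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:42.198049 194.27.100.21.2466 > preterhuman.net.80: S 269098271:269098271(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:42.660494 194.27.100.21.2467 > preterhuman.net.80: S 3611304299:3611304299(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:43.193885 194.27.100.21.2468 > preterhuman.net.80: S 2607824175:2607824175(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:43.197816 194.27.100.21.2469 > preterhuman.net.80: S 3944725251:3944725251(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:43.253011 194.27.100.21.2448 > preterhuman.net.80: S 3088894217:3088894217(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
15:10:43.253623 194.27.100.21.2449 > preterhuman.net.80: S 305711064:305711064(0) win 60352 <mss 1380,nop,wscale 2,nop,nop,sackOK> [tos 0x28]
"""

def parse_tcpdump(text):
    """One record per line matching LINE_RE; other lines are skipped."""
    out = []
    for m in (LINE_RE.match(line.strip()) for line in text.splitlines()):
        if not m:
            continue
        ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["us"]) / 1e6
        out.append({"ts": ts, "src": m["src"], "dst": m["dst"],
                    "dport": int(m["dport"]), "flags": m["flags"]})
    return out

def syn_rates(records):
    """Peak count of bare SYNs ('S' flag only, each a new connection attempt)
    per one-second bucket, keyed by (src, dst, dport)."""
    buckets = Counter((r["src"], r["dst"], r["dport"], int(r["ts"]))
                      for r in records if r["flags"] == "S")
    peak = defaultdict(int)
    for (src, dst, dport, _sec), n in buckets.items():
        peak[(src, dst, dport)] = max(peak[(src, dst, dport)], n)
    return dict(peak)

def flag_syn_floods(records, threshold_per_sec):
    """(src, dst, dport) tuples whose peak bare-SYN rate reaches the threshold."""
    return {k: v for k, v in syn_rates(records).items() if v >= threshold_per_sec}
```

On the page's capture the peak is 5 bare SYNs in the 15:10:41 second; in a real deployment the threshold would be tuned against the server's normal new-connection rate and the output fed to a firewall rule or rate limiter.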
PROBLEM: a loss of Internet connection for preterhuman.net beginning
July 1/2004 and continuing until July 5/2004, when the network was issued a new
IP address. Attacks were directed at the preterhuman.net domain, which had to
be pointed at another IP address. The preterhuman.net archive and sites hosted
by preterhuman.net could not remain online.
SOLUTION: the preterhuman.net text file archive of over 100,000 documents
will no longer be open to the public. Access will be granted for affiliates
of the network, or users willing to pay a fee. The preterhuman.net domain will
be forwarded to a high bandwidth host where this document will be hosted.
CONCLUSION: the vision of a freely accessible public text file collection
spanning subjects ranging from Art to Weapons is flawed. 3+ years were spent
building the archive and it has become one of the largest collections available
on the Internet. Knowledge should be free, but unfortunately society doesn't
seem to work that way. For those of you interested, here is the full investigation
report used to track the attacker:
inetnum: 194.27.100.0 - 194.27.101.255
netname: YILDIZ-NET
descr: Yildiz Technical University
country: TR
notify: ipadmin@ulak.net.tr
mnt-by: ULAKNET-MNT
changed: ipadmin@ulak.net.tr 20010208
route: 194.27.0.0/16
descr: ULAKNET
origin: AS8517
holes: 194.27.149.0/24
mnt-by: ULAKNET-MNT
changed: ipadmin@ulak.net.tr 20010213
person: Reha Basaran
address: Yildiz Technical University
address: YTU Faculty of Science
address: Davutpasa Cad 127, Esenler
address: 34210 Istanbul/TURKEY
phone: +90 212 449 1656
fax-no: +90 212 449 1514
e-mail: basaran@yildiz.edu.tr
nic-hdl: RB15945-RIPE
changed: ipadmin@ulak.net.tr 20010109
person: Ozgur Akcali
address: Yildiz Technical University
address: YTU Faculty of Science
address: Davutpasa Cad 127, Esenler
address: 34210 Istanbul/TURKEY
phone: +90 212 449 1657
fax-no: +90 212 449 1514
e-mail: akcali@yildiz.edu.tr
nic-hdl: OA1032-RIPE
changed: ipadmin@ulak.net.tr 20010109
27.194.IN-ADDR.ARPA.
SOA source=ns1.ulakbim.gov.tr.; responsible person=hostmaster@ulakbim.gov.tr.
Do what you wish with this information. As of today (July 5/2004), the preterhuman.net
domain resolves to the United States Department Of Defense web site. The domain
is undoubtedly still being attacked, so hopefully the DOD will bash some skulls.
(update: we are now back to our server)
-netfreak
preterhuman.net network
admin@preterhuman.net