-
12-08-2011, 09:46 AM #1 Web Hosting Master
- Join Date
- Dec 2001
- Posts
- 5,221
Is anyone else seeing a huge spike of attacks from Burst.net?
Greetings:
Over the past several days, we are seeing a large increase of attacks from IP addresses controlled by or otherwise owned by Burst.net (nic@hostnoc.net - abuse@hostnoc.net).
The IPs involved to date include the following:
While we've notified nic@hostnoc.net / abuse@hostnoc.net, the attacks continue (now into the 3rd day with the actual number of IPs involved increasing as well as the types of attacks).
Is anyone else checking their security reports, and seeing a large number of attacks from Burst.net?
Thank you.
-
12-08-2011, 10:02 AM #2
I'm not seeing any increase in attacks from BurstNET's IP space and, in fact, from our logs and stats that we keep, they are one of the very, very low-abuser hosts we monitor on a daily basis, which is a testament to how they manage things considering they're a budget provider which, by definition, tends to attract some of the less-savoury patrons.
One suggestion though - Send your abuse reports to abuse [at] burst.net rather than the Hostnoc addresses. That will open a ticket in their system with the abuse guys, who I've found from experience are all over this stuff like a rash.
-
12-08-2011, 10:17 AM #3 Web Hosting Master
- Join Date
- Dec 2001
- Posts
- 5,221
Good day:
The servers being attacked are at various geographic locations -- Ireland, England, US (various), etc.
Normally Burst.net is on the low list of data centers hosting attackers which is why this caught me by surprise.
The responses from the abuse department we've been sending the emails to over the past several days have been "we've notified the customer".
From our experience, solid providers have close to a no tolerance level for abuse, and typically give a customer 24 hours to clean things up (if that amount of time).
When I saw the attacks not only continue, but the number of IPs involved double from yesterday to today (3rd day), I was surprised and concerned.
Thank you for the note about sending to abuse@burst.net (we are using the abuse addresses as provided by ARIN -- so you would think Burst.net set up those addresses with some logic behind them... not sure).
Thank you.
-
12-08-2011, 10:26 AM #4
That was my exact same reaction - BurstNET are on my list of "good guys" when it comes to handling the stuff that some DCs tend to push to the back of the queue. Not so with Burst, they do do something.
The same applies at BurstNET. I've been on the receiving end of one of their "We'll give you 24 hours to clean it up" notices (fortunately it was an IP we no longer use and a simple error because our old rDNS was still set to it). (Phew!)
What they post at ARIN and "what the personal experience of a long-standing customer has" can be 2 different things. I just gave you a short-cut to their abuse guys. The outcome is the same, but the "speed of delivery" from the issue at hand is a more pleasant experience.
-
12-08-2011, 10:49 AM #5 Randy
- Join Date
- Aug 2006
- Location
- Ashburn VA, San Diego CA
- Posts
- 4,615
Pretty much every large scale DDOS I've dealt with involved some burst IPs but not unusually high compared to other budget hosts. Chances are the attackers are using proxy pools hosted at burst given how the IPs seem to belong to a few close 'ranges'.
Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
Since 2003 - Ashburn VA + San Diego CA Datacenters
-
12-08-2011, 12:04 PM #6 WHT Addict
- Join Date
- Aug 2003
- Posts
- 108
I just wanted to let you know that we are looking into the reported issues. While we might not be able to provide specific details, I assure you that we will do whatever we can to prevent additional abuse. We are very sorry for any inconvenience.
-
12-08-2011, 06:21 PM #7 WHT Addict
- Join Date
- Feb 2003
- Location
- hmm..
- Posts
- 174
Yep a ton of hits in our server(s) mod_sec logs from Burst.net IPs.
Mostly Generic SQL injections originating from the 173.212.x.x range.
Come-on Burst, please nail this doo-dah.
-
12-09-2011, 10:35 AM #8 Web Hosting Master
- Join Date
- Dec 2001
- Posts
- 5,221
Good day:
"I just wanted to let you know that we are looking into the reported issues. While we might not be able to provide specific details, I assure you that we will do whatever we can to prevent additional abuse. We are very sorry for any inconvenience."
While we are still seeing attacks, thank you very much for jumping onto the issue!
Thank you!
-
12-09-2011, 11:45 AM #9 Web Hosting Master
- Join Date
- Dec 2001
- Posts
- 5,221
Good day:
The issue got more serious with the posting of http://blog.spiderlabs.com/2011/12/h...-detected.html
Burst.net please address quickly.
Thank you.
-
12-09-2011, 11:47 AM #10 Web Hosting Master
- Join Date
- Jun 2011
- Location
- Internet
- Posts
- 2,985
Burst, same as any other budget provider, will get a lot of abusive customers looking to just get a cheap throwaway server just to ddos people with.
It's a tough situation. You either leave clients free to do whatever they like and get tonnes of abuse; or you set a limit for UDP, or port speed limit which can be removed if they require more - and then have more support tickets requesting limits to be removed.
It's a lose-lose situation really. Shame.
-
12-09-2011, 07:31 PM #11 Newbie
- Join Date
- Dec 2011
- Posts
- 5
Hi,
same for me with those:
96.9.173.40 96-9-173-40.static.hostnoc.net CIDR:96.9.128.0/18
64.191.99.110 64-191-99-110.static.hostnoc.net CIDR:64.191.0.0/17
And since several days.
-
12-10-2011, 12:01 PM #12 Web Hosting Master
- Join Date
- Dec 2001
- Posts
- 5,221
Good day:
If the attacks, which are still occurring, continue into tomorrow, it will be a full week of attacks.
Burst.net please stop the attacks.
Thank you.
-
12-10-2011, 05:04 PM #13 New Member
- Join Date
- Dec 2011
- Posts
- 3
Hello all,
We are new on this forum and this is my first post.
For 3 days already our web shop has been suffering these SQL attacks.
We also contacted support@burst.net and we regularly send logs to them for examination.
They said yesterday that the attack would stop, but it is not stopping.
We also arranged our IP blacklist inside our protection for the IPs which are repeating,
but attack reports are still coming! The attack is still alive.
One example log is this:
Code:
Threat Level: 9
Block Type: critical
Attacker IP: 173.212.254.44
Block Count: 264
Why Blocked: (1) You have Black Listed this IP manually #custom_bl (2) MySQL attack #15511603
Attack Used: /index.php?option=com_clanlist&clanId=-999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users--
Referrer: 0
Browser: Mozilla/5.2 (Windows; U; Windows NT 5.2; en-EN) Gecko/20080919 Firefox/3.5.6
OS: Windows NT 5.2 (Windows XP x64 Edition or Windows Server 2003)
Host: platon.yapitasi.com
ISP: Network Operations Center
Organization: Network Operations Center
Country: United States
State: Pennsylvania
City: Scranton
Zip: 18501
Area Code: 570
BURSTNET admin say that they will do everything to stop this. But how hard is it to isolate the source of the attack if you know the IP addresses, which are always repeating?
-
12-10-2011, 05:51 PM #14 Web Hosting Master
- Join Date
- Sep 2008
- Location
- Seattle, WA
- Posts
- 1,323
█ Brian Kearney, Stealthy Hosting/Server Stadium Seattle, WA [AS23033] Skype: StealthyHosting
█ Custom Dedicated Servers
█ Low Cost Instant Dedicated Servers
█ Email: Sales@StealthyHosting.com
-
12-10-2011, 08:21 PM #15 Web Hosting Master
- Join Date
- Dec 2001
- Posts
- 5,221
Greetings:
"BURSTNET admin say that they will do everything to stop this. But how hard is it to isolate the source of the attack if you know the IP addresses, which are always repeating?"
Exactly.
The IP addresses involved continue to be involved with MORE Burst.net IPs getting involved.
The IPs involved are 100% under the control of burst.net.
While they may rent/lease the IPs to their customers, in the end, burst.net has the final say about shutting down access.
At present, for every server we manage, the number of attacks from Burst.net exceeds China, Korea, Brazil, and other common sources of attacks. And when I write exceed, I mean that you can add up the attacks from all other sources, and Burst.net has the number exceeded / beat.
Burst.net please stop the ongoing attacks.
Thank you.
-
12-10-2011, 09:25 PM #16 Temporarily Suspended
- Join Date
- Dec 2011
- Location
- United States
- Posts
- 51
Burst is one of the largest, if not the largest, budget provider around today and I would only expect to have a large number of abusive clients purchasing services for the use of DDoS. I've always expected it, we've had a few hits against our clients' services to our network from BURST's Network, and when we contact them with the results or information they usually resolve it pretty quickly and track it down.
I would just give 'em some time, they can't screen every kiddie that signs up with their products and uses them for negative things, it just takes time to catch them and terminate them. I love when they then come here crying that BurstNET terminated them for abuse and saying they didn't do nothing, and when Burst responds they will change their story to, "Oh I let my friend use it but I didn't give him permission to do that" or "My friend asked me to send a flood towards his server to test the bandwidth and connection!", but don't understand you're the person paying the bill, you're responsible for the actions and things done, and placed on your server, or coming from your server... Kids!
----
By the way, @Burst.NET: Are you guys having any network issues or problems as of right now, or would know of anything in your Scranton DC?
-
12-10-2011, 10:10 PM #17 Junior Guru Wannabe
- Join Date
- Apr 2009
- Location
- Huntersville, NC
- Posts
- 72
-
12-10-2011, 10:27 PM #18
-
12-11-2011, 11:53 AM #19 Newbie
- Join Date
- Dec 2011
- Location
- Spain
- Posts
- 20
Hi,
Sorry, I am very late to write here, but we had the same attack on more than 4 servers and had to work to understand and stop the incoming hacking:
Hacking for our Server 1 alone came between the 6th of December and today from:
2 IPs out of 173.212.194.*
7 IPs out of 173.212.197.*
2 IPs out of 173.212.209.*
2 IPs out of 173.212.213.*
1 IP out of 173.212.227.*
4 IPs out of 173.212.235.*
7 IPs out of 173.212.254.*
5 IPs out of 96.9.149.*
3 IPs out of 96.9.169.*
3 IPs out of 96.9.173.*
3 IPs out of 64.191.13.*
2 IPs out of 64.191.49.*
2 IPs out of 64.191.99.*
I can report for other servers too!
We sent an abuse report to the operating center HOSTNOC on 7.12. and we got an answer ca. 24 hours later, that the attacks would be stopped. The attacks were not stopped and use up our server capacity! Because the operation center had not stopped them by 9.12., we have made a crime complaint over the IC3.GOV (Internet Crime Complaint Center) and I hope that in future other users will do the same!
The last attack I registered was this night at ca. 4 h (CET).
I have understood that normally it is not allowed to give a client more than 4 IPs per server! I am not finished with a total sum of different IPs; can it be that more networks from the same operation center in my log files produce the same problem?! But at the moment that is 43 different IPs out of 13 different IP segments! So, why can one attacker quickly get 43 or more different IPs out of 13 or more different IP segments?
Why has an operation center, which knows exactly where the clients are, not directly stopped these attacks within 24 hours?! The attacks were running for 5 days - so 4 days too long! Where will the cost to resolve later problems from this action be paid? We can't see today what the hackers have changed in between!
Sorry if my English is not the best, I am German.
Thank you
Detlef
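Added example, not written by any poster in this thread: the request logged in post #13 hides `union select` behind URL-encoded `/**/` comments, and post #19 counts attacking IPs per address block, so the Python below decodes and strips the comments before matching and then counts distinct flagged sources per /24. The records are constructed, with RFC 5737 documentation addresses; only the first request string is the one quoted in post #13, and all function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed (source IP, request) records. Addresses are documentation ranges.
SAMPLE = [
    ("192.0.2.44", "/index.php?option=com_clanlist&clanId=-999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users--"),
    ("192.0.2.44", "/index.php?option=com_x&id=1+UNION+ALL+SELECT+1,2+FROM+jos_users"),
    ("192.0.2.6", "/index.php?id=5%252F%252A%252A%252Funion%252F%252A%252A%252Fselect%252F%252A%252A%252F1"),
    ("203.0.113.9", "/index.php?id=1%20union%0aselect%201"),
    ("198.51.100.20", "/index.php?option=com_content&view=article&id=7"),
]

UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b")
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def normalize(request, max_rounds=3):
    """Return the query string decoded, SQL inline comments removed, lowercased."""
    query = request.partition("?")[2]
    for _ in range(max_rounds):  # undo nested URL-encoding such as %252F
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    query = INLINE_COMMENT.sub(" ", query)  # /**/ is used in place of spaces
    return re.sub(r"\s+", " ", query).lower()


def is_union_select(request):
    """True when the normalized query string contains UNION [ALL] SELECT."""
    return bool(UNION_SELECT.search(normalize(request)))


def flagged_by_prefix(records, prefix_len=24):
    """Map each enclosing network to its number of distinct flagged source IPs."""
    seen = defaultdict(set)
    for ip, request in records:
        if is_union_select(request):
            net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            seen[str(net)].add(ip)
    return {net: len(ips) for net, ips in sorted(seen.items())}


if __name__ == "__main__":
    for net, count in flagged_by_prefix(SAMPLE).items():
        print(f"{count} IPs out of {net}")
```

A keyword match like this also fires on ordinary text that happens to contain "union select", so it is a triage signal for log review, not a verdict.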
-
12-11-2011, 12:26 PM #20 Newbie
- Join Date
- Dec 2011
- Posts
- 5
we have made a crime complaint over the IC3.GOV (Internet Crime Complaint Center)
-
12-11-2011, 02:20 PM #21 Web Hosting Master
- Join Date
- Dec 2001
- Posts
- 5,221
Greetings:
"I would just give 'em some time"
One would think seven (7) days is more than enough time.
This is not like, oh the attack just started, why isn't anyone responding.... or calling you seconds after I sent the email asking if you got it.
Burst.net has known about this issue for how long?, and is doing what steps they can make public to stop the attacks?
Unless the FBI changed things, it only takes $50,000 worth of damages to get the FBI involved... does burst.net need to allow the attacks to continue until it would be irresponsible for those being attacked over and over and over again to ignore the FBI and other government involvement?
Thank you.
-
12-11-2011, 04:28 PM #22 Web Hosting Master
- Join Date
- Mar 2002
- Location
- •
- Posts
- 785
When you said attacks in the first post I assumed you meant DDoS.
These look like just proxies hosted on those boxes which are perfectly legal.
If you don't want this traffic then why don't you just block the entire burst IP range from your firewall?
-
12-11-2011, 06:55 PM #23 ******* Unleaded
- Join Date
- Feb 2004
- Posts
- 3,849
edgedirector.com
managed dns global failover and load balance (gslb)
exactstate.com
uptime report for webhostingtalk.com
-
12-11-2011, 07:33 PM #24 Web Hosting Master
- Join Date
- Mar 2005
- Location
- Orlando, Florida
- Posts
- 2,625
I thought the same thing. Knowing them, it's likely because it's a Sunday.
I have noticed several of my VPSs with them having massive performance issues that started a few days ago. First thing I did was back up and download... the last two times I had performance issues this bad and I brought it to their attention (for them to do nothing), the entire VPS had its RAID array go corrupt. Hopefully the slowness is just from idiots SQL attacking remote servers.
█ Matthew Rosenblatt, and I do lots of things.
█ Used to be a full time server administrator, now I help build cruise ships and inspect homes.
█ My company, Ferrell Solutions, specializes in home inspections and property management.
█ RecallScan is a service for monitoring appliances and vehicles in your home for recalls.
-
12-11-2011, 07:36 PM #25 Web Hosting Master
- Join Date
- Apr 2000
- Location
- Nevada, US
- Posts
- 5,550
Really, I could have sworn I saw posts from at least two different BurstNET employees in this thread (now three...), stating we are aware, and working on the issue. You must have "selective reading syndrome", a common disease found around WHT.
Obviously this is not a 1-2-3 issue to fix, otherwise it would have been done already. Just from the sheer amount of IPs involved, common sense should tell you that this is a widespread issue, and needs to be tracked down and stopped on a larger scale. We have been working to stop this on a larger scale, not just one account at a time, which would take forever...as they just sign up for more accounts as soon as old ones are blocked/suspended.
Regardless, point being, we are not ignoring this, and not doing nothing about it---it is just a complex issue on a mass scale, and going to take time to rid these scum.
.
.SmartHost™ - Intelligent Hosting! - Multiple Locations - US/EU! - Ultra-Fast NVME SSD VPS!
http://www.smarthost.net - sales@smarthost.net - Resale/Affiliate Programs
Cloud Hosting - VPS Hosting - Dedicated Servers - Colocation - Flux Capacitors