  1. #1

    Is anyone else seeing a huge spike of attacks from Burst.net?

    Greetings:

    Over the past several days, we are seeing a large increase of attacks from IP addresses controlled by or otherwise owned by Burst.net (nic@hostnoc.net - abuse@hostnoc.net)

    The IP's involved to date include the following:

    While we've notified nic@hostnoc.net / abuse@hostnoc.net, the attacks continue (now into the 3rd day, with the actual number of IPs involved increasing as well as the types of attacks).

    Is anyone else checking their security reports, and seeing a large number of attacks from Burst.net?

    Thank you.
    ---
    Peter M. Abraham

  2. #2
    Join Date: Aug 2010 | Location: Sorting Office | Posts: 9,530
    Quote Originally Posted by dynamicnet View Post
    Is anyone else checking their security reports, and seeing a large number of attacks from Burst.net?
    I'm not seeing any increase in attacks from BurstNET's IP space and, in fact, from our logs and stats that we keep, they are one of the very, very low-abuser hosts we monitor on a daily basis, which is a testament to how they manage things considering they're a budget provider which, by definition, tends to attract some of the less-savoury patrons.

    One suggestion though - Send your abuse reports to abuse [at] burst.net rather than the Hostnoc addresses. That will open a ticket in their system with the abuse guys, who I've found from experience are all over this stuff like a rash.

  3. #3
    Good day:

    The servers being attacked are at various geographic locations -- Ireland, England, US (various), etc.

    Normally Burst.net is on the low list of data centers hosting attackers which is why this caught me by surprise.

    The responses from the abuse department we've been sending the emails to over the past several days have been "we've notified the customer."

    From our experience, solid providers have close to a no tolerance level for abuse, and typically give a customer 24 hours to clean things up (if that amount of time).

    When I saw the attacks not only continue, but the number of IPs involved double from yesterday to today (3rd day), I was surprised and concerned.

    Thank you for the note about sending to abuse@burst.net (we are using the abuse addresses as provided by ARIN -- so you would think Burst.net set up those addresses with some logic behind them... not sure).

    Thank you.
    ---
    Peter M. Abraham

  4. #4
    Join Date: Aug 2010 | Location: Sorting Office | Posts: 9,530
    Quote Originally Posted by dynamicnet View Post
    Normally Burst.net is on the low list of data centers hosting attackers which is why this caught me by surprise.
    That was my exact same reaction - BurstNET are on my list of "good guys" when it comes to handling the stuff that some DCs tend to push to the back of the queue. Not so with Burst, they do do something.

    Quote Originally Posted by dynamicnet View Post
    From our experience, solid providers have close to a no tolerance level for abuse, and typically give a customer 24 hours to clean things up (if that amount of time).
    The same applies at BurstNET. I've been on the receiving end of one of their "We'll give you 24 hours to clean it up" notices (fortunately it was an IP we no longer use and a simple error because our old rDNS was still set to it). (Phew!)

    Quote Originally Posted by dynamicnet View Post
    Thank you for the note about sending to abuse@burst.net (we are using the abuse addresses as provided by ARIN -- so you would think Burst.net set up those addresses with some logic behind them... not sure).
    What they post at ARIN and "what the personal experience of a long-standing customer has" can be 2 different things. I just gave you a short-cut to their abuse guys. The outcome is the same, but the "speed of delivery" from the issue at hand is a more pleasant experience.

  5. #5
    Join Date: Aug 2006 | Location: Ashburn VA, San Diego CA | Posts: 4,615
    Pretty much every large scale DDOS I've dealt with involved some burst IP's but not unusually high compared to other budget hosts. Chances are the attackers are using proxy pools hosted at burst given how the IP's seem to belong to a few close 'ranges'.
    Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  6. #6
    I just wanted to let you know that we are looking into the reported issues. While we might not be able to provide specific details, I assure you that we will do whatever we can to prevent additional abuse. We are very sorry for any inconvenience.

  7. #7
    Join Date: Feb 2003 | Location: hmm.. | Posts: 174
    Yep a ton of hits in our server(s) mod_sec logs from Burst.net IPs.
    Mostly Generic SQL injections originating from the 173.212.x.x range.

    Come-on Burst, please nail this doo-dah.

  8. #8
    Good day:

    "I just wanted to let you know that we are looking into the reported issues. While we might not be able to provide specific details, I assure you that we will do whatever we can to prevent additional abuse. We are very sorry for any inconvenience."

    While we are still seeing attacks, thank you very much for jumping onto the issue!

    Thank you!
    ---
    Peter M. Abraham

  9. #9
    Good day:

    The issue got more serious with the posting of http://blog.spiderlabs.com/2011/12/h...-detected.html

    Burst.net please address quickly.

    Thank you.
    ---
    Peter M. Abraham

  10. #10
    Join Date: Jun 2011 | Location: Internet | Posts: 2,985
    Burst, same as any other budget provider, will get a lot of abusive customers looking to just get a cheap throwaway server just to ddos people with.

    It's a tough situation. You either leave clients free to do whatever they like and get tonnes of abuse; or you set a limit for UDP, or port speed limit which can be removed if they require more - and then have more support tickets requesting limits to be removed.

    It's a lose-lose situation really. Shame.

  11. #11
    Hi,
    same for me with those:
    96.9.173.40 96-9-173-40.static.hostnoc.net CIDR:96.9.128.0/18
    64.191.99.110 64-191-99-110.static.hostnoc.net CIDR:64.191.0.0/17

    And since several days

  12. #12
    Good day:

    If the attacks, which are still occurring, continue into tomorrow, it will be a full week of attacks.

    Burst.net please stop the attacks.

    Thank you.
    ---
    Peter M. Abraham

  13. #13
    Hello all,

    We are new on this forum and this is my first post.
    For 3 days already our web shop has been suffering these SQL attacks.
    We also contacted support@burst.net and we regularly send logs to them for examination.
    They said yesterday that the attack would stop, but it is not stopping.

    We also arranged our IP blacklist inside our protection for the IPs which are repeating,
    but attack reports are still coming! The attack is still alive.

    One example log is this:

    Code:
    Threat Level: 9 Block Type: critical
    Attacker IP: 173.212.254.44 Block Count: 264
    Why Blocked: (1) You have Black Listed this IP manually #custom_bl (2) MySQL attack #15511603
    Attack Used: /index.php?option=com_clanlist&clanId=-999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users--
    Referrer: 0
    Browser: Mozilla/5.2 (Windows; U; Windows NT 5.2; en-EN) Gecko/20080919 Firefox/3.5.6
    OS: Windows NT 5.2 (Windows XP x64 Edition or Windows Server 2003)
    Host: platon.yapitasi.com
    ISP: Network Operations Center
    Organization: Network Operations Center
    Country: United States
    State: Pennsylvania
    City: Scranton
    Zip: 18501
    Area Code: 570

    I do not know what to do.
    BURSTNET admin says that they will do everything to stop this. But how hard is it to isolate the source of
    the attack if you know the IP addresses, which are always repeating?
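The request in the log above separates its SQL keywords with URL-encoded `/**/` comments instead of spaces, so a plain search for "union select" does not match it. The following is an added example, not part of the original post or of the poster's protection software: it normalises each query parameter and then looks for the UNION SELECT pattern. The function names and the benign request are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Request URI copied from the "Attack Used" field of the log in the post above.
LOGGED_URI = ("/index.php?option=com_clanlist&clanId=-999%2F%2A%2A%2Funion"
              "%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962"
              "%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users--")
# Constructed benign request to the same component.
BENIGN_URI = "/index.php?option=com_clanlist&clanId=42"

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b")
TABLE_REF = re.compile(r"\bfrom\s+([a-z0-9_.`]+)")


def naive_match(uri):
    """Substring check after one URL decode; misses comment-separated keywords."""
    return "union select" in unquote_plus(uri).lower()


def normalize(value, max_rounds=3):
    """Decode until stable, turn SQL inline comments into spaces, lowercase."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = INLINE_COMMENT.sub(" ", value)  # /**/ stands in for whitespace
    return re.sub(r"\s+", " ", value).strip().lower()


def inspect_request(uri):
    """Return one finding per query parameter that carries a UNION SELECT."""
    findings = []
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        text = normalize(value)
        if UNION_SELECT.search(text):
            table = TABLE_REF.search(text)
            findings.append({"param": name,
                             "normalized": text,
                             "table": table.group(1) if table else None})
    return findings


if __name__ == "__main__":
    print("naive substring match:", naive_match(LOGGED_URI))
    for finding in inspect_request(LOGGED_URI):
        print(finding)
    print("benign request findings:", inspect_request(BENIGN_URI))
```

The finding names the parameter (`clanId`) and the table the query reads from (`jos_users`), which is what an abuse report or a WAF rule for this component needs.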

  14. #14
    Join Date: Sep 2008 | Location: Seattle, WA | Posts: 1,323
    Quote Originally Posted by saibos View Post
    I do not know what to do.
    BURSTNET admin says that they will do everything to stop this. But how hard is it to isolate the source of
    the attack if you know the IP addresses, which are always repeating?
    As a temporary solution you could block the three CIDRs on your firewall.
    64.191.0.0/17
    173.212.192.0/18
    96.9.128.0/18
    █ Brian Kearney, Stealthy Hosting/Server Stadium Seattle, WA [AS23033] Skype: StealthyHosting
    Custom Dedicated Servers
    Low Cost Instant Dedicated Servers

    █ Email: Sales@StealthyHosting.com
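Before applying a range block like the one suggested above, it helps to measure how much of the observed traffic the three CIDRs cover and how many addresses each one shuts out. This is an added example, not code from the thread: the log lines are constructed (the first three source IPs are quoted in this thread, 203.0.113.7 is a documentation address), and the function names are hypothetical.

```python
import ipaddress

# The three CIDRs suggested in the post above.
SUGGESTED = ["64.191.0.0/17", "173.212.192.0/18", "96.9.128.0/18"]

# Constructed access-log lines; the last one has no valid client address.
SAMPLE_LOG = """\
173.212.254.44 - - [11/Dec/2011:04:01:10 +0100] "GET /index.php?option=com_clanlist HTTP/1.1" 403 -
173.212.254.44 - - [11/Dec/2011:04:01:12 +0100] "GET /index.php?option=com_clanlist HTTP/1.1" 403 -
96.9.173.40 - - [11/Dec/2011:04:02:40 +0100] "GET /index.php?option=com_clanlist HTTP/1.1" 403 -
64.191.99.110 - - [11/Dec/2011:04:03:05 +0100] "GET /index.php HTTP/1.1" 403 -
203.0.113.7 - - [11/Dec/2011:04:03:09 +0100] "GET /robots.txt HTTP/1.1" 200 26
not-an-ip - - [11/Dec/2011:04:03:11 +0100] "GET / HTTP/1.1" 400 -
"""


def source_ips(log_text):
    """Yield the client address of each log line, skipping unparsable ones."""
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            yield ipaddress.ip_address(fields[0])
        except ValueError:
            continue


def coverage(log_text, cidrs):
    """Per CIDR: size, hit count, distinct sources. Also sources in no CIDR."""
    # strict=True rejects a CIDR with host bits set, e.g. a mistyped base address.
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    report = {str(n): {"size": n.num_addresses, "hits": 0, "sources": set()}
              for n in nets}
    uncovered = set()
    for ip in source_ips(log_text):
        net = next((n for n in nets if ip in n), None)
        if net is None:
            uncovered.add(str(ip))
            continue
        entry = report[str(net)]
        entry["hits"] += 1
        entry["sources"].add(str(ip))
    for entry in report.values():
        entry["sources"] = sorted(entry["sources"])
    return report, sorted(uncovered)


def drop_rules(cidrs):
    """Render one iptables DROP rule per CIDR, for review before applying."""
    return [f"iptables -I INPUT -s {ipaddress.ip_network(c)} -j DROP"
            for c in cidrs]


if __name__ == "__main__":
    report, uncovered = coverage(SAMPLE_LOG, SUGGESTED)
    for cidr, entry in report.items():
        print(cidr, entry)
    print("sources outside the block list:", uncovered)
    print("\n".join(drop_rules(SUGGESTED)))
```

The `size` field shows the cost of the temporary block: the three ranges together cover 65,536 addresses, so every other customer in them is blocked along with the attacking hosts.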

  15. #15
    Greetings:

    "BURSTNET admin says that they will do everything to stop this. But how hard is it to isolate the source of the attack if you know the IP addresses, which are always repeating?"

    Exactly.

    The IP addresses involved continue to be involved with MORE Burst.net IPs getting involved.

    The IP's involved are 100% under the control of burst.net.

    While they may rent/lease the IP's to their customers, in the end, burst.net has the final say about shutting down access.

    At present, for every server we manage, the number of attacks from Burst.net exceeds China, Korea, Brazil, and other common sources of attacks. And when I write exceed, I mean that you can add up the attacks from all other sources, and Burst.net has the number exceeded / beat.

    Burst.net please stop the ongoing attacks.

    Thank you.
    ---
    Peter M. Abraham

  16. #16
    Join Date: Dec 2011 | Location: United States | Posts: 51
    Burst is one of the largest, if not the largest, budget providers around today, and I would only expect them to have a large number of abusive clients purchasing services for the use of DDoS. I've always expected it; we've had a few hits against our clients' services to our network from BURST's Network, and when we contact them with the results or information they usually resolve it pretty quickly and track it down.

    I would just give 'em some time; they can't screen every kiddie that signs up with their products and uses them for negative things, it just takes time to catch them and terminate them. I love when they then come here crying that BurstNET terminated them for abuse and saying they didn't do nothing, and when Burst responds they will change their story to, "Oh I let my friend use it but I didn't give him permission to do that" or "My friend asked me to send a flood towards his server to test the bandwidth and connection!", but don't understand you're the person paying the bill, you're responsible for the actions and things done, and placed on your server, or coming from your server... Kids!

    ----


    By the way, @Burst.NET: Are you guys having any network issues or problems as of right now, or would know of anything in your Scranton DC?

  17. #17
    Join Date: Apr 2009 | Location: Huntersville, NC | Posts: 72
    Quote Originally Posted by FinerTech View Post
    By the way, @Burst.NET: Are you guys having any network issues or problems as of right now, or would know of anything in your Scranton DC?
    None that we are aware of. If you can contact Support, someone will look into it as soon as possible.
    Joe Marr
    BurstNet Technologies, Inc.

  18. #18
    Join Date: Aug 2010 | Location: Sorting Office | Posts: 9,530
    Quote Originally Posted by FinerTech View Post
    By the way, @Burst.NET: Are you guys having any network issues or problems as of right now, or would know of anything in your Scranton DC?
    All 4 Burst locations are showing "green lights" from all 6 of my monitoring locations. If you have a problem it's most likely specific to your individual service.

  19. #19

    Hi,

    Sorry, I am very late to write here, but we had the same attack on more than 4 servers and had to work to understand and stop the incoming hacking:

    Hacking against our Server 1 alone came, between the 6th of December and today, from:
    2 IPs out of 173.212.194.*
    7 IPs out of 173.212.197.*
    2 IPs out of 173.212.209.*
    2 IPs out of 173.212.213.*
    1 IP out of 173.212.227.*
    4 IPs out of 173.212.235.*
    7 IPs out of 173.212.254.*
    5 IPs out of 96.9.149.*
    3 IPs out of 96.9.169.*
    3 IPs out of 96.9.173.*
    3 IPs out of 64.191.13.*
    2 IPs out of 64.191.49.*
    2 IPs out of 64.191.99.*

    I can report for other servers too!

    On 7.12. we sent an abuse report to the operating center HOSTNOC and we got an answer ca. 24 hours later that the attacks would be stopped. The attacks were not stopped and use up our server capacity! Because the operation center had not stopped them by 9.12., we have made a crime complaint via IC3.GOV (Internet Crime Complaint Center) and I hope that in future other users will do the same!

    The last attack I registered was this night at ca. 4 h (CET).

    I have understood that normally it is not allowed to give a client more than 4 IPs per server! I am not finished with a total sum of the different IPs; it could be that more networks from the same operation center in my log files produce the same problem?! But at the moment that is 43 different IPs out of 13 different IP segments! So why can one attacker quickly get 43 or more different IPs out of 13 or more different IP segments?

    Why has an operation center, which knows exactly where the clients are, not directly stopped these attacks within 24 hours?! The attacks were running for 5 days - so 4 days too long! Where will the cost to resolve later problems from this action be paid? We can't see today what the hackers have changed in between!

    Sorry if my English is not the best, I am German.

    Thank you

    Detlef

  20. #20
    we have made a crime complaint via IC3.GOV (Internet Crime Complaint Center)
    We are about to do the same soon

  21. #21
    Greetings:

    "I would just give 'em some time"

    One would think seven (7) days is more than enough time.

    This is not like, oh the attack just started, why isn't anyone responding.... or calling you seconds after I sent the email asking if you got it.

    Burst.net has known about this issue for how long?, and is doing what steps they can make public to stop the attacks?

    Unless the FBI changed things, it only takes $50,000 worth of damages to get the FBI involved... does burst.net need to allow the attacks to continue until it would be irresponsible for those being attacked over and over and over again to ignore the FBI and other government involvement?

    Thank you.
    ---
    Peter M. Abraham

  22. #22
    Join Date: Mar 2002 | Posts: 785
    When you said attacks in the first post I assumed you meant DDoS.
    These look like just proxies hosted on those boxes, which are perfectly legal.
    If you don't want this traffic then why don't you just block the entire Burst IP range from your firewall?
    High Quality Web Hosting from Host Ultra
    Visit us online at www.hostultra.com

  23. #23
    Quote Originally Posted by Host Ultra View Post
    These look like just proxies hosted on those boxes, which are perfectly legal.
    If you don't want this traffic then why don't you just block the entire Burst IP range from your firewall?
    Look at one of the log lines above.

    Proxies may be legal, but sql injection attacks are usually not welcome.

    Funny thing ... mention burst.net and the WHT premium member alert rings ... and someone from burst.net roars in spitting fire ... except this time.
    edgedirector.com
    managed dns global failover and load balance (gslb)
    exactstate.com
    uptime report for webhostingtalk.com

  24. #24
    Join Date: Mar 2005 | Location: Orlando, Florida | Posts: 2,625
    Quote Originally Posted by plumsauce View Post
    Funny thing ... mention burst.net and the WHT premium member alert rings ... and someone from burst.net roars in spitting fire ... except this time.
    I thought the same thing. Knowing them, it's likely because it's a Sunday.

    I have noticed several of my VPS's with them having massive performance issues that started a few days ago. First thing I did was back up and download... the last two times I had performance issues this bad and I brought it to their attention (for them to do nothing), the entire VPS had its RAID array go corrupt. Hopefully the slowness is just from idiots SQL attacking remote servers.
    Matthew Rosenblatt, and I do lots of things.
    Used to be a full time server administrator, now I help build cruise ships and inspect homes.
    My company, Ferrell Solutions, specializes in home inspections and property management.
    RecallScan is a service for monitoring appliances and vehicles in your home for recalls.

  25. #25
    Join Date: Apr 2000 | Location: Nevada, US | Posts: 5,550
    Quote Originally Posted by plumsauce View Post
    Look at one of the log lines above.

    Proxies may be legal, but sql injection attacks are usually not welcome.

    Funny thing ... mention burst.net and the WHT premium member alert rings ... and someone from burst.net roars in spitting fire ... except this time.
    Really, I could have sworn I saw posts from at least two different BurstNET employees in this thread (now three...), stating we are aware, and working on the issue. You must have "selective reading syndrome", a common disease found around WHT.

    Obviously this is not a 1-2-3 issue to fix, otherwise it would have been done already. Just from the sheer amount of IPs involved, common sense should tell you that this is a widespread issue, and needs to be tracked down and stopped on a larger scale. We have been working to stop this on a larger scale, not just one account at a time, which would take forever...as they just sign up for more accounts as soon as old ones are blocked/suspended.

    Regardless, point being, we are not ignoring this, and not doing nothing about it---it is just a complex issue on a mass scale, and going to take time to rid these scum.
    .
    .
    SmartHost™ - Intelligent Hosting! - Multiple Locations - US/EU! - Ultra-Fast NVME SSD VPS!
    http://www.smarthost.net - sales@smarthost.net - Resale/Affiliate Programs
    Cloud Hosting - VPS Hosting - Dedicated Servers - Colocation - Flux Capacitors
