LayeredTech shut me down

It’s finally happened: LayeredTech have disconnected my server. They did this because I failed to respond in 12 hours to an email they sent me at 2334 last night. Like I sit up all night waiting for LayeredTech to contact me!

Below is the content of the shutdown message:

To:

Server ID:
Base IP:

NOTE TO STAFF: DISCONNECT server for abuse issue.

NOTE TO CLIENT: Unfortunately, you have not replied to this issue in the time given, so we are disconnecting this server at this time.

Thank you for your cooperation,

Layered Technologies Abuse Team

Ironic that they should thank me for my cooperation when I haven’t even had a chance to do any cooperating. Anyway, the cause of this shutdown was the following 2334 LayeredTech email.

From: abuse@layeredtech.com
To:

Subject: Policy Enforcement of SID6321 at 72.21.33.202 for Spam Web & Infection

NOTES: Cease & Desist the posting of trojanized links from this server.

NOTES: See the Exploit Removal Guide below my signature block.

Dear Client,

We regret that it has become necessary to issue this Policy Enforcement Notice for violation of our Acceptable Use Policy available at http://www.layeredtech.com/aup.shtml based on complaints and/or logs of abuse attached or included below. We will review the complaints and/or logs again if you believe this is an error. However, it is your responsibility to investigate your server and reply promptly to avoid disconnection. You are required to remove all domains, sites, users, and/or exploits causing this issue.

Pending your reply with your comments, questions, or actions to resolve this issue, the server is:

[] Monitored for Additional Violations
[] Accessed for Investigation, Cleaning, Hardening, or Securing
[x] Disconnected in: [] 24-Hours [x] 12-Hours [] 6-Hours [] 3-Hour [] 0-Hours
[] Required Reload Request with: [] New Client Required [] No Data Recovery [] Data Recovery Allowed
at http://support.layeredtech.com under “Open a Ticket”
[] Hard Drives Seized for Investigation
[] Null-Routed
[] Port Shutdown
[] On 30-Day Probation
[] Reviewed for Possible Cancellation
[] Cancelled

For the following reasons:

[] Child Porn C Hosting, Distributing, or Linking to Pornography Involving a Person Under Legal Age
[] Copyright L Hosting, Distributing, or Linking to Copyright Infringed Materials
[] Cracking H Brute Force Access of Secured Network Devices
[] DoS H Denial of Service Attack of Network Devices
[] Forgery M Faking an IP Address, Hostname, E-Mail Address, or Header
[] Fraud Site H Hosting or Linking to a Website Intended to Deceive the Public
[] Hacking H Circumventing Security Systems of Network Devices
[] HYIP Site M Hosting or Linking to a Website of High Yield Investment Program, Ponzi Scheme, or Pyramid Scheme
[] ID Theft H Hosting, Distributing, or Linking to Stolen Account Identification Information
[x] Infection M Hosting, Distributing, or Linking to Exploits, Trojans, Viruses, or Worms
[] IRC Malicious M Malicious Use of Internet Relay Chat
[] IRC Unregistered L Internet Relay Chat Server not Registered with Layered Technologies
[] Phishing H Identity Theft by Email Under False Pretense
[] ROKSO Spamhaus C ROKSO Blacklisting of an IP at www.spamhaus.org for Malicious Activity
[] Scanning M Probing for Vulnerabilities of Network Devices
[] Shells H Hosting Accounts Primarily for Shell Access
[] Spam Cannon E Sending High Volume Spam (UCE or UBE)
[] Spam Email L Unsolicited Commercial Email (UCE) or Unsolicited Bulk Email (UBE)
[] Spam List M Hosting, Distributing, or Linking to Email Address Lists for Spam
[] Spam Proxy C Hosting an Open Proxy Server Used for Spam
[] Spam Relay C Hosting an Open Mail Relay Used for Spam
[] Spam Hijack C Distributing Spam Through a Third Party Server Vulnerability
[] Spam Site L A Site Advertised by Spam Email or Spam Web
[] Spam Ware M Hosting, Distributing, or Linking to Software Designed for Spamming
[x] Spam Web L Unsolicited, Bulk, or Forged Site Advertisement in Web Logs, Forums, or Guestbooks
[] Terrorist Site C Hosting or Linking to a Site Advocating Terrorism
[] Tools L Hosting, Distributing, or Linking to Cracking, DoS, Forgery, Infection, or Scanning Software or Instruction
[] Trademark L Hosting, Distributing, or Linking to Trade Mark Infringed Materials
[] Wares L Hosting, Distributing, or Linking to Cracks, Hacks, KeyGens, Serials, or Pirated Software

[] OTHER:

Following is a table explaining the typical times allowed for a response from clients informing us of their active investigation into an abuse issue. These times are not a guarantee and may be reduced on a case-by-case basis depending on abuse history, number of current complaints, upstream provider requirements, and other factors:

L = 24-Hour Low Issue
M = 12-Hour Medium Issue
H = 6-Hour High Issue
C = 3-Hour Critical Issue
E = 0-Hour Emergency Issue

Thank you for your cooperation,

Layered Technologies Abuse Team

Date: Thu, 17 Aug 2006 15:28:24 -0500

BlueCross BlueShield of South Carolina Network Security has identified a
user associated with the IP address of 72.21.33.202, that has launched a
malicious attack against one of our IP addresses, 208.60.144.5.

The IP in question attempted to bring down our web server by repeatedly
running an executable located on the server.

Sampling from webserver log:

<>

72.21.33.202 - - [17/Aug/2006:09:22:22 -0400] "POST /scripts/trweb.exe HTTP/1.1" 200 1188 www3.bcbssc.com -
72.21.33.202 - - [17/Aug/2006:09:22:22 -0400] "POST /scripts/trweb.exe HTTP/1.1" 200 1188 www3.bcbssc.com -
72.21.33.202 - - [17/Aug/2006:09:22:22 -0400] "POST /scripts/trweb.exe HTTP/1.1" 200 1188 www3.bcbssc.com -
72.21.33.202 - - [17/Aug/2006:09:22:22 -0400] "POST /scripts/trweb.exe HTTP/1.1" 200 1188 www3.bcbssc.com -
72.21.33.202 - - [17/Aug/2006:09:22:22 -0400] "POST /scripts/trweb.exe HTTP/1.1" 200 1188 www3.bcbssc.com -
72.21.33.202 - - [17/Aug/2006:09:22:22 -0400] "POST /scripts/trweb.exe HTTP/1.1" 500 305 www3.bcbssc.com -
72.21.33.202 - - [17/Aug/2006:09:22:22 -0400] "POST /scripts/trweb.exe HTTP/1.1" 500 305 www3.bcbssc.com -
72.21.33.202 - - [17/Aug/2006:09:22:22 -0400] "POST /scripts/trweb.exe HTTP/1.1" 500 305 www3.bcbssc.com -

<>

If further information is required please contact:

network.security@bcbssc.com

Please respond to network.security@bcbssc.com as soon as possible.

Thank you,

Tom
Layered Technologies
Policy Enforcement Technician
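The log sample in the complaint is the only evidence the abuse desk was working from, so it is worth seeing what a web-server operator's own triage of it would report. The following is an added example, not code from the post, from LayeredTech or from the complainant: a small Python script that parses Apache-style access-log lines, groups requests by client address, second, method and path, and flags any group that reaches a burst threshold, reporting the status-code mix and the share of server errors. The eight log lines are re-typed from the complaint as constructed sample input; the threshold of 5 requests per second is an assumption chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the eight entries quoted in the complaint above,
# re-typed in Apache access-log form (straight quotes, "- -" placeholders).
SAMPLE_LOG = """\
72.21.33.202 - - [17/Aug/2006:09:22:22 -0400] "POST /scripts/trweb.exe HTTP/1.1" 200 1188 www3.bcbssc.com -
72.21.33.202 - - [17/Aug/2006:09:22:22 -0400] "POST /scripts/trweb.exe HTTP/1.1" 200 1188 www3.bcbssc.com -
72.21.33.202 - - [17/Aug/2006:09:22:22 -0400] "POST /scripts/trweb.exe HTTP/1.1" 200 1188 www3.bcbssc.com -
72.21.33.202 - - [17/Aug/2006:09:22:22 -0400] "POST /scripts/trweb.exe HTTP/1.1" 200 1188 www3.bcbssc.com -
72.21.33.202 - - [17/Aug/2006:09:22:22 -0400] "POST /scripts/trweb.exe HTTP/1.1" 200 1188 www3.bcbssc.com -
72.21.33.202 - - [17/Aug/2006:09:22:22 -0400] "POST /scripts/trweb.exe HTTP/1.1" 500 305 www3.bcbssc.com -
72.21.33.202 - - [17/Aug/2006:09:22:22 -0400] "POST /scripts/trweb.exe HTTP/1.1" 500 305 www3.bcbssc.com -
72.21.33.202 - - [17/Aug/2006:09:22:22 -0400] "POST /scripts/trweb.exe HTTP/1.1" 500 305 www3.bcbssc.com -
"""

# Common-log prefix: client, identd, user, [timestamp], "request", status, size.
# Anything after the size (here a vhost and a referer column) is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_bursts(lines, threshold=5):
    """Group hits by (client, second, method, path) and report groups that
    reach `threshold` requests. The timestamp string is used as-is, so one
    bucket is one second of wall-clock time for one client and one URL."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than abort
        key = (rec["ip"], rec["ts"], rec["method"], rec["path"])
        buckets[key].append(rec["status"])

    bursts = []
    for (ip, ts, method, path), statuses in sorted(buckets.items()):
        if len(statuses) < threshold:
            continue
        bursts.append({
            "ip": ip,
            "second": ts,
            "request": f"{method} {path}",
            "hits": len(statuses),
            "status_counts": dict(Counter(statuses)),
            # Share of 5xx answers: the point at which the server stops
            # answering 200 is the only part of the evidence that speaks to load.
            "error_ratio": sum(1 for s in statuses if s >= 500) / len(statuses),
        })
    return bursts


if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG.splitlines()):
        print(f'{b["ip"]} {b["second"]} {b["request"]}: {b["hits"]} hits, '
              f'{b["status_counts"]}, error ratio {b["error_ratio"]:.2f}')
```

Run against the sample it reports one burst: 8 POSTs to the same executable in the same second, five answered 200 and the last three 500. That is what the complainant saw; what the report cannot tell you is who sat behind the client address, which is the gap the rest of this post is about. On the Tor side, the counterpart of the author's proposed remedy (blocking outgoing traffic to the complainant) is an `ExitPolicy reject 208.60.144.5:*` line in torrc, a standard Tor directive, which drops exit connections to that address without touching anything else the relay carries.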

So my Tor server is being used to perform a DoS attack over HTTP on 208.60.144.5. Strange, that address is in a range belonging to BellSouth.net Inc. and it doesn’t appear to have any web service running on it. To use a Tor server to conduct a DoS attack is ridiculous anyway; the performance of the network is such that Steve Murdoch’s attempts to DoS a 400MHz PII test webserver couldn’t even load it to 1%. My response to LayeredTech was:

Dear LT,

This is a bit harsh. Being located in the UK, you gave me notification
at 2335 last night. This hardly gives me much time to address your
previous email. I’m sorry for not responding sooner but I don’t have
24×7 operations.

In response to the complaint from the bluecross, I assume this “attack”
is the result of someone accessing their website through the Tor server
I operate on 72.21.33.202. The very nature of Tor makes it totally
unsuitable for any kind of DoS attack as the latency within the system
makes it far too slow. I also heavily cap the bandwidth in order to
remain within my LT monthly quota. I can only assume that the script in
question on the bluecross website places an enormous overhead on their
own system. To prevent a reoccurrence of this instance I can block all
outgoing traffic to their domain. In your opinion, is this an
acceptable solution?

Regards
Steve

I’m currently awaiting their response without much hope of them liking my solution. Previous dealings of this nature with LayeredTech suggest they will perceive me as the guilty party and expect me to terminate the service. Whatever the outcome, I’m now seriously worried that LayeredTech are unsuitable for running services. They disconnected my server without any serious effort to contact me and without any kind of investigation into the cause of the problem. This despite previous discussions at length with them regarding the nature of Tor. In addition to taking out Tor, the server in question ran mailing lists, secondary MXs and DNS services, all of which are now down.

3 comments

  1. That sucks… I think you have gone above and beyond to try to accommodate LT & blueshield.

    It’s my understanding that they can block tor traffic anyway, can’t they?
