
View Full Version : Eigen HTTP DoS


Matt
01-12-2007, 03:26 PM
There is currently a DoS going on with Eigen's Web server brought on by... EV1's Fireslayer anti-DoS system (irony indeed). A nice bug has cropped up such that the target and source IP addresses mysteriously both belong to Eigen. As a result, the server is being hit hard with SYN-ACK packets.


tcp 0 179 67.15.52.143:80 206.51.233.24:4744 ESTABLISHED
tcp 0 1 67.15.52.145:80 66.98.240.63:37625 FIN_WAIT1
tcp 0 1 67.15.52.145:80 66.98.240.63:49913 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.63:13048 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.63:29944 FIN_WAIT1
tcp 0 1 67.15.52.145:80 66.98.240.63:23544 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:13432 LAST_ACK
tcp 0 0 67.15.52.22:110 69.116.71.184:1702 TIME_WAIT
tcp 0 1 67.15.52.145:80 66.98.240.64:57720 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:60024 LAST_ACK
tcp 0 0 67.15.52.22:110 69.116.71.184:1703 TIME_WAIT
tcp 0 1 67.15.52.145:80 66.98.240.64:63865 LAST_ACK
tcp 0 0 67.15.52.145:80 66.98.240.64:17786 ESTABLISHED
tcp 0 1 67.15.52.145:80 66.98.240.64:19834 LAST_ACK
tcp 0 0 67.15.52.145:80 66.98.240.64:14714 ESTABLISHED
tcp 0 1 67.15.52.145:80 66.98.240.64:59514 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:7803 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:11387 LAST_ACK
tcp 0 0 67.15.52.22:80 66.249.65.236:40314 TIME_WAIT
tcp 0 1 67.15.52.145:80 66.98.240.64:21116 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:6012 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:43900 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:31869 FIN_WAIT1
tcp 0 1 67.15.52.145:80 66.98.240.64:2685 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:13181 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:8317 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:21886 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:18302 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:4222 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:2430 LAST_ACK
tcp 0 0 67.15.52.145:80 66.98.240.64:15998 ESTABLISHED
tcp 0 1 67.15.52.145:80 66.98.240.64:61054 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:33918 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:35710 FIN_WAIT1
tcp 0 1 67.15.52.145:80 66.98.240.64:22143 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:49791 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:45183 FIN_WAIT1
tcp 0 1 67.15.52.145:80 66.98.240.64:44159 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:13168 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:56944 FIN_WAIT1
tcp 0 1 67.15.52.145:80 66.98.240.64:25201 FIN_WAIT1
tcp 0 1 67.15.52.145:80 66.98.240.64:13169 LAST_ACK
tcp 0 1 67.15.52.145:80 66.98.240.64:13425 LAST_ACK

On the phone now trying to get this sorted out and I'll keep you guys updated on the issue. Building iptables into Eigen's current kernel (2.6.17) to temporarily mitigate the attacks.
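As an added example (not part of the thread, and not Eigen's or EV1's tooling): a small Python triage script that reads output in the netstat layout shown above, groups connections by remote host and flags the hosts behind a pile of half-closed or never-completed connections to port 80. The sample input is constructed using RFC 5737 test addresses, not the hosts from the listing.

```python
"""Flag remote hosts responsible for piles of stuck TCP connections.

Input is the ``netstat -tn`` layout (proto, recv-q, send-q, local, foreign, state).
"""
from collections import Counter

# States that pile up when the peer never finishes the handshake or never
# ACKs our FIN; a burst of these from one host is the signal worth alerting on.
STUCK_STATES = {"LAST_ACK", "FIN_WAIT1", "FIN_WAIT2", "SYN_RECV", "CLOSE_WAIT"}

# Constructed sample in netstat -tn format (RFC 5737 addresses, not real hosts).
SAMPLE = """\
tcp 0 179 192.0.2.10:80 198.51.100.24:4744 ESTABLISHED
tcp 0 1 192.0.2.10:80 203.0.113.63:37625 FIN_WAIT1
tcp 0 1 192.0.2.10:80 203.0.113.63:49913 LAST_ACK
tcp 0 1 192.0.2.10:80 203.0.113.63:13048 LAST_ACK
tcp 0 1 192.0.2.10:80 203.0.113.64:13432 LAST_ACK
tcp 0 0 192.0.2.10:110 198.51.100.184:1702 TIME_WAIT
tcp 0 1 192.0.2.10:80 203.0.113.64:57720 LAST_ACK
tcp 0 0 192.0.2.10:80 203.0.113.64:17786 ESTABLISHED
tcp 0 1 192.0.2.10:80 203.0.113.64:59514 LAST_ACK
tcp 0 1 192.0.2.10:80 203.0.113.64:7803 LAST_ACK
"""

def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue  # skip headers, UDP and unix-socket rows
        lip, lport = fields[3].rsplit(":", 1)   # rsplit keeps IPv6 addresses intact
        rip, rport = fields[4].rsplit(":", 1)
        yield lip, int(lport), rip, int(rport), fields[5]

def stuck_by_remote(text, local_port=None):
    """Count connections in a stuck state per remote IP, optionally for one local port."""
    counts = Counter()
    for _lip, lport, rip, _rport, state in parse_netstat(text):
        if local_port is not None and lport != local_port:
            continue
        if state in STUCK_STATES:
            counts[rip] += 1
    return counts

def flag_sources(text, threshold=3, local_port=80):
    """Remote IPs with at least `threshold` stuck connections, busiest first."""
    counts = stuck_by_remote(text, local_port)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE):
        print(f"{ip}: {n} stuck connections to :80")
```

The flagged addresses are what you would feed into a temporary iptables DROP rule while the upstream cause is sorted out, as the post describes.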

Matt
01-12-2007, 03:43 PM
I just got off the phone and they will be disabling Fireslayer on the server shortly. The IP addresses for Fireslayer have also been blocked temporarily.

Worth mentioning is the trigger:

0.0098 seconds ellapsed in capture
11020 inbound PPS to 67.15.52.xxx
1531 outbound PPS from 67.15.52.xxx
5.21 inbound Mbps to 67.15.52.xxx
0.71 outbound Mbps from 67.15.52.xxx

Replace xxx with three digits between 1 and 254 to denote the IP address which just so happens to be the inbound/outbound address and you have a :confused: situation. Everything should be back to normal at this time.

Matt
01-14-2007, 03:19 PM
Let me give you a quick status update since everything has been corralled on the server for the past 48 hours. We have an individual that wrote an inflammatory article on a pump-and-dump penny stock being spamvertised. Over the past five days, the stock prices have tumbled quite a bit ($1.6 -> $1 per share). I suspect the DoS carried out by the individual is a last-ditch effort to save his shares to get some sort of value out of them. The attacker distributed a Delphi application to flood the server with SYN packets. Interestingly enough, the target hostname is hardcoded into the application. Whoever the individual is, he wanted the site gone from the search engines.

I will not divulge the company name at this time, because this is still a very hot issue. After things die down a bit I may update you on the company name being advertised... or you can check your inbox for the penny stocks. It should be there ;).