
Thread: UFW log question.

  1. #11
    Join Date
    Nov 2006
    Location
    Craggy Island.
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: UFW log question.

    Hey guys

    interesting thread.

    Could I ask a silly question for my own education? (BTW I don't work for revolvclothing )

    216.144.228.153 / resolveclothing.com looks like a pretty legit site.
    They seem to have valid security certificates. The registrant in whois appears to also be the owner,

    I can find the registrant in LinkedIn etc

    I would be inclined to contact him and tell him to get his ship in order, and that his site appears to be doing DOS attacks.

    Do you guys think it's best to just firewall and ignore these?
    If this was just light probes or ended up being a dodgy site in some weird country I would ignore, but given you appear to be getting undue attention, that's why I thought I would contact them. Again, just asking this question for my own education and looking for your advice / experience.



    Registration Service Provided By: Active-Domain LLC
    Contact: http://www.active-domain.com

    Domain Name: revolveclothing.com
    Expiry Date: 20-Jan-2021

    Name servers:
    ns1.revolveclothing.com
    ns2.revolveclothing.com
    ns3.revolveclothing.com

    Registrant Name: Michael Karanikolas
    Registrant Company: Eminent, Inc.
    Registrant Email Address: mkaranikolas@eminentinc.com
    Registrant Address: 7067 Falcon Drive
    Registrant City: Buena Park
    Registrant State/Region/Province: CA
    Registrant Postal Code: 90620
    Registrant Country: US
    Registrant Tel No: 7147973565
    Registrant Fax No: none

    Admin Name: Michael Karanikolas
    Admin Company: Eminent, Inc.
    Admin Email Address: mkaranikolas@eminentinc.com
    Admin Address: 7067 Falcon Drive
    Admin City: Buena Park
    Admin State/Region/Province: CA
    Admin Postal Code: 90620
    Admin Country: US
    Admin Tel No: 7147973565
    Admin Fax No: none

    Tech Name: Michael Karanikolas
    Tech Company: Eminent, Inc.
    Tech Email Address: mkaranikolas@eminentinc.com
    Tech Address: 7067 Falcon Drive
    Tech City: Buena Park
    Tech State/Region/Province:
    Tech Postal Code: 90620
    Tech Country: US
    Tech Tel No: 7147973565

    PS- I would offer to drive to LA and punch him in the nose, but I'm in work and it's a long drive
    You can tell a man who boozes by the company he chooses, as the pig got up and slowly walked away.

  2. #12
    Join Date
    Feb 2011
    Location
    Maryland
    Beans
    2,259
    Distro
    Ubuntu

    Re: UFW log question.

    Originally Posted by jonobr:
    Hey guys

    interesting thread.

    Could I ask a silly question for my own education? (BTW I don't work for revolvclothing )

    216.144.228.153 / resolveclothing.com looks like a pretty legit site.
    They seem to have valid security certificates. The registrant in whois appears to also be the owner,

    I can find the registrant in LinkedIn etc

    I would be inclined to contact him and tell him to get his ship in order, and that his site appears to be doing DOS attacks.

    Do you guys think it's best to just firewall and ignore these?
    If this was just light probes or ended up being a dodgy site in some weird country I would ignore, but given you appear to be getting undue attention, that's why I thought I would contact them. Again, just asking this question for my own education and looking for your advice / experience.

    PS- I would offer to drive to LA and punch him in the nose, but I'm in work and it's a long drive

    Not sure what my plan is yet... currently rebuilding my firewall. I have all of my tables in place, now I just need to get logging going... fun fun fun.

    Once I get logging up, I will check the logs in the morning and see if this place is still hitting me. Then we will have a problem and a phone call.
    I'm in Maryland.. they are a bit of a drive for me haha

  3. #13
    Join Date
    Nov 2006
    Location
    Craggy Island.
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: UFW log question.

    Yep, and LA traffic is a b i atch

  4. #14
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: UFW log question.

    Well, without actually capturing and reading the traffic, it's hard to say if it's actually a DNS request or something else.

    UDP 53 is usually the port reserved for DNS lookups/traffic, but it is possible to send other types of traffic on that port, but why would you want to unless it's for malicious reasons?
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  5. #15
    Join Date
    Feb 2011
    Location
    Maryland
    Beans
    2,259
    Distro
    Ubuntu

    Re: UFW log question.

    there are easily over 1000 entries in there from the past 24 hours.

    All of them from 216.144.228.153

    All from port 53 to port 53



    This box just passes VPN traffic.
    The only computer that is accessing the BIND function on it is mine... and I assure you, I have not been to that clothing website lol.
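
Added example, not part of any post in this thread: one way to tally UFW block entries per source, protocol and port pair, so a pattern like the one described above (many entries from a single address, port 53 to port 53) stands out. The sample log lines are constructed in the usual kernel/UFW log format; the hostname `gw` and every address except 216.144.228.153 are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines. Only 216.144.228.153 comes from the thread; the
# other addresses are documentation-range placeholders.
SAMPLE_LOG = """\
Feb 10 03:12:01 gw kernel: [1001.10] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=216.144.228.153 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=56
Feb 10 03:12:04 gw kernel: [1004.22] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=216.144.228.153 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=56
Feb 10 03:12:05 gw kernel: [1005.31] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=4411 DF PROTO=TCP SPT=44512 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 10 03:12:06 gw kernel: [1006.02] [UFW ALLOW] IN=tun0 OUT= MAC= SRC=192.0.2.50 DST=192.0.2.10 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=UDP SPT=40000 DPT=53 LEN=50
Feb 10 03:12:07 gw kernel: [1007.48] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Feb 10 03:12:08 gw CRON[2211]: (root) CMD (run-parts /etc/cron.hourly)
Feb 10 03:12:09 gw kernel: [1009.77] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=216.144.228.153 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=56
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
ACTION_RE = re.compile(r"\[UFW ([A-Z ]+)\]")

def parse_line(line):
    """Return the KEY=value fields of one UFW log line, or None if not UFW."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    fields = {"ACTION": m.group(1)}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)  # keep first LEN/ID (the IP header ones)
    return fields

def summarize(log_text, action="BLOCK"):
    """Count entries per (SRC, PROTO, SPT, DPT); ICMP has no ports -> None."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["ACTION"] == action:
            counts[(f.get("SRC"), f.get("PROTO"), f.get("SPT"), f.get("DPT"))] += 1
    return counts

def dns_port_sources(counts):
    """Per-source totals for blocked UDP packets going from port 53 to port 53."""
    out = Counter()
    for (src, proto, spt, dpt), n in counts.items():
        if proto == "UDP" and spt == "53" and dpt == "53":
            out[src] += n
    return out

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

The tally only shows addresses and ports; the log does not record the payload, so whether the packets are DNS queries, replies or something else still needs a packet capture.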

  6. #16
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: UFW log question.

    Originally Posted by collisionystm:
    there are easily over 1000 entries in there from the past 24 hours.

    All of them from 216.144.228.153

    All from port 53 to port 53



    This box just passes VPN traffic.
    The only computer that is accessing the BIND function on it is mine... and I assure you, I have not been to that clothing website lol.
    Yikes. I'd definitely get in contact with the person from that site and tell them to take a look at why their server is sending DNS requests out. Could be that their config is wrong or that it was compromised.

  7. #17
    Join Date
    Feb 2011
    Location
    Maryland
    Beans
    2,259
    Distro
    Ubuntu

    Re: UFW log question.

    oh and did I mention it suddenly vanished? .... strange.

  8. #18
    Join Date
    Feb 2011
    Location
    Maryland
    Beans
    2,259
    Distro
    Ubuntu

    Re: UFW log question.

    well I was thinking that they may have configured something wrong. It was strictly DNS. It wasn't the usual SSH / VNC attempt

  9. #19
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: UFW log question.

    Originally Posted by collisionystm:
    well I was thinking that they may have configured something wrong. It was strictly DNS. It wasn't the usual SSH / VNC attempt
    That's what I am thinking too, especially since it just vanished.

  10. #20
    Join Date
    Feb 2011
    Location
    Maryland
    Beans
    2,259
    Distro
    Ubuntu

    Re: UFW log question.

    nope... nothing today.

    Everybody else but resolve clothing lol
