The Joe2006.com thing
First, the node returns ICMP requests in a steady 47ms RTT sequence from a machine in Portland, Maine, so the DDoS claim is initially doubtful. Second, the node at 69.56.129.130 is non-responsive to TCP connections on ports 25 (SMTP) and 80 (HTTP). I've a machine with just these properties in Portland: its SCSI disk fails every few hours, and the in-memory kernel image is happy to bounce ICMP packets but won't page in the user-space daemons to do anything useful when something connects to ports 25 or 80. Not conclusive, simply anecdotal evidence of how the symptoms complained of could also be produced.
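The two observations above (steady ICMP echo RTTs, no TCP handshake on 25 or 80) are what separate a half-dead host from a flooded one. Here is an added triage example that is not code from the original post: it classifies a node from those two measurements, and it collects them against your own host by parsing the system `ping` and attempting plain TCP connects. The `ping` output format (`time=NN ms`, as iputils and the BSDs print it), the 10% jitter threshold for "steady", and the class names are all my assumptions.

```python
"""Host-state triage: separate "kernel answers ICMP but daemons are dead"
from "unreachable" or "flooded".  Added example, not code from the original
post.  Assumptions: the system `ping` prints "time=NN ms" lines (iputils/BSD
style), and a TCP connect that completes the handshake means the listener
for that service is at least alive."""
import re
import socket
import statistics
import subprocess
import sys
from typing import Dict, List


def classify_host(rtts_ms: List[float], tcp_ok: Dict[int, bool]) -> str:
    """Classify a host from measurements already collected (no network I/O).

    rtts_ms -- ICMP echo round-trip times in milliseconds; empty means no reply.
    tcp_ok  -- port -> True if a TCP connect completed the three-way handshake.
    """
    if not tcp_ok:
        raise ValueError("no TCP probe results supplied")
    if not rtts_ms:
        return "unreachable"  # nothing at the IP layer answers at all
    mean = statistics.mean(rtts_ms)
    jitter = statistics.pstdev(rtts_ms) if len(rtts_ms) > 1 else 0.0
    steady = jitter < 0.1 * mean  # coefficient of variation under 10% (assumed threshold)
    all_tcp_down = not any(tcp_ok.values())
    if steady and all_tcp_down:
        # The post's symptom: a live kernel bouncing ICMP while nothing in
        # user space will accept connections (daemons paged out, disk dead).
        return "kernel-up-services-dead"
    if all_tcp_down:
        # Erratic RTT plus no TCP completion looks more like congestion or a
        # flood on the path or the host than like a dead userland.
        return "congested-or-flooded"
    if all(tcp_ok.values()):
        return "healthy"
    return "partial"  # some listeners answer, others do not


def ping_rtts(host: str, count: int = 4) -> List[float]:
    """Collect ICMP RTTs by parsing the system ping output."""
    proc = subprocess.run(["ping", "-c", str(count), host],
                          capture_output=True, text=True, check=False)
    return [float(m) for m in re.findall(r"time[=<]([\d.]+) ?ms", proc.stdout)]


def tcp_probe(host: str, ports: List[int], timeout: float = 3.0) -> Dict[int, bool]:
    """Attempt a TCP connect to each port; record whether the handshake completed."""
    results: Dict[int, bool] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results


if __name__ == "__main__":
    # Usage: python triage.py <your-host>   (defaults to localhost)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    rtts = ping_rtts(target)
    tcp = tcp_probe(target, [25, 80])
    print(f"{target}: rtts={rtts} tcp={tcp} -> {classify_host(rtts, tcp)}")
```

The classification deliberately keeps measurement and judgement apart: `classify_host` takes whatever RTT list and port map you already have (from a monitoring system, a packet capture, or the two helpers above), so the same rule can be applied to historical data when no live probe is possible.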
There really isn't any log file data in the statement of Dan Geary quoted in Paul Kiel's post at TPMmuck, to support, or detract from, any "distributed" claim as to the point(s) of origin, or the health of the basic system when the network interface is marked "down".
The claim that email is hosed because of an SQL injection vulnerability is interesting, as it means the MX record and the A record point to the same (single point of failure) host, and that sendmail and the DBMS are co-located on one physical host. I don't do that on my budget, let alone all the AIPAC money I could ask for.
The network operator is theplanet.com, and the A record is in their CIDR, so their egress routers give the best view of the putative attack, or its absence. I've sent a note to the tech contact, a heads-up and a suggestion that they share Nagios (flow property) data to establish some baseline about the load on the claimed target node. I've also sent mail to Tom Swan, the Lamont CM, pointing him to this post.
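The point of asking the operator for flow data is that a "distributed" claim is checkable: against a baseline window, a real DDoS shows both a packet-rate jump and a jump in distinct source addresses, while a single-source flood, or nothing at all, does not. The following is an added example, not code from the original post or from the operator; the CSV flow layout, the addresses, the counts and the 10x thresholds are all constructed for illustration, and a real export (NetFlow via nfdump, or whatever a Nagios flow plugin emits) would need its own parser feeding the same `summarize()` and `assess()` functions.

```python
"""Flow-baseline check: does edge flow data actually support a "distributed"
attack claim against one host?  Added example, not code from the original
post or the operator.  The CSV layout and every address and count are
constructed (RFC 5737 documentation ranges); the 10x factor is assumed."""
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List

TARGET = "198.51.100.10"  # constructed stand-in for the claimed victim host

# Constructed baseline traffic: a handful of ordinary SMTP/HTTP clients.
BASELINE_CSV = """\
ts,src,dst,dport,packets,bytes
1154962800,203.0.113.5,198.51.100.10,25,12,9600
1154962800,203.0.113.7,198.51.100.10,80,40,52000
1154962830,203.0.113.9,198.51.100.10,80,25,31000
1154962860,203.0.113.5,198.51.100.10,25,10,8000
"""


def parse_flows(text: str) -> List[dict]:
    """Parse the simplified CSV flow export into typed records."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({"ts": int(r["ts"]), "src": r["src"], "dst": r["dst"],
                     "dport": int(r["dport"]),
                     "packets": int(r["packets"]), "bytes": int(r["bytes"])})
    return rows


def build_sample() -> List[dict]:
    """Baseline records plus two constructed anomaly windows: a flood from
    150 distinct sources, then a flood of similar volume from one source."""
    flows = parse_flows(BASELINE_CSV)
    for i in range(1, 151):  # 192.0.2.1 .. 192.0.2.150, 3000 packets each
        flows.append({"ts": 1154962920, "src": f"192.0.2.{i}", "dst": TARGET,
                      "dport": 80, "packets": 3000, "bytes": 180000})
    flows.append({"ts": 1154962980, "src": "192.0.2.200", "dst": TARGET,
                  "dport": 80, "packets": 300000, "bytes": 18000000})
    return flows


def summarize(flows: List[dict], dst: str, window: int = 60) -> Dict[int, dict]:
    """Per-window packets/s, bits/s and distinct source count toward `dst`."""
    buckets = defaultdict(lambda: {"packets": 0, "bytes": 0, "srcs": set()})
    for f in flows:
        if f["dst"] != dst:
            continue
        b = buckets[f["ts"] // window * window]
        b["packets"] += f["packets"]
        b["bytes"] += f["bytes"]
        b["srcs"].add(f["src"])
    return {t: {"pps": b["packets"] / window,
                "bps": b["bytes"] * 8 / window,
                "distinct_src": len(b["srcs"])}
            for t, b in sorted(buckets.items())}


def assess(summary: Dict[int, dict], baseline_end: int, factor: float = 10.0) -> Dict[int, str]:
    """Label each window at or after `baseline_end` against the windows before it.

    'distributed'          -- packet rate AND distinct sources exceed the
                              baseline maximum by `factor`
    'single-or-few-source' -- packet rate does, source count does not
    'no-anomaly'           -- neither does
    """
    base = [v for t, v in summary.items() if t < baseline_end]
    if not base:
        raise ValueError("no baseline windows before baseline_end")
    base_pps = max(v["pps"] for v in base)
    base_src = max(v["distinct_src"] for v in base)
    verdicts = {}
    for t, v in summary.items():
        if t < baseline_end:
            continue
        high_rate = v["pps"] > factor * base_pps
        many_src = v["distinct_src"] > factor * base_src
        if high_rate and many_src:
            verdicts[t] = "distributed"
        elif high_rate:
            verdicts[t] = "single-or-few-source"
        else:
            verdicts[t] = "no-anomaly"
    return verdicts


if __name__ == "__main__":
    s = summarize(build_sample(), TARGET)
    for t, verdict in assess(s, baseline_end=1154962920).items():
        print(t, s[t], verdict)
```

The split between rate and source count is the whole argument: a log-less assertion of "distributed" can only be tested by counting sources at a point that sees all of them, which is why the operator's edge, not the victim host, is the place to ask.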
ReferralServer: rwhois://rwhois.theplanet.com:4321
NetRange: 69.56.128.0 - 69.56.255.255
CIDR: 69.56.128.0/17
NetName: NETBLK-THEPLANET-BLK-6
NetHandle: NET-69-56-128-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:
RegDate: 2003-06-10
Updated: 2003-09-29
RTechHandle: PP46-ARIN
RTechName: Pathos, Peter
RTechPhone: +1-214-782-7800
RTechEmail: admins@theplanet.com
Update: Does the campaign presence of a federal candidate on election day meet the intent of a "federal interest computer"? Is an attack on it jurisdictionally indistinguishable from an attack on any non-electoral service on its "performance day"? Is lying about it the same as lying about liberal bloggers ate my lunch?
I'm amazed that the claim of agency was made. I've had nodes attacked by DoD machines (granted, they were compromised, presumably by criminal script kiddies) and worked through DoD contacts to get the problem resolved. Turning a log-less assertion into a federal offense, or simply a political campaign's last-day-go-negative message, on some few hours' turnaround, is unprecedented in my experience.
Update: See also robzr's comment.
Comments
Interesting, you should become a detective.
Posted by: dude999 | August 8, 2006 03:47 PM