
DMI News


5: The Tomz Incident

August 07, 2012 16:17

April 2002, before the site was called DMI and was only accessed by ip address (206.54.177.105), I had several regulars that hung out in the chat room. One day, some kid shows up and starts chatting, sounding really interested in the page and several of the features. His name was Tomz.

I don't remember if Tomz initially said he was older, indicated that he was older, or never said, but the implication I got was that he was trying to sound several years older than he was, only it became more and more obvious that he was only about 14. Nevertheless, I never have discriminated against people due to their age unless they committed a pretty serious faux pas. Nonetheless, he was pretty annoying. His favorite thing to do was to brag, extensively, about his internet connection, which was an OOL (Optimum Online) cable connection that provided 10 Mbps downstream and 1 Mbps upstream. At the time, that was a pretty decent internet connection, particularly for a consumer grade ISP. Anyhow, he thought it was necessary to rub everyone's noses in this fact, which was annoying, but not particularly depressing. We all have our advantages, so if that was his one shiny penny that he could boast about, fine. Let him have it.

After a couple of weeks of talking to him, one night he's asking a lot of questions about my shoutcast (or possibly icecast, not sure which I was using at the time) connection. Being patient, I spent quite a bit of time explaining how to install and configure the software and the plugins, etc, but he was obviously having trouble with it. Eventually he complains that he's going to have to go to bed soon because he has to go to his grandmother's funeral the next day. He then proceeds to say something really horrible about his recently deceased grandmother. I don't remember the exact words, but it was something to the effect that he didn't want to have to go, didn't want to waste the time, wish they'd just flush her down the toilet and be done with it.

I decided that I had had enough of him, told him I don't think I liked him anymore, and banned him from the chatroom. I would have banned him from the site as well, but at the time, I didn't have the easy blocking methods set up that I do now. The only way I could really ban him was to block him in .htaccess, but that took some time to take effect, so he was able to spend the next several minutes sending me messages from the site. At first he was just pleading to be let back in. Eventually he resorted to threats that he was going to "ping flood me off the internet" and so on. The full log is available here.

Best I can figure, he starts flooding me, although not very well. If his statements are accurate, he was pinging me with packets far too small and too slowly to be of any significant impact to the connection I had, despite the fact his connection was faster. Besides, worst case, his upstream didn't exceed my downstream, so there wasn't much he could really do by himself. He didn't think that though, and spent more time boasting. Apparently, he figured that I would eventually attempt to retaliate the same way, so he started monitoring his connection, watching all of the packets looking for something suspicious. He found something: a large amount of data coming from my ip address to his, and he assumed that this was an attack on my part. The problem is, he didn't bother to filter out traffic that he should have been expecting.

At the time this was happening, Tomz was flooding me with pings, which by the very nature of the protocol returned a response packet. He was viewing my webcam, which sent a constantly updating stream of new images, automatically. He was listening to my live audio stream, which was a constantly updating set of packets. Also, my page had other dynamic features on it, like updating the lightbulb icons to indicate the status of the lamps. This too generated a stream of data. Point is, my network was sending him a TON of traffic, on several different ports and protocols, all of which were responses to requests he made from his computer. Tomz, however, didn't understand this, and assumed that ANY traffic a traffic monitor showed was traffic that was not authorized.

Anyway, while this was going on, he first boasted about how laggy my internet connection must be by now (it wasn't). After he discovered the "illicit" traffic from my site, he started complaining about it. Best I can figure, he was recording a full log of all data received for some reason (possibly as evidence) and those files were likely getting pretty large as a result. Knowing full well that I wasn't attempting any abuse, I realized that all data he was receiving from me was legitimate traffic and if he stopped accessing my site and stopped pinging me, he wouldn't get any more responses. I tried explaining this to him several times, including repeated demands to get off of my site, all of which he responded to by not understanding the issue, and refused to leave.

Knowing he was still listening, and figuring I could just scare him off, I looked up contact information for his ISP and started making some phone calls to report the abuse (so he could hear me doing it). His last few comments indicated that he probably heard what I was doing, and he quickly departed. I figured he was gone, finished up the call, and decided that was it for that adventure. However, within a few minutes, I started getting a LOT of traffic to the site. I looked up where it was coming from and discovered a link on dslreports.com where he had started a forum post complaining about being flooded and recruiting others to join him in flooding me back (the whole time neglecting to mention that he started the whole mess and I wasn't flooding him at all). About the same time I started reading this, someone sent me a message asking why I was flooding Tomz. Realizing this might get out of hand, I quickly copy/pasted all of his messages to a text file and linked to it at the top of the page, along with a message that I wasn't flooding anyone, then I continued reading the thread. Once I got caught up with that, I posted my own reply to the thread explaining the situation, and pretty much everyone involved sided with me, although Tomz was apparently gone for the day at that point. I figured it was all done now, or so I thought.

The next day, Tomz posts yet another thread complaining about the flooding and trying to defend his position, i.e., that I started flooding him for no reason and he only flooded me back as a defense measure, once again leaving out the fact that he actually did it first, and I never did it at all. Several people in the thread were aware of this fact, but nevertheless attempted to help him figure out the issue from his end. They eventually convince him to post a log of the flooding that I was doing and it clearly showed a list of packets, from my ip address on tcp port 80, which he claimed was proof of flooding. It was very quickly explained to him that tcp packets on port 80 were web server RESPONSES, and not attacks. It took several more rounds of explaining things before Tomz finally came to the realization that I wasn't flooding him back, but even then, he still figured that the problem was some type of error on how my system was configured, as to why he was getting all of these packets.
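The check that settled the thread, written out as an added example (not part of the original post or its logs): before calling inbound packets an attack, match each one against traffic the monitored host itself sent. The capture below is constructed, the addresses are documentation ranges, port 8000 for the audio stream is an assumption, and the connection tracking is simplified to exact flow and echo id/seq matching.

```python
from collections import Counter, namedtuple

# direction: "out" = sent by the monitored host, "in" = received by it.
# info: TCP flags string, or (icmp_type, id, seq) for ICMP.
Pkt = namedtuple("Pkt", "direction proto src sport dst dport info")

def classify(packets):
    """Return a label for every inbound packet, in capture order."""
    tcp_flows = set()   # (local ip, local port, remote ip, remote port) we opened
    echo_sent = set()   # (local ip, remote ip, id, seq) of echo requests we sent
    labels = []
    for p in packets:
        if p.direction == "out":
            if p.proto == "tcp":
                tcp_flows.add((p.src, p.sport, p.dst, p.dport))
            elif p.proto == "icmp" and p.info[0] == "echo-request":
                echo_sent.add((p.src, p.dst, p.info[1], p.info[2]))
            continue
        if p.proto == "tcp":
            # A reply carries the outbound 4-tuple with the endpoints swapped.
            ok = (p.dst, p.dport, p.src, p.sport) in tcp_flows
        elif p.proto == "icmp" and p.info[0] == "echo-reply":
            key = (p.dst, p.src, p.info[1], p.info[2])
            ok = key in echo_sent
            echo_sent.discard(key)   # one reply per request
        else:
            ok = False
        labels.append("solicited" if ok else "unsolicited")
    return labels

ME, SITE = "192.0.2.10", "198.51.100.5"   # constructed documentation addresses
SAMPLE = [  # constructed capture, not data from the incident
    Pkt("out", "tcp", ME, 50001, SITE, 80, "SYN"),           # page / webcam request
    Pkt("in", "tcp", SITE, 80, ME, 50001, "SYN,ACK"),
    Pkt("out", "icmp", ME, None, SITE, None, ("echo-request", 1, 1)),
    Pkt("in", "icmp", SITE, None, ME, None, ("echo-reply", 1, 1)),
    Pkt("out", "tcp", ME, 50002, SITE, 8000, "SYN"),         # assumed audio stream port
    Pkt("in", "tcp", SITE, 8000, ME, 50002, "ACK"),
    Pkt("in", "tcp", SITE, 80, ME, 50001, "PSH,ACK"),        # more webcam data
    Pkt("in", "icmp", SITE, None, ME, None, ("echo-request", 7, 1)),  # nothing asked for this
]

def summarize(packets):
    """Count inbound packets per label."""
    return Counter(classify(packets))

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Only the last packet, an echo request with no matching outbound traffic, is labelled unsolicited; the port 80 and port 8000 packets are answers to connections the viewer opened.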

Lost in the whole mess, somehow, was the simple fact that had he not attacked me in the first place, he never would have felt the need to monitor his traffic, and never would have noticed the "self-inflicted webcam connections". Thankfully, the whole issue blew over in a couple of days. What was sad is how many people were very quick to jump to conclusions based on what he said, without having any supporting evidence. I really wish that dslr didn't support the editing of comments after they were posted. You'll notice reading through it, how many people retracted their comments after they figured out what actually happened. Some 14 year old kid, who was known to have no credibility whatsoever, was instantly believed by everyone when a call went out to join a mob and attack someone.

On the other hand, however, this was greatly amusing. Someone annoying came along. I was as nice to him as I could be until he pushed it too far, and upon removing him, he tried to shame me, but it backfired horribly and my site became more popular as a result of that backfiring. Well, at least it amuses me.
