| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 16 Aug 2013 18:12:54 +0200 From: Pascal Ernster <full-disclosure@...dfalcon.net> To: full-disclosure@...ts.grok.org.uk Subject: Re: Who's behind limestonenetworks.com AKA DDoS on polipo(8123) Binary? The only "binary" thing I see in that hexdump are a bunch of null bytes and the \n at the end. regards Pascal On Thu, 15 Aug 2013 17:29:52 -0300 Luther Blissett <lblissett@...anoici.org> wrote: > Hello dear companions, > > Two days ago one of my tor exit nodes experienced something I'm now > calling "limestonenetworks DDoS on polipo" ( $WAN_IP:8123 ), since all > packets in the storm were flowing from a range of 514 different IP > addresses, all of them inside limestonenetworks IP range and targeting > port 8123 on my tor exit node WAN IP. > > Before the packet storm, I could observe a huge increase on attempts > to access my WAN domain through tor. I couldn't relate IP addresses > from this first raise to those responsible for the actual packet > storm nor could I identify some useful pattern there, but they were > all coming from port 9001 and increased just some hours before the > storm, so I'm guessing they are related somehow. > > Also, throughout the storm, one of my log files got corrupted with > some unreadable bin garbage. I do not know if it was intended/targeted > exploit, but I'm reworking secrets and trying to figure out what is > this binary. > > Here is a sample line of a WAN attempt: > > Aug 13 16:50:22 $USER user.warn kernel: [DROP INVALID WAN] : IN=vlan2 > OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx > SRC=77.56.151.190 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43 > ID=38787 DF PROTO=TCP SPT=40888 DPT=9001 SEQ=289854459 ACK=41163 > > Here is a sample line of packet storm: > > Aug 13 20:39:14 $USER user.warn kernel: [hammer] : IN=vlan2 OUT= > MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx > SRC=74.63.216.60 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=48 > ID=20269 DF PROTO=TCP SPT=1757 DPT=8123 WINDOW=65535 RES=0x00 SYN > URGP=0 OP > > The attack persisted for at least three hours and left this binary > (hex represented): > > 0000000 0000 0000 0000 0000 0000 0000 0000 0000 > * > 0000b90 0000 0000 0000 0000 0000 0000 2067 3331 > 0000ba0 3220 3a30 3135 303a 2034 6174 6567 7573 > 0000bb0 7568 7520 6573 2e72 6177 6e72 6b20 7265 > 0000bc0 656e 3a6c 5b20 6168 6d6d 7265 205d 203a > 0000bd0 4e49 763d 616c 326e 4f20 5455 203d 414d > 0000be0 3d43 3030 323a 3a31 3732 663a 3a61 6464 > 0000bf0 343a 3a34 3030 313a 3a35 3966 323a 3a61 > 0000c00 6639 643a 3a39 3830 303a 3a30 3534 303a > 0000c10 3a30 3030 333a 2034 5253 3d43 3132 2e36 > 0000c20 3432 2e35 3232 2e31 3031 2037 5344 3d54 > 0000c30 3831 2e39 3833 322e 3533 322e 3035 4c20 > 0000c40 4e45 353d 2032 4f54 3d53 7830 3030 5020 > 0000c50 4552 3d43 7830 3030 5420 4c54 343d 2038 > 0000c60 4449 313d 3335 3431 4420 2046 5250 544f > 0000c70 3d4f 4354 2050 5053 3d54 3932 3635 4420 > 0000c80 5450 383d 3231 2033 4957 444e 574f 363d > 0000c90 3535 3533 5220 5345 303d 3078 2030 5953 > 0000ca0 204e 5255 5047 303d 000a > 0000ca9 > > Attached is the list of participating IP addresses, line by line, with > the count of packets received. The attacker started sending something > like 4 packets per second and increased to over than 9000!!! - just > kidding, over 30 per second. > > JSYK, I welcome any comments. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists