From: list.fulldisclosure at webscreen-technology.com (Gareth Blades)
Subject: Attack profiling tool?

Our product detected the attack as a 'connection flood' which is basically
where you open up lots of connections to a server and leave them idle. This
causes the server to have lots of open connections so that it reaches its
maximum connection limit and therefore nobody else can access the site
resulting in denial of service.

A common tool for this is called Naptha but what we are seeing is not
consistent with this tool because as soon as the connection limit is reached
all the connections are then closed. Naptha would keep them all open and
regularly keep trying to open new ones.

Our product monitors the connections to the site and when it begins to reach
its limit denies new connections from clients which have more connections
open than they should/normally would.

> -----Original Message-----
> From: daniel_clemens@...mingham-infragard.org
> [mailto:daniel_clemens@...mingham-infragard.org]On Behalf Of daniel
> uriah clemens
> Sent: Thursday, July 10, 2003 12:47
> To: Gareth Blades
> Cc: Fulldisclosure
> Subject: Re: [Full-Disclosure] Attack profiling tool?
>
>
> > I have seen this a number of times from various IP addresses and it is
> > always exactly the same. Our product which detected this prevents against
> > these types of attacks anyway so it is not a problem but I was wondering if
> > it is a particular attack tool going round the Internet profiling different
> > sites to see how many connections they support.
>
> Out of curiosity to possibly reclarify your definition of an attack...
> What type of attacks do these more than 3 connections fall into?
>
> -Daniel Uriah Clemens
>
> Esse quam videra
>     		(to be, rather than to appear)
> http://www.birmingham-infragard.org   | 2053284200
> fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD
>
>
>
>
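The admission policy described in the message above (once the server nears its connection limit, deny new connections from clients already holding more than a normal number), sketched as an added example that is not part of the original thread and not the vendor's code. The class name, the 80% "nearing the limit" threshold, the per-client figure and the sample addresses are all assumptions.

```python
from collections import Counter


class ConnectionGate:
    """Admission control for a server with a fixed connection limit (hypothetical helper)."""

    def __init__(self, max_conns, per_client_normal, pressure_ratio=0.8):
        self.max_conns = max_conns                    # server's hard connection limit
        self.per_client_normal = per_client_normal    # assumed "normal" open connections per client
        self.pressure_at = int(max_conns * pressure_ratio)  # assumed point where the limit is "near"
        self.open = Counter()                         # client IP -> currently open connections

    def total(self):
        return sum(self.open.values())

    def admit(self, client_ip):
        """Return True and record the connection if it is allowed, else False."""
        total = self.total()
        if total >= self.max_conns:
            return False                              # table is full, nothing can be admitted
        # Near the limit: refuse clients that already hold more than a normal share,
        # so the remaining slots stay available to everyone else.
        if total >= self.pressure_at and self.open[client_ip] > self.per_client_normal:
            return False
        self.open[client_ip] += 1
        return True

    def close(self, client_ip):
        """Record that one of the client's connections has closed."""
        if self.open[client_ip] > 0:
            self.open[client_ip] -= 1
            if self.open[client_ip] == 0:
                del self.open[client_ip]


def simulate():
    """Constructed scenario: one client opens idle connections, then 20 others arrive."""
    gate = ConnectionGate(max_conns=100, per_client_normal=3)
    hoarder = "192.0.2.10"                            # documentation-range address, constructed
    hoarder_ok = sum(gate.admit(hoarder) for _ in range(150))
    others_ok = sum(gate.admit(f"198.51.100.{i}") for i in range(1, 21))
    return hoarder_ok, others_ok, gate.total()


if __name__ == "__main__":
    print(simulate())
```

With these assumed numbers the flooding client is stopped at 80 connections and the 20 slots held back go to the later clients.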


