lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 18 Apr 2008 16:11:53 +0100 (BST)
From: news@...donald.net
To: "Joey Mengele" <joey.mengele@...hmail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: lots of connections to 64.40.117.19 port 80

J,

Eh? The closest thing I can think of to what you're saying is if the cause
of a DDOS was stored XSS on a popular site(s) being used get users
browsers to request information from 64.40.117.19. The XSS would be done
else where, and the DDOS attack itself would contain no 'payload'.

In which case filtering user input on his side isnt going to anything.
Plus, you still have no reason for calling this a textbool case of XSS, or
anything else for that matter. Without seeing the tcpdump, all we can do
is reel of a list of things in might be.

Best,

Renski

> News,
>
> I believe you are missing something. XSS is merely a type of
> vulnerability. It is very common for an XSS payload to include a
> DDoS component. If you had done your research before retorting you
> would have known this.
>
> J
>
> On Fri, 18 Apr 2008 10:25:38 -0400 news@...donald.net wrote:
>>Joey,
>>
>>a text book case? Prehaps im missing something, but see nothing in
>>Genbolds email which makes me consider XSS. XSS is often a small
>>amount of
>>traffic, with HTML and javascript in post request content or get
>>request
>>query strings.
>>
>>Ganbold,
>>
>>In my opinion, it's more likely it's one of the following
>>
>>* brute force or dictionary attack on a login form, prehaps using
>>a botnet
>>to mask the actual attacker
>>* DDOS, again prehaps from a botnet
>>* DOS, prehaps creating half open connects using a random spoofed
>>source
>>addresses (try and check to see if the addresses are random, or
>>come for a
>>fixed set of IPs).
>>* Someone looking for hidden files and directories
>>* An automated script scraping the website for dynamic or a large
>>amount
>>of content, or some other tool which is malfunctioning
>>* The website is just really popular and your client needs to
>>upgrade
>>their kit
>>
>>Attempt to find out what kind of requests (if any) are being sent
>>to the
>>server, prehaps using a tool like wireshark, and that should tell
>>you a
>>little about what is going on.
>>
>>Best,
>>
>>Renski
>>
>>> Ganbold,
>>>
>>> This sounds like a textbook case of Cross Site Scripting (XSS).
>>> Consider filtering user output more carefully.
>>>
>>> J
>>>
>>> On Fri, 18 Apr 2008 03:54:24 -0400 Ganbold
>><ganbold@...om.mng.net>
>>> wrote:
>>>>Hi,
>>>>
>>>>Recently I have seen a lots of connections to 64.40.117.19 port
>>80
>>>>in
>>>>one of our clients network.
>>>>Connections are coming from all over the Internet (various
>>>>different
>>>>IPs) specifically to this IP.
>>>>Due to this problem (I guess it is DDoS) one of our router's CPU
>>>>usage
>>>>grew up to 100% and stopped a service
>>>>for a while.
>>>>What kind of problem this could be?
>>>>Has anybody seen this kind of attack before?
>>>>I appreciate if somebody can enlighten me in this regard.
>>>>
>>>>thanks in advance,
>>>>
>>>>Ganbold
>>>>
>>>>--
>>>>The more control, the more that requires control.
>>>>
>>>>_______________________________________________
>>>>Full-Disclosure - We believe in it.
>>>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>> --
>>> Click to make millions by owning your own franchise.
>>>
>>http://tagline.hushmail.com/fc/Ioyw6h4eB8rENcAX63OKyEklXhdt1htMFgy2
>>tF8DC8RCA04pNI4uPe/
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>
> --
> Click for free info on java training and make up to $150K/ year.
> http://tagline.hushmail.com/fc/Ioyw6h4dF2hsyexjyN3z3Fpk0ZIJFvkDdT2Hf5OMzTplIBED7r44ry/
>
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ