lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130816203059.GG11147@debjann.fritz.box>
Date: Fri, 16 Aug 2013 22:30:59 +0200
From: Jann Horn <jann@...jh.net>
To: Jeffrey Walton <noloader@...il.com>
Cc: Full Disclosure List <full-disclosure@...ts.grok.org.uk>
Subject: Re: Who's behind limestonenetworks.com AKA DDoS
 on polipo(8123)

On Fri, Aug 16, 2013 at 01:37:54PM -0400, Jeffrey Walton wrote:
> On Fri, Aug 16, 2013 at 1:31 PM, Jann Horn <jann@...jh.net> wrote:
> > On Thu, Aug 15, 2013 at 05:29:52PM -0300, Luther Blissett wrote:
> >> Hello dear companions,
> >>
> >> Two days ago one of my tor exit nodes experienced something I'm now
> >> calling "limestonenetworks DDoS on polipo" ( $WAN_IP:8123 ), since all
> >
> > DDoS? So you mean your systems were impacted by that?
> He may be running an exit node for the benefit of others on a low
> bandwidth connection.
> 
> Forgive me if you were joking with an old friend, or I missed something.

Let's check how massive that "attack" is.

He said above 30 packets per second, right? I'll just assume it's around 30.
And the sample packet from that "packet storm" contained this part: "LEN=52".
So that's around 1500 bytes per second, or 12 kilobits per second. And those
packets are downstream for him.

Now take a look at <http://en.wikipedia.org/wiki/Modem#List_of_dialup_speeds>.
A good modem connection can give you up to 56kbit/s per direction as far as I
understand. So unless I made some weird calculation errors, someone on a good
modem connection should be able to take that "attack" without any problems.

An "attack" from one (!) bot on a normal DSL line should already be much bigger.

Calling this a DoS attack would be ridiculous, calling it a DDoS even more so.

(Of course, it might still be that he really was hacked and his systems were
attacked in a smarter way, but it's very clear that nobody tried to take him
out with pure bandwidth.)

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ