lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130816181254.66fbd556@hardfalcon-3>
Date: Fri, 16 Aug 2013 18:12:54 +0200
From: Pascal Ernster <full-disclosure@...dfalcon.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Who's behind limestonenetworks.com AKA DDoS
 on polipo(8123)

Binary? The only "binary" thing I see in that hexdump are a bunch of
null bytes and the \n at the end.

regards
Pascal


On Thu, 15 Aug 2013 17:29:52 -0300
Luther Blissett <lblissett@...anoici.org> wrote:

> Hello dear companions,
> 
> Two days ago one of my tor exit nodes experienced something I'm now
> calling "limestonenetworks DDoS on polipo" ( $WAN_IP:8123 ), since all
> packets in the storm were flowing from a range of 514 different IP
> addresses, all of them inside limestonenetworks IP range and targeting
> port 8123 on my tor exit node WAN IP.
> 
> Before the packet storm, I could observe a huge increase on attempts
> to access my WAN domain through tor. I couldn't relate IP addresses
> from this first raise to those responsible for the actual packet
> storm nor could I identify some useful pattern there, but they were
> all coming from port 9001 and increased just some hours before the
> storm, so I'm guessing they are related somehow.
> 
> Also, throughout the storm, one of my log files got corrupted with
> some unreadable bin garbage. I do not know if it was intended/targeted
> exploit, but I'm reworking secrets and trying to figure out what is
> this binary.
> 
> Here is a sample line of a WAN attempt:
> 
> Aug 13 16:50:22 $USER user.warn kernel: [DROP INVALID WAN] : IN=vlan2
> OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
> SRC=77.56.151.190 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43
> ID=38787 DF PROTO=TCP SPT=40888 DPT=9001 SEQ=289854459 ACK=41163
> 
> Here is a sample line of packet storm:
> 
> Aug 13 20:39:14 $USER user.warn kernel: [hammer] : IN=vlan2 OUT=
> MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
> SRC=74.63.216.60 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=48
> ID=20269 DF PROTO=TCP SPT=1757 DPT=8123 WINDOW=65535 RES=0x00 SYN
> URGP=0 OP
> 
> The attack persisted for at least three hours and left this binary
> (hex represented):
> 
> 0000000 0000 0000 0000 0000 0000 0000 0000 0000
> *
> 0000b90 0000 0000 0000 0000 0000 0000 2067 3331
> 0000ba0 3220 3a30 3135 303a 2034 6174 6567 7573
> 0000bb0 7568 7520 6573 2e72 6177 6e72 6b20 7265
> 0000bc0 656e 3a6c 5b20 6168 6d6d 7265 205d 203a
> 0000bd0 4e49 763d 616c 326e 4f20 5455 203d 414d
> 0000be0 3d43 3030 323a 3a31 3732 663a 3a61 6464
> 0000bf0 343a 3a34 3030 313a 3a35 3966 323a 3a61
> 0000c00 6639 643a 3a39 3830 303a 3a30 3534 303a
> 0000c10 3a30 3030 333a 2034 5253 3d43 3132 2e36
> 0000c20 3432 2e35 3232 2e31 3031 2037 5344 3d54
> 0000c30 3831 2e39 3833 322e 3533 322e 3035 4c20
> 0000c40 4e45 353d 2032 4f54 3d53 7830 3030 5020
> 0000c50 4552 3d43 7830 3030 5420 4c54 343d 2038
> 0000c60 4449 313d 3335 3431 4420 2046 5250 544f
> 0000c70 3d4f 4354 2050 5053 3d54 3932 3635 4420
> 0000c80 5450 383d 3231 2033 4957 444e 574f 363d
> 0000c90 3535 3533 5220 5345 303d 3078 2030 5953
> 0000ca0 204e 5255 5047 303d 000a               
> 0000ca9
> 
> Attached is the list of participating IP addresses, line by line, with
> the count of packets received. The attacker started sending something
> like 4 packets per second and increased to over than 9000!!! - just
> kidding, over 30 per second.
> 
> JSYK, I welcome any comments.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ