lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 17 Aug 2013 13:39:16 +0200
From: Jann Horn <jann+couchdb-dev@...jh.net>
To: adam <adam@...sy.net>
Cc: Full Disclosure List <full-disclosure@...ts.grok.org.uk>
Subject: Re: Who's behind limestonenetworks.com AKA DDoS
 on polipo(8123)

On Fri, Aug 16, 2013 at 04:49:24PM -0500, adam wrote:
> Jann, you know what's even worse than someone being a dick for no
> reason? Someone being a _stupid_ dick for no reason.

Maybe I'm being a dick, and maybe I'm being a dick for no reason, but I
don't think I'm being a _stupid_ dick.


> In case you're
> unaware, the word "massive" was completely absent from this thread
> until YOU attempted to put it in someone elses' mouth. Beyond that,
> since you want to rip apart an innocent guy's post, let's see what
> happens when someone does it to yours.
> 
> "DDoS? So you mean your systems were impacted by that?"
> 
> Impacted is not the word you were looking for, since the answer to
> that would technically be a yes - not the no you were expecting. That
> aside, a denial of service attack is still a denial of service attack
> regardless of whether it succeeds or not. In fact, if you look up the
> definition - you'll see that it's _an attempt_ to make X unavailable.
> Not necessarily a successful one.

He was talking about a DDoS. Right, a DoS is just an attempt to make some kind
of service unavailable, but a DDoS is an attemt to make a system unavailable
by flooding it with an overwhelming amount of traffic from multiple sources.
IMO mentioning a DDoS implies "massive".

And yes, you're right, a DoS attack can be unsuccessful. My point was that
this small amount of traffic shouldn't be called a DDoS because there's no
way that the intention behind this amount of traffic was to take down that
service with pure bandwidth.


> "Let me google that for you. Hmm. Assigned to "Polipo Web proxy"."
> 
> Psst.. you may want to read the entire thread title.

Heh, you have a point.


> "Oooh, a storm!"
> 
> storm
> Verb
> Move angrily or forcefully in a specified direction: "she stormed off".
> 
> Whether you like it or not, it meets the definition.

Uh, he didn't use it as a verb. He used the noun "storm", and two times, he
said "packet storm". I read "packet storm" as "a storm of packets", so my
interpretation is that he was talking about a storm on the packet level.

If you have a look at the Jargon File, you'll see that in the context of
IT, a "storm" usually means something that is characterized by massive
amounts of network activity. A packet storm then would be something that looks
like a really big amount of activity on the network level, right?


> "Your systems were impacted by a DoS attack with 30 packets per
> second? You might
> want to upgrade to hardware that is a few decades newer."
> 
> How much of the original post did you actually read? Nowhere in it did
> the OP say that this attack succeeded. Again, just like above - YOU
> are the one who first used the word impact[ed]. It's funny how you put
> words in peoples' mouths, and then reply to them as though they
> actually said it.

Why would you call 30 packets per second an attack unless that actually impacts
your system? It was an ironic statement intended to hint at the possibility
that the OP was mistaken about what exactly impacted his system.


> More than that, the only thing the OP mentioned was
> that one of his log files were corrupted in the process of the attack.
> I didn't read that the attack succeeded, shut down the service, his
> machine, his network or anything else - and neither did you.

Right.


> "You were attacked by "O=TCP SPT=2216"? Cool story."
> 
> Oh my God, there was a line in there that didn't have an IP address?
> What a RETARD the OP must be. How can anyone be so stupid? I bet the
> earth stopped spinning when that happened. Think so?

Tough question. No, seriously, to me this means that he piped his firewall logs
or so into some command-line commands without making really sure that the
commands extract exactly the data he wants. Therefore, this line means for me
that there's a high possibility of totally unrelated IPs being in that list
that just happened to communicate with his system at the wrong time. For me,
this line makes the validity of that whole list very questionable.


> "He said above 30 packets per second, right? I'll just assume it's around 30.
> And the sample packet from that "packet storm" contained this part: "LEN=52".
> So that's around 1500 bytes per second, or 12 kilobits per second. And those
> packets are downstream for him."
> 
> You're randomly assuming that all of the packets were the exact same
> length, which makes anything derived from that assumption
> automatically flawed.

That's right. I assumed that the traffic was highly uniform because:
 - as far as I know, traffic usually is relatively uniform in attacks
 - he picked this one line and apparently thought that it was sufficient
   to give us an idea of what the attack traffic looked like (otherwise,
   he would have shown us a bunch of lines and not just one because his
   intent here obviously was to illustrate the nature of the attack,
   right?)
Well, maybe I jumped to conclusions here, but I don't think so.


> "A good modem connection can give you up to 56kbit/s per direction as far as I
> understand."
> 
> You've never used dialup, have you?

Right.


> What you're saying is that "good
> modems" (what exactly is a bad modem?) get 7KB/s down and 7KB/s up -
> that is completely untrue. It's a lot closer to 5KB/s down (if you're
> lucky) and 2KB/s up.

Oh, interesting. So even back then, connections were asymmetric?


> Aside from all of this, again, I reiterate that
> you have no idea what size the other 19,044 packets were. Anyway, yes
> - if your assumption were correct (52*19045 through a 56k modem) then
> it'd take only a few minutes to download all of the data (which
> doesn't even total a meg).
> 
> HOWEVER, there are still a multitude of things wrong with your entire
> stance. Firstly, bandwidth exhaustion is NOT the only way to perform a
> denial of service. In fact, in my opinion, it should be the last
> resort.

True, but he said "DDoS" and "packet storm".


> There are much much better ways to do it, depending on the
> service being targeted. For example, some popular multiplayer games
> can be brought down with a single packet. Some can be kept down with
> that single packet, others require one group of packets to be kept
> down, and then some others require that one packet every X minutes. I
> use game servers only as an example.

Right, that kind of DoS attack is obviously more effective and doesn't require
the attacker to use a "storm" of packets.


> If his log becoming corrupted was intentional, then it's entirely
> possible that the point of the attack wasn't to exhaust bandwidth but
> to crash the actual server application (or worse, exploit it in a way
> that can lead to remote access).

Yes, true, if the log really was currupted in a very weird way.


> No matter what the case though,
> almost every one of your points have been based on seemingly random
> (and likely inapplicable) assumptions you've made.

Well, I've tried to explain those assumptions now.


> So on top of coming
> across as a prick, you're also coming across as a clueless prick. And
> for no reason whatsoever.
> 
> Way to go.

OK, to help with the "clueless" part: Here's the original for that mysterious
binary he posted:

g 13 20:51:04 tagesuhu user.warn kernel: [hammer] : IN=vlan2 OUT= MAC=00:21:27:fa:dd:44:00:15:f9:2a:9f:d9:08:00:45:00:00:34 SRC=216.245.221.107 DST=189.38.235.250 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=15314 DF PROTO=TCP SPT=2956 DPT=8123 WINDOW=65535 RES=0x00 SYN URGP=0

He somehow managed to mess up his logfile to be byte-swapped, just as if
someone had sent it through "dd conv=swab". I don't know how
he ended up with that, but that doesn't look like such a malicious, evil attack
to me. :D

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists