| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 16 Aug 2013 14:40:05 -0300 From: Luther Blissett <lblissett@...anoici.org> To: Bart van Tuil <BvanTuil@...cartes.com> Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>, "admin@...estonenetworks.com" <admin@...estonenetworks.com> Subject: Re: Who's behind limestonenetworks.com AKA DDoS on polipo(8123) On Fri, 2013-08-16 at 09:54 +0000, Bart van Tuil wrote: > Luther, > > Is it just me, or is this ddos of 19045 packets in three hours a really, > really sorry attempt at anything at all?? Even the peak of 30 pkts/sec > wouldn't really disrupt -any- service on a modern system, or disrupt any > self-respecting internet connection. I agree you shouldn't ignore the > action by itself, but what was the actual damage? > > Also, I am not clear about where you found this binary. Was it on your > local fs? Was this just the content of the packages? If lfs, could the > packet storm be nothing more than a distraction? > > And at least 216.245.220.56 (one of the major participants); and by > extension the rest in same subnet is not from limestone networks, and > from far outside of USA. > > > I am very curious about the binary though :) if circumstance will > allow me ill take some time to look closer this weekend. > > > Happy hunting, > > Bart > > Hello Bart, how's life today?! Apart from this code I found and some offline hours, I could not identify any real damage on my system. I agree with you this packet storm shouldn't have succeeded on driving my machine offline and I still don't know why it could do it. To clarify the issue: (i) my ISP is not the most trusted one. The link speed often changes and sometimes gets real lame. (ii) The attacker might have tried to reach my tor server, but he could not do it. The firewall that caught these transmissions is on a different guard machine. (iii) there are more services and machines protected by this guard machine and various of them were online at the time the attack started. (iv) though I said the attack endured at least three hours, it did not take me three hours to notice it and I unplugged the machine much earlier, so the total packet count and max packet rate are not the real picture, but just the representation of what the machine flagged when it was connected. The binary is a corrupted part of "/var/log/messages". From what I know, it could be the attack triggered some hidden bug and that's all. But it could also be that the attacker had previously gathered useful info on my system and new this would happen. So I won't leave much space to chance. That said, I'm no expert on assembly, hex and lowlevel computing. So it may take quite some time before I understand the issue. If you find something useful on happy hacking times, please do tell me. Finally, I'm glad you found this address from outside limestone. Since there were mani IP's, I randomly tested 20 or so and all of them were inside limestone so I jumped to the conclusion that all addresses were inside. Happy debian b-day! _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists