lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 16 Aug 2013 14:40:05 -0300
From: Luther Blissett <lblissett@...anoici.org>
To: Bart van Tuil <BvanTuil@...cartes.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
 "admin@...estonenetworks.com" <admin@...estonenetworks.com>
Subject: Re: Who's behind limestonenetworks.com AKA DDoS
 on	polipo(8123)

On Fri, 2013-08-16 at 09:54 +0000, Bart van Tuil wrote: 
> Luther,
> 
> Is it just me, or is this ddos of 19045 packets in three hours a really, 
> really sorry attempt at anything at all?? Even the peak of 30 pkts/sec
> wouldn't really disrupt -any- service on a modern system, or disrupt any
> self-respecting internet connection. I agree you shouldn't ignore the 
> action by itself, but what was the actual damage?
> 
> Also, I am not clear about where you found this binary. Was it on your 
> local fs? Was this just the content of the packages? If lfs, could the 
> packet storm be nothing more than a distraction?
> 
> And at least 216.245.220.56 (one of the major participants); and by 
> extension the rest in same subnet is not from limestone networks, and 
> from far outside of USA.
> 
> 
> I am very curious about the binary though :) if circumstance will 
> allow me ill take some time to look closer this weekend.
> 
> 
> Happy hunting,
> 
> Bart
> 
> 

Hello Bart, how's life today?!

Apart from this code I found and some offline hours, I could not
identify any real damage on my system. I agree with you this packet
storm shouldn't have succeeded on driving my machine offline and I still
don't know why it could do it.

To clarify the issue: (i) my ISP is not the most trusted one. The link
speed often changes and sometimes gets real lame. (ii) The attacker
might have tried to reach my tor server, but he could not do it. The
firewall that caught these transmissions is on a different guard
machine. (iii) there are more services and machines protected by this
guard machine and various of them were online at the time the attack
started. (iv) though I said the attack endured at least three hours, it
did not take me three hours to notice it and I unplugged the machine
much earlier, so the total packet count and max packet rate are not the
real picture, but just the representation of what the machine flagged
when it was connected. 

The binary is a corrupted part of "/var/log/messages". From what I know,
it could be the attack triggered some hidden bug and that's all. But it
could also be that the attacker had previously gathered useful info on
my system and new this would happen. So I won't leave much space to
chance.

That said, I'm no expert on assembly, hex and lowlevel computing. So it
may take quite some time before I understand the issue. If you find
something useful on happy hacking times, please do tell me.

Finally, I'm glad you found this address from outside limestone. Since
there were mani IP's, I randomly tested 20 or so and all of them were
inside limestone so I jumped to the conclusion that all addresses were
inside.

Happy debian b-day!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists