Re: [Full-disclosure] n3td3v group calls on RSA to clarify their stance



On Sat, 01 Apr 2006 05:34:20 +0100, n3td3v said:
> against fake logins and their databases. There's no way however they could
> carry out world wide attacks on hundreds of fake login targets, without the
> use of more than one ip host.

Obviously you've never bothered to look at just how much one spam can be
pumped out a single zombied machine on a cablemodem in one day, have you? ;)

You'd be amazed at what one host can do, given an actual pipe bigger than
the average consumer-grade skinny pipe, and some creative programming to
sustain more network traffic than the average browser can put on the pipe.

Remember they don't have to flood the destination host enough to kick it off
the net - they only need to send it enough bogus data so the phishers can't
find the real one. Several tens of thousands of bogus entries per day till it
gets taken down - even if you guesstimate 10 packets per bogus connection (hint
- use http keepalives to your benefit here :), you're only looking at 100K
packets, over a 24 hour timespan that's only one or two packets per second.

Doing in 2,000 phishing hosts only needs to sustain 2,000 packets per second,
which is <rough back-of-envelope calc> only going to need a 100mbit or so pipe.
You can't do it on a single 10mbit ethernet, that's only going to give you
about 800 1500-byte packets to do the HTTP POST commands with per second.

But even hosing down 2,000 hosts with 10K bad requests each is only going to
take up about 25% of the pipe. If you're only hitting 500 hosts, you can
probably send each one well over 100K bogus ones a day.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
