Re: [Full-disclosure] New DDoS attack vector



dear ascii,

On 20 May 2011 15:43, ascii <ascii@xxxxxxxxxxxx> wrote:
On 05/20/2011 02:10 PM, minor float wrote:
not really, because we have seen that they've used more than one smtp
server for this.
minor

Dear minor,

the attack you proposed is very stretched and has an extremely low
efficiency. What follows is my feeling about the issue and I don't
exclude that I could be missing some key concept.

The idea behind well executed DoS attacks is that little resources
on the attacker's side cause big disruption on the victim's assets.

sending a spam campaign does not cost millions today, right?

This together with the fact that big MTA clusters are likely to use
a caching DNS server to speed up lookups and delivery is enough to
dismiss your research as largely uninteresting.


please note, that the variable 3rd level bypasses the caching.

The call about the urgent need of a task-force to face this nasty and
dangerous attack, in pure dnsinsky hype style, and the advice to
"tighten the rules when registering the domains" make the whole thing
hilarious.

imho it's hell about time to do finally something with the point that
somebody at the icann accepts the fact to have a profit from the spam
domain registration and other such things. you can blame me that i am
lame (and this is to all who want to tell that the attack is lame),
but instead of bitching on me, try to think seriously about
possibilities how to avoid this and other shit that is going on every
day. thanks god for all the ppl i've been in touch, we already
discussed some other workarounds. if you want to contribute, you're
welcome.

Best quote: "As we already wrote in this paper, the number of recorded
bots during the attack observation was about 14.000 with more than
100.000 spam messages. The target was just one DNS server and only one
pre-registered domain was used. The white horse systems were able to
disrupt the DNS server operation for more than one day and the
efficiency of such attack was very high."

14.000 bots to take down one DNS server? UMH.

yes, 14.000 bots took down the DNS server. no kidding! consider that
bot sends spam messages to multiple MX, and they perform a hell of
lookups.


Cordially,
Francesco `ascii` Ongaro
http://www.ush.it/

Original url: http://www.zone-h.org/news/id/4739
Mirror: http://nopaste.info/848d88a621.html

minor

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
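
Added example, not part of the original thread or of the paper it discusses: a resolver-side check for the cache-bypass effect of a variable 3rd-level label, flagging registered domains whose lookups almost never repeat a name. The log format, function names, thresholds and sample domains are assumptions made for illustration.

```python
from collections import defaultdict

def registered_domain(qname):
    # Assumption: registered domain = last two labels. Use the Public Suffix
    # List in production (co.uk-style suffixes break this shortcut).
    return ".".join(qname.split(".")[-2:])

def cache_bypass_suspects(log_lines, min_queries=50, max_hit_ratio=0.1):
    """Flag registered domains whose lookups almost never repeat a name.

    Log format is hypothetical: "<epoch> <client-ip> <qname> <qtype>".
    Returns {domain: (total_queries, unique_names, best_case_hit_ratio)}.
    """
    total = defaultdict(int)
    unique = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of crashing
        qname = fields[2].rstrip(".").lower()
        dom = registered_domain(qname)
        total[dom] += 1
        unique[dom].add(qname)
    suspects = {}
    for dom, n in total.items():
        # Best case for a cache: only the first lookup of each name misses,
        # so every unique name is one query forwarded to the authoritative server.
        hit_ratio = 1 - len(unique[dom]) / n
        if n >= min_queries and hit_ratio <= max_hit_ratio:
            suspects[dom] = (n, len(unique[dom]), hit_ratio)
    return suspects

def sample_log():
    # Constructed sample: the query log of a resolver used by an MTA.
    lines = []
    for i in range(300):
        # Ordinary mail: a few MX names looked up repeatedly (cacheable).
        lines.append(f"{1305900000 + i} 192.0.2.10 mx{i % 3}.provider.example MX")
        # Lookups where the 3rd-level label differs every time (never cached).
        lines.append(f"{1305900000 + i} 192.0.2.10 h{i:04x}.spamdomain.example MX")
    return lines

if __name__ == "__main__":
    for dom, (n, u, ratio) in cache_bypass_suspects(sample_log()).items():
        print(f"{dom}: {n} queries, {u} unique names, best-case hit ratio {ratio:.2f}")
```

A domain flagged here is one for which a caching resolver gives no protection to the authoritative server, which is the point argued in the thread; legitimate services with per-request hostnames can also match, so the output is a list to review, not a blocklist.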
