Re: Question about HTTP DDOS attacks.

From: Kyle R. Hofmann (krh@lemniscate.net)
Date: 03/18/02

Previous message: Hugo van der Kooij: "Re: Question about HTTP DDOS attacks."
In reply to: Hugo van der Kooij: "Re: Question about HTTP DDOS attacks."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Incidents Mailing List <incidents@securityfocus.com>
Date: Mon, 18 Mar 2002 10:26:35 -0800
From: "Kyle R. Hofmann" <krh@lemniscate.net>

On Mon, 18 Mar 2002 07:42:47 +0100, Hugo van der Kooij wrote:
> On Fri, 15 Mar 2002 eax@3xT.org wrote:
>
> > For the last couple days, one of our client's virtual-hosts on one of our webservers has been DDOSed with
> > tons of HTTP requests composed of:
> >
> > GET / HTTP/1.1
> > Host: example.com
>
> These are in fact valid request if I setup a link like: <a
> href="http://example.com/"> or even <a href="http://example.com">

They're not valid if he's not example.com. See RFC 2606:

"3. Reserved Example Second Level Domain Names

   The Internet Assigned Numbers Authority (IANA) also currently has the
   following second level domain names reserved which can be used as
   examples.

        example.com
        example.net
        example.org"

$ dig example.com

; <<>> DiG 2.2 <<>> example.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38839
;; flags: qr rd ra; Ques: 1, Ans: 1, Auth: 2, Addit: 0
;; QUESTIONS:
;; example.com, type = A, class = IN

;; ANSWERS:
example.com. 172800 A 192.0.34.72

;; AUTHORITY RECORDS:
example.com. 21600 NS a.iana-servers.net.
example.com. 21600 NS b.iana-servers.net.

;; Total query time: 400 msec
;; FROM: yvonne.lemniscate.net to SERVER: default -- 127.0.0.1
;; WHEN: Mon Mar 18 10:22:35 2002
;; MSG SIZE sent: 29 rcvd: 93

$ lynx -dump http://www.example.com/

   You have reached this web page by typing "example.com", "example.net",
   or "example.org" into your web browser.

   These domain names are reserved for use in documentation and are not
   available for registration.

-- Kyle R. Hofmann <krh@lemniscate.net>

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Previous message: Hugo van der Kooij: "Re: Question about HTTP DDOS attacks."
In reply to: Hugo van der Kooij: "Re: Question about HTTP DDOS attacks."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]