Re: DDoS Attack

From: Andrew Anderson (koserve99_at_hotmail.com)
Date: 05/23/03

  • Next message: Jimi Thompson: "Re: A question for the list..."
    Date: 23 May 2003 16:12:08 -0000
    To: incidents@securityfocus.com
    In-Reply-To: <3ECD0537.7050208@valueweb.com>

    - The request strings look like they belong to a GT Bot.
    - As for the erroneous request, it looks like it's a parsing error in
    Apache.
    - As a suggestion I would filter out any GET requests with the @ symbol
    unless you have any files/folders that contain the @ symbol.

    >Our parent company is experiencing a very odd/severe DDoS attack coming
    >from all over the place. For the most part, the attack is occurring at
    >the Apache level. Log files show this request:
    >
    >[Tue May 20 09:13:33 2003] [error] [client 194.xxx.xxx.xxx] request
    >failed: erroneous characters after protocol string: -nb GET
    >!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!
    >@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!
    >^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!-nb
    >GET
    >@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    >@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    >@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@-nb
    >GET
    >!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!
    >@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!
    >^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!-nb
    >GET +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
    >+ATH0+ + +ATH0+ + +ATH0+ + +\x01TH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
    >+ +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
    >+ +ATH0+
    >
    >Scans of some of the attacking IPs show BackOrifice installations.
    >
    >Has anyone had this sort of attack, and what would be the best way to
    >combat it? Not much luck from the upstream(s) thus far.
    >
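An added example (not from the thread or from any list member) of the log triage a responder would do with entries like the ones quoted above: it parses Apache 1.3/2.0-style error-log lines, isolates the "erroneous characters after protocol string" rejections, tags each rejected request by whether it carries the "@" run or the "+ATH0+" pattern the poster reported, and counts rejections per client IP so the noisiest sources can be handed to the upstream for filtering. The log lines, the IPs (documentation ranges) and the threshold of two rejections are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample modelled on the error-log entries quoted in the thread.
# IPs are from documentation ranges; they are not the poster's addresses.
SAMPLE_ERROR_LOG = """\
[Tue May 20 09:13:33 2003] [error] [client 192.0.2.10] request failed: erroneous characters after protocol string: -nb GET @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@-nb
[Tue May 20 09:13:34 2003] [error] [client 192.0.2.10] request failed: erroneous characters after protocol string: -nb GET !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!-nb
[Tue May 20 09:13:35 2003] [error] [client 198.51.100.7] request failed: erroneous characters after protocol string: -nb GET +ATH0+ + +ATH0+ + +ATH0+
[Tue May 20 09:13:36 2003] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico
[Tue May 20 09:13:37 2003] [error] [client 192.0.2.10] request failed: erroneous characters after protocol string: -nb GET @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@-nb
[Tue May 20 09:13:38 2003] [error] [client 203.0.113.5] request failed: erroneous characters after protocol string: GET /index.html HTTP/1.0 trailing
"""

# Text Apache writes when the request line has extra tokens after the protocol.
MARKER = "request failed: erroneous characters after protocol string: "

# Apache 1.3 / 2.0 error-log layout: [timestamp] [level] [client ip] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] (?P<msg>.*)$"
)


def parse_error_line(line):
    """Split one error-log line into timestamp, client IP and message, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def malformed_request(msg):
    """Return the rejected request text if msg is the parser rejection seen in the thread, else None."""
    if msg.startswith(MARKER):
        return msg[len(MARKER):]
    return None


def classify(request):
    """Tag a rejected request by the pattern the thread reports (checked ATH0 first, then '@')."""
    if "ATH0" in request:
        return "ath0"
    if "@" in request:          # the '@' filter suggested in the reply would catch these
        return "at_symbol"
    return "other"


def summarize(log_text, threshold=2):
    """Count parser rejections per client IP and by pattern; list IPs at or above threshold."""
    per_ip = Counter()
    by_kind = Counter()
    total = 0
    for line in log_text.splitlines():
        rec = parse_error_line(line)
        if rec is None:
            continue
        total += 1
        req = malformed_request(rec["msg"])
        if req is None:          # ordinary error entries (404s etc.) are not counted
            continue
        per_ip[rec["ip"]] += 1
        by_kind[classify(req)] += 1
    suspects = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {
        "lines": total,
        "malformed": sum(per_ip.values()),
        "per_ip": dict(per_ip),
        "by_kind": dict(by_kind),
        "suspects": suspects,    # candidates to report upstream or block at the edge
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_ERROR_LOG, threshold=2)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

One caveat on the reply's "@" filter: Apache emits this rejection while parsing the request line itself, before the URL reaches any handler or rewrite rule, so a URL-based filter inside Apache does not see these requests. Per-source counts like the ones this script produces are what the upstream needs to filter at the network edge.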
