Full Disclosure mailing list archives

RE: Attack profiling tool?


From: "Gareth Blades" <list.fulldisclosure () webscreen-technology com>
Date: Fri, 11 Jul 2003 09:38:13 +0100

Our product detected the attack as a 'connection flood' which is basically
where you open up lots of connections to a server and leave them idle. This
causes the server to have lots of open connections so that it reaches its
maximum connection limit and therefore nobody else can access the site
resulting in denial of service.

A common tool for this is called Naptha but what we are seeing is not
consistent with this tool because as soon as the connection limit is reached
all the connections are then closed. Naptha would keep them all open and
regularly keep trying to open new ones.

Our product monitors the connections to the site and when it begins to reach
its limit denies new connections from clients which have more connections
open than they should/normally would.

-----Original Message-----
From: daniel_clemens () birmingham-infragard org
[mailto:daniel_clemens () birmingham-infragard org] On Behalf Of daniel uriah clemens
Sent: Thursday, July 10, 2003 12:47
To: Gareth Blades
Cc: Fulldisclosure
Subject: Re: [Full-disclosure] Attack profiling tool?


I have seen this a number of times from various IP addresses and it is
always exactly the same. Our product which detected this prevents against
these types of attacks anyway so it is not a problem but I was wondering if
it is a particular attack tool going round the Internet profiling different
sites to see how many connections they support.

Out of curiosity to possibly reclarify your definition of an attack...
What type of attacks do these more than 3 connections fall into?

-Daniel Uriah Clemens

Esse quam videra
              (to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
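
The admission policy described in the message above (once the server nears its connection limit, refuse new connections from clients that already hold more than a normal share), as an added example. It is not the vendor's code; the class name, thresholds and addresses are assumptions constructed for illustration.

```python
from collections import Counter


class ConnectionGate:
    """Hypothetical admission gate: tracks open connections per client IP."""

    def __init__(self, max_conns, pressure_pct=80, per_client_normal=4):
        self.max_conns = max_conns                          # server's hard limit
        self.pressure_at = max_conns * pressure_pct // 100  # "beginning to reach its limit"
        self.per_client_normal = per_client_normal          # assumed normal per-client count
        self.open = Counter()                               # client IP -> open connections

    def total(self):
        return sum(self.open.values())

    def admit(self, ip):
        """Return True and record the connection if it may be accepted."""
        total = self.total()
        if total >= self.max_conns:
            return False  # table full: nothing more can be accepted
        # Under pressure, only clients at or below their normal share get in.
        if total >= self.pressure_at and self.open[ip] >= self.per_client_normal:
            return False
        self.open[ip] += 1
        return True

    def close(self, ip):
        """Record that one of this client's connections has closed."""
        if self.open[ip] > 0:
            self.open[ip] -= 1
            if self.open[ip] == 0:
                del self.open[ip]


def simulate():
    """Constructed traffic: one source opening idle connections, then ordinary clients."""
    gate = ConnectionGate(max_conns=20, pressure_pct=80, per_client_normal=4)
    # Flooding source (documentation address) tries 30 connections and never closes any.
    flood_admitted = sum(gate.admit("198.51.100.7") for _ in range(30))
    # Four ordinary clients then each open a single connection.
    normal = [gate.admit(f"192.0.2.{i}") for i in range(1, 5)]
    return flood_admitted, normal, gate.total()


if __name__ == "__main__":
    print(simulate())
```

The flooding source is stopped at the pressure threshold, which leaves the remaining slots for clients that are behaving normally.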

