Security Incidents mailing list archives

Re: Interesting new DDoS method?


From: zeno <bugtraq () cgisecurity net>
Date: Wed, 2 Oct 2002 15:37:51 -0400 (EDT)

The idea of webserver/web app holes for use with launching DDoS isn't a new idea.
Some people have even written CGI programs which are solely made for flooding for later
use. I do think this will become a very popular method of launching DDoS attacks, on the
other hand.
 

- zeno () cgisecurity com




Excerpt from webserver logs:

/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+ping%20-n%20666%20-l%2065500%20-w%200%2065.168.118.157 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)

We had several of these appear in the logs.  Deciphering the command that was attempted, it looks like: ping -n 666 -l 65000 -w 0

It looks like someone's attempting to take advantage of code red / nimda infected (or vulnerable) servers to use as a 
Distributed DoS.  Quite clever.  All one would have to do is sit and accumulate a list of machines that have 
attempted to probe you for CR/CRv2/Nimda etc...

Scripting an attack like this would be quite simple.  However, the machines that were probed here, were not infected 
or vulnerable.


Keith T. Morgan - CISSP, CCSE/CCSA, MCP
Terradon Communications Group
Office: 304.755.1324 x142
Mobile: 304.415.0238
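
The decoding step described above, worked through as an added example (this is not code from the post or from its author): a small Python scanner that takes IIS-style access log lines, percent-decodes the request path repeatedly (the way IIS ended up doing for the %255c form), flags requests that reach cmd.exe, and parses the ping arguments out of the query string to recover the DDoS target and how much ICMP payload each infected host would send. The log lines are constructed to mirror the quoted entry; the %c0%af overlong-UTF-8 variant, the default ping values and the payload arithmetic are assumptions added for illustration.

```python
"""Find cmd.exe-via-traversal requests in IIS-style logs and decode the
command each one tries to run (added example, not the poster's code)."""
import re
import urllib.parse

# Constructed sample lines (not the log file from the post). Line 1 mirrors
# the quoted request; line 2 is a benign fetch that must not match; line 3
# is the %c0%af (overlong UTF-8 "/") traversal variant with another command.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Oct/2002:14:12:03 -0400] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+ping%20-n%20666%20-l%2065500%20-w%200%2065.168.118.157 HTTP/1.0" 200 -
10.0.0.6 - - [02/Oct/2002:14:12:07 -0400] "GET /index.html HTTP/1.1" 200 1432
10.0.0.7 - - [02/Oct/2002:14:13:19 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
"""

REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_fully(s, max_rounds=3):
    """Percent-decode until the text stops changing; return (text, rounds).
    %255c needs two rounds (%255c -> %5c -> '\\'), which is exactly how the
    double-decoded path slipped past the traversal check on the server."""
    rounds = 0
    while rounds < max_rounds:
        decoded = urllib.parse.unquote(s, errors="replace")
        if decoded == s:
            break
        s, rounds = decoded, rounds + 1
    return s, rounds


def parse_ping(argv):
    """Map Windows ping arguments (after 'ping') to DoS-relevant values.
    Defaults (4 echoes, 32 bytes, 4000 ms timeout) are the Windows defaults."""
    opts = {"count": 4, "size": 32, "timeout_ms": 4000, "flood": False, "target": None}
    keys = {"-n": "count", "-l": "size", "-w": "timeout_ms"}
    i = 0
    while i < len(argv):
        tok = argv[i].lower()
        if tok == "-t":
            opts["flood"] = True
        elif tok in keys and i + 1 < len(argv):
            try:
                opts[keys[tok]] = int(argv[i + 1])
            except ValueError:
                pass
            i += 1
        elif not tok.startswith("-"):
            opts["target"] = argv[i]
        i += 1
    # Bytes of ICMP payload one host sends if every echo goes out.
    opts["payload_bytes"] = opts["count"] * opts["size"]
    return opts


def analyze_line(line):
    """Return a finding dict for a cmd.exe request, or None for anything else."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    raw_path, _, raw_query = m.group("target").partition("?")
    path, rounds = decode_fully(raw_path)
    if "cmd.exe" not in path.lower():
        return None
    # In the query string '+' and %20 are both spaces; "/c" is the cmd.exe switch.
    command = urllib.parse.unquote_plus(raw_query, errors="replace")
    if command.lower().startswith("/c "):
        command = command[3:]
    argv = command.split()
    finding = {
        "client": m.group("client"),
        "status": int(m.group("status")),
        "path": path,
        "decode_rounds": rounds,
        "command": command,
        "ping": parse_ping(argv[1:]) if argv and argv[0].lower() == "ping" else None,
    }
    return finding


def scan(log_text):
    """Run analyze_line over every line and keep the hits."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The `status` field matters for the original point: a 200 on a line like the first one means the server actually ran the command, whereas the 404 on the third shows a probe that went nowhere. The `decode_rounds` value of 2 singles out the double-encoding trick specifically, and `payload_bytes` (666 echoes of 65500 bytes, some 43 MB from one host) is what makes a list of such hosts worth accumulating for an attacker.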


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com





