Full Disclosure mailing list archives

Re: Who's behind limestonenetworks.com AKA DDoS on polipo(8123)


From: peter_toyota <peter_toyota () hotmail com>
Date: Fri, 16 Aug 2013 16:32:25 -0500

I remember as a youngling in the olden days of these internets you young fellows are so fond of, that a dial up analog 
modem connection actual throughput would max out at 53.3kb. Something about how encapsulation overhead would take a 
portion out of the total possible V.92 modulation and compression scheme.

Ah... the days of old, and the excitement every day to see if the connection would "train" past 50kb...
Such fond memories of yore...

-------- Original message --------
From: Jann Horn <jann () thejh net> 
Date: 08/16/2013  3:31 PM  (GMT-06:00) 
To: Jeffrey Walton <noloader () gmail com> 
Cc: Full Disclosure List <full-disclosure () lists grok org uk> 
Subject: Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123) 
 
On Fri, Aug 16, 2013 at 01:37:54PM -0400, Jeffrey Walton wrote:
> On Fri, Aug 16, 2013 at 1:31 PM, Jann Horn <jann () thejh net> wrote:
> > On Thu, Aug 15, 2013 at 05:29:52PM -0300, Luther Blissett wrote:
> > > Hello dear companions,
> > >
> > > Two days ago one of my tor exit nodes experienced something I'm now
> > > calling "limestonenetworks DDoS on polipo" ( $WAN_IP:8123 ), since all
> >
> > DDoS? So you mean your systems were impacted by that?
> He may be running an exit node for the benefit of others on a low
> bandwidth connection.
>
> Forgive me if you were joking with an old friend, or I missed something.

Let's check how massive that "attack" is.

He said above 30 packets per second, right? I'll just assume it's around 30.
And the sample packet from that "packet storm" contained this part: "LEN=52".
So that's around 1500 bytes per second, or 12 kilobits per second. And those
packets are downstream for him.

Now take a look at <http://en.wikipedia.org/wiki/Modem#List_of_dialup_speeds>.
A good modem connection can give you up to 56kbit/s per direction as far as I
understand. So unless I made some weird calculation errors, someone on a good
modem connection should be able to take that "attack" without any problems.

An "attack" from one (!) bot on a normal DSL line should already be much bigger.

Calling this a DoS attack would be ridiculous, calling it a DDoS even more so.

(Of course, it might still be that he really was hacked and his systems were
attacked in a smarter way, but it's very clear that nobody tried to take him
out with pure bandwidth.)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
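
The estimate worked out in the quoted message (packet rate times the logged LEN, compared with link capacity), as an added example that is not part of any of the original posts: it measures the rate from firewall log lines instead of assuming it. The netfilter/syslog line layout around LEN=52, the documentation IP addresses, the year and all function names are assumptions made for this sketch.

```python
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?LEN=(\d+) .*?DPT=(\d+)")

def make_sample(pps=30, seconds=10):
    """Constructed netfilter LOG lines (documentation IPs), not the poster's logs."""
    return [
        f"Aug 14 03:12:{s:02d} exit kernel: IN=eth0 OUT= SRC=198.51.100.7 "
        f"DST=203.0.113.5 LEN=52 TOS=0x00 TTL=51 PROTO=TCP SPT={40000 + i} "
        f"DPT=8123 SYN"
        for s in range(seconds) for i in range(pps)
    ]

def summarize(lines, dport=8123, year=2013):
    """Packet and bit rate towards dport; LEN is the IP total length,
    so link-layer framing is not counted."""
    stamps, total = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m.group(4)) != dport:
            continue  # unrelated or unparsable line
        # syslog omits the year; it is supplied here as an assumption
        stamps.append(
            datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
        total += int(m.group(3))
    if not stamps:
        return {"packets": 0, "pps": 0.0, "kbit_s": 0.0}
    # timestamps have 1 s resolution, so the window is counted inclusively
    window = (max(stamps) - min(stamps)).total_seconds() + 1
    return {"packets": len(stamps),
            "pps": len(stamps) / window,
            "kbit_s": total * 8 / window / 1000}

def link_share(kbit_s, link_kbit_s):
    """Fraction of a link's downstream capacity the traffic consumes."""
    return kbit_s / link_kbit_s

if __name__ == "__main__":
    stats = summarize(make_sample())
    print(stats, f"{link_share(stats['kbit_s'], 56):.0%} of a 56 kbit/s modem")
```

A low share only rules out bandwidth exhaustion; it says nothing about connection-table or application-level load on the proxy.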