Security Incidents mailing list archives
Incident 25424
From: George Milliken <gmilliken () farm9 com>
Date: Wed, 16 Aug 2000 09:54:08 -0700
Apache Distributed Denial of Service Revised & Resolved
August 16, 2000 09:15 AM PST
CERT Incident # 25424

On August 10, 2000 we reported a possible Windows-based DDoS attack against Apache servers involving over 500 hosts. The attack was an old Apache DoS but was apparently being generated via some distribution mechanism. We requested information and assistance from BUGTRAQ and several of the apparent attacker sites. The situation has been resolved with the assistance of the IT personnel at several of the unwitting attacker sites.

The attack consisted of the following sequence of packets:

  Sequence #3556       Attacker Client .188  <----->  Victim Site .78
  ------------------------------------------------------------------
  <->  1  TCP 3-way handshake
   ->  2  GET ////////// HTTP 11.1   Alert!
  <-   4  ACK
  <-   5  HTTP 200 OK (web page with ///////\\\\\\\)
  <-   6  Web page part 2 ///////\\\\\\\
  <-   8  FIN

The attack was widespread and grew fairly rapidly; however, it only targeted one particular large web site. The attack was executed by altering a template web page used by customers of this site to set up "Under Construction" pages. Each time one of these "Under Construction" pages was referenced, the attack sequence would be retrieved and sent back against the victim site. It was widespread and grew rapidly because this particular site hosts many web pages; as new customers were added, the number of attacks (from new IP addresses) increased.

The attack may have been a malicious act. It may also be attributed to data corruption of a key HTML template on the site. The nature of the implementation of the attack was such that it could not spread outside of this particular site.

Several people have asked how this was detected. This particular site uses SNORT, Tripwire and RealSecure, but RealSecure was the IDS detecting the attack in this case.

Prepared by: farm9.com, Inc.
Security Operations Center soc () farm9 com
Contact: Guy Morgan gmorgan () farm9 com
Or George Milliken gmilliken () farm9 com
http://www.farm9.com
###
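As an added illustration, not part of the original report or of farm9's own tooling, the following scan flags the slash-run GET requests described above in Apache access-log lines and raises a separate alert when the same malformed request arrives from many distinct source addresses. The log lines, the address values and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample Apache combined-log lines (not from the original incident).
SAMPLE_LOG = """\
10.0.0.188 - - [16/Aug/2000:09:15:01 -0700] "GET //////////////////////////////// HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.50 - - [16/Aug/2000:09:15:02 -0700] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
10.0.0.189 - - [16/Aug/2000:09:15:03 -0700] "GET //////////////////////////////// HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.188 - - [16/Aug/2000:09:15:04 -0700] "GET //////////////////////////////// HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.51 - - [16/Aug/2000:09:15:05 -0700] "GET //about/ HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
"""

# Fields of the common/combined log format we need: client address, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_slash_flood(path, min_slashes=8):
    """True when the request target is nothing but a run of slashes at least min_slashes long.

    A path such as "//about/" contains slashes but is not a pure run, so it is not flagged.
    """
    return len(path) >= min_slashes and set(path) == {"/"}


def scan_log(text, min_slashes=8):
    """Return {source_ip: hit_count} for log lines whose request target is a slash run."""
    hits = defaultdict(int)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_slash_flood(m.group("path"), min_slashes):
            hits[m.group("ip")] += 1
    return dict(hits)


def distributed_alert(hits, min_sources=2):
    """Flag the distributed case: the same malformed request seen from many distinct sources.

    The threshold is an assumption; in the report the count grew past 500 hosts.
    """
    return len(hits) >= min_sources


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    print("slash-run requests by source:", found)
    print("distributed pattern:", distributed_alert(found))
```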