Security Incidents mailing list archives

Incident 25424


From: George Milliken <gmilliken () farm9 com>
Date: Wed, 16 Aug 2000 09:54:08 -0700

Apache Distributed Denial of Service

Revised & Resolved
August 16, 2000
09:15 AM PST

CERT Incident # 25424

On August 10, 2000 we reported a possible Windows-based DDOS attack
against Apache servers involving over 500 hosts.  The attack was an old
Apache DOS but was apparently being generated via some distribution
mechanism.  We requested information and assistance from BUGTRAQ and
several of the apparent attacker sites.

The situation has been resolved with the assistance of the IT personnel
at several of the unwitting attacker sites.

The attack consisted of the following sequence of packets

Sequence #3556
Attacker Client .188  <----->    Victim Site .78
------------------------------------------------------------------
<->     1       TCP 3way
->      2       GET ////////// HTTP 11.1     Alert!
<-      4       ACK
<-      5       http 200 OK (web page with  ///////\\\\\\\
<-      6       Web page part 2 ///////\\\\\\\
<-      8       FIN

The attack was widespread and grew fairly rapidly; however, it only
targeted one particular large web site.

The attack was executed by altering a template web page used by
customers of this site to set up "Under Construction" pages.  Each time
one of these "Under Construction" pages was referenced, the attack
sequence would be retrieved and sent back against the victim site.

It was widespread and grew rapidly because this particular site hosts
many web pages; as new customers were added, the number of attacks (from
new IP addresses) increased.

The attack may have been a malicious act.  It may also be attributed to
data corruption of a key HTML template on the site.

The nature of the implementation of the attack was such that it could
not spread outside of this particular site.

Several people have asked how this was detected.  This particular site
uses SNORT, Tripwire and Real Secure, but Real Secure was the IDS
detecting the attack in this case.


Prepared by:
farm9.com, Inc.
Security Operations Center
soc () farm9 com

Contact:   Guy Morgan       gmorgan () farm9 com
           Or  George Milliken gmilliken () farm9 com

http://www.farm9.com

###
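The report above identifies the attack traffic only by the request line ("GET ////////// HTTP ...") and notes that the source IP count grew as new customer pages went live. The following is an added example, not code from the farm9 report or from the site involved, showing how that pattern can be picked out of a victim's Apache combined-format access log and how the growth in distinct sources can be tracked. The log lines are constructed for illustration, the RFC 5737 addresses are placeholders, and the slash-run threshold of 8 is an assumption chosen to stay clear of the benign double-slash ("//images/...") that ordinary clients produce.

```python
"""Detect the "GET //////////" Apache DoS request pattern in access logs.

Added example, not part of the original farm9 report.  Assumes the victim
web server writes Apache combined-format access logs.  All log lines and
IP addresses below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log (not real victim data).  Two sources send the
# slash-flood request; one source sends ordinary requests, including a
# harmless double-slash path that must NOT be flagged.
SAMPLE_LOG = """\
192.0.2.188 - - [16/Aug/2000:09:14:01 -0700] "GET ////////// HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
198.51.100.10 - - [16/Aug/2000:09:14:02 -0700] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
192.0.2.188 - - [16/Aug/2000:09:14:03 -0700] "GET //////////////// HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
203.0.113.7 - - [16/Aug/2000:09:14:05 -0700] "GET ////////// HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
198.51.100.10 - - [16/Aug/2000:09:14:06 -0700] "GET //images/logo.gif HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [16/Aug/2000:09:14:07 -0700] "GET //////////// HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
"""

# Leading fields of the Apache combined log format; referer and
# user-agent are left unparsed because the detection does not need them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed threshold: a run of this many consecutive slashes is treated as
# the attack request.  Set well above 2 so benign "//path" quirks pass.
SLASH_RUN_THRESHOLD = 8
SLASH_RUN_RE = re.compile(r'/{%d,}' % SLASH_RUN_THRESHOLD)


def parse_line(line):
    """Return a dict of the leading log fields, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_slash_flood(path):
    """True if the request path contains a long run of slashes."""
    return bool(SLASH_RUN_RE.search(path))


def scan(log_text):
    """Scan log text; return (list of matching records, hits per source IP)."""
    alerts = []
    per_ip = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        if is_slash_flood(rec["path"]):
            per_ip[rec["ip"]] += 1
            alerts.append(rec)
    return alerts, dict(per_ip)


def first_seen_order(alerts):
    """Source IPs in the order they first sent the attack request.

    A steadily growing list is the signature the report describes: each
    new customer page added a new attacking IP.
    """
    seen = []
    for rec in alerts:
        if rec["ip"] not in seen:
            seen.append(rec["ip"])
    return seen


if __name__ == "__main__":
    hits, counts = scan(SAMPLE_LOG)
    for rec in hits:
        print("ALERT %s %s %s" % (rec["ts"], rec["ip"], rec["path"]))
    print("hits per source:", counts)
    print("sources in order of appearance:", first_seen_order(hits))
```

Run against a live log with something like `tail -f access_log` piped through `scan()` one line at a time, and raise the alarm when `first_seen_order()` keeps growing rather than on any single request: one slash-flood GET from one client is noise, a steadily widening set of sources all sending the same request is the distributed pattern this incident showed.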

