Metasploit mailing list archives

Metasploit, Milw0rm, PacketStorm DDoS'd


From: metafan at intern0t.net (metafan at intern0t.net)
Date: Sun, 08 Feb 2009 04:11:28 -0500

Hi HD,


Next time you experience such a serious DoS, one (bogus) way to handle
it is to set the A record to 127.0.0.1 temporarily, making the attack go
straight back to where it came from.

However, this doesn't solve the problem of being able to serve content,
so, as you did, make a temporary subdomain pointing to the main domain or
edit it like you did :)

The methods mentioned above are one way to solve it, and yes, I know that
it is not possible to defend against all kinds of DDoS. Though if the
connections received are, e.g., more than 50 connections per IP, then set
up your router (hopefully a good one) to deny traffic from IPs having
more than 50 connections.

Keep in mind that this won't have any effect in IPTables+IPChains, as the
traffic will already have reached your server. I am not sure if there is
anything else you can do besides that, except analyzing the attack.

Was it targeted at a specific service? Or was it ICMP Echo based?
If it was the latter, then you can disable that in the router or iptables,
and if it was targeted at a service like DNS, then you should start
looking for "evidence" to see if it was a DNS amplification attack etc.


I hope this has enlightened the case a little, though I somehow doubt
that you don't already know all of this, as you're, after all, HD Moore :)

~ MaXe

PS: I am not an expert in DoS attacks; I'm merely a person interested in security.


Some of you may have noticed that the Online Update feature is not
working properly right now. We have been the target of a DDoS all day,
and although we managed to dodge most of it (the server load has been
0.0), we did have to point the A record for 'metasploit.com' at a bogus
address and juggle DNS/IP to get the rest of the domains out of the line
of fire. Right now, you can still access the web site via
http://www.metasploit.com/ but will not be able to use
http://metasploit.com/ until the idiots trying to take us offline get
bored. If you are using subversion on the command line to update
metasploit, use the following command to switch to a new/untargeted host
name:

$ cd framework3/
$ svn switch https://www.metasploit.com/svn/framework3/trunk/ .
$ svn update

The milw0rm.com and Packet Storm web sites have also been targets for
the last 24 hours. If anyone has information pointing to who is running
the botnet (~500k unique sources or so), please contact me offlist ;-)

-HD

_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework
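As an added example (not code from either message in this thread), the two checks MaXe describes, counting connections per source IP against a per-IP limit and looking for "evidence" of DNS amplification, run over constructed flow records. The server address, the Flow record layout, the 50-connection limit and the 512-byte response size are assumptions made for the example; the sample traffic uses documentation address ranges and is constructed inline.

```python
"""Per-source connection counting and unsolicited-DNS-response detection
over constructed flow records (added example, not from the thread)."""
from collections import Counter
from dataclasses import dataclass

# Assumed address of the server under attack (documentation range).
SERVER = "203.0.113.10"


@dataclass(frozen=True)
class Flow:
    """One observed connection or datagram; field layout is assumed."""
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    nbytes: int


def build_sample():
    """Constructed sample traffic: one source opening 60 TCP connections,
    one normal source opening 3, a burst of large UDP/53 answers from
    resolvers the server never queried, and one legitimate lookup."""
    flows = []
    for i in range(60):
        flows.append(Flow("198.51.100.7", SERVER, "tcp", 40000 + i, 80, 500))
    for i in range(3):
        flows.append(Flow("203.0.113.5", SERVER, "tcp", 50000 + i, 80, 500))
    for i in range(20):
        flows.append(Flow(f"192.0.2.{10 + i}", SERVER, "udp", 53, 33000 + i, 3000))
    # Legitimate lookup: the server's own query and the matching answer.
    flows.append(Flow(SERVER, "192.0.2.1", "udp", 51234, 53, 60))
    flows.append(Flow("192.0.2.1", SERVER, "udp", 53, 51234, 120))
    return flows


def tcp_connections_per_source(flows, server):
    """Number of inbound TCP connections per source address."""
    return Counter(f.src for f in flows if f.proto == "tcp" and f.dst == server)


def sources_over_limit(flows, server, limit=50):
    """Source addresses holding more than `limit` connections; these are
    the candidates for a router or filter deny rule."""
    counts = tcp_connections_per_source(flows, server)
    return sorted(ip for ip, n in counts.items() if n > limit)


def unsolicited_dns_responses(flows, server, min_bytes=512):
    """Large UDP datagrams from port 53 that answer no query the server
    sent: the signature of an amplification attack using open resolvers.
    A response is matched to a query by (resolver address, our port)."""
    queried = {
        (f.dst, f.sport)
        for f in flows
        if f.src == server and f.proto == "udp" and f.dport == 53
    }
    hits = Counter()
    for f in flows:
        if f.dst != server or f.proto != "udp" or f.sport != 53:
            continue
        if f.nbytes >= min_bytes and (f.src, f.dport) not in queried:
            hits[f.src] += 1
    return hits


if __name__ == "__main__":
    sample = build_sample()
    print("over limit:", sources_over_limit(sample, SERVER))
    print("unsolicited DNS answers:", unsolicited_dns_responses(sample, SERVER))
```

The connection count is a per-source total, so a botnet of many low-volume sources (as in HD's ~500k unique addresses) will not trip it, which is why MaXe's caveat that not every DDoS can be filtered this way applies; the DNS check is the complementary view, since amplification traffic arrives from otherwise legitimate resolvers rather than from the bots themselves.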
