Metasploit mailing list archives
Metasploit, Milw0rm, PacketStorm DDoS'd
From: metafan at intern0t.net (metafan at intern0t.net)
Date: Sun, 08 Feb 2009 04:11:28 -0500
Hi HD,

Next time you experience such a serious DoS, one (bogus) way to handle it is to set the A record to 127.0.0.1 temporarily, making the attack go straight back to where it came from. However, this doesn't solve the problem about being able to serve content, so as you did, make a temporary subdomain pointing to the main domain or edit it like you did :)

Those methods mentioned above are one way to solve it, and yes, I know that it is not possible to defend against all ways of DDoS. Though if the connections received are, for example, more than 50 connections per IP, then set up your router (hopefully a good one) to deny traffic from IPs having more than 50 connections. Keep in mind that this won't have any effect in IPTables+IPChains, as the traffic will already have reached your server.

I am not sure if there is anything else you can do besides that, except by analyzing the attack. Was it targeted for a specific service? Or was it ICMP Echo based? If it was the last, then you can disable that in the router or iptables, and if it was targeted for a service, like DNS, then you should start looking for "evidence" to see if it was a DNS Amplification Attack etc.

I hope this has enlightened the case a little, though I somehow doubt that you don't already know all of this, as you're after all HD Moore :)

~ MaXe

PS: I am not an expert in DoS attacks, I'm merely just a person interested in security.

Some of you may have noticed that the Online Update feature is not working properly right now. We have been the target of a DDoS all day, and although we managed to dodge most of it (the server load has been 0.0), we did have to point the A record for 'metasploit.com' at a bogus address and juggle DNS/IP to get the rest of the domains out of the line of fire. Right now, you can still access the web site via http://www.metasploit.com/ but will not be able to use http://metasploit.com/ until the idiots trying to take us offline get bored.

If you are using subversion on the command line to update metasploit, use the following command to switch to a new/untargeted host name:

    $ cd framework3/
    $ svn switch https://www.metasploit.com/svn/framework3/trunk/ .
    $ svn update

The milw0rm.com and packet storm web sites have also been targets for the last 24 hours. If anyone has information pointing to who is running the botnet (~500k unique sources or so), please contact me offlist ;-)

-HD

_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework
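The per-IP limit suggested in the reply above (more than 50 connections from one source) can be checked from a connection table before any deny rule is written. This is an added example, not part of the thread: it assumes input shaped like `ss -tn` output, the function names are hypothetical, and the sample lines are constructed from documentation address ranges.

```python
import ipaddress
from collections import Counter

THRESHOLD = 50  # "more than 50 connections per IP", as in the post


def peer_ip(endpoint):
    """Return the IP from 'a.b.c.d:port' or '[v6addr]:port' (zone id dropped)."""
    host, _, _port = endpoint.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]
    return str(ipaddress.ip_address(host))  # raises ValueError if not an IP


def count_peers(ss_lines, states=("ESTAB", "SYN-RECV")):
    """Count connections per remote IP, skipping headers and listeners."""
    counts = Counter()
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] not in states:
            continue
        try:
            counts[peer_ip(fields[4])] += 1
        except ValueError:
            continue  # e.g. a peer column of '0.0.0.0:*' or garbage
    return counts


def over_limit(counts, threshold=THRESHOLD):
    """Sources strictly above the threshold, busiest first."""
    hits = [(ip, n) for ip, n in counts.items() if n > threshold]
    return sorted(hits, key=lambda item: -item[1])


def constructed_sample():
    """Constructed connection table: two noisy sources, two quiet ones."""
    lines = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port",
             "LISTEN 0 128 0.0.0.0:80 0.0.0.0:*"]
    for peer, n in (("203.0.113.7", 60), ("[2001:db8::5]", 51),
                    ("198.51.100.9", 50), ("192.0.2.1", 3)):
        for i in range(n):
            lines.append(f"ESTAB 0 0 192.0.2.80:80 {peer}:{40000 + i}")
    return lines


if __name__ == "__main__":
    for ip, n in over_limit(count_peers(constructed_sample())):
        print(f"{ip}\t{n} connections (limit {THRESHOLD})")
```

A source sitting at exactly 50 connections is not flagged, matching the "more than 50" wording; where the resulting list is enforced (upstream router or host firewall) is a separate decision.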