Full Disclosure mailing list archives
Re: metasploit.com = 127.0.0.1
From: Peter Besenbruch <prb () lava net>
Date: Wed, 11 Feb 2009 15:46:06 -1000
On Wednesday 11 February 2009 06:51:36 Lehman, Jim wrote:
The incoming connection rate has exceeded 15Mbps of just SYN packets, so we decided to point www.metasploit.com and metasploit.com back to 127.0.0.1 for a little while. This is more to keep our ISP happy than any fear of bandwidth charges. We ran a packet capture of the incoming SYN traffic for about 8 hours; it takes up approximately 60Gb of disk space. In the meantime, if you want to access the Metasploit web site, please use: http://metasploit.org
Also from the Metasploit site:

Feb-09-2009 Pathetic DDoS vs Metasploit (round 2) (hdm)

It looks like our little DDoS buddy got sent home from school early today -- the flood started up again, this time ignoring the DNS name for the metasploit.com web site and instead targeting both IP addresses configured on the server. While SSL service is still unaffected (including Online Update over SVN), folks who wish to visit the Metasploit web site will need to do so using an alternate port until we roll out the next countermeasure.

http://metasploit.com:8000/

We also host the main web server for Attack Research, which can now be accessed at:

http://www.attackresearch.com:8000/

Thanks for your patience,

Feb-08-2009 Pathetic DDoS vs Security Sites (hdm)

On Friday, starting around 9:00pm CST, the main metasploit.com was hit with a highly-annoying, if pretty useless distributed denial of service. The attack consisted of a botnet-sourced connection flood against port 80 for the metasploit.com host name. This flood consisted of about 80,000 connections per second, all from real hosts trying to send a simple HTTP request. At the same time, Packet Storm and Milw0rm were being hit as well.

About 95% of the bots would intermittently resolve metasploit.com and follow the target address with the connection flood. The other 5% continued to bang on the main metasploit.com IP address and port even after the host record was changed.

Solving this involved parking the metasploit.com host record at 127.0.0.1 and moving the other host names and services to a spare IP address. This allows for www.metasploit.com and most of our other domains and services to work properly. The only drawback is that until the flooding stops, we can't use the metasploit.com A record, which happens to be the default for updating the Metasploit Framework installation.

A fun side effect is that they handed us full control of the DDoS stream: we can point the metasploit.com record anywhere we like and the connection flood will follow it.

We will continue to find other ways to mitigate the flood; but until we can safely use the metasploit.com name again, our standard online update mechanism is going to fail. If you are trying to check out a fresh copy of Metasploit from subversion, use the https://www.metasploit.com/svn/framework3/ URL for now.

As of 9:30am CST, the Immunity web site is being hit as well. If anyone has information on the folks involved, we would love to hear from you :-)

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky
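The quoted notes distinguish flood sources that re-resolve the host name from sources that stay on the old address after the record is parked. As an added example (not from the original post or from Metasploit), the sketch below measures that split from a connection log; the log format, addresses, timestamps and TTL are constructed assumptions.

```python
# Added example: constructed data using documentation address ranges (RFC 5737).
OLD_IP = "192.0.2.10"   # assumed former A record target
CHANGE_TS = 1000        # assumed time the A record was parked at 127.0.0.1
TTL = 300               # assumed record TTL; resolvers may cache for this long

# Constructed SYN log as seen on the server: "epoch src dst"
SAMPLE_LOG = """\
900 198.51.100.1 192.0.2.10
910 198.51.100.2 192.0.2.10
920 198.51.100.3 192.0.2.10
950 198.51.100.4 192.0.2.10
1100 198.51.100.2 192.0.2.10
1400 198.51.100.4 192.0.2.10
1500 198.51.100.4 192.0.2.10
1600 203.0.113.9 192.0.2.10
not a log line
"""

def parse(log_text):
    """Yield (timestamp, src, dst) from 'epoch src dst' lines, skipping junk."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2]

def classify_sources(log_text, old_ip=OLD_IP, change_ts=CHANGE_TS, ttl=TTL):
    """Split sources by whether they still hit old_ip once the TTL has expired."""
    cutoff = change_ts + ttl
    before, after = set(), set()
    for ts, src, dst in parse(log_text):
        if dst != old_ip:
            continue
        if ts < change_ts:
            before.add(src)
        elif ts >= cutoff:
            after.add(src)
        # Hits in [change_ts, cutoff) may come from cached answers: ignored.
    # Inference only: a source that vanished may simply have stopped sending.
    return {"dns_following": before - after, "ip_pinned": after}

def pinned_fraction(result):
    """Share of classified sources that a DNS change alone will not move."""
    total = len(result["dns_following"]) + len(result["ip_pinned"])
    return len(result["ip_pinned"]) / total if total else 0.0
```

Sources in `ip_pinned` are the ones a record change cannot redirect, so they need address-level handling such as moving services to a spare IP.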