Full Disclosure mailing list archives

Re: metasploit.com = 127.0.0.1


From: Peter Besenbruch <prb () lava net>
Date: Wed, 11 Feb 2009 15:46:06 -1000

On Wednesday 11 February 2009 06:51:36 Lehman, Jim wrote:
The incoming connection rate has exceeded 15Mbps of just SYN packets, so
we decided to point www.metasploit.com and metasploit.com back to
127.0.0.1 for a little while. This is more to keep our ISP happy than
any fear of bandwidth charges. We ran a packet capture of the incoming
SYN traffic for about 8 hours; it takes up approximately 60Gb of disk
space. In the meantime, if you want to access the Metasploit web site,
please use: http://metasploit.org

Also from the Metasploit site:

Feb-09-2009 Pathetic DDoS vs Metasploit (round 2) (hdm)

    It looks like our little DDoS buddy got sent home from school early 
today -- the flood started up again, this time ignoring the DNS name for the 
metasploit.com web site and instead targeting both IP addresses configured on 
the server. While SSL service is still unaffected (including Online Update 
over SVN), folks who wish to visit the Metasploit web site will need to do so 
using an alternate port until we roll out the next countermeasure.

    http://metasploit.com:8000/

    We also host the main web server for Attack Research, which can now be 
accessed at:

    http://www.attackresearch.com:8000/

    Thanks for your patience,

Feb-08-2009 Pathetic DDoS vs Security Sites (hdm)

    On Friday, starting around 9:00pm CST, the main metasploit.com was hit 
with a highly-annoying, if pretty useless distributed denial of service. The 
attack consisted of a botnet-sourced connection flood against port 80 for the 
metasploit.com host name. This flood consisted of about 80,000 connections 
per second, all from real hosts trying to send a simple HTTP request. At the 
same time, Packet Storm and Milw0rm were being hit as well. About 95% of the 
bots would intermittently resolve metasploit.com and follow the target 
address with the connection flood. The other 5% continued to bang on the main 
metasploit.com IP address and port even after the host record was changed.

    Solving this involved parking the metasploit.com host record at 127.0.0.1 
and moving the other host names and services to a spare IP address. This 
allows for www.metasploit.com and most of our other domains and services to 
work properly. The only drawback is that until the flooding stops, we can't 
use the metasploit.com A record, which happens to be the default for updating 
the Metasploit Framework installation. A fun side effect is that they handed 
us full control of the DDoS stream: we can point the metasploit.com record 
anywhere we like and the connection flood will follow it.

    We will continue to find other ways to mitigate the flood; but until we 
can safely use the metasploit.com name again, our standard online update 
mechanism is going to fail. If you are trying to check out a fresh copy of 
Metasploit from subversion, use the 
https://www.metasploit.com/svn/framework3/ URL for now. As of 9:30am CST, the 
Immunity web site is being hit as well. If anyone has information on the 
folks involved, we would love to hear from you :-)
-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
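The two measurements HD Moore describes in the quoted posts, the inbound SYN rate seen in the packet capture and the split between bots that re-resolved metasploit.com (and so flooded 127.0.0.1, i.e. themselves, once the A record was parked) and the roughly 5% pinned to the old address, can be reproduced from a tcpdump text dump. The script below is an added Python example and is not code from this thread, from the Metasploit project or from its authors. The capture lines are constructed, the addresses 192.0.2.10 / 192.0.2.20 and the record-change time are hypothetical (RFC 5737 documentation space), and the 74-byte frame size used for the bandwidth estimate is an assumption.

```python
"""Triage of a SYN flood from a tcpdump text dump (added example, constructed data).

Reproduces two measurements from the thread: inbound SYNs per second, and the
split between bots that re-resolve the target name (they vanish once the A
record is parked at 127.0.0.1) and bots pinned to the old IP address (they keep
flooding after the record changes).
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Hypothetical addresses in RFC 5737 documentation space: OLD_IP is what the
# flooded A record pointed at, NEW_IP the spare address other names moved to.
# RECORD_CHANGE is the (hypothetical) capture time at which the A record was
# parked at 127.0.0.1.
OLD_IP = "192.0.2.10"
NEW_IP = "192.0.2.20"
RECORD_CHANGE = "12:00:20.000000"

# Constructed capture lines in tcpdump's default text format (not real traffic).
SAMPLE = """\
12:00:00.100000 IP 203.0.113.5.41000 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
12:00:00.200000 IP 203.0.113.6.41001 > 192.0.2.10.80: Flags [S], seq 2, win 64240, length 0
12:00:00.300000 IP 203.0.113.7.41002 > 192.0.2.10.80: Flags [S], seq 3, win 64240, length 0
12:00:00.400000 IP 198.51.100.9.41003 > 192.0.2.10.80: Flags [S], seq 4, win 64240, length 0
12:00:00.500000 IP 198.51.100.10.41004 > 192.0.2.10.80: Flags [S], seq 5, win 64240, length 0
12:00:00.600000 IP 203.0.113.5.41005 > 192.0.2.10.80: Flags [S], seq 6, win 64240, length 0
12:00:01.100000 IP 203.0.113.8.41006 > 192.0.2.10.80: Flags [S], seq 7, win 64240, length 0
12:00:01.200000 IP 192.0.2.10.80 > 203.0.113.8.41006: Flags [S.], seq 100, ack 8, win 65535, length 0
12:00:01.300000 IP 203.0.113.6.41007 > 192.0.2.10.80: Flags [S], seq 8, win 64240, length 0
12:00:25.100000 IP 198.51.100.9.41008 > 192.0.2.10.80: Flags [S], seq 9, win 64240, length 0
12:00:25.200000 IP 198.51.100.10.41009 > 192.0.2.10.80: Flags [S], seq 10, win 64240, length 0
12:00:26.100000 IP 198.51.100.9.41010 > 192.0.2.10.80: Flags [S], seq 11, win 64240, length 0
12:00:26.200000 IP 203.0.113.200.41011 > 192.0.2.20.80: Flags [S], seq 12, win 64240, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


class Syn(NamedTuple):
    t: float      # seconds since midnight
    src: str
    dst: str
    dport: int


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_syns(capture: str) -> List[Syn]:
    """Keep pure SYNs (flags exactly 'S'); SYN-ACKs ('S.') and other lines are dropped."""
    syns = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("flags") != "S":
            continue
        syns.append(Syn(_seconds(m.group("ts")), m.group("src"),
                        m.group("dst"), int(m.group("dport"))))
    return syns


def syn_rates(syns: List[Syn], dport: int = 80) -> Counter:
    """SYNs per one-second bucket toward dport, keyed by whole second."""
    return Counter(int(s.t) for s in syns if s.dport == dport)


def peak_rate(rates: Counter) -> Tuple[int, int]:
    """(second, count) of the busiest one-second bucket."""
    return max(rates.items(), key=lambda kv: kv[1])


def peak_mbps(rates: Counter, frame_bytes: int = 74) -> float:
    """Wire bandwidth of the peak bucket. 74 bytes per SYN on the wire
    (Ethernet + IPv4 + TCP with typical options) is an assumed frame size."""
    return peak_rate(rates)[1] * frame_bytes * 8 / 1e6


def classify_sources(syns: List[Syn], old_ip: str = OLD_IP,
                     change_ts: str = RECORD_CHANGE, dport: int = 80) -> Dict[str, str]:
    """Label each source: 'pinned' if it still hits old_ip after the record change,
    'dns_following' if it hit old_ip only before it, 'other' if it never hit old_ip."""
    change = _seconds(change_ts)
    before, after, others = set(), set(), set()
    for s in syns:
        if s.dport != dport:
            continue
        if s.dst != old_ip:
            others.add(s.src)
        elif s.t >= change:
            after.add(s.src)
        else:
            before.add(s.src)
    labels = {src: "pinned" for src in after}
    labels.update({src: "dns_following" for src in before - after})
    labels.update({src: "other" for src in others - after - before})
    return labels


def pinned_fraction(labels: Dict[str, str]) -> float:
    """Share of flood sources that ignored the DNS change (the '5%' in the post)."""
    flood = [v for v in labels.values() if v != "other"]
    return sum(1 for v in flood if v == "pinned") / len(flood) if flood else 0.0


if __name__ == "__main__":
    syns = parse_syns(SAMPLE)
    rates = syn_rates(syns)
    sec, n = peak_rate(rates)
    print(f"peak {n} SYN/s at second {sec} (~{peak_mbps(rates):.6f} Mbps of SYNs)")
    labels = classify_sources(syns)
    print(dict(Counter(labels.values())), f"pinned fraction {pinned_fraction(labels):.0%}")
```

Feed it `tcpdump -nn -tt -r flood.pcap 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` style output (with the `-tt` epoch timestamps replaced by the default wall-clock form, or the `_seconds` helper adapted) and the `pinned` sources are the ones that still need null-routing or firewalling after the DNS trick has drained the rest of the botnet.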
