Full Disclosure mailing list archives

Re: Who's behind limestonenetworks.com AKA DDoS on polipo(8123)


From: Jann Horn <jann () thejh net>
Date: Fri, 16 Aug 2013 19:31:27 +0200

On Thu, Aug 15, 2013 at 05:29:52PM -0300, Luther Blissett wrote:
> Hello dear companions,
>
> Two days ago one of my tor exit nodes experienced something I'm now
> calling "limestonenetworks DDoS on polipo" ( $WAN_IP:8123 ), since all

DDoS? So you mean your systems were impacted by that?


> packets in the storm were flowing from a range of 514 different IP
> addresses, all of them inside limestonenetworks IP range and targeting
> port 8123 on my tor exit node WAN IP.

Let me google that for you. Hmm. Assigned to "Polipo Web proxy". So maybe
someone tried to connect to them through your exit node and they do proxyscans
on people who connect to them?


> Before the packet storm,

Oooh, a storm!


> The attack persisted for at least three hours and left this binary (hex
> represented):


Maybe your disk is just broken?


> Attached is the list of participating IP addresses, line by line, with
> the count of packets received. The attacker started sending something
> like 4 packets per second and increased to over 9000!!! - just
> kidding, over 30 per second.


Your systems were impacted by a DoS attack with 30 packets per second? You might
want to upgrade to hardware that is a few decades newer.

> 74.63.255.118: 248
> 216.245.193.201: 235
> 208.115.232.205: 231
> 74.63.255.119: 225
> 216.245.193.200: 219
> [...]
> O=TCP SPT=2216 : 1

You were attacked by "O=TCP SPT=2216"? Cool story.

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
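An added example, not part of the thread: a small Python tally of packets per source address from netfilter-style kernel LOG lines, the format that the `SPT=`/`DPT=` field names in the attachment suggest produced the counts above. It assumes that log format and uses constructed sample lines (two addresses from the list above, documentation-range addresses otherwise); validating the `SRC` field keeps a truncated line from being counted as a source the way the `O=TCP SPT=2216 : 1` entry was.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input (not from the thread): netfilter LOG lines for the
# port under discussion, plus one truncated line of the kind that a naive
# field-splitting one-liner turns into a bogus "address".
SAMPLE_LOG = """\
Aug 13 12:00:00 gw kernel: IN=eth0 OUT= SRC=74.63.255.118 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=40001 DPT=8123 SYN
Aug 13 12:00:00 gw kernel: IN=eth0 OUT= SRC=216.245.193.201 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=40002 DPT=8123 SYN
Aug 13 12:00:01 gw kernel: IN=eth0 OUT= SRC=74.63.255.118 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=40003 DPT=8123 SYN
Aug 13 12:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=40004 DPT=22 SYN
O=TCP SPT=2216 DPT=8123 SYN
"""

# key=value tokens; bare flags such as SYN or DF are deliberately not captured
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter(line):
    """Return the key=value fields of one LOG line as a dict, or None when the
    line has no syntactically valid SRC address or no numeric DPT."""
    fields = dict(KV_RE.findall(line))
    try:
        ipaddress.ip_address(fields["SRC"])   # rejects missing or garbled SRC
        fields["DPT"] = int(fields["DPT"])
    except (KeyError, ValueError):
        return None
    return fields


def tally_sources(log_text, dport):
    """Count packets per source address for one destination port.
    Returns (Counter mapping SRC -> packets, number of lines skipped as malformed)."""
    counts, skipped = Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_netfilter(line)
        if fields is None:
            skipped += 1          # truncated or garbled line: report, don't count
            continue
        if fields["DPT"] == dport:
            counts[fields["SRC"]] += 1
    return counts, skipped


if __name__ == "__main__":
    counts, skipped = tally_sources(SAMPLE_LOG, 8123)
    for src, n in counts.most_common():
        print(f"{src}: {n}")
    print(f"skipped {skipped} malformed line(s)")
```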
