[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] metasploit.com = 127.0.0.1
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] metasploit.com = 127.0.0.1
- From: Peter Besenbruch <prb@xxxxxxxx>
- Date: Wed, 11 Feb 2009 15:46:06 -1000
On Wednesday 11 February 2009 06:51:36 Lehman, Jim wrote:
> The incoming connection rate has exceeded 15Mbps of just SYN packets, so
> we decided to point www.metasploit.com and metasploit.com back to
> 127.0.0.1 for a little while. This is more to keep our ISP happy than
> any fear of bandwidth charges. We ran a packet capture of the incoming
> SYN traffic for about 8 hours; it takes up approximately 60Gb of disk
> space. In the meantime, if you want to access the Metasploit web site,
> please use: http://metasploit.org
Also from the Metasploit site:
Feb-09-2009 Pathetic DDoS vs Metasploit (round 2) (hdm)
It looks like our little DDoS buddy got sent home from school early
today -- the flood started up again, this time ignoring the DNS name for the
metasploit.com web site and instead targeting both IP addresses configured on
the server. While SSL service is still unaffected (including Online Update
over SVN), folks who wish to visit the Metasploit web site will need to do so
using an alternate port until we roll out the next countermeasure.
http://metasploit.com:8000/
We also host the main web server for Attack Research, which can now be
accessed at:
http://www.attackresearch.com:8000/
Thanks for your patience,
Feb-08-2009 Pathetic DDoS vs Security Sites (hdm)
On Friday, starting around 9:00pm CST, the main metasploit.com was hit
with a highly-annoying, if pretty useless distributed denial of service. The
attack consisted of a botnet-sourced connection flood against port 80 for the
metasploit.com host name. This flood consisted of about 80,000 connections
per second, all from real hosts trying to send a simple HTTP request. At the
same time, Packet Storm and Milw0rm were being hit as well. About 95% of the
bots would intermittently resolve metasploit.com and follow the target
address with the connection flood. The other 5% continued to bang on the main
metasploit.com IP address and port even after the host record was changed.
Solving this involved parking the metasploit.com host record at 127.0.0.1
and moving the other host names and services to a spare IP address. This
allows for www.metasploit.com and most of our other domains and services to
work properly. The only drawback is that until the flooding stops, we can't
use the metasploit.com A record, which happens to be the default for updating
the Metasploit Framework installation. A fun side effect is that they handed
us full control of the DDoS stream: we can point the metasploit.com record
anywhere we like and the connection flood will follow it.
We will continue to find other ways to mitigate the flood; but until we
can safely use the metasploit.com name again, our standard online update
mechanism is going to fail. If you are trying to check out a fresh copy of
Metasploit from subversion, use the
https://www.metasploit.com/svn/framework3/ URL for now. As of 9:30am CST, the
Immunity web site is being hit as well. If anyone has information on the
folks involved, we would love to hear from you :-)
--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/