OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: [Full-disclosure] Arbitrary DDoS PoC

From: Laurelai (laurelaioneechan.org)
Date: Tue Feb 14 2012 - 15:31:10 CST


On 2/14/2012 2:58 PM, Sanguinarious Rose wrote:
> I do not understand why you are wasting time on an obvious troll to
> downright, and I don't normally call people names but he well deserves
> it, a retard. I think I ironically illustrated the fundamental flaw in
> that you can't possibly generate more bandwidth by using proxies for
> the python code provided due to it violates the laws of physics
> (literally). In fact, if we want to be technical, we could say it is
> less effective due to the handshake required to initiate the proxy
> connection in fact decreasing efficiency of input compared to input.
> If there was something besides making lots of proxy request there
> might be something there but it, in fact, has nothing.
>
> Taking into account THN retweeted his FD post and his obvious
> inability to understand why everyone is not taking him seriously I
> have concluded he is just trying to seek fame and fortune passing off
> as some kind of sec expert. Maybe get some brownie points with the
> skiddie crowd who wouldn't know better. Throwing fancy terms and
> pretending to know what they are talking about doesn't work up against
> real researchers who understand what they are doing. Poorly written
> scripts also do not impress anyone here considering that I could just
> put into google "HTTP Proxy Flooder" and a find superior equivalent
> (Even with Point and Click!).
>
> To this effect, I propose we look into Unicorns as a possible
> unconventional medium of DDoS due to their mythical properties in a
> network environment over-ruled by Pink Lepricons.
>
> Conclusion: Christian Magick.
>
> On Tue, Feb 14, 2012 at 10:19 AM, Gage Bystrom <themadichib0dgmail.com> wrote:
>> If the design is broken than the implementation is broken. Have you READ
>> your own source code? Do you understand what its actually doing? Rhetorical
>> questions of course but still.
>>
>> Your poc calls curl multiple times via a list of proxies. No more, no less.
>> If you are going to claim that such a thing is an effective general
>> technique YOU have to back up that claim, not me or anyone else on this
>> list. I never bothered running it because anyone who read that simple python
>> code(which was a good thing its simple), can understand what it is doing,
>> and do a mental comparison to what they previously knew about the subject of
>> dos. Your poc does not demonstrate anything new, it demonstrates existing
>> knowledge that is generally known to not be an effective method for dosing
>> for all the reasons I explained in my previous mails.
>>
>> I think its quite pedantic of you to only criticize me for calling out the
>> ineffectiveness of your poc. You did not address anything I or anyone else
>> said about your claim. If you think I am wrong or mistaken in my personal
>> assessment of your claim than you are the one who must show how and why to
>> defend your claim. Belittling someone who criticizes you is not
>> professional, not productive, does not give strength to your claim, and does
>> not make you right.
>>
>> The end of the line is I don't care what you claim your code does, I care
>> about what the code does, and your code is not an effective general
>> technique for denial of service attacks.
>>
>> On Feb 13, 2012 8:48 PM, "Lucas Fernando Amorim" <lf.amorimyahoo.com.br>
>> wrote:
>>> I could argue that an attack targeted at a service, especially HTTP, is
>>> not measured by the band, but the requests, especially the heavier, could
>>> argue that a technique is the most inherent characteristic of multiple
>>> sources of traffic and still relying on trust. I could still say that is an
>>> implementation that relates only to say - Look, it exists!, I could still
>>> prolong explaining about overheads, and using about the same time many sites
>>> that make the requests, thus reducing the wake of a failure, even if you say
>>> easily diagnosable.
>>>
>>> But I'd rather say that it is actually very pedantic of you label
>>> something as inefficient, especially when not done a single test, only the
>>> pedantic observation of someone whose interests it is reprehensible. I will
>>> not say you're one of those, but this is really an attitude typical of this
>>> kind, which is certainly not a hacker. Thanks to people like that, do not
>>> know if you like, there are many flaws yet to be explored.
>>>
>>> If anyone wants more information, obviously I will ask to send an email or
>>> call me to give a presentation, I will not think about anything. My goal in
>>> was invited researchers to study DDoS on this model, because anytime someone
>>> can direct thousands to generate a network congestion.
>>>
>>>
>>> On 13-02-2012 11:17, Gage Bystrom wrote:
>>>
>>> Uhh...looks pretty standard boss. You aren't going to DoS a halfway decent
>>> server with that using a single box. Sending your request through multiple
>>> proxies does not magically increase the resource usage of the target, its
>>> still your output power vs their input pipe. Sure it gives a slight boost in
>>> anonymity and obfuscation but does not actually increase effectiveness. It
>>> would even decrease effectiveness because you bear the burden of having to
>>> send to a proxy, giving them ample time to recover from a given request.
>>>
>>> Even if you look at it as a tactic to bypass blacklisting, you still
>>> aren't going to overwhelm the server. That means you need more pawns to do
>>> your bidding. This creates a bit of a problem however as then all your
>>> slaves are running through a limited selection of proxies, reducing the
>>> amount of threats the server needs to blacklist. The circumvention is quite
>>> obvious, which is to not utilize proxies for the pawns....and rely on shear
>>> numbers and/or superior resource exhaustion methods....
>>>
>>> On Feb 13, 2012 4:37 AM, "Lucas Fernando Amorim" <lf.amorimyahoo.com.br>
>>> wrote:
>>>> With the recent wave of DDoS, a concern that was not taken is the model
>>>> where the zombies were not compromised by a Trojan. In the standard
>>>> modeling of DDoS attack, the machines are purchased, usually in a VPS,
>>>> or are obtained through Trojans, thus forming a botnet. But the
>>>> arbitrary shape doesn't need acquire a collection of computers.
>>>> Programs, servers and protocols are used to arbitrarily make requests on
>>>> the target. P2P programs are especially vulnerable, DNS, internet
>>>> proxies, and many sites that make requests of user like Facebook or W3C,
>>>> also are.
>>>>
>>>> Precisely I made a proof-of-concept script of 60 lines hitting most of
>>>> HTTP servers on the Internet, even if they have protections likely
>>>> mod_security, mod_evasive. This can be found on this link [1] at GitHub.
>>>> The solution of the problem depends only on the reformulation of
>>>> protocols and limitations on the number of concurrent requests and
>>>> totals by proxies and programs for a given site, when exceeded returning
>>>> a cached copy of the last request.
>>>>
>>>> [1] https://github.com/lfamorim/barrelroll
>>>>
>>>> Cheers,
>>>> Lucas Fernando Amorim
>>>> http://twitter.com/lfamorim
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
You know its bad when even Sanguinarious calls you a troll.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/