Re: Question about HTTP DDOS attacks.

["Kyle R. Hofmann" <krh () lemniscate net>]

On Mon, 18 Mar 2002 07:42:47 +0100, Hugo van der Kooij wrote:
> On Fri, 15 Mar 2002 eax () 3xT org wrote:
>
> > For the last couple days, one of our client's virtual-hosts on one of our webservers has been DDOSed with
> > tons of HTTP requests composed of:
> >
> > GET / HTTP/1.1
> > Host: example.com
>
> These are in fact valid request if I setup a link like: <a 
> href="http://example.com/";> or even <a href="http://example.com";>

They're not valid if he's not example.com.  See RFC 2606:

"3. Reserved Example Second Level Domain Names

   The Internet Assigned Numbers Authority (IANA) also currently has the
   following second level domain names reserved which can be used as
   examples.

        example.com
        example.net
        example.org"

$ dig example.com

; <<>> DiG 2.2 <<>> example.com 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38839
;; flags: qr rd ra; Ques: 1, Ans: 1, Auth: 2, Addit: 0
;; QUESTIONS:
;;      example.com, type = A, class = IN

;; ANSWERS:
example.com.    172800  A       192.0.34.72

;; AUTHORITY RECORDS:
example.com.    21600   NS      a.iana-servers.net.
example.com.    21600   NS      b.iana-servers.net.

;; Total query time: 400 msec
;; FROM: yvonne.lemniscate.net to SERVER: default -- 127.0.0.1
;; WHEN: Mon Mar 18 10:22:35 2002
;; MSG SIZE  sent: 29  rcvd: 93

$ lynx -dump http://www.example.com/

   You have reached this web page by typing "example.com", "example.net",
   or "example.org" into your web browser.
   
   These domain names are reserved for use in documentation and are not
   available for registration.

-- 
Kyle R. Hofmann <krh () lemniscate net>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com