Sunday, February 8, 2009

Pathetic DDoS vs Security Sites

Via Metasploit Blog -

On Friday, starting around 9:00pm CST, the main was hit with a highly annoying, if pretty useless, distributed denial of service. The attack consisted of a botnet-sourced connection flood against port 80 for the host name. This flood consisted of about 80,000 connections per second, all from real hosts trying to send a simple HTTP request. At the same time, Packet Storm and Milw0rm were being hit as well. About 95% of the bots would intermittently resolve and follow the target address with the connection flood. The other 5% continued to bang on the main IP address and port even after the host record was changed.

Solving this involved parking the host record at and moving the other host names and services to a spare IP address. This allows for and most of our other domains and services to work properly. The only drawback is that until the flooding stops, we can't use the A record, which happens to be the default for updating the Metasploit Framework installation. A fun side effect is that they handed us full control of the DDoS stream: we can point the record anywhere we like and the connection flood will follow it.

We will continue to find other ways to mitigate the flood, but until we can safely use the name again, our standard online update mechanism is going to fail. If you are trying to check out a fresh copy of Metasploit from subversion, use the URL for now.

As of 9:30am CST, the Immunity web site is being hit as well. If anyone has information on the folks involved, we would love to hear from you :-)
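As an added illustration (not part of the Metasploit post), here is a small Python analyzer over constructed connection-log lines that measures the per-second connection rate toward an address and, after the A record is moved to a spare IP, separates the sources that re-resolved and followed the DNS change from those still pinned to the old address. The log format, addresses and timestamps are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample log, one connection per line: "epoch_second src_ip dst_ip dst_port".
# OLD_IP is the address the flooded A record originally pointed at; NEW_IP is the
# spare address after the record change (both are placeholder values).
OLD_IP = "192.0.2.10"
NEW_IP = "192.0.2.20"
CHANGE_TS = 1001  # second at which the A record was moved to NEW_IP
LOG = """\
1000 198.51.100.1 192.0.2.10 80
1000 198.51.100.2 192.0.2.10 80
1000 198.51.100.3 192.0.2.10 80
1001 198.51.100.1 192.0.2.20 80
1001 198.51.100.2 192.0.2.20 80
1001 198.51.100.3 192.0.2.10 80
1002 198.51.100.1 192.0.2.20 80
1002 198.51.100.3 192.0.2.10 80
1002 198.51.100.4 192.0.2.20 80
"""


def parse(log):
    """Turn the log text into (timestamp, src, dst, port) tuples."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        rows.append((int(ts), src, dst, int(port)))
    return rows


def rate_per_second(rows, dst_ip, port=80):
    """Connections per second toward one destination address and port."""
    counts = Counter(ts for ts, _, dst, p in rows if dst == dst_ip and p == port)
    return dict(sorted(counts.items()))


def classify_sources(rows, old_ip, new_ip, change_ts):
    """After change_ts, split sources into those that followed the record to new_ip
    (re-resolving bots) and those that only ever hit old_ip (bots pinned to the IP)."""
    seen = defaultdict(set)
    for ts, src, dst, _ in rows:
        if ts >= change_ts:
            seen[src].add(dst)
    followed = {s for s, dsts in seen.items() if new_ip in dsts}
    pinned = {s for s, dsts in seen.items() if dsts == {old_ip}}
    return followed, pinned
```

The pinned set is the traffic that keeps arriving at the old address regardless of DNS, which is what the post's remaining 5% looks like in a connection log.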
