Scribd
Upload
221 views5 pages

Demystifying Network Attacks DDoS - DoS Edition - by Xyr0x

The document discusses how to identify attackers in DDoS and DoS attacks by examining log files. It provides examples of log entries for attackers and users and explains what details in the logs identify the source. The author also provides biographical information about themselves.

Uploaded by

Dhruv Jain
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as RTF, PDF, TXT or read online on Scribd
221 views5 pages

Demystifying Network Attacks DDoS - DoS Edition - by Xyr0x

The document discusses how to identify attackers in DDoS and DoS attacks by examining log files. It provides examples of log entries for attackers and users and explains what details in the logs identify the source. The author also provides biographical information about themselves.

Uploaded by

Dhruv Jain
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as RTF, PDF, TXT or read online on Scribd
You are on page 1/ 5

Demystifying Network Attacks DDoS / DoS Edition - by xyr0x

--] Demystifying Network Attacks [--


DDoS / DoS Edition

Author: xyr0x
Date: Saturday, September 23rd, 2006 - 9:04pm
Security Focus: Identifying the DDoS/DoS Attacker Source
Copyright: xyr0x security 2006

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%% %%%%%%%

Table of Context

0: Shouts
1: Overview
2: What to look for
3: Idenfitying the attacker(s)
4: Identifying the user(s)
5: About Author
6: Other References

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%% %%%%%%%

0: Shouts:

I'd like to give thanks to firey for encouraging me to write this paper. Murder mouse,
halla, Dark_Benkin, Pal, infektid, n00b, MurderSkillz(g00ns.net), NabZ, 7Sean, all the
members of DarkDevelopments.com, and their twin site, informationleak.net, members
of the Chaostheoryradio.com network, and the recent discovery of the Guinea pig videos.
Get gruesome YO!

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%% %%%%%%%

1: Overview:

This is a short little "security paper" that I'm about to write for those uninformed
webmasters out there, on how to identify the culprit for the innocent. What we're doing
here is we're using comparisons, and already known HTTP 1.1 status code definitions.
For example: 404 = not found, catch my drift? Well anything over 5xx, means that there's
something wrong with the processing of connections, by somebody remotelly. Either
your site's not appropriatelly assigned by it's database, e.g you've disallowed a user to
visit that part of your site, or you're under an attack. I'm a big fan of privacy and whatnot,
but I'm now going to give a slightly modified visual demonstration in text that is, from
the Darkdevelopments packet dump which I recieved from Firey. Thanks firey, glad that
I could be of help for DarkDevelopments. We rock, and the scumfucks that attack us is a
futile move on their behalf. =P

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%% %%%%%%%

2: What to look for, and how to identify:

Here's probably the best trick in my book, "Time Instances between connections"
Normally, a user doesn't connect to a website, 04/Sep/2006, at 20:03:39 "8:03pm" and
then "Reconnect" 10 times more, within the same time limit, unless you're a robot. A user
doesn't goto a website over and over again, just to view the banner. And there are alot of
other descrepancies which may reserve warrent of that it not being accessed by a actual
user.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%% %%%%%%%

3: Idenfitying the attacker(s)

[Attacker]
65.78.77.182 - - [03/Sep/2006:20:41:00 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 200 73947 "-" "-"

This is the schematic of what it would look like if you have an attacker, using a
DDoS/DoS program. Notice the directory and file it's trying to pull up? Normally a user
already see's it on the main interface of the website, so the need to dig the image folder,
and pull it up? it's not going to perform much of any usefullness, except maybe to rip,
cause you're a stupid scumbag. Anyway, it's returning an HTTP/1.0" 200 status, which
means the server is Successful, and OK, on returning the website's content to the current
surfer at that time, also meaning that it hasn't been DDoS/DoS'd yet however this can be
confusing, but the attributes should be a dead give away. e.g accessing images/header.jpg
Who care's? You see it when you enter the site., And, it's not returning any OS or
Browser feedback. So we obviously know that this is the attacker. Not some user who's
there to learn. Respectivelly,

Other identifications with proper synapsis implemented by me, explaining what it all
means, for you newbs.
[This is an Attacker. Unfortunetally, he's using AOL. notice the time frame, and it not
getting anything except the header.jpg]
172.131.150.225 - - [04/Sep/2006:14:15:30 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
172.131.150.225 - - [04/Sep/2006:14:15:30 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
172.131.150.225 - - [04/Sep/2006:14:15:30 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
172.131.150.225 - - [04/Sep/2006:14:15:30 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
172.131.150.225 - - [04/Sep/2006:14:16:37 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
172.131.150.225 - - [04/Sep/2006:14:16:37 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
172.131.150.225 - - [04/Sep/2006:14:16:37 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
172.131.150.225 - - [04/Sep/2006:14:16:37 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
172.131.150.225 - - [04/Sep/2006:14:16:37 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"

[Another attacker, notice the time frame, and it not getting anything except the
header.jpg]
69.105.20.217 - - [04/Sep/2006:20:03:38 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
69.105.20.217 - - [04/Sep/2006:20:03:38 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
69.105.20.217 - - [04/Sep/2006:20:03:38 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
69.105.20.217 - - [04/Sep/2006:20:03:38 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
69.105.20.217 - - [04/Sep/2006:20:03:38 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
69.105.20.217 - - [04/Sep/2006:20:03:38 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
69.105.20.217 - - [04/Sep/2006:20:03:38 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
69.105.20.217 - - [04/Sep/2006:20:03:39 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
69.105.20.217 - - [04/Sep/2006:20:03:39 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
69.105.20.217 - - [04/Sep/2006:20:03:39 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
69.105.20.217 - - [04/Sep/2006:20:03:39 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
69.105.20.217 - - [04/Sep/2006:20:03:39 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
69.105.20.217 - - [04/Sep/2006:20:03:39 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
69.105.20.217 - - [04/Sep/2006:20:03:39 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"
69.105.20.217 - - [04/Sep/2006:20:03:40 -0400] "GET
http://www.darkdevelopments.com/images/header.jpg HTTP/1.0" 500 - "-" "-"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%% %%%%%%%

4: Identifying the user(s)

87.228.158.100 - - [04/Sep/2006:13:48:24 -0400] "GET / HTTP/1.1" 500 - "-"


"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
Firefox/1.0.7"

This is the schematic of what it would look like if you have an user(s) browsing your site,
or viewing a page. Now depending on the end users OS, browser, and whatnot, it may
appear different. However this user's using Mozilla Firefox version 5.0 (Above info), and
what does that tell you? That's telling you, that, that user's using a browser to access your
site. As the attacker format, is entirelly different, and doesn't imply a browser, OS, or
anything. It reads out a null/unidentified charactor formulation of "-" "-" Which is where
the "Browser/OS/etc" would be exhibited, if you look closely to them both.

Other user identifications, with proper synapsis implemented by me, explaining what it
all means, for you newbs.

[This is a user, using Firefox Gecko, v1.0.7 on Windows NT 5.1]


87.228.158.100 - - [04/Sep/2006:13:48:24 -0400] "GET / HTTP/1.1" 500 - "-"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
Firefox/1.0.7"

[This is a user, using Opera/9.00 on Windows NT 5.1]


62.103.190.211 - - [04/Sep/2006:13:53:07 -0400] "GET / HTTP/1.1" 500 -
"http://users.otenet.gr/~nicktrig/nsitexz/index.htm" "Opera/9.00 (Windows NT 5.1; U;
en)"

[This is a user, using Gigabot/2.0]


66.154.102.142 - - [04/Sep/2006:13:53:33 -0400] "GET /modules.php?
name=Forums&file=viewtopic&p=8378 HTTP/1.0" 500 - "-" "Gigabot/2.0;
http://www.gigablast.com/spider.html"

[This looks like an attacker, or could be a user trying to snoop the robots.txt]
65.214.44.31 - - [04/Sep/2006:13:58:52 -0400] "GET /robots.txt HTTP/1.0" 500 - "-"
"Mozilla/2.0 (compatible; Ask Jeeves/Teoma;
+http://about.ask.com/en/docs/about/webmasters.shtml)"

[This is a user, using Googlebot/2.1]


66.249.65.34 - - [04/Sep/2006:14:01:11 -0400] "GET /forums/viewforum.php?
f=12&sid=06a8aba4d1ef2f5922a41e6dc74 fb47a HTTP/1.1" 500 - "-" "Mozilla/5.0
(compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

[This is a user trying to view a forum topic, but can't 500'd]


66.249.65.34 - - [04/Sep/2006:14:05:20 -0400] "GET /forums/viewtopic.php?
t=238&sid=c44837a70f8489604d0d1c5c0c 66e677 HTTP/1.1" 500 - "-" "Mozilla/5.0
(compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%% %%%%%%%

5: About Author

This is the about me part, w00t. I'm 23, male, and I live in the U.S.A, I concider myself
an essentric hacker/programmer, or if appropriatly put, Security Enthusiast, and a real
good friend, for those who share equal respect for me, the scene and my favorite
hangouts. Obviously, you know my handle's xyr0x already... uhm, that's about all I have
to say, and if you want to contact me, you may do so, by using the following methods.

AIM: ixi xyr0x ixi


MSN: imaleethacker@hotmail.com (I don't use the email, so don't bother emailing me)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%% %%%%%%%

6: Other References

Below are some references which furthermore explain about HTTP and DDoS/DoS
Protection, and whatnot, since all my paper does, is tell you how to identify, and possibly
Ban the IP's on your part. I Hope you like what I selected for you. =]

HTTP/1.1 Status code definitions: http://www.w3.org/Protocols/rfc2616/rfc2616-


sec10.html
What's new with next gen DDoS applications:
http://staff.washington.edu/dittrich/misc/ddos/
Hardware to secure yourself from attemped ddos attacks: http://www.riorey.com/
Another service selling anti-ddos/drdos merch: http://www.prolexic.com
Demystifying network attacks "How it works":
http://www.securityfocus.com/infocus/1853

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy