Posted on Wednesday, February 11th, 2009

Metasploit And Other Sites DDoSed

by Jose Nazario

At about 12:52 PM on Feb 7th, HD Moore (leader of the Metasploit project) twittered “heh, metasploit.com is being DDoS’d again”. A little while later he pointed to a traffic graph and asked, “see if you can pick out the DDoS”. Hint: it’s obvious. He later started blogging the incident:

On Friday, starting around 9:00pm CST, the main metasploit.com was hit with a highly-annoying, if pretty useless distributed denial of service. The attack consisted of a botnet-sourced connection flood against port 80 for the metasploit.com host name. This flood consisted of about 80,000 connections per second, all from real hosts trying to send a simple HTTP request.

Source: Pathetic DDoS vs Security Sites, via the Metasploit blog.

The attack in this case involved hundreds of thousands of IPs and was a mix of a TCP SYN flood and an HTTP GET flood. As HD noted, the Metasploit site was one of a handful, and other sites being targeted included Milw0rm and Packet Storm.

So, what did Metasploit do to weather the attack when they didn’t have services available (gathered from watching this, actively querying the domain name, reading the Twitter account, and a second and third blog post)? They employed some well-known tricks that sometimes work:

  • They moved real services to port 8000, bypassing the TCP SYN flood and the HTTP GET flood which targeted port 80.
  • They moved the domain name to 127.0.0.1 with a short TTL to get the bots to target a useless address.
  • They noticed that the attack hit the metasploit.com domain and not www.metasploit.com, so they were able to selectively disable that name.
  • They also moved to another network, presumably with more bandwidth or some filtering capabilities available to the Metasploit site.

He has also shared a list of sources from the attack. Note that many of the sources showing only very small request counts are often search engine indexing bots.
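As an added illustration (not Arbor’s or Metasploit’s code), the triage below takes constructed access-log lines and does what the list of tricks above and the source list imply: it separates sources hammering the bare metasploit.com name at a high per-second rate from low-volume search engine crawlers and ordinary visitors of www. The log layout (combined format with the Host header appended), the crawler tokens and the request-rate threshold are assumptions chosen for the sample.

```python
import re
from collections import Counter, defaultdict

# Combined log format with the Host header as a trailing field; this layout is
# an assumption for the example, not the Metasploit site's own logs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \d+ '
                    r'"[^"]*" "(?P<ua>[^"]*)" (?P<host>\S+)$')
CRAWLER_TOKENS = ("googlebot", "bingbot", "slurp", "msnbot")  # assumed crawler UA markers

def parse_line(line):
    """Return the interesting fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_sources(lines, bare_host, rps_threshold):
    """Label each source IP: 'flood' (peak requests/second at or above the threshold,
    mostly against the bare host name), 'crawler' (search engine UA, low rate) or 'other'."""
    per_sec = defaultdict(Counter)   # ip -> {timestamp second: requests}
    hosts = defaultdict(Counter)     # ip -> {Host header: requests}
    agents = defaultdict(set)        # ip -> lower-cased user agents seen
    for rec in filter(None, map(parse_line, lines)):
        per_sec[rec["ip"]][rec["ts"]] += 1
        hosts[rec["ip"]][rec["host"]] += 1
        agents[rec["ip"]].add(rec["ua"].lower())
    labels = {}
    for ip, secs in per_sec.items():
        peak = max(secs.values())
        bare_share = hosts[ip][bare_host] / sum(hosts[ip].values())
        crawler = any(tok in ua for ua in agents[ip] for tok in CRAWLER_TOKENS)
        if peak >= rps_threshold and bare_share > 0.5:
            labels[ip] = "flood"
        elif crawler and peak < rps_threshold:
            labels[ip] = "crawler"
        else:
            labels[ip] = "other"
    return labels

def _line(ip, sec, host, ua="-"):
    """Build one constructed log line, all within 21:00 CST on the attack's first night."""
    return (f'{ip} - - [07/Feb/2009:21:00:{sec:02d} -0600] "GET / HTTP/1.0" 200 512 '
            f'"-" "{ua}" {host}')

# Constructed sample traffic: two bot sources hitting the bare name several times
# within one second, a search engine crawler and an ordinary visitor using www.
SAMPLE_LOG = (
    [_line("203.0.113.5", 1, "metasploit.com")] * 4
    + [_line("198.51.100.7", 1, "metasploit.com")] * 3
    + [_line("192.0.2.9", 2, "www.metasploit.com", "Googlebot/2.1 (+http://www.google.com/bot.html)")]
    + [_line("192.0.2.20", s, "www.metasploit.com", "Mozilla/5.0") for s in (3, 5)]
)
```

Running `classify_sources(SAMPLE_LOG, "metasploit.com", rps_threshold=3)` marks the two bare-name sources as flood and the crawler and visitor as what they are; on real logs the threshold would be far higher than the toy value used here.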

In the end, while they evaded the attacks for a bit, this didn’t appear to be sufficient.

We’ve been investigating this and cannot share any additional info at this time.

2 Responses

Comment by: t — February 13th, 2009 @ 10:25 am EST

What about filtering by HTTP header content (user agent, something missing or misspelled) or rate-limiting the same?

Comment by: Edição 63 - “i sh0t the sheriff” « g0t hacked — February 16th, 2009 @ 9:43 am EST

[...] post on metasploit ddos by arbor [...]
