Hello dear companions,

Two days ago one of my Tor exit nodes experienced something I'm now calling the "limestonenetworks DDoS on polipo" ($WAN_IP:8123), since all packets in the storm were flowing from a range of 514 different IP addresses, all of them inside the limestonenetworks IP range and targeting port 8123 on my Tor exit node's WAN IP.

Before the packet storm, I could observe a huge increase in attempts to access my WAN domain through Tor. I couldn't relate the IP addresses from this first rise to those responsible for the actual packet storm, nor could I identify any useful pattern there, but they were all coming from port 9001 and increased just some hours before the storm, so I'm guessing they are related somehow. Also, throughout the storm, one of my log files got corrupted with some unreadable binary garbage. I do not know if it was an intended/targeted exploit, but I'm reworking secrets and trying to figure out what this binary is.

Here is a sample line of a WAN attempt:

Aug 13 16:50:22 $USER user.warn kernel: [DROP INVALID WAN] : IN=vlan2 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=77.56.151.190 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=38787 DF PROTO=TCP SPT=40888 DPT=9001 SEQ=289854459 ACK=41163

Here is a sample line of the packet storm:

Aug 13 20:39:14 $USER user.warn kernel: [hammer] : IN=vlan2 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=74.63.216.60 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=20269 DF PROTO=TCP SPT=1757 DPT=8123 WINDOW=65535 RES=0x00 SYN URGP=0 OP

The attack persisted for at least three hours and left this binary (hex representation):

0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
0000b90 0000 0000 0000 0000 0000 0000 2067 3331
0000ba0 3220 3a30 3135 303a 2034 6174 6567 7573
0000bb0 7568 7520 6573 2e72 6177 6e72 6b20 7265
0000bc0 656e 3a6c 5b20 6168 6d6d 7265 205d 203a
0000bd0 4e49 763d 616c 326e 4f20 5455 203d 414d
0000be0 3d43 3030 323a 3a31 3732 663a 3a61 6464
0000bf0 343a 3a34 3030 313a 3a35 3966 323a 3a61
0000c00 6639 643a 3a39 3830 303a 3a30 3534 303a
0000c10 3a30 3030 333a 2034 5253 3d43 3132 2e36
0000c20 3432 2e35 3232 2e31 3031 2037 5344 3d54
0000c30 3831 2e39 3833 322e 3533 322e 3035 4c20
0000c40 4e45 353d 2032 4f54 3d53 7830 3030 5020
0000c50 4552 3d43 7830 3030 5420 4c54 343d 2038
0000c60 4449 313d 3335 3431 4420 2046 5250 544f
0000c70 3d4f 4354 2050 5053 3d54 3932 3635 4420
0000c80 5450 383d 3231 2033 4957 444e 574f 363d
0000c90 3535 3533 5220 5345 303d 3078 2030 5953
0000ca0 204e 5255 5047 303d 000a
0000ca9

Attached is the list of participating IP addresses, line by line, with the count of packets received. The attacker started sending something like 4 packets per second and increased to over 9000!!! - just kidding, over 30 per second. JSYK, I welcome any comments.
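Decoding the dump above settles what the "binary" is. This is an added example, not part of the original post; it assumes the dump was produced by od with hex offsets and little-endian 16-bit words, which is what offsets like 0000b90 and words like 2067 ("g ") indicate. The result is 0xb9c (2972) NUL bytes followed by 269 bytes of plain ASCII: an ordinary [hammer] record in exactly the format of the storm sample, ending in "DPT=8123 WINDOW=65535 RES=0x00 SYN URGP=0" plus a newline, with the zeros running over the first two characters of the timestamp (the text resumes at "g 13 20:51:04"). A block of zeros followed by an intact record is what a zero-filled hole in a log file looks like, not an injected payload; a common cause is the file being truncated or rotated while the logger kept appending at its old offset. One caveat before pasting raw dumps to a public list: the decoded record carries the unredacted host name and destination address that the masked samples hide.

```python
import re

# The od-style dump from the post, copied verbatim: hex offsets, 16-bit words
# in little-endian order, "*" meaning "previous line repeats", and a final
# line holding only the total length.
OD_DUMP = """\
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
0000b90 0000 0000 0000 0000 0000 0000 2067 3331
0000ba0 3220 3a30 3135 303a 2034 6174 6567 7573
0000bb0 7568 7520 6573 2e72 6177 6e72 6b20 7265
0000bc0 656e 3a6c 5b20 6168 6d6d 7265 205d 203a
0000bd0 4e49 763d 616c 326e 4f20 5455 203d 414d
0000be0 3d43 3030 323a 3a31 3732 663a 3a61 6464
0000bf0 343a 3a34 3030 313a 3a35 3966 323a 3a61
0000c00 6639 643a 3a39 3830 303a 3a30 3534 303a
0000c10 3a30 3030 333a 2034 5253 3d43 3132 2e36
0000c20 3432 2e35 3232 2e31 3031 2037 5344 3d54
0000c30 3831 2e39 3833 322e 3533 322e 3035 4c20
0000c40 4e45 353d 2032 4f54 3d53 7830 3030 5020
0000c50 4552 3d43 7830 3030 5420 4c54 343d 2038
0000c60 4449 313d 3335 3431 4420 2046 5250 544f
0000c70 3d4f 4354 2050 5053 3d54 3932 3635 4420
0000c80 5450 383d 3231 2033 4957 444e 574f 363d
0000c90 3535 3533 5220 5345 303d 3078 2030 5953
0000ca0 204e 5255 5047 303d 000a
0000ca9
"""


def od_x_to_bytes(dump):
    """Rebuild the original bytes from an `od -A x -x` style dump.

    Each 16-bit word is emitted low byte first (0x2067 -> b"g "). A line of
    "*" means the previous line repeats until the next offset. The last line
    gives the file length, which also trims the padding byte od adds when
    the file has an odd number of bytes.
    """
    out = bytearray()
    prev = b""
    repeat = False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "*":
            repeat = True
            continue
        parts = line.split()
        offset = int(parts[0], 16)
        if repeat:
            while len(out) < offset:
                out += prev
            repeat = False
        if len(parts) == 1:          # length-only final line
            del out[offset:]
            break
        chunk = b"".join(int(w, 16).to_bytes(2, "little") for w in parts[1:])
        out += chunk
        prev = chunk
    return bytes(out)


def analyze(dump):
    """Split the file into its leading NUL run and whatever follows it."""
    blob = od_x_to_bytes(dump)
    nul = len(blob) - len(blob.lstrip(b"\x00"))
    tail = blob[nul:]
    printable = all(b in (0x09, 0x0A, 0x0D) or 0x20 <= b < 0x7F for b in tail)
    m = re.search(rb"\[([^\]]+)\] : IN=", tail)
    return {
        "length": len(blob),
        "leading_nul": nul,
        "printable": printable,
        "log_prefix": m.group(1).decode() if m else None,
        "tail": tail.decode("ascii", "replace"),
    }


if __name__ == "__main__":
    r = analyze(OD_DUMP)
    print(f"{r['length']} bytes, {r['leading_nul']} leading NULs, "
          f"printable tail: {r['printable']}, log prefix: {r['log_prefix']}")
```

Run as a script it reports the sizes and the iptables log prefix of the trailing record; the decoded text itself is in the "tail" entry of the returned dict.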
74.63.255.118: 248 216.245.193.201: 235 208.115.232.205: 231 74.63.255.119: 225 216.245.193.200: 219 216.245.193.202: 218 216.245.193.198: 214 74.63.255.120: 204 216.245.220.57: 202 64.31.63.156: 201 216.245.193.203: 198 74.63.255.116: 192 69.162.76.137: 189 64.31.63.153: 186 216.245.220.56: 186 208.115.218.170: 184 74.63.255.74: 179 74.63.255.117: 178 74.63.218.58: 177 69.162.71.236: 176 64.31.11.137: 173 69.162.71.232: 172 216.245.220.59: 172 64.31.58.200: 171 216.245.193.199: 165 64.31.63.154: 164 208.115.230.158: 164 69.162.76.138: 161 69.162.119.46: 161 69.162.119.44: 159 69.162.71.235: 157 74.63.244.202: 155 64.31.63.152: 155 64.31.11.142: 155 216.144.253.39: 154 64.31.58.204: 153 64.31.58.203: 153 216.245.220.58: 151 69.162.76.139: 150 69.162.71.233: 150 64.31.58.202: 148 64.31.63.155: 147 64.31.58.201: 143 216.144.253.40: 138 74.63.218.56: 138 216.245.193.197: 132 74.63.252.233: 127 69.162.76.136: 126 208.115.218.173: 125 208.115.229.125: 125 74.63.255.115: 125 64.31.50.99: 125 74.63.252.234: 122 64.31.50.98: 121 64.31.63.158: 119 208.115.240.190: 119 208.115.240.188: 118 208.115.212.73: 116 208.115.232.204: 114 74.63.216.61: 113 74.63.252.235: 112 208.115.240.189: 112 74.63.218.57: 111 216.144.253.41: 111 64.31.63.157: 110 208.115.232.206: 107 216.245.222.114: 105 69.162.76.253: 105 208.115.218.174: 104 64.31.11.136: 104 74.63.216.62: 104 64.31.58.205: 104 69.162.109.29: 103 64.31.11.138: 103 64.31.50.100: 99 74.63.252.232: 97 216.144.253.36: 96 69.162.125.230: 94 69.162.76.140: 93 69.162.119.39: 91 74.63.244.206: 91 208.115.240.187: 91 208.115.229.126: 88 69.162.71.234: 87 208.115.212.72: 84 74.63.255.114: 83 69.162.109.30: 82 64.31.50.101: 81 69.162.125.228: 81 64.31.53.24: 80 74.63.237.194: 78 64.31.53.26: 77 74.63.218.66: 77 69.162.126.27: 77 74.63.237.195: 76 74.63.255.75: 75 216.144.253.42: 75 216.245.221.107: 74 208.115.228.51: 74 64.31.53.25: 73 64.31.53.27: 72 64.31.38.5: 71 208.115.229.46: 70 69.162.71.237: 69 74.63.221.251: 68 69.162.100.87: 68 
64.31.38.2: 68 63.143.51.243: 68 208.115.212.71: 66 74.63.216.60: 65 74.63.252.236: 64 208.115.212.74: 61 64.31.63.243: 58 63.143.36.18: 58 216.245.221.105: 57 63.143.51.244: 57 74.63.200.66: 57 64.31.53.28: 56 216.245.221.103: 56 74.63.240.188: 55 216.144.253.43: 55 64.31.63.244: 55 208.115.228.52: 53 64.31.58.206: 52 64.31.50.102: 51 208.115.229.45: 51 74.63.252.237: 50 208.115.200.230: 47 69.162.125.229: 47 74.63.240.190: 46 64.31.11.130: 46 208.115.215.243: 46 64.31.63.245: 45 64.31.53.30: 45 208.115.222.12: 43 64.31.38.6: 43 74.63.252.238: 42 64.31.53.29: 42 63.143.51.246: 41 216.245.221.106: 39 69.162.83.195: 39 216.245.220.52: 38 208.115.226.130: 38 63.143.51.245: 38 69.162.83.196: 37 64.31.50.103: 37 64.31.50.104: 37 208.115.232.214: 37 208.115.226.189: 37 208.115.222.14: 37 208.115.229.124: 36 216.245.221.104: 36 216.245.222.125: 36 69.162.83.198: 35 63.143.49.228: 35 208.115.229.44: 35 216.245.195.233: 34 64.31.38.3: 34 216.245.220.51: 32 208.115.215.245: 32 208.115.200.219: 32 208.115.200.228: 32 74.63.216.59: 32 216.245.213.78: 31 63.143.36.19: 30 216.245.195.234: 30 208.115.218.172: 30 208.115.212.76: 30 69.162.83.197: 29 216.245.222.126: 29 23.19.99.4: 29 63.143.49.230: 28 64.31.52.149: 28 74.63.240.189: 28 216.245.195.237: 28 64.31.52.166: 28 173.234.116.236: 27 23.19.54.153: 27 64.31.28.5: 27 69.162.116.171: 27 23.19.54.157: 27 173.234.116.235: 26 216.245.222.115: 26 208.115.232.213: 26 74.63.237.197: 26 208.115.212.75: 26 216.245.195.238: 26 216.245.221.101: 26 69.162.76.141: 25 216.245.195.235: 24 64.31.63.94: 24 69.162.74.20: 23 216.245.220.53: 23 64.31.63.246: 23 173.234.116.231: 23 23.19.54.189: 23 208.115.226.187: 22 23.19.54.151: 22 64.31.38.4: 22 64.31.63.247: 22 173.234.116.233: 22 64.31.63.169: 21 23.19.54.158: 21 216.144.240.38: 21 173.234.247.26: 21 216.245.222.123: 21 216.245.222.124: 21 74.63.193.12: 20 64.31.28.7: 20 216.245.221.102: 20 64.31.51.210: 19 173.234.116.234: 19 64.31.51.213: 19 69.162.65.196: 18 208.115.215.244: 18 
64.31.28.4: 18 208.115.228.54: 18 64.31.52.147: 18 69.162.126.116: 18 208.115.200.235: 18 216.245.222.118: 17 23.19.54.152: 17 23.19.99.5: 17 208.115.215.250: 17 23.19.54.244: 16 208.115.200.237: 16 23.19.54.188: 16 216.245.222.117: 15 208.115.229.114: 15 216.245.222.116: 15 23.19.54.190: 15 173.234.116.237: 15 74.63.193.14: 15 69.162.126.115: 15 173.234.116.238: 15 23.19.99.7: 14 208.115.212.77: 14 216.245.219.70: 14 173.234.116.184: 14 63.143.51.247: 14 74.63.218.68: 14 64.31.28.3: 13 69.162.88.171: 13 23.19.79.51: 13 208.115.228.55: 13 74.63.237.198: 13 208.115.226.188: 13 173.234.116.186: 13 23.19.54.44: 12 69.162.119.38: 12 63.143.36.40: 12 173.234.116.232: 12 74.63.232.211: 11 23.19.79.52: 11 208.115.200.232: 11 216.245.195.236: 11 142.91.245.132: 11 208.115.211.58: 11 23.19.54.43: 11 64.31.28.6: 10 208.115.215.246: 10 108.62.75.7: 10 208.115.215.248: 10 173.234.12.187: 10 23.19.54.156: 10 208.115.200.238: 9 173.234.116.183: 9 108.62.75.6: 9 69.162.126.117: 9 108.62.236.190: 9 173.234.116.188: 9 173.234.116.185: 9 69.162.65.195: 9 173.208.57.54: 9 23.19.54.154: 8 64.31.51.211: 8 142.91.31.251: 8 64.31.63.93: 8 23.19.47.229: 8 23.19.58.236: 8 208.115.200.234: 8 173.234.247.19: 8 64.31.53.23: 8 216.144.247.141: 8 69.162.74.22: 8 173.234.116.189: 7 208.115.200.212: 7 64.31.52.162: 7 69.162.127.172: 7 23.19.50.22: 6 173.234.224.62: 6 108.62.75.8: 6 23.19.63.172: 6 216.144.247.174: 6 64.31.50.106: 6 173.234.60.179: 6 69.162.104.168: 6 63.143.36.45: 6 74.63.193.13: 6 208.115.221.194: 5 208.115.232.215: 5 69.162.65.197: 5 69.162.88.172: 5 208.115.228.56: 5 63.143.36.42: 5 208.115.246.199: 5 23.19.99.14: 5 208.115.211.56: 5 69.162.74.21: 5 173.234.116.187: 5 69.162.77.29: 4 64.31.43.141: 4 64.31.53.18: 4 23.19.54.155: 4 208.115.212.78: 4 23.19.99.11: 4 216.245.220.54: 4 23.19.130.169: 4 74.63.240.187: 4 69.162.64.254: 4 23.19.54.187: 4 69.162.86.84: 4 63.143.36.43: 3 173.234.33.66: 3 74.63.232.217: 3 23.19.54.242: 3 23.19.50.20: 3 173.234.247.21: 3 23.19.50.19: 3 
74.63.255.36: 3 23.19.50.23: 3 173.208.85.19: 3 23.19.130.166: 3 23.19.99.8: 3 23.19.50.24: 3 23.19.75.215: 3 173.234.60.182: 3 173.234.41.44: 3 23.19.54.246: 3 69.162.86.85: 3 74.63.237.199: 3 23.19.99.12: 3 74.63.193.4: 3 23.19.75.212: 3 69.162.76.254: 2 64.31.53.20: 2 64.31.52.173: 2 173.208.57.53: 2 69.162.67.70: 2 216.144.243.28: 2 74.63.200.77: 2 74.63.255.35: 2 69.162.126.22: 2 23.19.79.53: 2 173.234.224.61: 2 208.115.218.162: 2 69.162.117.118: 2 208.115.222.13: 2 23.19.63.174: 2 216.245.220.55: 2 74.63.232.212: 2 208.115.229.115: 2 208.115.232.198: 2 208.115.229.119: 2 63.143.36.26: 2 74.63.216.53: 2 23.19.47.227: 2 208.115.240.66: 2 208.115.230.157: 2 23.19.99.2: 2 69.162.86.86: 2 208.115.209.51: 2 69.162.77.30: 2 208.115.226.186: 2 208.115.226.182: 2 216.144.240.43: 1 69.162.83.26: 1 208.115.209.57: 1 69.162.74.19: 1 64.31.62.190: 1 69.162.120.93: 1 173.234.116.11: 1 64.31.28.8: 1 23.19.99.13: 1 216.144.250.20: 1 URGP=0 OPT (02: 1 216.144.247.136: 1 216.245.213.75: 1 69.162.100.86: 1 63.143.51.249: 1 69.162.100.83: 1 64.31.11.131: 1 208.115.246.206: 1 216.245.222.121: 1 63.143.36.30: 1 208.115.226.131: 1 208.115.222.5: 1 208.115.226.142: 1 63.143.36.46: 1 69.162.83.83: 1 69.162.100.84: 1 69.162.126.118: 1 69.162.120.90: 1 208.115.245.251: 1 216.245.221.99: 1 208.115.221.197: 1 208.115.222.2: 1 208.115.221.205: 1 208.115.226.138: 1 64.31.39.150: 1 64.31.50.18: 1 64.31.52.107: 1 63.143.36.24: 1 216.144.252.126: 1 74.63.218.51: 1 63.143.45.115: 1 208.115.246.205: 1 64.31.62.182: 1 OW=65535 RES: 1 69.162.121.12: 1 173.234.116.69: 1 23.19.67.214: 1 69.162.76.252: 1 208.115.232.218: 1 173.234.41.40: 1 108.62.40.236: 1 208.115.215.252: 1 74.63.252.100: 1 63.143.36.34: 1 208.115.200.196: 1 69.162.88.173: 1 74.63.216.52: 1 69.162.126.29: 1 208.115.221.195: 1 69.162.83.28: 1 23.19.47.230: 1 208.115.222.3: 1 208.115.213.14: 1 64.31.39.157: 1 23.19.54.247: 1 74.63.232.214: 1 69.162.119.206: 1 69.162.116.174: 1 208.115.232.220: 1 208.115.240.68: 1 64.31.39.158: 1 
69.162.126.21: 1 69.162.124.4: 1 108.62.40.235: 1 69.162.76.142: 1 216.144.253.35: 1 69.162.119.35: 1 20=0x00: 1 208.115.213.12: 1 69.162.113.70: 1 74.63.218.71: 1 64.31.39.147: 1 64.31.39.154: 1 SPT=1480 DP: 1 64.31.11.140: 1 74.63.218.69: 1 64.31.51.219: 1 208.115.211.60: 1 30001010402) : 1 208.115.222.10: 1 208.115.240.67: 1 69.162.100.82: 1 69.162.105.68: 1 23.19.54.181: 1 208.115.232.211: 1 23.19.54.148: 1 74.63.218.78: 1 23.19.54.253: 1 216.245.210.61: 1 64.31.50.108: 1 108.62.185.205: 1 63.143.45.119: 1 64.31.62.185: 1 208.115.212.68: 1 208.115.232.197: 1 216.144.254.195: 1 208.115.226.135: 1 74.63.218.60: 1 64.31.38.116: 1 64.31.51.216: 1 23.19.54.180: 1 69.162.105.70: 1 23.19.130.164: 1 64.31.52.108: 1 208.115.209.60: 1 208.115.218.166: 1 64.31.52.174: 1 63.143.36.35: 1 69.162.120.94: 1 64.120.56.14: 1 208.115.209.58: 1 64.31.48.156: 1 SYN URGP=0 OPT: 1 69.162.127.173: 1 208.115.233.28: 1 216.245.220.166: 1 23.19.130.163: 1 63.143.45.124: 1 64.31.52.158: 1 63.143.36.38: 1 64.31.62.163: 1 63.143.36.29: 1 64.31.39.152: 1 216.144.247.169: 1 74.63.232.213: 1 O=TCP SPT=2216 : 1 208.115.211.50: 1 74.63.200.73: 1
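The count list above looks like it was made by taking a fixed character range from each log line, which is why fragments such as "URGP=0 OPT (02: 1", "OW=65535 RES: 1" and "30001010402) : 1" appear among the addresses: lines whose earlier fields are longer or shorter than usual shift the columns. As an added example, and not the poster's own script, here is a parser that reads the KEY=VALUE fields by name instead, keeps only bare SYNs to the attacked port, and reports per-source counts, the peak packets per second and the /16 networks involved. The log lines it runs on are constructed in the same format as the samples in the post (the host name "router", the MAC placeholders and the OPT value are made up; DST is redacted as in the post).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the post's iptables LOG format. Not real data.
SAMPLE_LOG = """\
Aug 13 20:39:14 router user.warn kernel: [hammer] : IN=vlan2 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=74.63.216.60 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=20269 DF PROTO=TCP SPT=1757 DPT=8123 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4)
Aug 13 20:39:14 router user.warn kernel: [hammer] : IN=vlan2 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=216.245.193.201 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=20270 DF PROTO=TCP SPT=2001 DPT=8123 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 13 20:39:14 router user.warn kernel: [hammer] : IN=vlan2 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=74.63.216.60 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=20271 DF PROTO=TCP SPT=1758 DPT=8123 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 13 20:39:15 router user.warn kernel: [hammer] : IN=vlan2 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=216.245.193.201 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=20272 DF PROTO=TCP SPT=2002 DPT=8123 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 13 16:50:22 router user.warn kernel: [DROP INVALID WAN] : IN=vlan2 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=77.56.151.190 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=38787 DF PROTO=TCP SPT=40888 DPT=9001 SEQ=289854459 ACK=41163
Aug 13 20:39:15 router user.warn kernel: eth0: link up
"""

# "Mon dd hh:mm:ss host facility kernel: [prefix] : KEY=VALUE ... FLAG ..."
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ \S+ kernel: "
    r"\[(?P<prefix>[^\]]*)\] : (?P<rest>.*)$"
)
# "OPT (0204...)" contains a space; fold it into a normal KEY=VALUE token
# so a plain whitespace split does not produce a stray "(02..." fragment.
_OPT = re.compile(r"OPT \(([0-9A-Fa-f]*)\)")


def parse_line(line):
    """Return (timestamp, log prefix, fields dict, flag set) or None."""
    m = _HEADER.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in _OPT.sub(r"OPT=\1", m.group("rest")).split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        else:
            flags.add(tok)            # DF, SYN, ACK, RST, ...
    return m.group("ts"), m.group("prefix"), fields, flags


def summarize_syn_flood(log_text, dport):
    """Aggregate bare SYNs to one TCP port by source, by second and by /16."""
    per_src, per_sec, per_net, windows = Counter(), Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _prefix, f, flags = rec
        if f.get("PROTO") != "TCP" or f.get("DPT") != dport:
            continue
        if "SYN" not in flags or "ACK" in flags:
            continue                  # connection attempts only
        src = f["SRC"]
        per_src[src] += 1
        per_sec[ts] += 1              # syslog resolution is one second
        per_net[str(ipaddress.ip_network(f"{src}/16", strict=False))] += 1
        windows[f.get("WINDOW")] += 1
    return {
        "total": sum(per_src.values()),
        "sources": len(per_src),
        "top_sources": sorted(per_src.items(), key=lambda kv: (-kv[1], kv[0])),
        "peak_per_second": max(per_sec.values(), default=0),
        "slash16s": sorted(per_net),
        "window_values": dict(windows),
    }


if __name__ == "__main__":
    s = summarize_syn_flood(SAMPLE_LOG, "8123")
    print(f"{s['total']} SYNs from {s['sources']} sources in {len(s['slash16s'])} /16s, "
          f"peak {s['peak_per_second']}/s, WINDOW values {s['window_values']}")
    for ip, n in s["top_sources"]:
        print(f"{ip}: {n}")
```

Fed the real log (for instance `summarize_syn_flood(open("/var/log/messages").read(), "8123")`), the same function gives the clean per-source list, the peak rate the post estimates by eye, and how many /16 blocks the 514 sources collapse into; a single WINDOW value across every source is the kind of fingerprint worth noting when all the senders run the same tool.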
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/