Re: [Full-disclosure] metasploit.com = 127.0.0.1

2009-02-11 Thread sr.
.org is now being affected as well.

On Wed, Feb 11, 2009 at 3:11 AM, alessandro telami tel...@hotmail.com wrote:
 I'm seeing the same on my Network.

 Cyber-threats

 
 Date: Tue, 10 Feb 2009 16:08:38 -0600
 From: vigilantgregor...@gmail.com
 To: static...@gmail.com
 CC: full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] metasploit.com = 127.0.0.1

 DDOS


 On Tue, Feb 10, 2009 at 4:05 PM, sr. static...@gmail.com wrote:

 anybody else seeing this?

 can't get to metasploit because it's currently resolving to 127.0.0.1

 sr.

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/


 


Re: [Full-disclosure] metasploit.com = 127.0.0.1

2009-02-11 Thread Michael Holstein

 .org is now being affected as well.
   

Not here ..

$ date
Wed Feb 11 10:17:01 EST 2009

$ host metasploit.org
metasploit.org has address 66.240.213.84
metasploit.org mail is handled by 20 slug.metasploit.com.
metasploit.org mail is handled by 1 bogus.metasploit.com.
metasploit.org mail is handled by 30 core.metasploit.com.

$ host metasploit.com
metasploit.com has address 66.240.213.81
metasploit.com mail is handled by 30 core.metasploit.com.
metasploit.com mail is handled by 20 slug.metasploit.com.
metasploit.com mail is handled by 1 bogus.metasploit.com.



Re: [Full-disclosure] metasploit.com = 127.0.0.1

2009-02-11 Thread Michael Holstein

 that's all fine and dandy. still can't reach port 80.
   

Again .. not here (AS32818 in Cleveland, OH) ..

~$ wget -O - http://www.metasploit.org
--10:52:43--  http://www.metasploit.org/
           => `-'
Resolving www.metasploit.org... 66.240.213.84
Connecting to www.metasploit.org|66.240.213.84|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8,157 (8.0K) [text/html]

 0% [                                       ] 0             --.--K/s
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>The Metasploit Project</title>

...



Re: [Full-disclosure] metasploit.com = 127.0.0.1

2009-02-11 Thread Michael Holstein

 that's all fine and dandy. still can't reach port 80.
   

Have you tried using OpenDNS, etc. to see if it resolves?

eg: host -t a www.metasploit.org 208.67.222.222

Perhaps your school/employer/ISP has decided that Metasploit is off-limits.

~Mike.
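
Added example, not part of the original thread or any poster's code: a small Python check that applies the suggestion above by comparing the A records that `host` prints through different resolvers and flagging loopback answers. The two sample outputs are copied from messages in this thread; the resolver labels and the verdict names are assumptions made for illustration.

```python
import ipaddress
import re

# Matches the A-record lines printed by `host`, e.g. "name has address 192.0.2.1".
A_LINE = re.compile(r"^\S+ has address (\S+)$")

def parse_host_a(output):
    """Return the set of addresses from the 'has address' lines of `host` output."""
    addrs = set()
    for line in output.splitlines():
        m = A_LINE.match(line.strip())
        if m:
            addrs.add(ipaddress.ip_address(m.group(1)))
    return addrs

def compare_views(views):
    """views maps a resolver label to the `host` output seen through it.

    Returns (verdict, labels), where labels are the resolvers that stand out.
    """
    parsed = {label: parse_host_a(text) for label, text in views.items()}
    no_answer = sorted(l for l, a in parsed.items() if not a)
    loopback = sorted(l for l, a in parsed.items()
                      if any(ip.is_loopback for ip in a))
    if no_answer:
        return "no-a-record", no_answer         # NXDOMAIN, timeout or MX-only output
    if loopback and len(loopback) == len(parsed):
        return "loopback-everywhere", loopback  # consistent with the zone owner parking the record
    if loopback:
        return "loopback-on-some", loopback     # stale cache or a resolver that rewrites answers
    if len({frozenset(a) for a in parsed.values()}) > 1:
        return "divergent", sorted(parsed)      # resolvers disagree on non-loopback answers
    return "consistent", []

# Both outputs are copied from messages in this thread; the resolver labels used
# below are assigned for illustration (the posters did not name their resolvers).
VIEW_A = """metasploit.com has address 127.0.0.1
metasploit.com mail is handled by 1 bogus.metasploit.com.
metasploit.com mail is handled by 20 slug.metasploit.com."""
VIEW_B = """metasploit.com has address 66.240.213.81
metasploit.com mail is handled by 30 core.metasploit.com."""

if __name__ == "__main__":
    print(compare_views({"local": VIEW_A, "208.67.222.222": VIEW_B}))
```

A "loopback-on-some" verdict points at the named resolver (cache or local policy) rather than at the zone itself, while "loopback-everywhere" matches what the site operators later described doing on purpose.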



Re: [Full-disclosure] metasploit.com = 127.0.0.1

2009-02-11 Thread sr.
Well, i can resolve the IP's just fine. just can't connect to port 80.
I'm the fw / network person at my job, and i don't remember adding a
rule for this :-P

I can get there just fine now, seemed inaccessible to me for a short time.

thx all...

fabrizio

On Wed, Feb 11, 2009 at 11:00 AM, Michael Holstein
michael.holst...@csuohio.edu wrote:

 that's all fine and dandy. still can't reach port 80.


 Have you tried using OpenDNS, etc. to see if it resolves?

 eg: host -t a www.metasploit.org 208.67.222.222

 Perhaps your school/employer/ISP has decided that Metasploit is off-limits.

 ~Mike.




Re: [Full-disclosure] metasploit.com = 127.0.0.1

2009-02-11 Thread Jeremy Brown
balliwicked2

On Wed, Feb 11, 2009 at 11:05 AM, sr. static...@gmail.com wrote:
 Well, i can resolve the IP's just fine. just can't connect to port 80.
 I'm the fw / network person at my job, and i don't remember adding a
 rule for this :-P

 I can get there just fine now, seemed inaccessible to me for a short time.

 thx all...

 fabrizio

 On Wed, Feb 11, 2009 at 11:00 AM, Michael Holstein
 michael.holst...@csuohio.edu wrote:

 that's all fine and dandy. still can't reach port 80.


 Have you tried using OpenDNS, etc. to see if it resolves?

 eg: host -t a www.metasploit.org 208.67.222.222

 Perhaps your school/employer/ISP has decided that Metasploit is off-limits.

 ~Mike.




Re: [Full-disclosure] metasploit.com = 127.0.0.1

2009-02-11 Thread Lehman, Jim
The incoming connection rate has exceeded 15Mbps of just SYN packets, so
we decided to point www.metasploit.com and metasploit.com back to
127.0.0.1 for a little while. This is more to keep our ISP happy than
any fear of bandwidth charges. We ran a packet capture of the incoming
SYN traffic for about 8 hours; it takes up approximately 60Gb of disk
space. In the meantime, if you want to access the Metasploit web site,
please use: http://metasploit.org

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Jeremy
Brown
Sent: Wednesday, February 11, 2009 8:34 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] metasploit.com = 127.0.0.1

balliwicked2

On Wed, Feb 11, 2009 at 11:05 AM, sr. static...@gmail.com wrote:
 Well, i can resolve the IP's just fine. just can't connect to port 80.
 I'm the fw / network person at my job, and i don't remember adding a
 rule for this :-P

 I can get there just fine now, seemed inaccessible to me for a short
time.

 thx all...

 fabrizio

 On Wed, Feb 11, 2009 at 11:00 AM, Michael Holstein
 michael.holst...@csuohio.edu wrote:

 that's all fine and dandy. still can't reach port 80.


 Have you tried using OpenDNS, etc. to see if it resolves?

 eg: host -t a www.metasploit.org 208.67.222.222

 Perhaps your school/employer/ISP has decided that Metasploit is off-limits.

 ~Mike.



Re: [Full-disclosure] metasploit.com = 127.0.0.1

2009-02-11 Thread Peter Besenbruch
On Wednesday 11 February 2009 06:51:36 Lehman, Jim wrote:
 The incoming connection rate has exceeded 15Mbps of just SYN packets, so
 we decided to point www.metasploit.com and metasploit.com back to
 127.0.0.1 for a little while. This is more to keep our ISP happy than
 any fear of bandwidth charges. We ran a packet capture of the incoming
 SYN traffic for about 8 hours; it takes up approximately 60Gb of disk
 space. In the meantime, if you want to access the Metasploit web site,
 please use: http://metasploit.org

Also from the Metasploit site:

Feb-09-2009 Pathetic DDoS vs Metasploit (round 2) (hdm)

It looks like our little DDoS buddy got sent home from school early 
today -- the flood started up again, this time ignoring the DNS name for the 
metasploit.com web site and instead targeting both IP addresses configured on 
the server. While SSL service is still unaffected (including Online Update 
over SVN), folks who wish to visit the Metasploit web site will need to do so 
using an alternate port until we roll out the next countermeasure.

http://metasploit.com:8000/

We also host the main web server for Attack Research, which can now be 
accessed at:

http://www.attackresearch.com:8000/

Thanks for your patience,

Feb-08-2009 Pathetic DDoS vs Security Sites (hdm)

On Friday, starting around 9:00pm CST, the main metasploit.com was hit 
with a highly-annoying, if pretty useless distributed denial of service. The 
attack consisted of a botnet-sourced connection flood against port 80 for the 
metasploit.com host name. This flood consisted of about 80,000 connections 
per second, all from real hosts trying to send a simple HTTP request. At the 
same time, Packet Storm and Milw0rm were being hit as well. About 95% of the 
bots would intermittently resolve metasploit.com and follow the target 
address with the connection flood. The other 5% continued to bang on the main 
metasploit.com IP address and port even after the host record was changed.

Solving this involved parking the metasploit.com host record at 127.0.0.1 
and moving the other host names and services to a spare IP address. This 
allows for www.metasploit.com and most of our other domains and services to 
work properly. The only drawback is that until the flooding stops, we can't 
use the metasploit.com A record, which happens to be the default for updating 
the Metasploit Framework installation. A fun side effect is that they handed 
us full control of the DDoS stream: we can point the metasploit.com record 
anywhere we like and the connection flood will follow it.

We will continue to find other ways to mitigate the flood; but until we 
can safely use the metasploit.com name again, our standard online update 
mechanism is going to fail. If you are trying to check out a fresh copy of 
Metasploit from subversion, use the 
https://www.metasploit.com/svn/framework3/ URL for now. As of 9:30am CST, the 
Immunity web site is being hit as well. If anyone has information on the 
folks involved, we would love to hear from you :-)
-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky



[Full-disclosure] metasploit.com = 127.0.0.1

2009-02-10 Thread sr.
anybody else seeing this?

can't get to metasploit because it's currently resolving to 127.0.0.1

sr.



Re: [Full-disclosure] metasploit.com = 127.0.0.1

2009-02-10 Thread sr.
thanks, metasploit.org is up. reading the blog now...

On Tue, Feb 10, 2009 at 5:09 PM, Harry Hoffman
hhoff...@ip-solutions.net wrote:
 yep,

 [hhoff...@localhost ~]$ host metasploit.com
 metasploit.com has address 127.0.0.1
 metasploit.com mail is handled by 1 bogus.metasploit.com.
 metasploit.com mail is handled by 20 slug.metasploit.com.
 metasploit.com mail is handled by 30 core.metasploit.com.

 [hhoff...@localhost ~]$ host -t NS metasploit.com
 metasploit.com name server dns02.metasploit.com.
 metasploit.com name server dns01.metasploit.com.

 [hhoff...@localhost ~]$ host dns02.metasploit.com
 dns02.metasploit.com has address 66.240.213.81

 [hhoff...@localhost ~]$ host 66.240.213.81
 81.213.240.66.in-addr.arpa domain name pointer core.metasploit.com.


 On Tue, 2009-02-10 at 17:05 -0500, sr. wrote:
 anybody else seeing this?

 can't get to metasploit because it's currently resolving to 127.0.0.1

 sr.



Re: [Full-disclosure] metasploit.com = 127.0.0.1

2009-02-10 Thread Miller Grey
DDOS

On Tue, Feb 10, 2009 at 4:05 PM, sr. static...@gmail.com wrote:

 anybody else seeing this?

 can't get to metasploit because it's currently resolving to 127.0.0.1

 sr.
