Under random ssl attack

  • Under random ssl attack

    I noticed this the other day in the firewall logs:

    attackip: 59.103.215.235
    reason: The SSL session failed. This may be a configuration error, or it may be an attempt to subvert the protocol. Connection closed.
    information: SSL_accept
    SSL routines:SSL3_GET_CLIENT_HELLO:no ciphers specified

    There were a lot of them... like hundreds of thousands. Over three hundred thousand in the last day.

    Then I read this on slashdot:

    angry tapir writes "More than 300 Web sites are being pestered by infected computers that are part of the Pushdo botnet. The FBI, Twitter, and PayPal are among the sites being hit, although it doesn't appear the attacks are designed to knock the sites offline. Pushdo appears to have been recently updated to cause computers infected with it to make SSL connections to various Web sites — the bots start to create an SSL connection, disconnect, and then repeat."

    SecureWorks's Joe Stewart theorizes that this behavior is designed to obscure Pushdo's command and control in a flurry of bogus SSL traffic.
    Very interesting. Will be working on a way to mitigate it. Bumped up defense sensitivity, I apologize if you accidentally get temporarily blocked.

    Oh aren't we lucky!

    http://www.shadowserver.org/wiki/upl...shdo_sites.txt
    Last edited by The Dark Tangent; February 1, 2010, 21:19.
    PGP Key: https://defcon.org/html/links/dtangent.html
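
An added example, not part of the original post or the forum's tooling: a tally of the "no ciphers specified" handshake failures per source address, parsed from records in the layout quoted above. The sample log, the second error line, the function names and the threshold are constructed for illustration.

```python
import re
from collections import Counter

RECORD_START = re.compile(r"^attackip:\s*(\S+)$")
OPENSSL_ERR = re.compile(r"^SSL routines:([A-Z0-9_]+):(.+)$")
REASON = ("reason: The SSL session failed. This may be a configuration error, "
          "or it may be an attempt to subvert the protocol. Connection closed.")
NO_CIPHERS = "SSL routines:SSL3_GET_CLIENT_HELLO:no ciphers specified"
# Constructed second error line, used only to show other failures are not counted.
OTHER = "SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol"

def _record(ip, err_line):
    """Build one constructed log record in the layout quoted in the post."""
    return f"attackip: {ip}\n{REASON}\ninformation: SSL_accept\n{err_line}\n\n"

# Constructed sample; addresses come from documentation ranges (RFC 5737).
SAMPLE_LOG = (
    "".join(_record("192.0.2.10", NO_CIPHERS) for _ in range(4))
    + _record("198.51.100.7", NO_CIPHERS)
    + "".join(_record("203.0.113.5", OTHER) for _ in range(2))
    + "attackip: 203.0.113.9\n"  # truncated record with no error line
)

def parse_records(text):
    """Split the log into records, one per 'attackip:' line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RECORD_START.match(line):
            cur = {"ip": m.group(1), "func": None, "error": None}
            records.append(cur)
        elif cur is not None and (m := OPENSSL_ERR.match(line)):
            cur["func"], cur["error"] = m.group(1), m.group(2)
    return records

def noisy_sources(records, func="SSL3_GET_CLIENT_HELLO",
                  error="no ciphers specified", threshold=3):
    """Return {ip: count} for sources with at least `threshold` matching failures."""
    counts = Counter(r["ip"] for r in records
                     if r["func"] == func and r["error"] == error)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in sorted(noisy_sources(parse_records(SAMPLE_LOG)).items()):
        print(f"{ip}\t{n} 'no ciphers specified' failures")
```
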

  • #2
    Re: Under random ssl attack

    Originally posted by Dark Tangent:
    Very interesting. Will be working on a way to mitigate it.
    Nuke it from Orbit, after all, it's the only way to be sure.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

    • #3
      Re: Under random ssl attack

      I say we turn the Internet off. That will stop these attacks.

      I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me

      • #4
        Re: Under random ssl attack

        I really wish I'd taken that HAM radio exam at defcon last year now.
        - Null Space Labs

        • #5
          Re: Under random ssl attack

          Originally posted by charliex:
          I really wish I'd taken that HAM radio exam at defcon last year now.
          Are you saying we should switch to the upper sideband?

          That explains why it's been so difficult to access the site lately, though.

          • #6
            Re: Under random ssl attack

            Originally posted by beakmyn:
            Are you saying we should switch to the upper sideband?

            That explains why it's been so difficult to access the site lately, though.
            Yes, but you'll also have to give the clarifier a +5khz slide.

            Careful though, there's a smokey in a plain brown wrapper over near 12.120.180.8.
            A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

            • #7
              Re: Under random ssl attack

              Originally posted by streaker69:
              Yes, but you'll also have to give the clarifier a +5khz slide.

              Careful though, there's a smokey in a plain brown wrapper over near 12.120.180.8.
              Oh, you just shit on solemn ground right there. Don't ever call a HAM a CB whacker. Dems fighting words.
