I noticed this the other day in the firewall logs:
attackip: 59.103.215.235
reason: The SSL session failed. This may be a configuration error, or it may be an attempt to subvert the protocol. Connection closed.
information: SSL_accept
SSL routines:SSL3_GET_CLIENT_HELLO:no ciphers specified
There were a lot of them.. like hundreds of thousands. Over three hundred thousand in the last day.
Then I read this on slashdot:
Very interesting. Will be working on a way to mitigate it. Bumped up defense sensitivity, I apologize if you accidentally get temporarily blocked.
angry tapir writes "More than 300 Web sites are being pestered by infected computers that are part of the Pushdo botnet. The FBI, Twitter, and PayPal are among the sites being hit, although it doesn't appear the attacks are designed to knock the sites offline. Pushdo appears to have been recently updated to cause computers infected with it to make SSL connections to various Web sites — the bots start to create an SSL connection, disconnect, and then repeat."
SecureWorks's Joe Stewart theorizes that this behavior is designed to obscure Pushdo's command and control in a flurry of bogus SSL traffic.
Oh aren't we lucky!
http://www.shadowserver.org/wiki/upl...shdo_sites.txt
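An added example, not part of the original post: one way to tally the handshake failures quoted above per source address and list the sources at or over a threshold. It assumes every record follows the four-line layout shown in the post; the sample log is constructed, and the 192.0.2.x addresses, the second error string and the threshold of 5 are illustrative.

```python
import re
from collections import Counter

# Error text exactly as it appears in the log excerpt in the post.
SIGNATURE = "SSL3_GET_CLIENT_HELLO:no ciphers specified"
IP_LINE = re.compile(r"^attackip:\s*(\S+)\s*$")


def count_empty_hello_failures(log_text):
    """Count records per attackip whose SSL error matches SIGNATURE."""
    counts = Counter()
    current_ip = None
    for line in log_text.splitlines():
        match = IP_LINE.match(line.strip())
        if match:
            current_ip = match.group(1)   # a new record starts here
        elif SIGNATURE in line and current_ip is not None:
            counts[current_ip] += 1
            current_ip = None             # count each record only once
    return counts


def noisy_sources(counts, threshold):
    """Return the addresses with at least `threshold` matching failures."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def _record(ip, error):
    # Builds one constructed record in the layout shown in the post.
    return (
        f"attackip: {ip}\n"
        "reason: The SSL session failed. This may be a configuration error, "
        "or it may be an attempt to subvert the protocol. Connection closed.\n"
        "information: SSL_accept\n"
        f"SSL routines:{error}\n"
    )


# Constructed sample: five hits from the address in the post, one from a
# placeholder address, and one unrelated SSL error that must not be counted.
SAMPLE_LOG = (
    _record("59.103.215.235", SIGNATURE) * 5
    + _record("192.0.2.10", SIGNATURE)
    + _record("192.0.2.11", "SSL3_GET_RECORD:wrong version number")
)

if __name__ == "__main__":
    totals = count_empty_hello_failures(SAMPLE_LOG)
    for ip in noisy_sources(totals, threshold=5):
        print(ip, totals[ip])
```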