Gulliddos

From 22C3

Hi there,

We now get Step2 of the ddos! We get udp-floods to port 80. We have currently no own router in front of, so we cant block the requests. Services on all websites (antispam, computerbetrug and antispam) down for 1-2 hours. Update: Our ISP is blocking the udp-flood for us.

gulli is the biggest german "underground portal". We and 3 other german customer protection websites (dialerschutz.de, antispam.de and computerbetrug.de) get currently a big ddos by an unknown attacker. We have collected a lot of information, and want to make them public here.

It seems that the attacker build a botnet with about 5.000 zombies. We found a way to identify most of the affected hosts. Now we blacklist all those hosts by hi-pac (an iptables-replacement), so the site is still up.

Here is a list with all clients we currently block: https://events.ccc.de/congress/2005/mediawiki/images/a/a1/Ipliste.txt

(anyone knows how to upload some stuff with no "/images" in the url? :) )

Our current setup includes the following:

mod_security is activated in apache. Then we do the following match:

SecFilterEngine On SecFilterSelective "FOOBAR" "uninteresting" "log,status:500,exec:/usr/local/bin/mod_security/wrapper"

/usr/local/bin/mod_security/wrapper is an modified wrapper, which gets the ip of the attacker as an argument. Those ips are added to our blacklist with iptables.

The most of those hosts should be owned by some rootkit or trojan horse. So feel free to investigate. Maybe something interessting is there ;-)

If you have some questions or informations: contact degirmenci@jabber.ccc.de or icq 169800965 or mail: cd@wavecon.de or visit our homepage: Wavecon

Our new wrapper is available at http://download.wavecon.de - its gpl, so use it! :)