Posted September 23rd, 2011 by rybolov
Ah yes, you now know how I spend my Saturday mornings lately.
Posted in DDoS, IKANHAZFIZMA
Tags: ddos • denial of service • dos • infosec • lolcats • pwnage • scalability • security
Posted September 23rd, 2011 by rybolov
Let me tell you a little story.
So September 17th was Constitution Day and was celebrated by protestors in most major cities across the US, with a sizable percentage of folks on Wall Street in NYC. In conjunction with this protest, a new Denial-of-Service tool, #RefRef, was supposed to be released. It supposedly used some SQL Injection techniques to put a file (originally listed as a JavaScript, but Java is more believable) on application or database servers that then created massive amounts of OS load, thereby crippling the server. The press coverage of the tool does have the quote of the year: “Imagine giving a large beast a simple carrot, [and then] watching the beast choke itself to death.” Seriously?
Then came the 17th. I checked the site, whoa, there is some perl code there. Then I read it and it sounded nothing like the tool as described. Rumor around the Intertubes was that #RefRef was/is a hoax and that the people responsible were collecting donations for R&D.
This is what the tool that was actually released on the RefRef site does:
GET /%20and%20(select+benchmark(99999999999,0x70726f62616e646f70726f62616e646f70726f62616e646f)) HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12
The way this works is that the request asks the database to run a benchmark query an enormous number of times. This is very similar to SQL Injection in that the request contains database commands which are then passed by the application server to the database. In this case, the SQL function is MySQL’s benchmark(), which evaluates an expression the given number of times (here 99999999999 times) so you can measure how long that expression takes; the second argument, 0x70726f62616e646f…, is just a hex-encoded string literal (it decodes to “probandoprobandoprobando”). As you would guess, a benchmark that large generates a ton of database server load, but only if the application really does pass the injected text through to the database unchecked. However, it’s only applicable to MySQL.
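As an added example (not from the post or from the RefRef code), here is a small Python checker a defender could run over web-server access logs to flag this request pattern: it URL-decodes the request target, looks for MySQL’s benchmark() with a huge iteration count (and, going beyond the post, sleep(), the other common time-wasting primitive), and decodes any 0x hex literal so the injected string is readable. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Sep/2011:10:01:22 +0000] "GET /%20and%20(select+benchmark(99999999999,0x70726f62616e646f70726f62616e646f70726f62616e646f)) HTTP/1.1" 200 512
203.0.113.6 - - [17/Sep/2011:10:01:23 +0000] "GET /index.php?id=42 HTTP/1.1" 200 8192
203.0.113.7 - - [17/Sep/2011:10:01:24 +0000] "GET /item?id=1%20and%20sleep(30) HTTP/1.1" 200 120
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# MySQL functions whose only effect is to burn time/CPU; benchmark() is what RefRef sends.
HEAVY_FN_RE = re.compile(r'\b(benchmark|sleep)\s*\(\s*(\d+)', re.IGNORECASE)
HEX_LITERAL_RE = re.compile(r'0x([0-9a-f]+)', re.IGNORECASE)

def decode_target(target):
    # Tools encode spaces as %20 or '+'; decode both so the SQL reads plainly.
    return unquote(target.replace('+', ' '))

def decode_hex_literals(sql):
    """Return printable decodings of 0x... literals (MySQL treats them as strings)."""
    decoded = []
    for m in HEX_LITERAL_RE.finditer(sql):
        h = m.group(1)
        if len(h) % 2:
            continue
        try:
            decoded.append(bytes.fromhex(h).decode('ascii'))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded

def analyse_line(line, iteration_threshold=100000):
    """Return a finding dict for a request carrying a heavy MySQL call, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    decoded = decode_target(m.group('target'))
    hit = HEAVY_FN_RE.search(decoded)
    if not hit:
        return None
    fn, count = hit.group(1).lower(), int(hit.group(2))
    # Any sleep() is suspicious; benchmark() only matters with a large iteration count.
    severe = fn == 'sleep' or count >= iteration_threshold
    return {'function': fn, 'count': count, 'decoded': decoded,
            'hex_strings': decode_hex_literals(decoded), 'severe': severe}

def find_resource_dos_requests(log_text):
    return [f for f in map(analyse_line, log_text.splitlines()) if f]
```

Tune `iteration_threshold` to your own baseline; a legitimate application should never send benchmark() or sleep() from a client-controlled parameter at all.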
Posted in DDoS, Technical
Tags: ddos • dos • infosec • pwnage • scalability
Posted September 2nd, 2011 by rybolov
Here at IKANHAZFIZMA, we’re training the next generation of Apache webserver Denial-of-Service gurus. It involves punching bags, some nomz for the troops, and lots of requests for kibble.
Posted in DDoS, IKANHAZFIZMA
Tags: ddos • infosec • lolcats • pwnage • security