[nsp-sec] DDoS to Joomla site
Alfredo Sola
alfredo at solucionesdinamicas.net
Fri Apr 11 07:38:43 EDT 2008
>> 8220 | 212.0.117.46 | COLT COLT Telecommunications
> Do you know if they have a ticket open with us? I just checked Peakflow
> and the link itself on the router, nothing on our radar (neither now nor
> in the historical data).
Well, these are completed TCP handshakes to a busy site, so it is difficult
to separate them from background noise, especially if you are sampling. Their
Fortigate IPS, however, seems very convinced that the list of IPs I sent
has been completing handshakes at a rate of several thousand per IP
within a few seconds, whilst a normal profile would be tens of
handshakes over a couple of minutes. As this kind of attack is not
bandwidth-intensive, and given that they run a usually busy couple of
sites, this can be just a small % variation over a normal day.
I am no fan of IPS systems and agree that DDoS reports have to be taken
with care, but all of this seems hard evidence enough to me.
Last update I have (about 30 mins ago) is that the attacker did get
access to their Joomla site and installed a module to take control of
it; they are now cleaning it up. So I am now convinced that the DDoS was
indeed a decoy.
Question - how can they reach you / your team with their ticket number?
Any role e-mail address...? I don't think I can provide much further
help here.
--
Alfredo Sola
ASP5-RIPE
http://alfredo.sola.es/
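The per-source handshake-rate distinction made in the message above (thousands of completed handshakes per IP within seconds, against a normal profile of tens over a couple of minutes) can be turned into a detection check that runs over connection-log lines. The following is an added example, not code from the original post, the nsp-sec list, or any Fortigate product; the log line format, the IP addresses, the `window_seconds`/`threshold` values and the sample log itself are constructed for illustration. It counts only completed handshakes per source in a sliding window, so a half-open SYN flood is deliberately ignored and a flood that is a small fraction of aggregate traffic still stands out per source.

```python
"""Per-source completed-handshake rate check over connection-log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical line format (not a real firewall or Fortigate format):
# "<ISO-8601 timestamp> src=<ip> dst=<ip>:<port> state=<ESTABLISHED|SYN_SENT|...>"


def build_sample_log():
    """Constructed sample log: one normal visitor, two flooding sources, one SYN-only source."""
    base = datetime(2008, 4, 11, 7, 0, 0)
    lines = []
    # Normal profile: ~20 completed handshakes spread over two minutes.
    for i in range(20):
        t = base + timedelta(seconds=i * 6)
        lines.append(f"{t.isoformat()} src=198.51.100.7 dst=203.0.113.10:80 state=ESTABLISHED")
    # Flood profile: 300 completed handshakes inside three seconds, from each of two sources.
    for src in ("192.0.2.10", "192.0.2.11"):
        for i in range(300):
            t = base + timedelta(milliseconds=i * 10)
            lines.append(f"{t.isoformat()} src={src} dst=203.0.113.10:80 state=ESTABLISHED")
    # Half-open SYNs never complete the handshake; the check below must ignore them.
    for i in range(50):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} src=192.0.2.99 dst=203.0.113.10:80 state=SYN_SENT")
    # Real logs interleave sources, so sort by timestamp rather than by source.
    return sorted(lines)


def parse_line(line):
    """Return (timestamp, source_ip) for a completed handshake, else None."""
    fields = line.split()
    if len(fields) < 4:
        return None
    kv = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    if kv.get("state") != "ESTABLISHED" or "src" not in kv:
        return None
    return datetime.fromisoformat(fields[0]), kv["src"]


def peak_handshakes(lines, window_seconds=5):
    """Peak number of completed handshakes any source reached inside one sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-source timestamps inside the current window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src = parsed
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > peak[src]:
            peak[src] = len(q)
    return dict(peak)


def flag_handshake_floods(lines, window_seconds=5, threshold=100):
    """Sources whose peak completed-handshake count in a window is at or above threshold.

    A threshold of 100 per 5 s sits far above a 'tens per couple of minutes'
    normal profile and far below the several-thousand-per-IP rate in the report.
    """
    peaks = peak_handshakes(lines, window_seconds)
    return {src: n for src, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in sorted(flag_handshake_floods(build_sample_log()).items()):
        print(f"{src}: peak {n} completed handshakes in 5 s")
```

Because the count is kept per source rather than as an aggregate rate, the two flooding addresses are flagged even though the site's total connection volume barely moves, which is the reason a link-level or sampled view may show nothing while a per-session IPS does.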