Our product detected the attack as a 'connection flood' which is basically where you open up lots of connections to a server and leave them idle. This causes the server to have lots of open connections so that it reaches its maximum connection limit and therefore nobody else can access the site, resulting in denial of service.
A common tool for this is called naptha but what we are seeing is not consistent with this tool because as soon as the connection limit is reached all the connections are then closed. Naptha would keep them all open and regularly keep trying to open new ones. Our product monitors the connections to the site and when it begins to reach its limit denies new connections from clients which have more connections open than they should/normally would.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of daniel uriah clemens
> Sent: Thursday, July 10, 2003 12:47
> To: Gareth Blades
> Cc: Fulldisclosure
> Subject: Re: [Full-Disclosure] Attack profiling tool?
>
> > I have seen this a number of times from various IP addresses and it is
> > always exactly the same. Our product which detected this prevents against
> > these types of attacks anyway so it is not a problem but I was wondering if
> > it is a particular attack tool going round the Internet profiling different
> > sites to see how many connections they support.
>
> Out of curiosity to possibly reclarify your definition of an attack...
> What type of attacks do these more than 3 connections fall into?
>
> -Daniel Uriah Clemens
>
> Esse quam videra
> (to be, rather than to appear)
> http://www.birmingham-infragard.org | 2053284200
> fingerprint: EDF0 6566 2A4A 220E 5760 EA1F 0424 6DF6 F662 F5BD

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
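
Added example, not part of the original message and not the vendor's code: the admission policy the message describes (once the server nears its connection limit, refuse new connections from clients already holding more than a normal number), replayed over a constructed event list. The class and function names, the 80% pressure threshold, the per-client allowance of 3 and the addresses are all assumptions.

```python
from collections import Counter

class ConnectionGuard:
    """Admission control for a server with a fixed connection limit (hypothetical)."""

    def __init__(self, max_conns, pressure=0.8, per_client_normal=3):
        self.max_conns = max_conns
        self.high_water = int(max_conns * pressure)  # assumed point where the limit is "near"
        self.per_client_normal = per_client_normal   # assumed normal connections per client
        self.open = Counter()                        # client address -> open connections

    def admit(self, client):
        """Record and allow a new connection, or return False to deny it."""
        total = sum(self.open.values())
        if total >= self.max_conns:
            return False  # hard limit reached: nobody can connect
        if total >= self.high_water and self.open[client] >= self.per_client_normal:
            return False  # under pressure: refuse clients holding too many already
        self.open[client] += 1
        return True

    def close(self, client):
        """Release one connection held by the client, if any."""
        if self.open[client] > 0:
            self.open[client] -= 1
        if self.open[client] == 0:
            del self.open[client]

def replay(events, guard):
    """Apply ("open" | "close", client) events; return denied opens per client."""
    denied = Counter()
    for action, client in events:
        if action == "open":
            if not guard.admit(client):
                denied[client] += 1
        else:
            guard.close(client)
    return denied

# Constructed sample: one source opens 20 idle connections, then two
# ordinary clients arrive. Addresses are documentation-range placeholders.
FLOOD = "198.51.100.7"
EVENTS = [("open", FLOOD)] * 20 + [("open", "192.0.2.10"), ("open", "192.0.2.11")]

def demo():
    guard = ConnectionGuard(max_conns=10)
    denied = replay(EVENTS, guard)
    return dict(denied), dict(guard.open)

if __name__ == "__main__":
    print(demo())
```

With the guard in place the flooding source is capped at the high-water mark and the two later clients still get a slot; without the per-client check the first ten opens would exhaust the limit.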
