Last Updated: 2010-01-06 04:16:58 UTC
by Johannes Ullrich (Version: 1)
I finally finished the report summarizing what we learned from yesterday's denial of service attack. Luckily it was small and easily defeated. The interesting part with attacks like this is to try to attribute them to a group or individual. In this case, my best guess is that this is an individual living in England. The individual appears to have some ties to Iran. Probably a student going to school in England.
The attack itself was rather simple, and required little skill. We got some great help from some of the administrators of the system attacking us. Most likely, the root cause was unprotected FTP accounts. These unprotected FTP accounts got used to upload a malicious ASP script, which was then used to attack our site. The script was very simple and had no "command and control" channel. Instead, it required a GET request hitting the specific URL to activate the attack.
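The attack chain above (compromised hosts running a script that floods a single URL) is the kind of thing a web server's own access log exposes early. The following is an added example, not code from the diary or from ISC: it parses Apache-style combined log lines and flags any client whose request count within a sliding time window exceeds a threshold, which is a simple first-cut detector for a small HTTP flood like the one described. The log format, the thresholds, and the sample lines (built from documentation IP ranges) are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "common" log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime) and req, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req")}


def find_flooders(lines, window_seconds=10, threshold=20):
    """Flag source IPs that issue >= threshold requests within any window_seconds span.

    Returns {ip: peak_requests_in_window} for flagged sources only.
    """
    records = [r for r in (parse_line(l) for l in lines) if r is not None]
    records.sort(key=lambda r: r["ts"])  # sliding window needs chronological order
    windows = defaultdict(deque)  # per-IP deque of timestamps inside the current window
    flagged = {}
    for rec in records:
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        cutoff = rec["ts"] - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def make_sample_log():
    """Constructed sample: one normal visitor, one modest client, one flooding source."""
    base = datetime(2010, 1, 4, 14, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, offset, path):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5123'

    lines = []
    # Normal visitor: five page views spread over a minute.
    lines += [fmt("198.51.100.7", 15 * i, "/diary.html") for i in range(5)]
    # Modest client: eight requests in three seconds, below the threshold.
    lines += [fmt("192.0.2.44", 20 + i // 3, "/index.html") for i in range(8)]
    # Flooding source: thirty hits on the same URL within six seconds.
    lines += [fmt("203.0.113.10", 5 + i // 5, "/index.html") for i in range(30)]
    lines.append("this line is not a valid log entry")  # parser must skip it
    return lines


if __name__ == "__main__":
    for ip, peak in find_flooders(make_sample_log()).items():
        print(f"flood suspect {ip}: {peak} requests within 10 s")
```

Thresholds like 20 requests per 10 seconds are deliberately low for a sample; on a real server they should be tuned against the site's normal traffic so that ordinary browsers fetching a page and its assets are not flagged.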
The full report got a bit long for a diary, so I wrote it up as a PDF for download. I know... yet another PDF ;-).
Link to the PDF: http://isc.sans.org/presentations/jan4ddos.pdf
To make you feel better, here are the checksums:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
-----END PGP SIGNATURE-----