[tech] hydra
Duncan Sargeant
dunc-mail-131574E at rcpt.to
Fri Aug 31 11:42:56 WST 2001
Bryden Quirk wrote on Thu August 30, at 20:08 +0800:
> > Bryden was running a DNS bomb.
> >
> > Bryden - stop it or we will tell on you.
>
>
> Cool, that killed hydra? :)
>
> I was attempting to catalogue the .com.au namespace
> (or more to the point find out how far I could get before the MSD's
> became just too mammoth to wait for
>
> I got up to www.afwa.com.au or thereabouts
> and have about 100k of valid domain names.
> (yes I know there are far easier ways of getting a list of domain names
> (dns cache squid logs reverse dns etc)
> but I was particularly interested in the effectiveness of that method
> (I am also aware that as the size of the tested names increases the
> "population density" of the namespace decreases)

You are so cool.

> What I'm now finding intensely interesting is why this caused hydra to fail
> given that hydra is not the dns server being queried the machines
>
> mussel% cat /etc/resolv.conf
> search ucc.gu.uwa.edu.au uwa.edu.au rcpt.to gu.uwa.edu.au ee.uwa.edu.au
> #nameserver 130.95.13.9
> nameserver 130.95.128.2
> nameserver 130.95.128.1
> nameserver 130.95.128.50
>
> are
>
> (i checked this before starting)

Ah, the nimby justification. I'm sure UCS are thrilled, quite.

> so what gives ?
>
> what is ip_conntrack and what is that buffer referring to?

When I am asked such questions where 10 minutes of research will
discover the answer, I usually subscribe to the teach a man to fish
philosophy and reply, "RTFM."
But I am unable to suppress the rage to shout, "IT TRACKS
CONNECTIONS, YOU IDIOT."

> the DNS queries were being made one after another with 5 processes running
> in parallel (I doubt that in excess of 2 requests per second would
> have ever been achieved)

You may have underestimated things a little. When I straced one, the
connections were flying up the screen.

> not what you would really describe as being a particularly effective
> denial of service attack over an ethernet connection; however in this
> instance it appears to have had that effect, for which I'm quite
> sorry.
>
> am I missing an obvious reason why hydra should have fallen down so
> helplessly?

I assume the problem with hydra is that ip_conntrack makes an attempt to
track UDP "connections", which don't ever have a formal disconnect. So
I think it must use a timeout, which doesn't work if it's being flooded.
Of course, why are we using ip_conntrack? Well it probably seemed like
a good idea at the time, but I don't think we actually need it.
,dunc
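
An added illustration of the failure mode discussed in this message, not part of the original thread and not kernel code: a toy fixed-size flow table that can only retire UDP entries by idle timeout. The capacity, timeouts, addresses and query rates are constructed values, not hydra's settings, and the model assumes every lookup leaves from a fresh source port.

```python
from collections import OrderedDict


class FlowTable:
    """Toy model of a fixed-size connection-tracking table."""

    def __init__(self, capacity, udp_timeout_ms):
        self.capacity = capacity
        self.udp_timeout_ms = udp_timeout_ms
        self.last_seen = OrderedDict()  # flow tuple -> last packet time (ms)
        self.peak = 0
        self.dropped = 0

    def packet(self, now_ms, flow):
        # UDP has no FIN/RST, so an entry only leaves once it has been idle
        # for the whole timeout. The oldest entries sit at the front.
        while self.last_seen:
            oldest = next(iter(self.last_seen))
            if now_ms - self.last_seen[oldest] < self.udp_timeout_ms:
                break
            del self.last_seen[oldest]
        if flow in self.last_seen:
            self.last_seen.move_to_end(flow)  # refresh an existing entry
        elif len(self.last_seen) >= self.capacity:
            self.dropped += 1                 # table full: new flow refused
            return False
        self.last_seen[flow] = now_ms
        self.peak = max(self.peak, len(self.last_seen))
        return True


def simulate(queries_per_sec, seconds, capacity=2048, udp_timeout_s=30):
    """Return (peak entries, refused new flows) for a steady query stream."""
    table = FlowTable(capacity, udp_timeout_s * 1000)
    interval_ms = 1000 // queries_per_sec
    for i in range(queries_per_sec * seconds):
        # Constructed traffic: each lookup uses a new source port, so the
        # tracker sees every query as a brand-new flow.
        flow = ("udp", "198.51.100.7", 1024 + i, "192.0.2.53", 53)
        table.packet(i * interval_ms, flow)
    return table.peak, table.dropped


if __name__ == "__main__":
    for rate, timeout in [(2, 30), (200, 30), (200, 5)]:
        peak, dropped = simulate(rate, 60, udp_timeout_s=timeout)
        print(f"{rate:>3} q/s, timeout {timeout:>2}s: peak={peak} dropped={dropped}")
```

Steady-state occupancy is roughly query rate times timeout, so the table overflows once that product exceeds its capacity; a shorter UDP timeout or a larger table moves the threshold, and not tracking the traffic at all removes it.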