On Sun, Nov 09, 2014 at 05:31:47AM -0800, coderman wrote:
> On 11/9/14, coderman <coderman@xxxxxxxxx> wrote:
> > ...
> > your ConstrainedSockets experiments are exactly what i would expect to
> > see if this technique were used, since reducing socket buffers would
> > allow you to have more concurrent connections open (and thus thwart a
> > DoS at lower limits).
>
> someone asked, "then why the names and ..?"
>
> if i was implementing this attack, i would want the attacked to assume
> it was a mis-configured bot. this looks like a mis-configured bot.

Yes, and that is what it looks like. The strings 'code', 'old' and 'fail'
in the URLs seen in nachash's logs were also present as top-level
directories on his site, and he apparently had a 404 redirect to his index
page - so a buggy crawler might well produce something like the observed
pattern.

Who would leave an obviously broken crawler producing nothing of interest
like that running for such a long time and O(1M) requests, though? An
attack designed to look like skiddie bullshit is starting to sound
plausible.

--
Andrea Shepard <andrea@xxxxxxxxxxxxxx>
PGP fingerprint (ECC): BDF5 F867 8A52 4E4A BECF DE79 A4FF BC34 F01D D536
PGP fingerprint (RSA): 3611 95A4 0740 ED1B 7EA5 DF7E 4191 13D9 D0CF BDA5
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk