RTC.ORG REPORT
DOMAINS AND ADDRESSES
NAMESERVER LOOKUP:
$ host www.rtc.org
www.rtc.org has address 72.52.9.73
ARIN WHOIS ON 72.52.9.73:
OrgName: Prolexic Technologies, Inc.
OrgID: PROLE
Address: Prolexic Technologies
Address: 1930 Harrison Street
City: Hollywood
StateProv: FL
PostalCode: 33020
Country: US
NetRange: 72.52.0.0 - 72.52.63.255 # whole range owned by Prolexic
# it is just proxy + filter.
# this filters requests and
# passing them on to REAL rtc.org.
# so if we try to ddos prolexic,
# we WON'T do any damage to rtc.org
CIDR: 72.52.0.0/18
NetName: PROLEXIC
NetHandle: NET-72-52-0-0-1
Parent: NET-72-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.PROLEXIC.NET
NameServer: NS2.PROLEXIC.NET
Comment: http://www.prolexic.com / NOC hours are 24/7
RegDate: 2005-07-11
Updated: 2007-06-27
RTechHandle: HOSTM528-ARIN
RTechName: Hostmaster
RTechPhone: +1-866-800-0366
RTechEmail: hostmaster@prolexic.com
OrgTechHandle: HOSTM528-ARIN
OrgTechName: Hostmaster
OrgTechPhone: +1-866-800-0366
OrgTechEmail: hostmaster@prolexic.com
REQUESTS AND REPLIES
MANUAL TELNET REQUEST:
$ telnet www.rtc.org 80
Trying 72.52.9.73...
Connected to www.rtc.org (72.52.9.73).
Escape character is '^]'.
GET / HTTP/1.1 # intentional bogus request
HTTP/1.0 403 Forbidden
Server: SI4.LON1/4.0 # wtf is this, guise?
# btw, this shows software version
# of real daemon behind proxy
Mime-Version: 1.0
Date: Tue, 22 Jan 2008 17:23:10 GMT
Content-Type: text/html
Content-Length: 1121
Expires: Tue, 22 Jan 2008 17:23:10 GMT
X-Squid-Error: ERR_ACCESS_DENIED 0 # squid, probably caching pages
# which means bwraep wouldn't reach
# real server
X-Cache: MISS from Prolexic.com
Connection: close
!--- ERROR PAGE
<A HREF="http://10.9.4.73/">http://10.9.4.73/</A>
# internal subnet, may be subnet for VPN
# i think 10.9.4.73 is some prolexic inner node
# which is selected by default if no Host header
# specified
!--- ERROR PAGE
LEGITIMATE REQUEST WITH WGET:
---request begin---
GET / HTTP/1.0
User-Agent: Wget/1.9+cvs-stable (Red Hat modified)
Host: www.rtc.org
Accept: */*
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response... HTTP/1.0 200 OK
Server: Resin/3.0.25 # even if this is vulnerable somehow,
# there is a big possibility that
# ddos filter will not let anything
# suspicious (i.e. exploit) through
Content-Type: text/html
Date: Tue, 22 Jan 2008 17:18:24 GMT
X-Cache: MISS from Prolexic.com
Connection: close
FLOOD PROTECTION MECHANISM
It seems that Prolexic implemented automatic ban of abusers. They are banning for
too frequent requests as well as bogus ones, so probing them would be difficult.
OUR GOAL
Goal is to somehow get server's real IP and proceed to DDoS it. However, real IP
might be firewalled to only accept filtered requests from Prolexic's Squid.