All pastes #868781 Raw Edit

Anonymous

public text v1 · immutable
#868781 ·published 2008-01-22 18:13 UTC
rendered paste body
			RTC.ORG REPORT

			DOMAINS AND ADDRESSES

   NAMESERVER LOOKUP:
$ host www.rtc.org
www.rtc.org has address 72.52.9.73

   ARIN WHOIS ON 72.52.9.73:
OrgName:    Prolexic Technologies, Inc. 
OrgID:      PROLE
Address:    Prolexic Technologies
Address:    1930 Harrison Street
City:       Hollywood
StateProv:  FL
PostalCode: 33020
Country:    US

NetRange:   72.52.0.0 - 72.52.63.255 	# whole range owned by Prolexic
					# it is just proxy + filter.
					# this filters requests and 
					# passing them on to REAL rtc.org.
					# so if we try to ddos prolexic,
					# we WON'T do any damage to rtc.org
CIDR:       72.52.0.0/18 
NetName:    PROLEXIC
NetHandle:  NET-72-52-0-0-1
Parent:     NET-72-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.PROLEXIC.NET
NameServer: NS2.PROLEXIC.NET
Comment:    http://www.prolexic.com / NOC hours are 24/7
RegDate:    2005-07-11
Updated:    2007-06-27

RTechHandle: HOSTM528-ARIN
RTechName:   Hostmaster 
RTechPhone:  +1-866-800-0366
RTechEmail:  hostmaster@prolexic.com 

OrgTechHandle: HOSTM528-ARIN
OrgTechName:   Hostmaster 
OrgTechPhone:  +1-866-800-0366
OrgTechEmail:  hostmaster@prolexic.com

			REQUESTS AND REPLIES

   MANUAL TELNET REQUEST:
$ telnet www.rtc.org 80
Trying 72.52.9.73...
Connected to www.rtc.org (72.52.9.73).
Escape character is '^]'.
GET / HTTP/1.1		# intentional bogus request

HTTP/1.0 403 Forbidden
Server: SI4.LON1/4.0		# wtf is this, guise?
				# btw, this shows software version 
				# of real daemon behind proxy
Mime-Version: 1.0
Date: Tue, 22 Jan 2008 17:23:10 GMT
Content-Type: text/html
Content-Length: 1121
Expires: Tue, 22 Jan 2008 17:23:10 GMT
X-Squid-Error: ERR_ACCESS_DENIED 0	# squid, probably caching pages
					# which means bwraep wouldn't reach 
					# real server
X-Cache: MISS from Prolexic.com
Connection: close

!--- ERROR PAGE
<A HREF="http://10.9.4.73/">http://10.9.4.73/</A>
	# internal subnet, may be subnet for VPN

	# i think 10.9.4.73 is some prolexic inner node 
	# which is selected by default if no Host header 
	# specified
!--- ERROR PAGE

   LEGITIMATE REQUEST WITH WGET:
---request begin---
GET / HTTP/1.0
User-Agent: Wget/1.9+cvs-stable (Red Hat modified)
Host: www.rtc.org
Accept: */*
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response... HTTP/1.0 200 OK
Server: Resin/3.0.25	# even if this is vulnerable somehow,
			# there is a big possibility that
			# ddos filter will not let anything
			# suspicious (i.e. exploit) through
Content-Type: text/html
Date: Tue, 22 Jan 2008 17:18:24 GMT
X-Cache: MISS from Prolexic.com
Connection: close

			FLOOD PROTECTION MECHANISM

It seems that Prolexic implemented automatic ban of abusers. They are banning for 
too frequent requests as well as bogus ones,  so probing them would be difficult.

			OUR GOAL

Goal is to somehow get server's real IP and proceed to DDoS it. However, real IP
might be firewalled to only accept filtered requests from Prolexic's Squid.