[tech] hydra
Bryden Quirk
mulderq at ucc.gu.uwa.edu.au
Thu Aug 30 20:08:41 WST 2001
> James Andrewartha wrote on Thu August 30, at 16:05 +0800:
> > On Thu, 30 Aug 2001, James Andrewartha wrote:
> >
> > > Hydra has been coming up with "ip_conntrack: maximum limit of 1024 entries
> > > exceeded" all day. I tried quadrupling the maximum, but they were all used
> > > up in about 5 seconds. I couldn't find any reason why it was doing this,
> > > so I've put it down to a kernel bug and compiled a new kernel
> > > (2.4.9-ac3). I am just about to install the new kernel and reboot hydra.
> >
> > Well, that didn't fix the problem. It might be caused by someone flooding,
> > but Grahame had a look and couldn't see anything unusual
> > happening. Anybody got any ideas?
>
> Bryden was running a DNS bomb.
>
> Bryden - stop it or we will tell on you.
Cool, that killed hydra? :)
I was attempting to catalogue the .com.au namespace
(or, more to the point, find out how far I could get before the MSD's
became just too mammoth to wait for).
I got up to www.afwa.com.au or thereabouts
and have about 100k of valid domain names.
(Yes, I know there are far easier ways of getting a list of domain names
(DNS cache, squid logs, reverse DNS, etc.),
but I was particularly interested in the effectiveness of that method.)
(I am also aware that as the size of the tested names increases, the
"population density" of the namespace decreases.)
What I'm now finding intensely interesting is why this caused hydra to fail,
given that hydra is not the DNS server being queried; the machines
mussel% cat /etc/resolv.conf
search ucc.gu.uwa.edu.au uwa.edu.au rcpt.to gu.uwa.edu.au ee.uwa.edu.au
#nameserver 130.95.13.9
nameserver 130.95.128.2
nameserver 130.95.128.1
nameserver 130.95.128.50
are
(I checked this before starting).
So what gives?
What is ip_conntrack, and what is that buffer referring to?
The DNS queries were being made one after another, with 5 processes running
in parallel (I doubt that in excess of 2 requests per second would
have ever been achieved).
Not what you would really describe as being a particularly
effective denial of service attack over an Ethernet connection; however, in
this instance it appears to have had that effect, for which I'm quite sorry.
Am I missing an obvious reason why hydra should have fallen down so
helplessly?