Full Version: Way, way OT: VW DOS'd my website
914World.com > The 914 Forums > 914World Garage
kafermeister
Ok ok, so in this day and age of spoofed IP addresses and such I shouldn't read too much into this, but I did think it was kinda funny.

I was going through my access logs on my webserver. It's just a little project box that I put some of my 914/VW content on. More VW content than anything else really. Like I say, it's just something to help me learn Linux and Apache.

I use PF to block requests from IP ranges that I see frequent activity from. FWIW, if you're in most of Asia, parts of France and a few places in northern Europe, you probably can't see my site listed in my signature.

Anyway, checking the logs today I see the following buffer overflow attempt.

"148.203.151.18 - - [14/May/2004:20:14:02 -0400] "SEARCH /\x90\x02±......"

I ran a whois on the IP and got this and thought I'd share...

whois 148.203.151.18
[Querying whois.arin.net]
[Redirected to whois.lacnic.net]
[Querying whois.lacnic.net]
[whois.lacnic.net]

% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2004-05-20 11:19:55 (BRT -03:00)

inetnum: 148.203/16
status: reassigned
owner: Volkswagen de Mexico, S.A. de C.V.
ownerid: MX-VMSC1-LACNIC
address: Autopista Mexico-Puebla Km. 875
address: Apartado Postal 875
address: Puebla, Puebla
country: MX
owner-c: TS1476-ARIN
inetrev: 148.203/16
nserver: IZTA.VW-GEDAS.COM.MX
nsstat: 20040519 AA
nslastaa: 20040519
nserver: PICO.VW-GEDAS.COM.MX
nsstat: 20040519 UH
nslastaa: 20031003
created: 19941020
changed: 19960603
inetnum-up: 148.203/16
source: ARIN-LACNIC-TRANSITION

nic-hdl: TS1476-ARIN
person: Thorsten Sommer
e-mail: tsommer@NOC.UDLAP.MX
address: Volkswagen-Gedas
address: Autopista Mexico-Puebla Km. 875
address: Apartado Postal 875
address: Puebla, Puebla
country: MX
phone: (5222) 234152
source: ARIN-LACNIC-TRANSITION


Looks like the man is trying to put me down.
aircooledboy
I am a behind the times computer geek, and was able to follow most of this, but how would that attempted access result in a DOS?

Just trying to get up to speed a little since I do some of our IT stuff here at the Salt mine.
SirAndy
QUOTE(aircooledboy @ May 20 2004, 09:48 AM)
but how would that attempted access result in a DOS?

You send a request, like a PING with an unusually large data package size.
The target computer will process that request and start choking on the large packages, effectively taking up most of its CPU time.
voila!


DOS = Denial Of Service (for those NON-Geeks out there)

Andy
TheCabinetmaker
QUOTE(SirAndy @ May 20 2004, 11:58 AM)


DOS = Denial Of Service (for those NON-Geeks out there)

Andy

wavey.gif
r_towle
DOS attacks typically come from mule computers, whereby an attacker will put a trojan on the mule computer and the mule will carry out the attack.

You might want to send an email to the admin of that site to let him know he is doing this.

Rich
GWN7
Interesting reading on the subject: The Attacks on the GRC.com

DOS attacks... Shortly afterwards they used the same tactics to take down their host (dal.net).
kafermeister
QUOTE(aircooledboy @ May 20 2004, 12:48 PM)
I am a behind the times computer geek, and was able to follow most of this, but how would that attempted access result in a DOS?

Just trying to get up to speed a little since I do some of our IT stuff here at the Salt mine.

Hi Chris. Looks like Andy explained it better than I could.

I will add that I cut short the offending line but neglected to mention it. The original line was ~50 thousand characters and would create problems on the target computers just like Andy described... on some systems. It's an old method but is still frequently attempted. It doesn't cause a problem on my specific server setup. It's more of a nuisance trying to get through the logs than anything else.

HTH

Rick
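The two things Rick describes above, picking the overflow attempts out of the Apache access log and feeding the source addresses into PF, can be automated. The script below is an added example, not code from the original post or from 914World. It parses common-format log lines, flags a request when the method is not one the site serves, when the request line is longer than Apache's default LimitRequestLine (8190 bytes), or when the escaped request bytes contain a run of \x90 (0x90 is the x86 NOP opcode, which is why a request starting with \x90\x90... reads as a buffer-overflow attempt), and then emits a pf.conf table of the offending addresses. The allowed-method set, the table name web_attackers, the $ext_if macro and the sample log lines are all assumptions constructed for the example; only the SEARCH method and the \x90 bytes come from the post.

```python
import re
from collections import OrderedDict

# Apache's default LimitRequestLine in bytes; longer request lines get a 414.
REQUEST_LINE_LIMIT = 8190
# Methods a small static site legitimately serves (assumption for this example).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
# Apache writes non-printable request bytes to the log as \xNN escapes,
# so the log text contains a literal backslash, 'x' and two hex digits.
ESCAPED_BYTE = re.compile(r"\\x[0-9a-fA-F]{2}")
NOP_SLED = re.compile(r"(?:\\x90){8,}")          # eight or more 0x90 in a row
# Common/combined log format: ip ident user [time] "request" status size ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*?)" (\d{3}) (\S+)')

# Constructed sample log lines (not the poster's real log). The second line
# imitates the SEARCH request from the post, with the \x90 bytes written the
# way Apache escapes them; the fourth is a plain oversized request line.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [14/May/2004:20:13:50 -0400] "GET /914/index.html HTTP/1.1" 200 5120',
    '148.203.151.18 - - [14/May/2004:20:14:02 -0400] "SEARCH /'
    + "\\x90" * 2500 + ' HTTP/1.1" 414 0',
    '10.0.0.7 - - [14/May/2004:20:14:10 -0400] "POST /cgi-bin/guestbook.pl HTTP/1.0" 200 310',
    '198.51.100.9 - - [14/May/2004:20:16:41 -0400] "GET /' + "A" * 9000 + ' HTTP/1.0" 414 0',
])


def classify_request(request_line):
    """Return the reasons a request line looks hostile, or [] if it looks clean."""
    reasons = []
    method = request_line.split(" ", 1)[0]
    if method not in ALLOWED_METHODS:
        reasons.append("unusual method %s" % method)
    if len(request_line) > REQUEST_LINE_LIMIT:
        reasons.append("request line %d bytes > %d" % (len(request_line), REQUEST_LINE_LIMIT))
    if NOP_SLED.search(request_line):
        reasons.append("x86 NOP sled (run of \\x90)")
    elif len(ESCAPED_BYTE.findall(request_line)) > 32:
        reasons.append("many non-printable bytes")
    return reasons


def analyze(log_text):
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # not a log line we understand; skip it
        ip, when, request, status, _size = m.groups()
        reasons = classify_request(request)
        if reasons:
            findings.append({"ip": ip, "time": when, "status": status,
                             "length": len(request), "reasons": reasons})
    return findings


def pf_table(findings, table="web_attackers", ext_if="$ext_if"):
    """Render a pf.conf fragment: a persistent table of offenders plus a block rule.

    The table name and the $ext_if macro are assumptions; adjust to your pf.conf.
    """
    ips = list(OrderedDict.fromkeys(f["ip"] for f in findings))  # dedupe, keep order
    return ("table <%s> persist { %s }\n"
            "block in quick on %s proto tcp from <%s> to any port 80\n"
            % (table, ", ".join(ips), ext_if, table))


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print("%-16s %s  %6d bytes  %s" % (h["ip"], h["time"], h["length"], "; ".join(h["reasons"])))
    print(pf_table(hits))
```

Two practical notes. Apache refuses a request line over LimitRequestLine with a 414 before any handler runs, which is why a 50 thousand character request is only log noise on a default install; the scan is for separating the attackers from the rest of the log, and the addresses it finds can also be added to a live table without reloading the ruleset with `pfctl -t web_attackers -T add 148.203.151.18`. And on the spoofing point raised at the top of the thread: a logged HTTP request means the TCP handshake completed, so the source address was reachable by the server, even if the machine behind it was a compromised "mule" as Rich describes rather than the attacker's own.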
kafermeister
QUOTE(r_towle @ May 20 2004, 01:43 PM)
DOS attacks typically come from mule computers...
Whereby an attacker will put a trojan on the mule computer and the mule will carry out the attack.

you might want to send an email to the admin of that site to let him know he is doing this.

Rich

Good point Rich. I've got so many Buffer Overflow DOS attempts in the logs, I never really considered writing the admins.