For many years I’ve had a need for a module like this — A distributed blocking system which could operate across large web serving clusters and register hits in a central store. With rate limiting, incrementing counters on a single host is fairly useless when you have hundreds of servers behind a load balancer.

An attacker could hit many machines within the limit period before being detected, because there would be no central count. By keeping the counts in a memcache pool, all servers share the same data.

It won’t defend against attacks coming from random proxy addresses (say, Tor), and might unfairly count hundreds of users who live behind a single proxy (like corporate NAT), but it offers some protection against attacks coming from a single source IP.

The software is released under the Apache 2.0 Open Source License.

From the docs:

mod_memcache_block is an Apache module that allows you to block access to your servers using a block list stored in memcache. It also offers distributed rate limiting based on HTTP response code.

FEATURES

Distributed White and Black listing of IPs, ranges, and CIDR blocks
Configurable timeouts, memcache server listings
Support for continuous hasing using libmemcached’s Ketama
Windowded Rate limiting based on Response code (to block brute-force dictionary attacks against .htpasswd, for example)

REQUIREMENTS

libmemcached-0.25 or better
Memcached server
Apache 2.x (tested with 2.2.11)

Source code is available here:
http://github.com/netik/mod_memcache_block

If you would like to work on mod_memcache_block, contact me with your GitHub username and I’ll give you commit access on github.

How do we find the user in question so we can thump them on the head to make them stop?

This is a basic exercise in information gathering. For the most part, we’ll have the user’s IP address, and we’re a mac shop with many users running iTunes. If the user is sharing their library, you can use iTunes as a covert means of determining a user’s name, as iTunes will use the local computer’s name as the library name.

Telnet to the machines DAAP port, and issue:

John-adamss-macbook-pro:~ jna$ telnet x.x.x.x 3689
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
GET /server-info HTTP/1.1
Host: x.x.x.x
Client-DAAP-Version: 3.7
User-Agent: iTunes/8.0.2 (Macintosh; N; Intel)
Accept-Language: en-us, en;q=0.50

HTTP/1.1 200 OK
Date: Tue, 13 Jan 2009 21:26:38 GMT
DAAP-Server: iTunes/8.0.2 (Mac OS X)
Content-Type: application/x-dmap-tagged
Content-Length: 280

msrvmstt?mproaproaeSVaeFPatedmsedmsmlmsmOk?[minmUSER NAME’s LibrarymslrmstmsalmsasmsupmspimsexmsbrmsqymsixmsrsmsdcmstcImmsto???

Other options for this include attempting to sign on to the server with Apple-K if AFP on TCP port 548 is active (which will reveal the computer’s name) and using nmap with service detection to glean information about the host.

For a conference that is so technically minded, they didn’t post the conference schedule in a useful format (HTML only! ew!), so I converted the web pages to iCal format with quite a bit of scripting and cutting/pasting.

Just download the following zip, import it into iCal, and you should have a (fairly) complete conference schedule to carry with you on your iPod, iPhone, or any device that can read iCal/vCalendar formats.

This schedule includes everything except the contest area and very-long descriptions of each event. I decided not to include the contest area because most events run all day, or most of the days. Since the rooms for each of the conference tracks haven’t been announced yet, there’s very little in the way of room locations in these files. Sorry, but you’ll have to figure it out when you get to the Riveria!

The events are broken out into the five tracks in five seperate files, and a seperate ics file for Defcon Social events and meetups. Unpack the zip, and import each file into iCal.

Click here for the zipfile of .ics files

Once you;ve downloaded the zips, double click to unzip them, then import to iCal. If the system asks you what calendar to put events into, just click ‘New’, and our ICS files will fill in the rest.

The CERT advisory is here.

A partial overview, from the PDF released by Secuonis…

On July 8th, technology vendors from across the industry will simultaneously release  patches for their products to close a major vulnerability in the underpinnings of the Internet. While most home users will be automatically updated, it’s important for all businesses to immediately update their networks. This is the largest synchronized security update in the history of the Internet, and is the result of hard work and dedication across dozens of organizations. 

Earlier this year, professional security research Dan Kaminsky discovered a major issue in how Internet addresses are managed (Domain Name System, or DNS). This issue was in the design of DNS and not limited to any single product. DNS is used by every computer on the Internet to know where to find other computers. Using this issue, an attacker could easily take over portions of the Internet and redirect users to arbitrary, and malicious, locations. For example, an attacker could target an Internet Service Provider (ISP), replacing the entire web — all search engines, social networks, banks, and other sites — with their own malicious content. Against corporate environments, an attacker could disrupt or monitor operations by rerouting network traffic traffic, capturing emails and other sensitive business data. 

Exact details on this are being withheld for the safety of the Internet; I prefer full disclosure, but that doesn’t seem to be the case here given that the hole is so large and vulnerability so widespread. 

This wordlist is a source when performing research on frequency tables and cryptanalysis for use in security, and for wonder

I’m unclear as to the origins of the dictionary (it possibly came from the spell or ispell utilities years ago), but I do know that it’s riddled with inaccuracies and basically, it would fail a spelling bee.

Today I found two projects to create a better English wordlist, and I can only imagine what will happen when domain squatters find it. The plan is to have a list with a hundred million words, spoken, and written.

There’s the American National Corpus, and the British National Corpus. Both contain enough words to keep password cracking software and domain squatters busy for years.

At last count, the ANC held 18 million words. I guess they have a long way to go.

While this is an older article ( from 2004 ), it still addresses many dangerous issues that developers continue to create in production code.

One of our developers here recently wrote a fairly large scripting system to deliver advertising to customers that was vulnerable to at least four XSS attacks, and I spent a fair amount of time sanitizing input and securing her code.

Do you accept input from users? Are you ensuring that you strip_tags (to block XSS/XSRF), escaping strings (to block SQL injection) and sanitizing all user input before storing or displaying it? If not, you might be vulnerable.