2011-10-05, 02:34 PM
Hi all my friends,
Today, I had a long day working on an anti-flood method for posts on a forum running MyBB. Believe me, the setting in AdminCP (Configuration > Posting > Post Flood Checking On) doesn't help the admin.
I had an idea and my friend helped me write PHP flood code. It was very easy for him. After a few hours of analysis (tcpdump: post,get | tested with a layer 3 firewall), iptables couldn't drop it because these are valid connections.
Below are the logs the system wrote:
192.168.1.2 - - [05/Oct/2011:14:00:59 +0700] "POST /newreply.php?ajax=1 HTTP/1.0" 403 214 "http://forum.victim.site" "Mozilla/5.0"
192.168.1.2 - - [05/Oct/2011:14:00:59 +0700] "POST /newreply.php?ajax=1 HTTP/1.0" 403 214 "http://forum.victim.site" "Mozilla/5.0"
192.168.1.2 - - [05/Oct/2011:14:00:59 +0700] "POST /newreply.php?ajax=1 HTTP/1.0" 403 214 "http://forum.victim.site" "Mozilla/5.0"
192.168.1.2 - - [05/Oct/2011:14:00:59 +0700] "POST /newreply.php?ajax=1 HTTP/1.0" 403 214 "http://forum.victim.site" "Mozilla/4.0"
192.168.1.2 - - [05/Oct/2011:14:00:59 +0700] "POST /newreply.php?ajax=1 HTTP/1.0" 403 214 "http://forum.victim.site" "Mozilla/5.0"
Yes, with status code 403, I prevented it successfully. In this:
_192.168.1.2: IP of the attacker
_Mozilla: User-Agent may change automatically
Trying to analyze the log (per second):
[root@mamba logs]# cat custom | grep POST | grep "14:00:58" | wc -l
237
[root@mamba logs]# cat custom | grep POST | grep "14:00:59" | wc -l
171
[root@mamba logs]# cat custom | grep POST | grep "14:01:01" | wc -l
285
[root@mamba logs]# cat custom | grep POST | grep "14:01:02" | wc -l
215
[root@mamba logs]# cat custom | grep POST | grep "14:01:03" | wc -l
105
Wow, in 1 second, the attacker can "fill" hundreds. Then the server is overloaded by queries to the MySQL database.
The attacker dumps any POST request to use for attacking; this is the submit value for flooding with the POST method:
_Firefox: add-on Live HTTP Headers
_MacOS: app HTTPSCOOP
"my_post_key=babc2463caead92989030b96e9b4bf53&subject=RE%3A%20can%20mua%201%20kit%20xtray%20hoac%20mugan&action=do_newreply&posthash=".$hash."&quoted_ids=&from_page=1&tid=7045&method=quickreply&message=Ch%C3%BAc%20b%C3%A1n%20%C4%91%C6%B0%E1%BB%A3c%20h%C3%A0ng&previewpost=Preview%20Post"
_posthash can be obtained easily (yes, although this value is random)
Here is the submit value for login:
http://forum.victim.site/member.php', 'action=do_login&url=http%3A%2F%2Fforum.victim.site%2Fmember.php%3Faction%3Dregister&quick_login=1&quick_username=AAA&quick_password=BBB&submit=Login&quick_remember=yes','http://forum.victim.com/check.php
_AAA: any username which the attacker can register
_BBB: password of the account
Thanks for viewing, and sorry because my English is bad
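
The per-second `grep | wc -l` counts in the post, generalized into one pass over the log that buckets POST requests by client IP and second and also counts distinct User-Agents per bucket (the post notes the User-Agent may change). This is an added example, not part of the original post; the function names, the default limit of 20 and the ordinary user 192.168.1.50 are assumptions, and the sample log is constructed in the format of the lines shown above.

```shell
# Added example (not from the original post): per-IP, per-second POST counts
# from an Apache combined-format access log.

# flood_report LOGFILE [LIMIT]
# Prints "ip second posts distinct_user_agents" for every (ip, second) bucket
# with more than LIMIT POST requests, busiest first. LIMIT defaults to 20,
# an assumed threshold; tune it to the forum's normal traffic.
flood_report() {
    awk -F'"' -v limit="${2:-20}" '
        {
            split($1, pre, " ")      # pre[1] = client IP, pre[4] = "[dd/Mon/yyyy:hh:mm:ss"
            split($2, req, " ")      # req[1] = HTTP method
            if (req[1] != "POST") next
            key = pre[1] " " substr(pre[4], 2)
            posts[key]++
            # Key on IP, not User-Agent: count how many agents one bucket used.
            if (!((key, $6) in seen)) { seen[key, $6] = 1; agents[key]++ }
        }
        END {
            for (k in posts)
                if (posts[k] > limit) print k, posts[k], agents[k]
        }
    ' "$1" | sort -k3,3nr -k2,2
}

# Constructed sample data in the format of the log lines in the post.
# 192.168.1.50 is a made-up ordinary user.
make_sample_log() {
    awk 'BEGIN {
        fmt = "%s - - [05/Oct/2011:14:00:%s +0700] \"%s HTTP/1.0\" %d 214 \"http://forum.victim.site\" \"%s\"\n"
        post = "POST /newreply.php?ajax=1"
        for (i = 0; i < 25; i++) printf fmt, "192.168.1.2", "58", post, 403, "Mozilla/5.0"
        for (i = 0; i < 29; i++) printf fmt, "192.168.1.2", "59", post, 403, "Mozilla/5.0"
        printf fmt, "192.168.1.2", "59", post, 403, "Mozilla/4.0"
        for (i = 0; i < 2; i++) printf fmt, "192.168.1.50", "59", post, 200, "Mozilla/5.0"
        printf fmt, "192.168.1.50", "59", "GET /index.php", 200, "Mozilla/5.0"
    }'
}

# Demo run on the constructed log.
log=$(mktemp)
make_sample_log > "$log"
flood_report "$log" 20
rm -f "$log"
```

The IPs it reports are candidates for per-source rate limiting at the web server or firewall, which works on request rate rather than on whether the connection is valid.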