I recently received an invitation to attend a seminar in “How to protect your business from DDoS attacks” the invitation was sent via an HTML attachment.

So, in my paranoia I opened the file in an editor before trying to load it in a browser.  While in the editor view I saw a link to a web server using an IP address directly.

Again I wanted to investigate further, so I loaded the root of the server (http://1.2.3.4/) on Firefox with “Header Spy” add-on in Firefox, just to see some info on the server.

To my surprise the server loads the default IIS page, and with the Header Spy information and look of the page I confirmed it was running IIS 8.5 on Windows (of course).

So I searched for vulnerabilities on IIS 8.5 and came up with MS15-034 bulletin so to make sure, I did manual check using curl with the following lien of code:

curl -v http(s)://hostname (or ip)/ -H “Host: anything” -H “Range: bytes=018446744073709551615” -k

So I used some vulnerability checks from Offensive Security DB and a PoC on Python to be 100% sure and it was confirmed.

So the funny part: A DDoS prevention announcement on a DoS vulnerable host with a 1 year old vulnerability.  Isn’t it funny? #LOL