2

During some recent bug bounty testing, I needed to record a pcap using Wireshark, then replay it repeatedly in order to stress test a locally hosted server (which is in-scope of the bounty program).

However, I unfortunately exported the pcap incorrectly, meaning that all sorts of other (internet-bound) traffic was in there. I then fuzzed this pcap using Mutiny.

So when replaying the fuzzed pcap, I accidentally sent out loads of fuzzed traffic to the internet, primarily to CDNs by the looks of it (essentially any website my computer had visited whilst recording the pcap).

This was an honest mistake, and I have now mitigated the problem by running Wireshark and the packet replay tool as a Linux group that has internet access blocked with iptables.

My concern is that I may have broken some form of computer misuse law by sending this traffic. There was obviously no intent as this was a mistake, and I didn't visibly see any results from sending the traffic, however of course there could have been an impact to the remote server - I guess I'll never know.

Has anybody experienced this before? Did the police come knocking or is it nothing to worry about?

rubberband876
  • 193
  • 5

1 Answers1

2

I have a computer with a cloud company where I receive between 300 and 1,000 hacker hits a day. I keep it as a test bed (I wouldn't want it for a production service, although they main access port 25--for free mail relay...)

I talked with the ISP to see whether we could do something about it and they said there was nothing they could do that would be any different than my existing protections.

I'm pretty such that your little mistake was pretty much transparent. Your ISP may have flagged your computer, but I would not see how they could know that your traffic was illegitimate since these were legitimate, albeit repeated, hits anyway.

On my systems, I have ways to detect that someone is trying an attack and block such IPs for a while. I guess that would be the worst you would get. Nothing to worry about, really.

Alexis Wilke
  • 1,007
  • 8
  • 25
  • Thanks for your answer. As you say my traffic is probably a drop in the ocean of other hacker attempts. My concern is that the traffic was fuzzed, with bits flipped, injection attempts, overflow attempts, etc. What do you think? Could this flag up more than repeated legitimate traffic? – rubberband876 Aug 05 '18 at 01:06
  • I think it often happens that people send invalid packets. It can just be a bad connection too. So unless it was being sent for hours, I don't think it's going to cause any trouble. It has happened to me before in various ways (although not fuzzed data) and I'm fine. The main problem, I think, is whether it really looks like you're a black hat. It could also be that the network stack stopped your packets before they reached their destination. – Alexis Wilke Aug 05 '18 at 01:14