So I'm Sam Bowne from City College, San Francisco, and RSnake has agreed to join me, which is wonderful, because I had a talk that was only supposed to be 20 minutes, and they gave me an hour, and coincidentally, three weeks ago, he wrote a wonderful new tool called Slowloris. At least that's when I became aware of it, and I said, we've got to just add you to this talk, and he agreed. So there's two things you're going to get today, and the stuff on the CD is completely out of date. Anyway, the two things I want to show you, and I'm planning to be really quick about this, because I want you to do it. Now, how many people here brought laptops? That's pretty good. Okay, how many of you already have a Linux laptop? Okay, now look, that's good. Now, what you really need for this is you need two machines, or you need a machine and a virtual machine, which is how I wrote the instructions. Anyway, a little bit more about that later. But that's why I call it hands-on training, because I modeled this after my classes, and my students do it this way at City College. So that's me. If you want to reach me, that's how to get me. And here's the two attacks we're going to talk about today. sslstrip, written by Moxie Marlinspike, not the new one he just talked about today, or yesterday, which is great, but I'm not ready for that one, the one he talked about last year, which sits in the middle and turns secure connections into insecure connections. And we're going to do that, and hopefully all of you will also do it, and you can walk out of here with the toy to play with. And then Slowloris, which is unbelievable, that just shuts down an entire web server with no more bandwidth than just a ping.
And it's not the ping of death, it's a steady chain of incomplete HTTP GET requests, which fills up a queue, and with very low bandwidth you bring down just the one server you're targeting, instead of a SYN flood that's like a flamethrower just blasting everything down between you and the victim. So sslstrip first, I just went on the web, got a list of the most popular Web 2.0 sites, and most of them are either completely stupid and use plain text authentication and you'll see them on the wall of sheep, or they're intelligent and they use HTTPS, which is moderately secure, I must say after listening to the talks yesterday, I have less faith in its security than I used to have, but in any case it does go through the motions of encrypting stuff and doing some pretence at checking with a certificate authority, although by no means as well as I used to think it did. But anyway, then there are people like WordPress and Twitter that do something halfway stupid. They're smart enough not to be completely stupid and just use HTTP, but they use mixed mode authentication, and that is a really bad idea. And this has been known for a long time, but telling people it's a bad idea is not as powerful as showing them it's a bad idea, and having you show them right in front of them with your laptop, why it's a bad idea, is even better, so my only contribution to this is theater. I'm just here to make it fun to hijack these sessions. So Facebook, for example, Facebook is an HTTP page, but the button when you click login is HTTPS. My bank used to be this way, and I fought with them for years, and all I could get was lies, and when I got enough complaints, then I would get elevated to next level lies, and I couldn't get past people that would just lie to me. This is totally insecure for a lot of good reasons. But anyway, the particular reason that makes it insecure that we're going to use today is that I can't see that that button is secure.
So if an attacker puts themselves in the middle and they proxy the traffic, if I try to go to Facebook, I get the outside HTTP page, and the attacker creates a secure connection to the Facebook server and hands it to me in HTTP. So the page looks the same, the button looks the same, there's no clue the browser will not pop up a warning saying this page is insecure or anything, and I'll log in. I'll never know what happened. Now there is one way to know what would happen, although it's ridiculous to think an end user would do this, which is to look at the source code of the web page and notice that the method that used to be HTTPS is now HTTP, but that's pretty lame. And by the way, in the real world, there are a variety of ways to get in the middle. Now, the simplest way and the way that I believe they use here to make the wall of sheep is they just get in the middle. Some place there's a main access point for all of us getting to the internet at the con, and they just intercept the traffic there or copy it. That's the simplest way to get in the middle, but it requires physical access to the network. The one we're going to use here is totally lame because I'm not actually making exactly an attack tool, although it's very close to it, I'm just making a demonstration so you can see it. So we're just going to set the proxy in the browser to go somewhere instead of directly to the internet, to go to a proxy server, and that'll be the attacker. But of course, if you really want to do this to other people in a wireless network, then you do it with ARP poisoning, and I imagine this is fairly familiar ground with people. If I want to find the gateway out of my network, I have an IP address, and I have to resolve that to a MAC address, so I use ARP. And ARP is a really stupid, simple-minded protocol, and you can just trick it with a lot of fake ARP replies, and it will believe that the gateway is not the real router out of the room, it's the attacker over here. 
It'll pass my traffic over to them, and it's not hard to detect if you're looking for it, but most machines, client machines will just fall for it and they'll reroute the traffic. So these ARP requests and ARP replies will be tricked into sending your data to the attacker, and if the attacker then forwards it onto the gateway, you will see everything just fine, but the attacker can read everything you do and indeed change it. And the result is you'll see your network slow down a little, but we're also used to that, especially on wireless networks that usually when it freaks out. So let me just show you this thing working, and it got really easy to do because I spent the last couple of days writing scripts to make this more fun. So let me see if this works. Now that is supposed to look like that, by the way. That is not a mistake, but you're going to do, and actually at this point it's probably time to start these instructions going around the room because I know a lot of people tap away on their laptops while they're watching talks because I do it too. And I'm trying to adapt to this instead of resisting it. And so I want you to start doing it. So I brought along printed instructions and I have a couple of students that are going to hand them out. So if you want to copy the printed instructions so you can do it on your laptop, just raise your hand and these guys will try to get them to you. And you can follow along. I'm not going to do it step by step here, but I'm going to give you instructions where you can all totally do this. And it shouldn't be hard, and that's what I want to use the breakout room for. After this talk, there's people that come there that want to do it and have some kind of problem and my students and I will help you really get it working because I want you to walk out of here with a laptop with these attacks running on it. I think that's more cool than watching a talk. A talk without a demo is one thing. 
A talk with a demo is better and a talk where I can go play with it is what I really want you to have. Anyway, so let me go here. And so what I've done is I've downloaded Moxie Marlinspike's sslstrip tool here. I just unzipped it and his tool just includes a series of little script files and I've added a few things like these pictures of sheep. So when you do the instructions, first you go to Moxie's site and you download this serious professional tool and then you go to my site and download this silly thing called sheep which you unzip and add to it. And the end result of that is if you get to the right directory and then that directory. Okay, then all you have to do is sudo bash defcon. What's that? What password do you use? Well, it's your... Yeah, that's right. Well, I'm using a really simple password, old Microsoft one, pssw0rd because I got no security. There, the wall of strip sheep is running. Okay, and it should be... Yeah, that's good. Firefox has crashed on me. That's to be expected. In fact, you're warning me about that. So this thing actually exits cleanly now. And that took me hours to make it work. And now I can restart it. It should launch. Ah, life is good. The wall of strip sheep. Okay, now we'll just shove that over to the side. And let's set up our victim here. Now, I said you should put yourself in the middle with some cool sneaky technique like ARP poisoning. But since I'm lame, I'm just going to do it right here. The Linux machine is 172.16.8.64. Okay, okay. And now let's move this thing over to the side. Let's try Twitter. And my name is going to be Twitter. My password is going to be CompleteFool. And then I log in. And Twitter noticed I was wrong. And I was wrong more than they thought because it just caught it right there. And that was supposed to be a secure connection. And like I say, these four websites are all vulnerable. Facebook. Facebook has this jazz so I can be FaceMan. And over here I can be Secret and log in.
And that's going to go to Facebook. The Facebook server will decide it's no good, but I stole it here. And so I just took that team list of top 15 websites and I found four of them that were apparently the top 15 destinations or not ones I use, and they all work. This attack completely finds the password. If you go to another site that might not work and you want to see it, this is a script I wrote that looks for the format of how they lay the password out. If they don't lay it out that way, you can always hit this button to see the raw data, which is the raw output of the sslstrip tool. And that is here. And that is probably more instructive but not as much fun. Whoops, whoops, whoops. I'm hitting the wrong buttons on my window. There we are. That's what it really looks like. It caught a secure post, which of course should never have been read, but it is read because the proxy in the middle is able to change the connection to the client to HTTP. So it gets it into clear. It's a really simple attack, but it works really well. So I hope you guys have fun with that. And I want to show you the other one and then he can talk about it, which is Slowloris. And I believe we got it working right before the talk here. So Slowloris is even more exciting. And I think I'm just going to demonstrate it and not even bother with any more of those PowerPoint slides. I've set up a web server on my Windows host machine and I went to the hosts file and named it example.com for no terribly good reason, but that's what I did. Example.com and I put a file in there called sam.htn. It's just a copy of my web page just so you'd see something kind of pretty. And if I have trouble with this demonstration, we have a backup plan, but it was working before. Let me just put the IP address in here. I think that works better. IP address of my Windows machine, 262. I am proxying, but that shouldn't have any effect from this direction because that's Firefox on the Windows machine.
These are good points, good questions though. However, let me just go back here. This is Apache running on Windows and I got it right here and I can control the Apache server and I can just restart it. Let's just do that. This is Vista, by the way. Usually on Windows 7, but this machine had the beta of Windows 7, the RC, so it's starting to freak out on me. Let's see if that did it. One more thing, let's go here. All right. Well then, we'll go to plan B. Let me hand it off to him and I've got another machine here. I'll get this working on this one. He tells you about Slowloris on this one.

Hi, everybody. Hi, DEF CON. I'm kind of in pain here, so I'm moving a little slower than usual, but what's that? Yeah, anyone got a beer? Yeah, come here. Wait, what is this? No. So, while he gets this set up, my name is RSnake. I run ha.ckers.org and sla.ckers.org. I also run a small consultancy in Austin called SecTheory. So, I created this tool, I don't know, about a month ago maybe, and it got quite a bit of publicity for good and for bad, mostly bad. But I am not the first person to come up with this tool. Apparently it's been out there for, or the concept at least has been out there since like 2005, 2004 maybe even, which makes me look like I'm stealing other people's work, but I assure you I had no idea. It's mostly because I don't read every single page on the internet. I just don't have the time. But, so it was actually, I think it was Ivan Ristić who might have written in his book, and a couple other people mentioned it a long time ago. But anyway, one day I was in the shower, great mental image I'm sure, and I decided this, Apache kind of does some weird stuff, and maybe it's vulnerable. So, a weekend later I actually had some code that actually seemed to work pretty well. So we shipped it off to Apache, and Apache had some very weird response. They said, this is expected behavior, go read this page. It's like, well, thanks. Go read the manual.
Which is a fantastic way to kind of shove somebody off into the corner. Not a particularly good way to solve a problem. So if it's expected behavior, that's fine and everything. Cool. That's fine and everything, but it would be awfully nice if they'd fix it since I use Apache, and a lot of people I know use Apache. I'm going to switch mics here. So, let me start with a little bit of the background and what was actually going on at the time, sort of the ecology of the internet. So, Iran was having this election thing, and I consider myself fairly aware of what's going on in the world. You know, I listened to NPR, but I didn't know a whole lot about what was really going on. Well, it turns out there was this whole election thing going on, and people were pretty upset about it. Apparently there was some ballot stuffing of some sort, and something very close to Civil War, although I don't think it was ever called that, was breaking out. So I knew about this. This is something I was aware of, just because I listened to NPR in the mornings on the way to work. I didn't know about anything else beyond that, though. I probably should have done my homework. So there's a whole bunch of reasons why people think this is voter fraud. The press reason I heard is up at the top there. Impossible tallies. There's actually more votes in certain regions than there are people. So that's a pretty good indicator. So, regardless of whether you believe all this is true or not, this is just the ecology of what was happening at the moment. Around that same time, a lot of people were using Twitter inside Iran to kind of message out what was going on, saying, oh, there's atrocities. People are getting shot or killed or incarcerated or whatever, and there's this guy named Austin Heap, or I'm not sure if that's really his name, but that's what he was going by, who is kind of leading the charge, helping people communicate out, creating proxies.
And this is one screenshot where he's helping people create a VM where you can go and proxy through it. Incidentally, the username is root and the password is pound Iran, and the username is Iran, and the password is election. So if you install this, you might want to change that. Otherwise, people can own your network. So this is what was happening at the time before I released this. There was a bunch of people who were taking offense to all this and wanted to tell the Iranian government what they thought. So they were using this thing called page reboot. So you just type in the URL in JavaScript space, it makes a whole bunch of recurring requests, once every 30 seconds in this case, or once a second or whatever. So if you get a couple of thousand machines all at the same time doing this, it turns into a denial of service tool that's distributed, which is pretty nice. So there was like hundreds and hundreds and hundreds of these posts all saying, go to page reboot, go hit this thing, and take it down. So meanwhile, I was, you know, totally unaware of all this stuff going on, and I was developing this really cute little tool that I thought was pretty neat, it could take down websites. It was interesting because it was low bandwidth. It kept sockets alive, which has some interesting implications I'll talk about in a bit. It only affected certain web servers, so it's not the entire ecosystems of all web servers everywhere, but Apache is pretty big. So that was nice. It didn't work through load balancers, so I felt a little bit better about talking about it, so it's not going to take down like eBay, PayPal, it's not going to take down Amazon. You know, it's kind of limited in what its usefulness is. It managed to work around what I thought was probably the best filter at the time, the HTTP accept filters, because accept filters only work with GET and HEAD. So I used POST, pretty simple. So this is what the attack looks like.
So you make a POST request to some URL, carriage return new line. You don't have to put in the real host name. In fact, I didn't have to put in any host name, but this is nice if there's like segmentation of logging. You have logs go to one log file instead of the attacked one. So if there's virtual hosts, it doesn't look like you're attacking the target you're really going after. User agent, content length, which is just garbage information. And then some random header. So the very last thing should have been a carriage return new line, carriage return new line. Well, I don't put that second carriage return new line in there. I just sort of sit there for, you know, I don't know, a minute, five minutes or whatever, and then submit another header, and then another header. So it just, it's so slow that Apache just sort of sits there and says, okay, well, I'm ready for the information. You know, whenever you're ready, any day now, I'm all ready. And IIS has the kind of opposite model, which is if you're coming to me and you're requesting data, that's great. If you're not, then you're going to have to step aside so there's somebody behind you in line. So that basically makes Apache vulnerable. And incidentally, the reason why they are vulnerable is because they're trying to protect themselves from a different type of denial of service attack, which is creating a massive amount of load on the box. So the nice thing about this particular attack is that the load on the box is actually very, very low while this attack is performing. In fact, it's so low that if it's kind of a high traffic website, your load will actually go down in the process, which is kind of nice. So it's nice if you're the one who wants to use the website, right? So this is the secondary side benefit of this. If I have 256 sockets open or whatever the number is to the host, and that's configurable, if I have all those sockets open, why not use them?
So if I want to be the only person on the website, why not just reuse one of the existing sockets and here's what it would look like. And then once I'm ready to actually start instantiating and actually performing requests, I'll just kind of use my own Slowloris tool as a proxy and connect back. I never built that, but it would have been fairly trivial to do. There's a whole bunch of other side benefits to this particular variant of this attack, but ultimately it's pretty low bandwidth. It's about 4,000 packets to take down a web server for about five minutes. So pretty low bandwidth. So you saw Apache's response. Go read the documents on it if you want to. I did, and my team did, and we all went through it, and it really didn't cover this at all. It was pretty bad. Ultimately they are basically saying, we've known about this for years, accepted risk, we're willing to deal with it. So I sort of felt like it was time to go release it. I've done my due diligence, I've talked to Apache, they don't seem to care, it's been out there anyway, so let's go talk about it. Now mind you, I have maybe 20,000 people who visit my website, maybe 1,000 people on Twitter, so if I release it, a third of those people will actually read the post, a third of those people will maybe go download, a third of those people will actually care, a third of those people will actually do something with it. So it's kind of like, to me, it was sort of really not an issue to release this. So what was going on at the time, though, is Anonymous released this gigantic thing where their manifesto about how they're going to go attack Iran and how they should be punished and so on. There's like a Twitter, I'm sorry, a YouTube video about it. And so the Iranian government was pretty much totally, all of their network was actually being totally saturated. You can kind of see one of their network connections there before and after.
So it was pretty bad, it was taking down all of Iran, instead of just the websites that they were actually interested in taking down, the leadership websites. So they needed to be able to, the people inside the country needed to be able to contact outside of the country and because the entire Iranian infrastructure was going down, they weren't able to do that and so they're sort of pleading, please don't do this denial of service attack, you're hurting the people inside the country who actually need to be able to protest. Incidentally, the number of new Tor nodes inside the IP space for Iran also shot up about 10,000% in a week. So in this ecosystem, me being unaware of all that junk, I released Slowloris. Woohoo, isn't this neat? So I have one little thing, go check out my website, there it is, on Twitter and my own blog post and that's pretty much all it is. Things are pretty quiet for a little while, I would say a good half an hour, hour, people were retweeting in here and there. Funny comments, sometimes some issues are face palm, egg on the face, we have accept filtering but not for POST. People are kind of getting it, which I thought was kind of amusing. So at the same time, things are kind of flaring up inside Iran, right? And this is from Anonymous, Slowloris, meet 4chan, 4chan, Slowloris, 4chan, oh hi, Slowloris, meet Scientology. Scientology, Scientology. So, yeah, good luck. So it also hit Slashdot and this is kind of where it really exploded. I don't know who submitted it, so interestingly enough, I don't think the Slashdot guys actually post very much anymore, but they did post on this one, they're like, please don't try it on us, but we think we're not vulnerable. So I think people, it's kind of a little fear factor, even though we weren't really advertising it as a horrible, horrible thing, it's just, hey, why don't we fix this issue?
So then Anonymous on their own whyweprotest.net website started mentioning it, conventional DDoS attacks against Iranian targets, as this wastes bandwidth needed for all Iranians, rather use something like Slowloris, which can take down HTTP servers without using much bandwidth at all. This code just hit the wild and should be quite effective, was Slashdotted earlier today. Brand new technique, tool to bring down on a GDOD site without running bandwidth with Iranian rebels, blah, blah, blah. Great, okay. So then there starts, kind of gets another explosion on Twitter. Slowloris is an interesting DDoS attack package, might be useful for Iranian elections without slowing traffic. Hey, RSnake just started using Slowloris to attack leader.ir. Great. And stuff I can't read. And 42 pages later, I think we have about 30,000 downloads from our webpage. Six, 7,000 downloads from milw0rm. It's, I mean, I have no idea how many places have been attacked since then. So, yeah. So there's a lot of pages that, a lot of different web servers that are affected, some WAFs, some kind of interesting stuff, but really, I mean, Apache is the big boy, right? I mean, I think somebody said, you know, it's great that WebSense, you can take down the block pages. I mean, I'm sure that people will find uses for a number of different stuff. And incidentally, this technique can be easily echoed into FTP and sendmail and a bunch of other protocols that also have sort of similar issues. Internet Storm Center did three different posts on this and incidentally, they said the threat level was green. So everything's cool on the Internet, even though an entire country is going offline. It's like, okay, I have a feeling if that were happening in the United States, that would not be green, but that's just a wild guess. So other attacks, you know, people like, who the fuck is blah, blah, blah? Who are you? I'm going to kill you, blah, blah, blah. And it turns out that it's Slowloris.
I'm sorry about that. A friend of mine, like, oh, the CEO mentioned, Slowloris or something was responsible for one of his attacks. You know, this guy said that IIS seemed to be vulnerable, which it's not in any of our tests that we did, so apparently other people getting hit by it. I have a whole bunch of other examples. I just need to kind of run through this. So Apache, someone issued a bug, I don't even know who it was, and said that this is a problem, we should go fix it, but it was like immediately marked as resolved and invalid, so not a problem. We're writing this one off. And then, on their own private mailing lists, they're saying we all know our architecture is wrong and they have a wiki page for it now that says it has drawn attention to a significant weakness in Apache HTTPD. All right, so I don't see how those three things all line up with one another, but so there's website jerdab.ir which has a bunch of Iranian rebels on it with a bunch of circles over their faces saying if you have any information about them please contact us. So that's obviously a problem for people living there, so someone created an EXE version called Cyberware for Iran. It's a Q Slowloris, I don't know, I think someone just ported it over to EXE. If you feel like downloading an EXE and running it, and it's a denial of service tool, go right ahead. Good luck. So there's a Python version now. A PHP version. That questionable EXE version. I heard there's another one called SlugSend that's been out there for a while. And actually there's another Ruby version that just got released. Someone just mentioned it. And there might be more. I'm sure there's personal implementations as well. So Microsoft got in on the action. This is a must read if you use Apache to protect yourself against Slowloris. From Michael Howard, their CISO. I think IIS sales guys probably made quite a hit off of this, right? So mitigating it. So there's a bunch of different ways to mitigate this.
One, you could use a different web server, which is pretty scary because now you need to recode everything. You could use a proxy as a worker pool model, but that means you need to put something in line and trust that it also doesn't have its own issues. Or use a firewall, which could create other types of denial of service sending, you know, spoofed SYN flood or whatever. Now it's not taking down in a different way. You can use this mod_antiloris, mod_noloris, or user MPM. I've heard all of these things work. One of my favorite ones is that this guy is one of the developers and he said, oh, linear time search for each new connection on SHM signage will be modified in place by another process without locking. Awesome. What could possibly go wrong? Ship it. That's a race condition, everyone. That's bad. And then lastly, Apache can fix the problem because that seems like the most easy for me, right? If I don't have to do anything, I mean, IIS isn't vulnerable, why not Apache? Seems good for me. So there's a whole bunch of improvements to Tor. I'll start just a little bit more. You could add Tor into it, and normally putting it through a Tor node really wouldn't give you much lift, but in this case it does since it doesn't need a lot of bandwidth. Normally you don't want to do anything to slow down your DoS attack, but in this case it's not a very fast attack anyway. Proxy support, like I was mentioning earlier, so I can proxy through Slowloris, so I'm the only guy at a very, very large table. That's a great chicken, you know? The ubiquitous obvious next step is to turn it into distributed version, which I will never do. You can make it configurable, have it a user agent that's configurable and so on, which is, I mean, it's already open source so you can just modify it in place anyway, but it might make it easier for somebody.
There's a web page I found that actually predates Slowloris with a whole bunch of different variants of attacks, so I could add a whole bunch of different attacks in there, but I'm probably never going to do any of these things simply because I think the point's been made. I think the real thing is that Apache just needs to fix this, but ultimately I just hope Hezbollah doesn't kill me. Thanks everybody.

Well, that's great. You know, I had no idea about any of that. Fabian Rodriguez came and took one of our classes and he told me this new Slowloris thing was great, so I decided to try it out. By the way, my demo didn't work earlier, right? That's because I forgot I left Slowloris on and it was killing my web server. Restarting it did no good. Duh. Anyway, so it's off right now. Okay, so I got a website here. I can refresh it. Blam. That website is on this. Windows Host. It's the Apache server. The Linux is attacking it. And if I attack it with Slowloris here, it's off. And, but what I thought is even cooler is if I stop attacking it with Slowloris, it's back. Now, this is not that this is beautiful and that's why I love this. I mean, I'm not really interested in taking out any websites or promoting any crime or anything. I'm trying to teach people how to do networking. I'm interested in all this hacking stuff because it's exciting. It makes students come to class and do their homework and stuff. I mean, people here live this stuff so much you can't make them stop. You're going to throw them in jail and they still won't stop hacking. And I said that's what I want. I want my students to have that much desire to do their homework. So, um, so I try to teach them boring stuff like the OSI model, right? But now this is the point. Layer 1 attack, right? You cut a cable. That's the most common problem. Right? Then you got Layer 4. Layer 4 is the old fashioned SYN flood, right? You're just going to flood the packet with the network with SYN packets.
Every SYN that comes in forces a server to pump out a SYN-ACK and then wait for an ACK that's coming and depending on which type of server software you're using it has different ways of remembering that there's one coming but anyway it has to do some extra work to wait for that. And so that's more effective than just sending in the same number of pings. But it takes a lot of packets to bring down a server because you're at Layer 4. Then I read about a company called Hacktics doing a penetration test I think in Israel and they found that if you targeted your attacks at Layer 7 you could bring down a website with almost no bandwidth. Because instead of just flooding a network with useless traffic you hunt on their website and find what will really hurt them. Like you find their search engine and you make a sort search that has 10,000 results. Then you send that every second. And you have to send a little bit and they have to do a lot of work and they found they could bring down almost anything on their target with three laptops with DSL connections. You don't need a botnet but you have to customize the exploit to this website and that's a lot of work and this is the awesome tool. You don't have to customize it, it works without any knowledge of the website and it works at Layer 7 so it wastes something they don't have much of at the server and you don't have to pump out any time. So with a 56k modem you can take down a real website. Anyway, so I thought that's cool, that gets their attention.
Anyway, so if you want to do it, some people got printed handouts, it's all on my website. This is how you, if you want to do exactly, I've got instructions just step by step showing you exactly what to download, what command to put in to do it my way, which is on Ubuntu Linux, a virtual machine on Windows, but if you have some other kind of Linux or indeed a Linux target as well as a Linux attacker that would be fine. And since, as I hoped, we are finishing up early, we will have time to help people do it, and they're going to move me to a breakout room, which is 103, in a few minutes here, and if anybody wants to set this thing up or you want to help or you want to talk about anything you can come meet me there. So we have plenty of time for questions. You've got a microphone too, right? So I think we have like at least 10 minutes left for questions, even like 20 minutes, so yeah, go ahead.

Oh yeah, I did, but it even dropped before that because everyone was trying. I'm sorry, he said did I see the traffic drop after they stopped using the other tool and started using Slowloris? Well, Slowloris doesn't send really that much traffic at all, so there would have been really very very little of any sort of spike, but it definitely dropped significantly after they stopped doing the other GET request flood stuff.

There you go. I'm sure they did. I'm positive they did. So why didn't they make it? Are you on IIS? I don't talk about my own security anymore. The Iranian government did not contact me but I'm sure they will make contact any minute here. You see a laser pointer at me, just tell me to duck.

Well, I'm not seeing any more questions. I guess we can end early. That's alright.