nanog mailing list archives

Re: where to go to understand DDoS attack vector


From: Stephen Satchell <list () satchell net>
Date: Tue, 26 Aug 2014 06:26:33 -0700

qotd            17/udp          quote

You're not blocking small services outbound at the edge?

On 08/26/2014 05:18 AM, Miles Fidelman wrote:
Roland Dobbins wrote:
On Aug 26, 2014, at 6:48 PM, Miles Fidelman
<mfidelman () meetinghouse net> wrote:

Immediate issue is dealt with (at least for us, target seems to be
off the air) - but want to understand this, report it, all of that.
IPMI boards are reported as being used in reflection/amplification
attacks of various kinds; the ntp one is straightforward, as you note.

This may be some sort of chargen-like packet reflector that's either
built into the firmware, or that an attacker has managed to insert,
somehow.  The 'mailto:' bit is interesting; it might work sort of like
SNMP reflection/amplification attacks work, where the attacker is
using some sort of management functionality to walk the device config
or somesuch, packetize it, and blast it out as packet-padding.

Can you say a bit more about what I might look for in trying to track
this down?


Does the target of the attack have flow telemetry records or complete
packets?  Because the one you posted looked incomplete (29 bytes?) . . .



Unfortunately, all I have is what they sent to our abuse address -
understandably, they've been a bit busy and not as responsive to further
inquiries as one might hope.

But, having said that, this looks like all they have.  They seem to be
getting these from lots of different places around the net, they just
sent a filtered excerpt - here's a larger sample:

18:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29)
    x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
        0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
        0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
18:33:58.484625 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29)
    x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
        0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
        0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
18:33:58.486137 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29)
    x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
        0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
        0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............

On closer reading, what they captured does seem to be "proto UDP (17),
length 29)" and "UDP, length 1"

Thanks!

Miles
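
The thread turns on whether the captured packet is really incomplete, or whether "length 29" and "UDP, length 1" are simply what was on the wire. Below is an added example (not code from the thread or from any of its participants) that decodes the quoted tcpdump -X hex dump into IPv4 and UDP fields and verifies both checksums. Run against the bytes quoted above it shows a complete 29-byte datagram whose IP and UDP checksums both verify, with a one-byte UDP payload; the 17 zero bytes that follow the datagram in the dump lie beyond the IP total length, which is consistent with Ethernet minimum-frame padding (an assumption, since the capture does not show the link-layer header). The sample input is one of the three identical dumps from the thread; the function and field names are this example's own.

```python
"""Decode a tcpdump -X hex dump into IPv4/UDP fields and check its checksums."""
import ipaddress
import struct

# Sample input: one of the three identical 46-byte dumps quoted in the thread,
# copied as tcpdump printed it (offset, hex groups, ASCII column).
SAMPLE_DUMP = """\
0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def hexdump_to_bytes(dump: str) -> bytes:
    """Parse 'tcpdump -X' lines: '<offset>:  <up to 8 groups of 4 hex digits>  <ascii>'.
    The ASCII column is ignored; only the hex groups after the offset are consumed."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        _offset, _, rest = line.partition(":")
        for group in rest.split()[:8]:           # a -X line never has more than 8 groups
            if len(group) not in (2, 4) or not set(group) <= HEX_DIGITS:
                break                             # reached the ASCII column
            out += bytes.fromhex(group)
    return bytes(out)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Computed over a header (or pseudo-header
    plus segment) that already carries a correct checksum field, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                            # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_udp(frame: bytes) -> dict:
    """Decode the IPv4 header and, for protocol 17, the UDP header and payload."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum) = struct.unpack("!BBHHHBBH", frame[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    datagram = frame[:total_len]                  # bytes past total_len are not IP
    info = {
        "tos": tos,
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "src": str(ipaddress.IPv4Address(frame[12:16])),
        "dst": str(ipaddress.IPv4Address(frame[16:20])),
        "ip_checksum_ok": inet_checksum(frame[:ihl]) == 0,
        # For a 46-byte capture of a 29-byte datagram this is 17 bytes; the
        # assumption is Ethernet minimum-frame padding, not application data.
        "trailing_bytes": len(frame) - total_len,
    }
    if proto == 17:
        sport, dport, ulen, ucsum = struct.unpack("!HHHH", datagram[ihl:ihl + 8])
        segment = datagram[ihl:ihl + ulen]
        # UDP pseudo-header: src, dst, zero, protocol, UDP length (RFC 768)
        pseudo = frame[12:20] + struct.pack("!BBH", 0, 17, ulen)
        info.update({
            "src_port": sport,
            "dst_port": dport,
            "udp_length": ulen,
            "payload": segment[8:],
            # A zero UDP checksum means "not computed" over IPv4.
            "udp_checksum_ok": ucsum == 0 or inet_checksum(pseudo + segment) == 0,
        })
    return info


def summarize(dump: str) -> dict:
    """Convenience wrapper: hex dump text in, decoded field dict out."""
    return parse_ipv4_udp(hexdump_to_bytes(dump))


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DUMP).items():
        print(f"{key:>16}: {value!r}")
```

Because both checksums verify, the dump is a faithful copy of what crossed the wire rather than a truncated one: the reflector really did send a single byte of UDP payload per packet, which is the figure to use when working out the packet rate and amplification ratio from a complete capture or flow records.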
