where to go to understand DDoS attack vector
mfidelman at meetinghouse.net
Tue Aug 26 11:48:32 UTC 2014
Possibly a little off-topic for nanog, but I couldn't think of anywhere
else to ask this (suggestions please!):
We just discovered a vulnerability the hard way - someone used one of
our IPMI boards as a vector for a DDoS attack (well, I guess the real
hard way would be to have been on the receiving end, but...).
Anyway... aside from some obvious issues, I've been learning a lot about
the vulnerabilities of Supermicro IPMI boards (and busily locking them
down). The one that's tricky, though, is that this was a
Conveniently, the attackee's data center operator managed to capture
incoming packets with tcpdump, and they all looked like this:
8:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto
UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c
E..... at .8 <mailto:E..... at .8>.....;.
0x0010: 405e eebf 0818 6987 0009 10f8 4300
0x0020: 0000 0000 0000 0000 0000 0000 0000
(obviously, with the IP addresses removed).
It could be that someone planted a bot in the IPMI board (just starting
to do some forensics - currently hampered by being on travel, and having
blocked all the ports from the outside world - need to get to the
datacenter and make some hardwired connections) - but it looks a lot
more like a reflection/amplification attack - particularly since the
target seems to have been a game host, and port 27015 is used by the
game halflife. But....
Now I understand reflected DNS and NTP attacks - but the outbound port,
2072 (registered for GlobeCom msync) is neither, nor is it anything that
we're running - which kind of begs the question of how this might be
working. Any thoughts? Any pointers? Any starting points?
Immediate issue is dealt with (at least for us, target seems to be off
the air) - but want to understand this, report it, all of that.
Thanks very much,
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra
More information about the NANOG