where to go to understand DDoS attack vector

• Previous message (by thread): Broken IPv6 firmware on U-Verse 3801HGV
• Next message (by thread): where to go to understand DDoS attack vector
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Folks,

Possibly a little off-topic for nanog, but I couldn't think of anywhere 
else to ask this (suggestions please!):

We just discovered a vulnerability the hard way - someone used one of 
our IPMI boards as a vector for a DDoS attack (well, I guess the real 
hard way would be to have been on the receiving end, but...).

Anyway... aside from some obvious issues, I've been learning a lot about 
the vulnerabilities of Supermicro IPMI boards (and busily locking them 
down).  The one that's tricky, though, is that this was a 
reflection/amplification attack.

Conveniently, the attackee's data center operator managed to capture 
incoming packets with tcpdump, and they all looked like this:

8:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto 
UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
                 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c 
E..... at .8 <mailto:E..... at .8>.....;.
                 0x0010: 405e eebf 0818 6987 0009 10f8 4300 
0000 @^....i.....C...
                 0x0020: 0000 0000 0000 0000 0000 0000 0000       
..............
(obviously, with the IP addresses removed).

It could be that someone planted a bot in the IPMI board (just starting 
to do some forensics - currently hampered by being on travel, and having 
blocked all the ports from the outside world - need to get to the 
datacenter and make some hardwired connections) - but it looks a lot 
more like a reflection/amplification attack - particularly since the 
target seems to have been a game host, and port 27015 is used by the 
game halflife.  But....

Now I understand reflected DNS and NTP attacks - but the outbound port, 
2072 (registered for GlobeCom msync) is neither, nor is it anything that 
we're running - which kind of begs the question of how this might be 
working.  Any thoughts?  Any pointers? Any starting points?

Immediate issue is dealt with (at least for us, target seems to be off 
the air) - but want to understand this, report it, all of that.

Thanks very much,

Miles Fidelman

-- 
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra

• Previous message (by thread): Broken IPv6 firmware on U-Verse 3801HGV
• Next message (by thread): where to go to understand DDoS attack vector
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]