where to go to understand DDoS attack vector

Roland Dobbins rdobbins at arbor.net
Tue Aug 26 11:57:27 UTC 2014

On Aug 26, 2014, at 6:48 PM, Miles Fidelman <mfidelman at meetinghouse.net> wrote:

> Immediate issue is dealt with (at least for us, target seems to be off the air) - but want to understand this, report it, all of that.

IPMI boards are reported as being used in reflection/amplification attacks of various kinds; the ntp one is straightforward, as you note.

This may be some sort of chargen-like packet reflector that's either built into the firmware, or that an attacker has managed to insert, somehow.  The 'mailto:' bit is interesting; it might work sort of like SNMP reflection/amplification attacks work, where the attacker is using some sort of management functionality to walk the device config or somesuch, packetize it, and blast it out as packet-padding.

Does the target of the attack have flow telemetry records or complete packets?  Because the one you posted looked incomplete (29 bytes?) . . .

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

                   Equo ne credite, Teucri.

    		   	  -- Laoco├Ân

More information about the NANOG mailing list