where to go to understand DDoS attack vector

Miles Fidelman mfidelman at meetinghouse.net
Tue Aug 26 12:18:39 UTC 2014


Roland Dobbins wrote:
> On Aug 26, 2014, at 6:48 PM, Miles Fidelman <mfidelman at meetinghouse.net> wrote:
>
>> Immediate issue is dealt with (at least for us, target seems to be off the air) - but want to understand this, report it, all of that.
> IPMI boards are reported as being used in reflection/amplification attacks of various kinds; the ntp one is straightforward, as you note.
>
> This may be some sort of chargen-like packet reflector that's either built into the firmware, or that an attacker has managed to insert, somehow.  The 'mailto:' bit is interesting; it might work sort of like SNMP reflection/amplification attacks work, where the attacker is using some sort of management functionality to walk the device config or somesuch, packetize it, and blast it out as packet-padding.

Can you say a bit more about what I might look for in trying to track 
this down?

>
> Does the target of the attack have flow telemetry records or complete packets?  Because the one you posted looked incomplete (29 bytes?) . . .
>
>

Unfortunately, all I have is what they sent to our abuse address - 
understandably, they've been a bit busy and not as responsive to further 
inquiries as one might hope.

But, having said that, this looks like all they have.  They seem to be 
getting these from lots of different places around the net, they just 
sent a filtered excerpt - here's a larger sample:

18:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
        0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
        0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
18:33:58.484625 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
        0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
        0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
18:33:58.486137 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
        0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
        0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............

On closer reading, what they captured does seem to be "proto UDP (17), 
length 29)" and "UDP, length 1"

Thanks!

Miles

-- 
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra
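Decoding the dump above, as an added example that is not part of the original thread: a small Python script that rebuilds the bytes from the tcpdump -X lines, parses the IPv4 and UDP headers, and verifies both the IP header checksum and the UDP checksum (pseudo-header included). It answers the question of whether a "29-byte" capture is truncated or complete. The sample dump embedded in it is constructed from the one packet in the post (the three are identical), with the list archive's "<mailto:...>" residue stripped; all function and variable names are the example's own.

```python
"""Decode a tcpdump -X style hex dump of an IPv4/UDP packet and sanity-check it.

Added example (not from the NANOG thread): rebuilds the bytes from the hex
lines, parses the IPv4 and UDP headers, and verifies both checksums so the
reader can confirm what the capture actually contains.
"""
import re
import struct

# Constructed sample: one packet from the post, archive "<mailto:...>"
# debris removed and the ASCII column restored.
SAMPLE_DUMP = """\
0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
"""

_OFFSET = re.compile(r"^0x[0-9a-fA-F]+:\s*")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset: hhhh hhhh ...  ascii' lines.

    The hex column is separated from the ASCII column by two or more spaces;
    splitting there keeps ASCII that happens to look like hex (e.g. 'dead')
    out of the byte stream.
    """
    out = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        rest = _OFFSET.sub("", line, count=1)
        hex_col = re.split(r"\s{2,}", rest, maxsplit=1)[0]
        for tok in hex_col.split():
            if not re.fullmatch(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}", tok):
                raise ValueError(f"bad hex token {tok!r} in line {line!r}")
            out += bytes.fromhex(tok)
    return bytes(out)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: ones' complement of the 16-bit ones' complement sum.

    Run over a region that already contains its checksum, the result is 0.
    """
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length region for the final 16-bit word
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_udp(frame: bytes) -> dict:
    """Parse IPv4 + UDP headers; bytes past ip.total_len are link-layer pad."""
    if len(frame) < 20:
        raise ValueError("truncated: fewer than 20 bytes for an IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(frame) < total_len:
        raise ValueError("not a complete IPv4 packet (version/IHL/length mismatch)")
    info = {
        "ttl": ttl,
        "proto": proto,
        "df": bool(flags_frag & 0x4000),          # Don't-Fragment flag
        "ip_total_len": total_len,
        "ip_checksum_ok": ones_complement_sum(frame[:ihl]) == 0,
        "pad_bytes": len(frame) - total_len,       # captured but not part of IP
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }
    if proto != 17:
        return info
    udp = frame[ihl:total_len]
    sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", udp[:8])
    # UDP checksum covers a pseudo-header (src, dst, zero, proto, UDP length)
    # followed by the UDP header and payload; a zero checksum means "not set".
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, udp_len)
    udp_ok = udp_csum == 0 or ones_complement_sum(pseudo + udp[:udp_len]) == 0
    info.update({
        "sport": sport,
        "dport": dport,
        "udp_len": udp_len,                        # header (8) + payload
        "payload": udp[8:udp_len],
        "udp_checksum_ok": udp_ok,
    })
    return info


def analyse(dump: str = SAMPLE_DUMP) -> dict:
    return parse_ipv4_udp(hexdump_to_bytes(dump))


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key:16} {value!r}")
```

Run against the posted packet, this reports IP total length 29, UDP length 9 (one byte of payload, the character "C"), source port 2072, destination port 27015, TTL 56, DF set, and both checksums verifying. The 17 trailing zero bytes are captured frame bytes beyond the IP total length, which is consistent with minimum-size Ethernet frame padding rather than payload; so the capture is not truncated, and tcpdump's "UDP, length 1" is the accurate reading.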



