where to go to understand DDoS attack vector

Stephen Satchell list at satchell.net
Tue Aug 26 13:26:33 UTC 2014


qotd            17/udp          quote

You're not blocking small services outbound at the edge?

On 08/26/2014 05:18 AM, Miles Fidelman wrote:
> Roland Dobbins wrote:
>> On Aug 26, 2014, at 6:48 PM, Miles Fidelman
>> <mfidelman at meetinghouse.net> wrote:
>>
>>> Immediate issue is dealt with (at least for us, target seems to be
>>> off the air) - but want to understand this, report it, all of that.
>> IPMI boards are reported as being used in reflection/amplification
>> attacks of various kinds; the ntp one is straightforward, as you note.
>>
>> This may be some sort of chargen-like packet reflector that's either
>> built into the firmware, or that an attacker has managed to insert,
>> somehow.  The 'mailto:' bit is interesting; it might work sort of like
>> SNMP reflection/amplification attacks work, where the attacker is
>> using some sort of management functionality to walk the device config
>> or somesuch, packetize it, and blast it out as packet-padding.
> 
> Can you say a bit more about what I might look for in trying to track
> this down?
> 
>>
>> Does the target of the attack have flow telemetry records or complete
>> packets?  Because the one you posted looked incomplete (29 bytes?) . . .
>>
>>
> 
> Unfortunately, all I have is what they sent to our abuse address -
> understandably, they've been a bit busy and not as responsive to further
> inquiries as one might hope.
> 
> But, having said that, this looks like all they have.  They seem to be
> getting these from lots of different places around the net, they just
> sent a filtered excerpt - here's a larger sample:
> 
> 18:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto
> UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>                 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
>                 0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
>                 0x0020: 0000 0000 0000 0000 0000 0000 0000       ..............
> 18:33:58.484625 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto
> UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>                 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
>                 0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
>                 0x0020: 0000 0000 0000 0000 0000 0000 0000       ..............
> 18:33:58.486137 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto
> UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>                 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
>                 0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
>                 0x0020: 0000 0000 0000 0000 0000 0000 0000       ..............
> 
> On closer reading, what they captured does seem to be "proto UDP (17),
> length 29)" and "UDP, length 1"
> 
> Thanks!
> 
> Miles
> 
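Roland asks whether a 29-byte packet means the capture is incomplete. The following Python is an added example, not part of the thread, that decodes the hex dump Miles posted: it checks the IP header checksum (so we know the dump was not mangled in transit), then compares the IP total-length field with the UDP length field. The two agree (29 and 9), so the capture is complete: a single payload byte, with the trailing zero bytes padding the packet out to 46 bytes, the minimum Ethernet payload, rather than being part of the datagram.

```python
import struct

# Constructed from the hex dump Miles posted (one of the three identical
# packets); the ASCII column and the tcpdump summary line are left out.
HEXDUMP = """\
0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c
0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000
0x0020: 0000 0000 0000 0000 0000 0000 0000
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -x style lines ('0x0000: 4500 001d ...') back into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        _, _, hexpart = line.partition(":")
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)

def ip_checksum_ok(header: bytes) -> bool:
    """RFC 791 header checksum: the one's-complement sum of the header words must fold to 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def analyze(frame: bytes) -> dict:
    """Decode an IPv4/UDP packet captured without its Ethernet header and
    report the fields needed to judge whether the capture is complete."""
    ver_ihl, _tos, total_len, _id, _flags, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP packet")
    if not ip_checksum_ok(frame[:ihl]):
        raise ValueError("IP header checksum mismatch: dump is probably mangled")
    sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    return {
        "sport": sport,
        "dport": dport,
        "ip_total_len": total_len,
        "udp_len": udp_len,
        # Only udp_len - 8 bytes after the UDP header are datagram payload.
        "payload": frame[ihl + 8:ihl + udp_len],
        # Anything past the IP total length is link-layer padding, not data.
        "padding": frame[total_len:],
        # Complete when the whole IP packet was captured and the two length fields agree.
        "complete": len(frame) >= total_len and udp_len == total_len - ihl,
    }
```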




More information about the NANOG mailing list