where to go to understand DDoS attack vector

Brian Rak brak at gameservers.com
Tue Aug 26 17:31:23 UTC 2014


On 8/26/2014 12:52 PM, me wrote:
>
> On 08/26/2014 07:58 AM, Roland Dobbins wrote:
>> On Aug 26, 2014, at 8:37 PM, John York <johny at griffintechnology.com> 
>> wrote:
>>
>>> In this case, 17 is both the protocol and port number. Confusing 
>>> coincidence :)
>> Not in this output which the OP sent to the list:
>>
>>> 8:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], 
>>> proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>>>                 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c 
>>> E..... at .8 <mailto:E..... at .8>.....;.
>>>                 0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000 
>>> @^....i.....C...
>>>                 0x0020: 0000 0000 0000 0000 0000 0000 0000       
>>> ..............
>>
>>> 18:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], 
>>> proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>>>                 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c 
>>> E..... at .8 <mailto:E..... at .8>.....;.
>>>                 0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000 
>>> @^....i.....C...
>>>                 0x0020: 0000 0000 0000 0000 0000 0000 0000       
>>> ..............
>>> 18:33:58.484625 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], 
>>> proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>>>                 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c 
>>> E..... at .8 <mailto:E..... at .8>.....;.
>>>                 0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000 
>>> @^....i.....C...
>>>                 0x0020: 0000 0000 0000 0000 0000 0000 0000       
>>> ..............
>>> 18:33:58.486137 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], 
>>> proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>>>                 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c 
>>> E..... at .8 <mailto:E..... at .8>.....;.
>>>                 0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000 
>>> @^....i.....C...
>>>                 0x0020: 0000 0000 0000 0000 0000 0000 0000       
>>> ..............
>> Source port 2072, destination port 27015.
>
> Been awhile since I got to dig into hex tcpdump but spent the time 
> anyway. A UDP data segment that is 9 bytes long and only contains a 
> "C" (0x43) ? And looks like to a Steam/Half-life (27015) gaming port. 
> Not sure what the "C" is used for with those systems but guessing it's 
> some sort of request?
>
It's pretty tough to say without knowing exactly what game is running 
there.  While 27015 was originally used for Half Life, it's been used by 
a wide range of games at this point.  Pretty much all the Valve games 
use this port, as well as a number of third party games that are based 
on the Steamworks SDK.

Trying to figure out exactly what the game server thinks the packet is 
is not likely to help you figure out why it's being sent.  You should 
instead be figuring out why your IPMI controller is compromised.  It 
could also be reflection, 2072 is within the port range that is usually 
used for KVM or remote media by the IPMI controllers (though, they're 
usually TCP and not UDP).




More information about the NANOG mailing list