where to go to understand DDoS attack vector

Miles Fidelman mfidelman at meetinghouse.net
Tue Aug 26 17:40:35 UTC 2014


me wrote:
>
> On 08/26/2014 07:58 AM, Roland Dobbins wrote:
>> On Aug 26, 2014, at 8:37 PM, John York <johny at griffintechnology.com> 
>> wrote:
>>
>>> In this case, 17 is both the protocol and port number. Confusing 
>>> coincidence :)
>> Not in this output which the OP sent to the list:
>>
>>> 8:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], 
>>> proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>>>                 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c 
>>> E..... at .8 <mailto:E..... at .8>.....;.
>>>                 0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000 
>>> @^....i.....C...
>>>                 0x0020: 0000 0000 0000 0000 0000 0000 0000       
>>> ..............
>>
>>> 18:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], 
>>> proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>>>                 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c 
>>> E..... at .8 <mailto:E..... at .8>.....;.
>>>                 0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000 
>>> @^....i.....C...
>>>                 0x0020: 0000 0000 0000 0000 0000 0000 0000       
>>> ..............
>>> 18:33:58.484625 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], 
>>> proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>>>                 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c 
>>> E..... at .8 <mailto:E..... at .8>.....;.
>>>                 0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000 
>>> @^....i.....C...
>>>                 0x0020: 0000 0000 0000 0000 0000 0000 0000       
>>> ..............
>>> 18:33:58.486137 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], 
>>> proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>>>                 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c 
>>> E..... at .8 <mailto:E..... at .8>.....;.
>>>                 0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000 
>>> @^....i.....C...
>>>                 0x0020: 0000 0000 0000 0000 0000 0000 0000       
>>> ..............
>> Source port 2072, destination port 27015.
>
> Been awhile since I got to dig into hex tcpdump but spent the time 
> anyway. A UDP data segment that is 9 bytes long and only contains a 
> "C" (0x43) ? And looks like to a Steam/Half-life (27015) gaming port. 
> Not sure what the "C" is used for with those systems but guessing it's 
> some sort of request?
>
That's about as far as I've gotten.  What has me scratching my head is 
what is setting the source port.  This has all the earmarks of a 
reflection attack, except... I'm not running anything that presents as 
port 2072 (msync) - so either the attack is making very clever use of 
some other open server, or the board's BMC is infected by a bot. 
Unfortunately, with the port now blocked, and what was intermittent in 
any case - it's a little hard to monitor incoming traffic to see what 
might be trigger traffic.  Sigh...

Thanks,

Miles


More information about the NANOG mailing list