where to go to understand DDoS attack vector
Miles Fidelman
mfidelman at meetinghouse.net
Tue Aug 26 17:40:35 UTC 2014
me wrote:
>
> On 08/26/2014 07:58 AM, Roland Dobbins wrote:
>> On Aug 26, 2014, at 8:37 PM, John York <johny at griffintechnology.com>
>> wrote:
>>
>>> In this case, 17 is both the protocol and port number. Confusing
>>> coincidence :)
>> Not in this output which the OP sent to the list:
>>
>>> 8:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF],
>>> proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>>> 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c
>>> E.....@.8.....;.
>>> 0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000
>>> @^....i.....C...
>>> 0x0020: 0000 0000 0000 0000 0000 0000 0000
>>> ..............
>>
>>> 18:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF],
>>> proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>>> 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c
>>> E.....@.8.....;.
>>> 0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000
>>> @^....i.....C...
>>> 0x0020: 0000 0000 0000 0000 0000 0000 0000
>>> ..............
>>> 18:33:58.484625 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF],
>>> proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>>> 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c
>>> E.....@.8.....;.
>>> 0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000
>>> @^....i.....C...
>>> 0x0020: 0000 0000 0000 0000 0000 0000 0000
>>> ..............
>>> 18:33:58.486137 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF],
>>> proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>>> 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c
>>> E.....@.8.....;.
>>> 0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000
>>> @^....i.....C...
>>> 0x0020: 0000 0000 0000 0000 0000 0000 0000
>>> ..............
>> Source port 2072, destination port 27015.
>
> Been a while since I got to dig into hex tcpdump but spent the time
> anyway. A UDP data segment that is 9 bytes long and only contains a
> "C" (0x43) ? And looks like to a Steam/Half-life (27015) gaming port.
> Not sure what the "C" is used for with those systems but guessing it's
> some sort of request?
>
That's about as far as I've gotten. What has me scratching my head is
what is setting the source port. This has all the earmarks of a
reflection attack, except... I'm not running anything that presents as
port 2072 (msync) - so either the attack is making very clever use of
some other open server, or the board's BMC is infected by a bot.
Unfortunately, with the port now blocked, and what was intermittent in
any case - it's a little hard to monitor incoming traffic to see what
might be trigger traffic. Sigh...
Thanks,
Miles
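Decoding the quoted dump by hand is error-prone, so here is a small decoder for the tcpdump hex output above. This is an added example, not code from the thread or from any of its posters. The hex string is copied from the three `0x00..` lines in the quoted output; the field names and the `parse_dump` / `ip_header_checksum_ok` helpers are this example's own. It separates the two numbers people were reading differently in the thread: the UDP length field (9, header plus data) and the data length tcpdump prints as `UDP, length 1`, and it reports the zero bytes after the `C` as bytes beyond the IP total length (Ethernet minimum-frame padding), not as UDP payload. The poster masked the IP addresses as x.x.x.x; the decoder simply renders whatever bytes are in the dump.

```python
"""Decode the IPv4/UDP packet from the tcpdump hex dump quoted in the thread.

Added example, not part of the original post.  DUMP_HEX is the hex from the
quoted tcpdump output; everything else (function names, field names) is
this example's own.
"""
import struct

# The three '0x00..' lines of the quoted dump, concatenated.  The trailing
# zeros are what tcpdump printed; they lie past the IP total length (29).
DUMP_HEX = (
    "4500 001d 0000 4000 3811 088c cf9a 3b8c"
    "405e eebf 0818 6987 0009 10f8 4300 0000"
    "0000 0000 0000 0000 0000 0000 0000"
)


def parse_dump(hex_text: str) -> dict:
    """Parse an IPv4 header and, when protocol == 17, the UDP header and data."""
    raw = bytes.fromhex(hex_text.replace(" ", ""))
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, hcsum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (20 here)
    info = {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,      # 0x001d = 29: IP header + UDP header + data
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,              # 17 = UDP, the IP protocol number
        "header_checksum": hcsum,
        "src_ip": ".".join(str(b) for b in src),   # shown as x.x.x.x on the list
        "dst_ip": ".".join(str(b) for b in dst),
        # Bytes captured beyond the IP total length: link-layer padding, not payload.
        "padding": len(raw) - total_len,
    }
    if proto == 17:
        sport, dport, ulen, ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
        payload = raw[ihl + 8:ihl + ulen]
        info.update({
            "src_port": sport,          # 0x0818 = 2072
            "dst_port": dport,          # 0x6987 = 27015
            "udp_length": ulen,         # UDP length field: 8 header + data = 9
            "udp_checksum": ucsum,
            "payload": payload,         # b"C"
            "payload_length": ulen - 8,  # what tcpdump prints as 'UDP, length N'
        })
    return info


def ip_header_checksum_ok(hex_text: str) -> bool:
    """Verify the IPv4 header checksum: the one's-complement sum of all
    header words (checksum field included) must be 0xFFFF if the dump is intact."""
    raw = bytes.fromhex(hex_text.replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4
    total = 0
    for i in range(0, ihl, 2):
        total += (raw[i] << 8) | raw[i + 1]
    while total >> 16:                  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def summarize(info: dict) -> str:
    """One tcpdump-style line from the parsed fields."""
    return (f"IP ttl {info['ttl']} proto {info['protocol']} len {info['total_length']} "
            f"{info['src_ip']}.{info['src_port']} > {info['dst_ip']}.{info['dst_port']}: "
            f"UDP, length {info['payload_length']}, data {info['payload']!r}, "
            f"{info['padding']} bytes of frame padding")


if __name__ == "__main__":
    pkt = parse_dump(DUMP_HEX)
    print(summarize(pkt))
    print("IP header checksum valid:", ip_header_checksum_ok(DUMP_HEX))
```

Running it confirms what Roland pointed out: protocol 17 is UDP and the ports are 2072 and 27015; the UDP length field is 9, the data is the single byte `C`, and the 17 zero bytes after it sit outside the IP total length. The checksum check passing is a useful sanity test that the dump was transcribed intact before anyone reasons about its contents.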