where to go to understand DDoS attack vector

John jw at nuclearfallout.net
Tue Aug 26 19:37:12 UTC 2014


On 8/26/2014 10:40 AM, Miles Fidelman wrote:
> That's about as far as I've gotten.  What has me scratching my head is 
> what is setting the source port.  This has all the earmarks of a 
> reflection attack, except... I'm not running anything that presents as 
> port 2072 (msync) - so either the attack is making very clever use of 
> some other open server, or the board's BMC is infected by a bot. 
> Unfortunately, with the port now blocked, and what was intermittent in 
> any case - it's a little hard to monitor incoming traffic to see what 
> might be trigger traffic.  Sigh...

From the traffic dump and description, this was highly likely to be a 
direct attack and not an amplification/reflection hit. I don't know of 
reflectors that run on port 2072; but, bots are routinely used to send 
UDP length 29 (payload length 1) packets.

Older Supermicro IPMI devices have multiple published exploits including 
the much-publicized port-49152 vulnerability that provides the admin 
password in the clear (described at 
http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/ 
and other places). Many device owners also never change the default u/p, 
in which case an exploit doesn't even need to be used. The attacker will 
typically use a tool to scan the IPv4 space for vulnerable hosts; the 
tool logs in and installs a bot that connects to a C&C server and is 
later used for attacks. The same procedure is followed with other 
easily-compromised devices, including Hikvision DVRs/NVRs and various 
routers including the Chinese Telecom F420. Resulting botnets can be 
tens or even hundreds of thousands of hosts in size.

IPMI devices have been used quite regularly for attacks for a couple of 
months now -- as soon as that vulnerability was made public, the 
toolmakers started using it. The best defense against current and 
yet-to-be-discovered IPMI vulnerabilities is to make sure that your IPMI 
devices are not open to the public internet, as Roland said.

-John
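As an added illustration of the triage John describes (this is example code written for this page, not anything posted in the thread), the script below parses raw IPv4/UDP datagrams and counts, per source address, the one-byte-payload packets aimed at a given destination port. It assumes "UDP length 29" means an IPv4 total length of 29 bytes (20-byte IP header + 8-byte UDP header + 1 byte of payload); the packets it inspects are constructed inline, with RFC 5737 documentation addresses, so it runs offline. A real capture would be fed in from a pcap reader instead.

```python
import struct
from collections import Counter


def ip_to_bytes(ip):
    """Dotted-quad string -> 4 raw bytes."""
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    """4 raw bytes -> dotted-quad string."""
    return ".".join(str(b) for b in raw)


def build_ipv4_udp(src_ip, dst_ip, src_port, dst_port, payload):
    """Assemble a minimal IPv4/UDP datagram for the constructed sample set.
    Checksums are left at zero; they play no part in length-based triage."""
    udp_len = 8 + len(payload)
    total_len = 20 + udp_len
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, 17, 0,          # v4/IHL=5, TTL 64, proto UDP
        ip_to_bytes(src_ip), ip_to_bytes(dst_ip),
    )
    udp_header = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    return ip_header + udp_header + payload


def parse_ipv4_udp(pkt):
    """Return (src_ip, dst_ip, src_port, dst_port, ip_total_len, udp_payload_len)
    for an IPv4/UDP datagram, or None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 17 or len(pkt) < ihl + 8:              # protocol 17 = UDP
        return None
    src_ip = bytes_to_ip(pkt[12:16])
    dst_ip = bytes_to_ip(pkt[16:20])
    src_port, dst_port, udp_len = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return src_ip, dst_ip, src_port, dst_port, total_len, udp_len - 8


def find_tiny_udp_flood(packets, dst_port, min_packets=3):
    """Count 29-byte, one-byte-payload UDP datagrams toward dst_port per source.
    Sources that sent at least min_packets of them are returned; a reflection
    hit would instead show large amplifier payloads from well-known ports."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_ipv4_udp(pkt)
        if parsed is None:
            continue
        src_ip, _, _, dport, total_len, payload_len = parsed
        if dport == dst_port and total_len == 29 and payload_len == 1:
            counts[src_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= min_packets}


# Constructed sample traffic (not from the thread): one source sending five
# tiny datagrams to 2072, a second sending two, one normal-sized DNS-style
# datagram, and one tiny datagram to a different port.
SAMPLE_PACKETS = (
    [build_ipv4_udp("198.51.100.7", "203.0.113.10", 40000 + i, 2072, b"\x00")
     for i in range(5)]
    + [build_ipv4_udp("198.51.100.8", "203.0.113.10", 51000, 2072, b"\x00")
       for _ in range(2)]
    + [build_ipv4_udp("198.51.100.9", "203.0.113.10", 53, 2072, b"A" * 40)]
    + [build_ipv4_udp("198.51.100.7", "203.0.113.10", 40000, 53, b"\x00")]
)

if __name__ == "__main__":
    for ip, n in sorted(find_tiny_udp_flood(SAMPLE_PACKETS, 2072).items()):
        print(f"{ip}: {n} one-byte UDP datagrams to port 2072")
```

The threshold is deliberately low so the constructed set produces a hit; against a real dump you would raise `min_packets` and, as the thread suggests, pair the per-source counts with whether those sources are themselves IPMI or DVR address ranges that should never be talking to you.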
