where to go to understand DDoS attack vector
John
jw at nuclearfallout.net
Tue Aug 26 19:37:12 UTC 2014
On 8/26/2014 10:40 AM, Miles Fidelman wrote:
> That's about as far as I've gotten. What has me scratching my head is
> what is setting the source port. This has all the earmarks of a
> reflection attack, except... I'm not running anything that presents as
> port 2072 (msync) - so either the attack is making very clever use of
> some other open server, or the board's BMC is infected by a bot.
> Unfortunately, with the port now blocked, and what was intermittent in
> any case - it's a little hard to monitor incoming traffic to see what
> might be trigger traffic. Sigh...
From the traffic dump and description, this was highly likely to be a
direct attack and not an amplification/reflection hit. I don't know of
reflectors that run on port 2072; but, bots are routinely used to send
UDP length 29 (payload length 1) packets.
Older Supermicro IPMI devices have multiple published exploits including
the much-publicized port-49152 vulnerability that provides the admin
password in the clear (described at
http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
and other places). Many device owners also never change the default u/p,
in which case an exploit doesn't even need to be used. The attacker will
typically use a tool to scan the IPv4 space for vulnerable hosts; the
tool logs in and installs a bot that connects to a C&C server and is
later used for attacks. The same procedure is followed with other
easily-compromised devices, including Hikvision DVRs/NVRs and various
routers including the Chinese Telecom F420. Resulting botnets can be
tens or even hundreds of thousands of hosts in size.
IPMI devices have been used quite regularly for attacks for a couple of
months now -- as soon as that vulnerability was made public, the
toolmakers started using it. The best defense against current and
yet-to-be-discovered IPMI vulnerabilities is to make sure that your IPMI
devices are not open to the public internet, as Roland said.
-John
More information about the NANOG
mailing list