Ransom DDoS attack - need help!

Baldur Norddahl baldur.norddahl at gmail.com
Thu Dec 10 01:38:45 UTC 2015

On 10 December 2015 at 01:48, alvin nanog <nanogml at mail.ddos-mitigator.net>

> what app do yu have that talks to port 1900 ?

UDP 1900 is a "Chargen" UDP reflection attack. The DNS and NTP packets are
also from a reflection attack.

We filter UDP 1900 at our border. Not to protect our network from attack,
although it still helps. The packets might have come down our IP transit
pipes, which are high capacity, but we can still stop it from doing further
damage at the smaller pipes in our access network.

We filter UDP 1900 because too many of our customers run vulnerable CPE
devices that can be abused as a Chargen reflector. We stop that hard by
dropping UDP 1900 both ingress and egress.

He is being hit with a volume based UDP reflection attack. The IP addresses
are not faked. They all lead back to people that run vulnerable CPE
devices, NTP servers or open DNS resolvers.

Reflection attacks require that you have the ability to send out faked IP
addresses. Botnets are generally unable to do that. Their max attack size
is limited by the bandwidth at the server, where they have the ability to
send out faked UDP packets.

Keep attacking you if you do not pay is bad business. They could be
attacking someone who will pay instead. No one has infinite attack
bandwidth available.



More information about the NANOG mailing list