Syn flood to TCP port 21 from priveleged port (80)
Ken Chase
math at sizone.org
Tue Nov 1 22:21:26 UTC 2016
what's the density of open port 21s on the planet though? trying to estimate
the traffic resulting against the two target /21s.
Your dump only has 2 ip's in it though, on your /19 so not representative.
My dump is 500 synacks returned in 14 seconds to 32 ips in a /22. This would give
128M ftp responders across the whole /0 (modulo actual space in use, etc,
so call it 32M responders?). (It's also a short timespan for a dump as well.)
Syn-ack seems to be a 58 byte packet (?ish).
32 * 10^6 * 500/14 * 58*8 / 10^9 = 530 Gbps
even if im off by 4 in density of ftp sites on the internet despite my already
reducing it by 4, we're talking ~100+ Gbps.
/kc
On Tue, Nov 01, 2016 at 03:59:49PM -0600, Selphie Keller said:
>Yeah it is an odd ball attack for sure, here is a 5000 packet sample of
>what I was seeing in connection to this attack
>https://mystagic.io/80to21.pcap , don't think it's the entire /0 for ftp
>port as I am not seeing it on many other subnets, which is why I am
>thinking someone did a pre-scan before conducting this wacky attack,
>otherwise, I would have likely seen other port 21's seeing activity, but so
>far any IP that didn't have 21 as an actual service isn't seeing the syn
>packets. This could be unique to my location, others observing this attack
>may be able to chime in and report what they are seeing if they seen 80 src
>syn to port 21 where 21 isn't an actual ftp running. Yeah this is pretty
>easy to filter.
>
>On 1 November 2016 at 13:48, Ken Chase <math at sizone.org> wrote:
>
>> Not sure why reflected RSTs are the goal here, they're not much of an
>> amplification
>> to the original syn size. Additionally causing a mild dos of my clients'
>> stuff
>> when it begins throttling # of connections, ie noticeable. (not that i
>> want to
>> help scriptkids improve their attacks...). Im guessing port 80 was chosen
>> for improved
>> fw piercing.
>>
>> Sure is widespread though, 5 clients on very different networks all seeing
>> similar
>> saturation. Someone has a nice complete prescanned list of open ftps for
>> the
>> entire internet out there (or are they just saturating the whole /0?)
>>
>> Easy to filter though:
>>
>> tcp and src port 80 and src net '(141.138.128.0/21 or 95.131.184.0/21)'
>> and dst port 21
>>
>> Adapt for your fw rules of choice.
>>
>> /kc
>>
>>
>> On Tue, Nov 01, 2016 at 07:39:40PM +0000, Van Dyk, Donovan said:
>> >I think Ken has nailed it. I think the source addresses are spoofed so
>> you reflect the connection (tcp syn ack) to those source addresses. Get
>> enough of those connections and the server is dead.
>> >
>> >Since your port 21 is open
>> >
>> >telnet 109.72.248.114 21
>> >Trying 109.72.248.114...
>> >Connected to 109.72.248.114.
>> >Escape character is '^]'.
>> >
>> >Your address was probably scanned and saw it could be used in the
>> attack.
>> >
>> >Regards
>> >--
>> >Donovan Van Dyk
>> >
>> >SOC Network Engineer
>> >
>> >Office: +1.954.620.6002 x911
>> >
>> >Fort Lauderdale, FL USA
>> >
>> >
>> >
>> >
>> >The information contained in this electronic mail transmission and its
>> attachments may be privileged and confidential and protected from
>> disclosure. If the reader of this message is not the intended recipient (or
>> an individual responsible for delivery of the message to such person), you
>> are strictly prohibited from copying, disseminating or distributing this
>> communication. If you have received this communication in error, please
>> notify the sender immediately and destroy all electronic, paper or other
>> versions.
>> >
>> >
>> >On 11/1/16, 3:29 PM, "Ken Chase" <math at sizone.org> wrote:
>> >
>> > seeing an awful lot of port 80 hitting port 21. (Why would port 80
>> > ever be used as source?). Also saw a buncha cpanel "FAILED: FTP"
>> alerts flickering
>> > on and off as the service throttled itself at a couple client sites
>> I manage.
>> >
>> > I see 540 unique source IPs hitting 32 destinations on my network
>> in just 1000
>> > packets dumped on one router.
>> >
>> > All from multiple sequential registered /24s in whois, but all from
>> one
>> > management company:
>> >
>> > 141.138.128.0/21 and 95.131.184.0/21
>> >
>> > role: William Hill Network Services
>> > abuse-mailbox: networkservices at williamhill.co.uk
>> > address: Infrastructure Services 2 City Walk Sweet Street
>> Leeds LS11 9AR
>> >
>> > AS49061
>> >
>> > course, synfloods can be spoofed... perhaps they're hoping for a
>> retaliation
>> > against WHNS.
>> >
>> > /kc
>> >
>> > On Tue, Nov 01, 2016 at 09:44:23PM +0300, Oleg A. Arkhangelsky said:
>> > >Hello,
>> > >
>> > >A couple of cuts from tcpdump output:
>> > >
>> > >21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags
>> [S], seq 1376379765, win 8192, length 0
>> > >21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags
>> [S], seq 2254756684, win 8192, length 0
>> > >21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: Flags
>> [S], seq 3619475318, win 8192, length 0
>> > >21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: Flags
>> [S], seq 2412690982, win 8192, length 0
>> > >
>> > >Does anyone seeing this right now (18:31 UTC)? I see this traffic
>> > >on at least two completely independent ISPs near Moscow. The
>> > >rate is about a few dozen PPS hitting all BGP-announced networks.
>> > >
>> > >--??
>> > >wbr, Oleg.
>> > >
>> > >"Anarchy is about taking complete responsibility for yourself."
>> > >?? ?? ?? Alan Moore.
>> >
--
Ken Chase - math at sizone.org Guelph Canada
More information about the NANOG
mailing list