Syn flood to TCP port 21 from priveleged port (80)
Christian Kildau
lists at chrisk.de
Wed Nov 2 08:46:45 UTC 2016
There is some nice research regarding systems "abusable" for reflection by
tcp port and the amplification factor depending on the OS:
http://www.christian-rossow.de/publications/tcpamplification-woot2014.pdf
And in more detail:
https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-
kuhrer.pdf
Best regards,
Chris
On Tue, Nov 1, 2016 at 11:21 PM, Ken Chase <math at sizone.org> wrote:
> what's the density of open port 21s on the planet though? trying to
> estimate
> the traffic resulting against the two target /21s.
>
> Your dump only has 2 ip's in it though, on your /19 so not representative.
>
> My dump is 500 synacks returned in 14 seconds to 32 ips in a /22. This
> would give
> 128M ftp responders across the whole /0 (modulo actual space in use, etc,
> so call it 32M responders?). (It's also a short timespan for a dump as
> well.)
> Syn-ack seems to be a 58 byte packet (?ish).
>
> 32 * 10^6 * 500/14 * 58*8 / 10^9 = 530 Gbps
>
> even if im off by 4 in density of ftp sites on the internet despite my
> already
> reducing it by 4, we're talking ~100+ Gbps.
>
> /kc
>
>
> On Tue, Nov 01, 2016 at 03:59:49PM -0600, Selphie Keller said:
> >Yeah it is an odd ball attack for sure, here is a 5000 packet sample of
> >what I was seeing in connection to this attack
> >https://mystagic.io/80to21.pcap , don't think it's the entire /0 for
> ftp
> >port as I am not seeing it on many other subnets, which is why I am
> >thinking someone did a pre-scan before conducting this wacky attack,
> >otherwise, I would have likely seen other port 21's seeing activity,
> but so
> >far any IP that didn't have 21 as an actual service isn't seeing the syn
> >packets. This could be unique to my location, others observing this
> attack
> >may be able to chime in and report what they are seeing if they seen 80
> src
> >syn to port 21 where 21 isn't an actual ftp running. Yeah this is pretty
> >easy to filter.
> >
> >On 1 November 2016 at 13:48, Ken Chase <math at sizone.org> wrote:
> >
> >> Not sure why reflected RSTs are the goal here, they're not much of an
> >> amplification
> >> to the original syn size. Additionally causing a mild dos of my
> clients'
> >> stuff
> >> when it begins throttling # of connections, ie noticeable. (not that i
> >> want to
> >> help scriptkids improve their attacks...). Im guessing port 80 was
> chosen
> >> for improved
> >> fw piercing.
> >>
> >> Sure is widespread though, 5 clients on very different networks all
> seeing
> >> similar
> >> saturation. Someone has a nice complete prescanned list of open ftps
> for
> >> the
> >> entire internet out there (or are they just saturating the whole /0?)
> >>
> >> Easy to filter though:
> >>
> >> tcp and src port 80 and src net '(141.138.128.0/21 or 95.131.184.0/21
> )'
> >> and dst port 21
> >>
> >> Adapt for your fw rules of choice.
> >>
> >> /kc
> >>
> >>
> >> On Tue, Nov 01, 2016 at 07:39:40PM +0000, Van Dyk, Donovan said:
> >> >I think Ken has nailed it. I think the source addresses are
> spoofed so
> >> you reflect the connection (tcp syn ack) to those source addresses.
> Get
> >> enough of those connections and the server is dead.
> >> >
> >> >Since your port 21 is open
> >> >
> >> >telnet 109.72.248.114 21
> >> >Trying 109.72.248.114...
> >> >Connected to 109.72.248.114.
> >> >Escape character is '^]'.
> >> >
> >> >Your address was probably scanned and saw it could be used in the
> >> attack.
> >> >
> >> >Regards
> >> >--
> >> >Donovan Van Dyk
> >> >
> >> >SOC Network Engineer
> >> >
> >> >Office: +1.954.620.6002 x911
> >> >
> >> >Fort Lauderdale, FL USA
> >> >
> >> >
> >> >
> >> >
> >> >The information contained in this electronic mail transmission and
> its
> >> attachments may be privileged and confidential and protected from
> >> disclosure. If the reader of this message is not the intended
> recipient (or
> >> an individual responsible for delivery of the message to such
> person), you
> >> are strictly prohibited from copying, disseminating or distributing
> this
> >> communication. If you have received this communication in error,
> please
> >> notify the sender immediately and destroy all electronic, paper or
> other
> >> versions.
> >> >
> >> >
> >> >On 11/1/16, 3:29 PM, "Ken Chase" <math at sizone.org> wrote:
> >> >
> >> > seeing an awful lot of port 80 hitting port 21. (Why would
> port 80
> >> > ever be used as source?). Also saw a buncha cpanel "FAILED:
> FTP"
> >> alerts flickering
> >> > on and off as the service throttled itself at a couple client
> sites
> >> I manage.
> >> >
> >> > I see 540 unique source IPs hitting 32 destinations on my
> network
> >> in just 1000
> >> > packets dumped on one router.
> >> >
> >> > All from multiple sequential registered /24s in whois, but all
> from
> >> one
> >> > management company:
> >> >
> >> > 141.138.128.0/21 and 95.131.184.0/21
> >> >
> >> > role: William Hill Network Services
> >> > abuse-mailbox: networkservices at williamhill.co.uk
> >> > address: Infrastructure Services 2 City Walk Sweet
> Street
> >> Leeds LS11 9AR
> >> >
> >> > AS49061
> >> >
> >> > course, synfloods can be spoofed... perhaps they're hoping for
> a
> >> retaliation
> >> > against WHNS.
> >> >
> >> > /kc
> >> >
> >> > On Tue, Nov 01, 2016 at 09:44:23PM +0300, Oleg A. Arkhangelsky
> said:
> >> > >Hello,
> >> > >
> >> > >A couple of cuts from tcpdump output:
> >> > >
> >> > >21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21:
> Flags
> >> [S], seq 1376379765, win 8192, length 0
> >> > >21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21:
> Flags
> >> [S], seq 2254756684, win 8192, length 0
> >> > >21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21:
> Flags
> >> [S], seq 3619475318, win 8192, length 0
> >> > >21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21:
> Flags
> >> [S], seq 2412690982, win 8192, length 0
> >> > >
> >> > >Does anyone seeing this right now (18:31 UTC)? I see this
> traffic
> >> > >on at least two completely independent ISPs near Moscow. The
> >> > >rate is about a few dozen PPS hitting all BGP-announced
> networks.
> >> > >
> >> > >--??
> >> > >wbr, Oleg.
> >> > >
> >> > >"Anarchy is about taking complete responsibility for
> yourself."
> >> > >?? ?? ?? Alan Moore.
> >> >
>
> --
> Ken Chase - math at sizone.org Guelph Canada
>
More information about the NANOG
mailing list