[j-nsp] Juniper UDP Amplification Attack - UDP port 111 ?
Chris Kawchuk
juniperdude at gmail.com
Thu Mar 15 21:59:20 EDT 2018
Just noticed this today:
chrisk at vmx1.mel-lab1> monitor traffic interface xe-0/0/0 no-resolve size 1500 matching "not port 22"
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-0/0/0, capture size 1500 bytes
01:50:20.710920 In IP 207.174.181.174.47550 > 43.247.124.125.111: UDP, length 40
01:50:20.711049 Out IP 43.247.124.125.111 > 207.174.181.174.47550: UDP, length 368
01:50:20.711454 In IP 207.174.181.174.55654 > 43.247.124.125.111: UDP, length 40
01:50:20.711506 Out IP 43.247.124.125.111 > 207.174.181.174.55654: UDP, length 368
01:50:20.721262 In IP 207.174.181.174.22724 > 43.247.124.125.111: UDP, length 40
01:50:20.721307 Out IP 43.247.124.125.111 > 207.174.181.174.22724: UDP, length 368
01:50:20.727638 In IP 207.174.181.173.58698 > 43.247.124.125.111: UDP, length 40
01:50:20.727680 Out IP 43.247.124.125.111 > 207.174.181.173.58698: UDP, length 368
01:50:20.762255 In IP 207.174.181.173.10131 > 43.247.124.125.111: UDP, length 40
01:50:20.762393 Out IP 43.247.124.125.111 > 207.174.181.173.10131: UDP, length 368
01:50:20.777967 In IP 207.174.181.173.17923 > 43.247.124.125.111: UDP, length 40
01:50:20.778010 Out IP 43.247.124.125.111 > 207.174.181.173.17923: UDP, length 368
01:50:20.793727 In IP 207.174.181.173.15406 > 43.247.124.125.111: UDP, length 40
01:50:20.793807 Out IP 43.247.124.125.111 > 207.174.181.173.15406: UDP, length 368
01:50:20.849286 In IP 207.174.181.173.65209 > 43.247.124.125.111: UDP, length 40
01:50:20.849360 Out IP 43.247.124.125.111 > 207.174.181.173.65209: UDP, length 368
01:50:21.073702 In IP 207.174.181.174.22724 > 43.247.124.125.111: UDP, length 40
01:50:21.073843 Out IP 43.247.124.125.111 > 207.174.181.174.22724: UDP, length 368
01:50:21.214115 In IP 207.174.181.173.58698 > 43.247.124.125.111: UDP, length 40
01:50:21.214229 Out IP 43.247.124.125.111 > 207.174.181.173.58698: UDP, length 368
Seems JunOS is listening on port 111 and returning some big bytes (i.e. in 40 bytes, out 368 bytes) or a 9.2X amplification UDP reflection.
This is on vMX.. dunno if hardware MX does the same thing, but likely.
I added this into our loopback lo0.0 filter (as we do deny-then-accept-all-else -- I should really re-write this as accept-and-deny-all-else logic, would've stopped it in its tracks...).
+ term block-udp-111 {
+ from {
+ protocol udp;
+ destination-port 111;
+ }
+ then {
+ discard;
+ }
+ }
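Review bot: the term has no `count` or `syslog` action next to `discard`, so once it is in place there is no visibility into how much reflection traffic the loopback filter is absorbing or whether the probing from those 207.174.181.x sources stops; suggest `then { count udp-111-reflect; discard; }` (or `syslog` while investigating). Two things the hunk does not show but the surrounding text makes matter: in a deny-then-accept-all-else filter the new term must be ordered before the accept-all term, since Junos evaluates terms in order and a term placed after an unconditional accept never matches; and `discard` is the right action here rather than `reject`, because a reject would send an ICMP unreachable back to the (spoofed) source address and just be another reflection.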
Just a heads up; I'm probably not the first person to see this-- and if you've seen it before, apologies for the noise...
- CK.
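The post works out the amplification factor by hand from the "length" fields of a few capture lines. The script below is an added example, not part of the original post or anything Juniper ships: it parses Junos `monitor traffic` / tcpdump-style output and reports, per local UDP service port, bytes in versus bytes out and the resulting ratio. The sample lines are copied from the capture in the post. Note that tcpdump's "UDP, length N" is the UDP payload length, so the script reports both the payload ratio (9.2X for port 111, matching the post) and the on-wire ratio with 28 bytes of IPv4 plus UDP header added to every datagram (which is what a victim actually receives per byte an attacker sends). The 2.0 threshold in `suspicious_ports` is an arbitrary assumption for the example, not anything the post or Junos defines.

```python
"""Per-port UDP amplification ratios from Junos 'monitor traffic' output.

Added example (not from the original post). Reads tcpdump-style lines such as
    01:50:20.710920 In IP 207.174.181.174.47550 > 43.247.124.125.111: UDP, length 40
and aggregates request/response byte counts per local service port.
"""
import re
import sys
from collections import defaultdict

# Sample copied from the capture in the post (Junos monitor traffic, no-resolve).
SAMPLE_CAPTURE = """\
Listening on ge-0/0/0, capture size 1500 bytes
01:50:20.710920 In IP 207.174.181.174.47550 > 43.247.124.125.111: UDP, length 40
01:50:20.711049 Out IP 43.247.124.125.111 > 207.174.181.174.47550: UDP, length 368
01:50:20.711454 In IP 207.174.181.174.55654 > 43.247.124.125.111: UDP, length 40
01:50:20.711506 Out IP 43.247.124.125.111 > 207.174.181.174.55654: UDP, length 368
01:50:20.727638 In IP 207.174.181.173.58698 > 43.247.124.125.111: UDP, length 40
01:50:20.727680 Out IP 43.247.124.125.111 > 207.174.181.173.58698: UDP, length 368
01:50:21.214115 In IP 207.174.181.173.58698 > 43.247.124.125.111: UDP, length 40
01:50:21.214229 Out IP 43.247.124.125.111 > 207.174.181.173.58698: UDP, length 368
"""

# Only UDP lines are of interest; anything else (banner lines, TCP, ICMP) is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<len>\d+)$"
)

# tcpdump's "UDP, length N" is payload only; add IPv4 (20) + UDP (8) headers for
# the on-wire size the attacker sends and the victim receives.
IPV4_UDP_HEADER_BYTES = 28


def parse_capture(text):
    """Return a list of dicts for every UDP line in the capture text."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": d["ts"], "dir": d["dir"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "len": int(d["len"]),
        })
    return records


def amplification_by_service_port(records, header_bytes=IPV4_UDP_HEADER_BYTES):
    """Aggregate by the local service port: destination port of 'In' packets,
    source port of 'Out' packets. Returns {port: stats dict}."""
    agg = defaultdict(lambda: {"pkts_in": 0, "bytes_in": 0, "pkts_out": 0, "bytes_out": 0})
    for r in records:
        if r["dir"] == "In":
            s = agg[r["dport"]]
            s["pkts_in"] += 1
            s["bytes_in"] += r["len"]
        else:
            s = agg[r["sport"]]
            s["pkts_out"] += 1
            s["bytes_out"] += r["len"]

    result = {}
    for port, s in agg.items():
        if s["bytes_in"] == 0:
            continue  # responses with no observed request: nothing to compare against
        payload_ratio = s["bytes_out"] / s["bytes_in"]
        wire_in = s["bytes_in"] + s["pkts_in"] * header_bytes
        wire_out = s["bytes_out"] + s["pkts_out"] * header_bytes
        result[port] = dict(s, payload_ratio=payload_ratio, wire_ratio=wire_out / wire_in)
    return result


def suspicious_ports(results, threshold=2.0):
    """Ports whose on-wire response/request ratio meets the (assumed) threshold."""
    return sorted(p for p, s in results.items() if s["wire_ratio"] >= threshold)


if __name__ == "__main__":
    # Usage: python amp.py [saved-monitor-traffic-output.txt]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    stats = amplification_by_service_port(parse_capture(text))
    for port in suspicious_ports(stats):
        s = stats[port]
        print(f"udp/{port}: {s['pkts_in']} req / {s['bytes_in']} B in, "
              f"{s['pkts_out']} resp / {s['bytes_out']} B out, "
              f"payload x{s['payload_ratio']:.1f}, on-wire x{s['wire_ratio']:.1f}")
```

For the sample above the output line reads payload x9.2 and on-wire x5.8: the 9.2 matches the post's arithmetic, while 5.8 is the factor that matters for sizing the attack a spoofed source actually receives. Aggregating by local service port rather than per flow is deliberate, since a reflector is probed from many ephemeral source ports and the question is which listening service is doing the amplifying.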
More information about the juniper-nsp mailing list