[j-nsp] Juniper UDP Amplification Attack - UDP port 111 ?

Chris Kawchuk juniperdude at gmail.com
Thu Mar 15 21:59:20 EDT 2018 

Just noticed this today:

chrisk at vmx1.mel-lab1> monitor traffic interface xe-0/0/0 no-resolve size 1500 matching "not port 22" 
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-0/0/0, capture size 1500 bytes

01:50:20.710920  In IP 207.174.181.174.47550 > 43.247.124.125.111: UDP, length 40
01:50:20.711049 Out IP 43.247.124.125.111 > 207.174.181.174.47550: UDP, length 368
01:50:20.711454  In IP 207.174.181.174.55654 > 43.247.124.125.111: UDP, length 40
01:50:20.711506 Out IP 43.247.124.125.111 > 207.174.181.174.55654: UDP, length 368
01:50:20.721262  In IP 207.174.181.174.22724 > 43.247.124.125.111: UDP, length 40
01:50:20.721307 Out IP 43.247.124.125.111 > 207.174.181.174.22724: UDP, length 368
01:50:20.727638  In IP 207.174.181.173.58698 > 43.247.124.125.111: UDP, length 40
01:50:20.727680 Out IP 43.247.124.125.111 > 207.174.181.173.58698: UDP, length 368
01:50:20.762255  In IP 207.174.181.173.10131 > 43.247.124.125.111: UDP, length 40
01:50:20.762393 Out IP 43.247.124.125.111 > 207.174.181.173.10131: UDP, length 368
01:50:20.777967  In IP 207.174.181.173.17923 > 43.247.124.125.111: UDP, length 40
01:50:20.778010 Out IP 43.247.124.125.111 > 207.174.181.173.17923: UDP, length 368
01:50:20.793727  In IP 207.174.181.173.15406 > 43.247.124.125.111: UDP, length 40
01:50:20.793807 Out IP 43.247.124.125.111 > 207.174.181.173.15406: UDP, length 368
01:50:20.849286  In IP 207.174.181.173.65209 > 43.247.124.125.111: UDP, length 40
01:50:20.849360 Out IP 43.247.124.125.111 > 207.174.181.173.65209: UDP, length 368
01:50:21.073702  In IP 207.174.181.174.22724 > 43.247.124.125.111: UDP, length 40
01:50:21.073843 Out IP 43.247.124.125.111 > 207.174.181.174.22724: UDP, length 368
01:50:21.214115  In IP 207.174.181.173.58698 > 43.247.124.125.111: UDP, length 40
01:50:21.214229 Out IP 43.247.124.125.111 > 207.174.181.173.58698: UDP, length 368

Seems JunOS is listening on port 111 and retuning some big bytes (i.e. in 40 bytes, out 368 bytes) or a 9.2X amplification UDP reflection.
This on vMX .. dunno if hardware MX does the same thing, but likely.

I added this into our loopback lo0.0 filter (as we do deny-then-accept-all-else -- i should really re-write this as accept-and-deny-all-else logic, would've stopped it in it's tracks...).

+              term block-udp-111 {
+                  from {
+                      protocol udp;
+                      destination-port 111;
+                  }
+                  then {
+                      discard;
+                  }
+              }

Just a heads up; I'm probably not the first person to see this-- and if you've seen it before, apologies for the noise...

- CK.

More information about the juniper-nsp mailing list