[nsp-sec] UDP based DDoS attack against 80.65.160.10 (AS21196)
Gong, Yiming
yiming.gong at xo.com
Fri Mar 7 16:10:28 EST 2008
I just did a search in my alert database and found that on Mar 01 there was
a half-hour UDP flood against 80.65.160.10:
+---------------------+--------------+-------+---------+-------+------+--------+------+-----------+
| time                | ip           | flows | packets | bytes | pps  | bps    | bpp  | alerttype |
+---------------------+--------------+-------+---------+-------+------+--------+------+-----------+
| 2008-03-01 07:33:16 | 80.65.160.10 |    37 |    3915 | 5.1M  |   13 | 144506 | 1363 | traffic   |
| 2008-03-01 07:43:13 | 80.65.160.10 |    34 |    3761 | 4.9M  |   12 | 136922 | 1364 | traffic   |
| 2008-03-01 07:53:19 | 80.65.160.10 |    31 |    3391 | 4.4M  |   11 | 125536 | 1364 | traffic   |
| 2008-03-01 08:03:12 | 80.65.160.10 |    34 |    3855 | 5.0M  |   12 | 140132 | 1362 | traffic   |
| 2008-03-01 08:03:05 | 80.65.160.10 |    10 |    4685 | 6.1M  |   15 | 164475 | 1366 | traffic   |
+---------------------+--------------+-------+---------+-------+------+--------+------+-----------+
And all the traffic came from one single source IP, 218.239.45.174, src 0, dst 0:
-Snip-
+---------------------+------+----------------+-------+--------------+-------+--------+--------+
| time                | pro  | sip            | sport | dip          | dport | flags  | bytes  |
+---------------------+------+----------------+-------+--------------+-------+--------+--------+
| 2008-03-01 08:03:12 | UDP  | 218.239.45.174 |     0 | 80.65.160.10 |     0 | ...... | 141775 |
| 2008-03-01 08:03:12 | UDP  | 218.239.45.174 |     0 | 80.65.160.10 |     0 | ...... | 139932 |
| 2008-03-01 08:03:12 | UDP  | 218.239.45.174 |     0 | 80.65.160.10 |     0 | ...... | 123262 |
| 2008-03-01 08:03:12 | UDP  | 218.239.45.174 |     0 | 80.65.160.10 |     0 | ...... | 110965 |
| 2008-03-01 08:03:12 | UDP  | 218.239.45.174 |     0 | 80.65.160.10 |     0 | ...... | 135999 |
| 2008-03-01 08:03:12 | UDP  | 218.239.45.174 |     0 | 80.65.160.10 |     0 | ...... | 185890 |
| 2008-03-01 08:03:12 | UDP  | 218.239.45.174 |     0 | 80.65.160.10 |     0 | ...... | 127072 |
| 2008-03-01 08:03:12 | UDP  | 218.239.45.174 |     0 | 80.65.160.10 |     0 | ...... | 135405 |
| 2008-03-01 08:03:12 | UDP  | 218.239.45.174 |     0 | 80.65.160.10 |     0 | ...... | 134195 |
| 2008-03-01 08:03:12 | UDP  | 218.239.45.174 |     0 | 80.65.160.10 |     0 | ...... | 143014 |
whois -h whois.cymru.com 218.239.45.174
AS | IP | AS Name
9318 | 218.239.45.174 | HANARO-AS Hanaro Telecom Inc.
Also:
I constantly see UDP src 0 dst 0 traffic|session spikes on our network
and therefore get UDP aberrant alerts a lot; I think maybe 1/5 of all
the UDP alerts I get are related to UDP port 0, and most of these alerts
only contain one or a few source IPs. Does anyone see this type of traffic
on your network often?
Regards,
Yiming
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Chris Morrow
> Sent: Friday, March 07, 2008 2:12 PM
> To: Smith, Donald
> Cc: nsp-security NSP
> Subject: Re: [nsp-sec] UDP based DDoS attack against
> 80.65.160.10 (AS21196)
>
> ----------- nsp-security Confidential --------
>
>
>
> On Fri, 7 Mar 2008, Smith, Donald wrote:
>
> > ----------- nsp-security Confidential --------
> >
> > Nic, if they can they should block udp 0 <-> udp 0 somewhere
> > upstream. That accounts for a very large portion of this attack and
> > is invalid :)
>
> udp 0/0 == frags of udp (sometimes; like nfs servers I've seen do
> this), though it's also probably attack traffic in some cases.
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>
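As an added, illustrative example (not part of this thread, and not code posted by any of the participants): the Python script below builds UDP datagrams, fragments them the way an RFC 791 router would, and extracts flow keys the way a stateless flow exporter does, so the reader can see why only the first fragment carries ports and every later fragment is recorded as UDP 0 -> 0, which is the point Chris makes about NFS. It then aggregates port-0 traffic per destination and flags a single-source spike of the kind shown in the table. The packets, the 10.0.0.x addresses, the ports and the thresholds are all constructed assumptions; the exporter model (ports read only from offset-0 fragments) is the usual NetFlow-style behaviour and is an assumption of this example, not something the list states.

```python
"""Why non-initial IP fragments show up as "UDP 0 -> 0" in flow records,
plus a small detector for single-source port-0 floods.

Added example; addresses other than those in the thread, ports, sizes and
thresholds are constructed for illustration.
"""
import struct
from collections import defaultdict

IPPROTO_UDP = 17
IP_MF = 0x2000  # "more fragments" bit in the IPv4 flags/offset field


def _ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def _bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_udp_fragments(src_ip, dst_ip, sport, dport, payload, mtu=1500, ident=0x1234):
    """Build one UDP datagram and fragment it per RFC 791.

    Returns the on-wire IPv4 packets. Only the first fragment carries the
    8-byte UDP header; later fragments carry raw payload after the IP header.
    Checksums are left at 0 because nothing here validates them.
    """
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    max_data = (mtu - 20) // 8 * 8  # fragment data must be a multiple of 8 bytes
    packets = []
    for off in range(0, len(udp), max_data):
        chunk = udp[off:off + max_data]
        more = (off + max_data) < len(udp)
        flags_off = (IP_MF if more else 0) | (off // 8)
        hdr = struct.pack("!BBHHHBBH4s4s",
                          0x45, 0, 20 + len(chunk), ident, flags_off,
                          64, IPPROTO_UDP, 0,
                          _ip_to_bytes(src_ip), _ip_to_bytes(dst_ip))
        packets.append(hdr + chunk)
    return packets


def flow_key(pkt):
    """Extract (proto, sip, sport, dip, dport) and size like a stateless exporter.

    Ports are only read when the fragment offset is 0; a non-initial fragment
    has no transport header, so it is recorded as port 0 -> 0.
    """
    (ver_ihl, _tos, _tlen, _ident, flags_off, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = flags_off & 0x1FFF
    sport = dport = 0
    if offset == 0 and proto == IPPROTO_UDP and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (proto, _bytes_to_ip(src), sport, _bytes_to_ip(dst), dport), len(pkt)


def udp_port0_by_destination(packets):
    """Aggregate UDP 0 -> 0 (i.e. fragment) traffic per destination address."""
    report = defaultdict(lambda: {"bytes": 0, "pkts": 0, "srcs": set()})
    for pkt in packets:
        (proto, sip, sport, dip, dport), size = flow_key(pkt)
        if proto == IPPROTO_UDP and sport == 0 and dport == 0:
            entry = report[dip]
            entry["bytes"] += size
            entry["pkts"] += 1
            entry["srcs"].add(sip)
    return dict(report)


def flag_single_source_floods(report, min_bytes, max_sources=3):
    """Destinations with a lot of port-0 volume coming from very few sources.

    Legitimate fragment traffic (NFS replies to several clients) stays under
    the byte threshold; a one-source flood does not.
    """
    return sorted(dip for dip, r in report.items()
                  if r["bytes"] >= min_bytes and len(r["srcs"]) <= max_sources)


def sample_traffic():
    """Constructed sample: NFS-style 8000-byte read replies to two clients,
    plus 100 x 4000-byte datagrams from one source to the address in the thread."""
    pkts = []
    for client in ("10.0.0.11", "10.0.0.12"):
        pkts += build_udp_fragments("10.0.0.5", client, 2049, 1023, b"A" * 8000)
    for i in range(100):
        pkts += build_udp_fragments("218.239.45.174", "80.65.160.10",
                                    40000 + i, 9, b"\x00" * 4000, ident=i)
    return pkts


if __name__ == "__main__":
    rep = udp_port0_by_destination(sample_traffic())
    for dip, r in sorted(rep.items()):
        print(f"{dip:15} port0 bytes={r['bytes']:7} pkts={r['pkts']:4} srcs={len(r['srcs'])}")
    print("flagged:", flag_single_source_floods(rep, min_bytes=100_000))
```

Running it shows the NFS clients collecting a few thousand port-0 bytes each from one server, the same kind of record Chris describes, while 80.65.160.10 collects a couple of hundred kilobytes from a single source and is the only destination flagged. That is also the caveat for Donald's suggestion: an unconditional "deny udp any eq 0 any eq 0" upstream drops the tail fragments of every large legitimate UDP datagram too, so a volume-and-source-count threshold like the one above is the safer trigger for a targeted block.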