[nsp-sec] UDP based DDoS attack against 80.65.160.10 (AS21196)
Smith, Donald
Donald.Smith at qwest.com
Fri Mar 7 17:37:42 EST 2008
Chris is correct: blocking udp 0<->0 could block frags too, but in this
case I would say it is worth that potential loss vs. the amount of ddos
traffic it will drop.
I didn't do a formal numbers review, but the 0<->0 is around 1/2 of the
attack traffic.
209.51.132.250 = united.dnsprotect.com.
They have a default "apache is working on your cpanel and whm server"
page that suggests to me this is a virtualized system with apache and
nobody has really been working to get it configured (a forgotten
server?)
59.105.159.123 is an adsl system in tw that has what appears to be a
virtualized IIS web server on it.
I think if you check you will find these are web servers with
virtualized web services on them. If that is the case, I suspect a bot
built using cpanel exploitation or bruteforce password attacks.
$ telnet 59.105.159.123 80
Trying 59.105.159.123...
Connected to 59.105.159.123.
Escape character is '^]'.
get *
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Sat, 08 Mar 2008 06:26:51 GMT
Content-Type: text/html
Content-Length: 111
<html><head><title>Site Not Found</title></head>
<body>No web site is configured at this address.</body></html>Connection closed by foreign host.
$ telnet 209.51.132.250 80
Trying 209.51.132.250...
Connected to 209.51.132.250.
Escape character is '^]'.
get *
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method Not Implemented</TITLE>
</HEAD><BODY>
<H1>Method Not Implemented</H1>
get to * not supported.<P>
Invalid method in request get *<P>
<HR>
<ADDRESS>Apache/1.3.37 Server at drlittlegreg.apwired.com Port 80</ADDRESS>
</BODY></HTML>
Connection closed by foreign host.
RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: Chris Morrow [mailto:morrowc at ops-netman.net]
> Sent: Friday, March 07, 2008 1:12 PM
> To: Smith, Donald
> Cc: Nicholas Ianelli; nsp-security NSP
> Subject: Re: [nsp-sec] UDP based DDoS attack against 80.65.160.10 (AS21196)
>
>
>
> On Fri, 7 Mar 2008, Smith, Donald wrote:
>
> > ----------- nsp-security Confidential --------
> >
> > Nic if they can they should block udp 0 <-> udp 0 somewhere upstream.
> > That accounts for a very large portion of this attack and is invalid:)
>
> udp 0/0 == frags of udp (sometimes, like nfs servers I've seen do this)
> though, it's also probably attack traffic in some cases.
>
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
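The point Chris and Donald are going back and forth on above (that "udp 0<->0" in an ACL or flow record covers both genuine port-0 datagrams and the non-initial fragments of a legitimate large UDP datagram, since only the first fragment carries the UDP header) can be shown on constructed packets. This is an added example, not code from the thread or from either poster; the addresses, ports and payload sizes are made up, the fragmentation follows a fixed MTU, and the "ACL" functions are a naive port-only match beside a match that also looks at the IP fragment offset.

```python
"""
How a port-keyed filter sees UDP fragments vs. real port-0 datagrams.
Added example for the nsp-security thread above; all packets are
constructed inline (no traffic or addresses from the thread).
"""
import struct

IPPROTO_UDP = 17


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload):
    """One unfragmented IPv4+UDP datagram. Checksums are left at zero
    (legal for UDP over IPv4, and irrelevant to the port matching here)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0,
                     64, IPPROTO_UDP, 0, _ip(src_ip), _ip(dst_ip))
    return ip + udp


def fragment(packet, mtu=1500):
    """Split an IPv4 packet the way a router with the given MTU would.
    Every fragment gets a copy of the IP header; only the first one
    contains the UDP header, because the UDP header is just payload
    from IP's point of view."""
    ihl = (packet[0] & 0x0F) * 4
    hdr, data = packet[:ihl], packet[ihl:]
    chunk = (mtu - ihl) // 8 * 8          # fragment payload must be 8-aligned
    frags, off = [], 0
    while off < len(data):
        piece = data[off:off + chunk]
        last = off + len(piece) >= len(data)
        flags_off = (0 if last else 0x2000) | (off // 8)   # MF flag | offset/8
        frag_hdr = (hdr[:2] + struct.pack("!H", ihl + len(piece)) + hdr[4:6]
                    + struct.pack("!H", flags_off) + hdr[8:])
        frags.append(frag_hdr + piece)
        off += len(piece)
    return frags


def classify(packet):
    """Return (sport, dport, is_fragment) as a device that keys on L4
    ports sees this packet. A non-initial fragment has no UDP header in
    it, so the ports come out as 0/0, exactly like a real port-0 datagram."""
    ihl = (packet[0] & 0x0F) * 4
    flags_off = struct.unpack("!H", packet[6:8])[0]
    frag_off, more = flags_off & 0x1FFF, bool(flags_off & 0x2000)
    if packet[9] != IPPROTO_UDP:
        return None
    if frag_off != 0:
        return (0, 0, True)
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (sport, dport, more)


def acl_udp_zero_zero(packet):
    """Naive 'deny udp src port 0 dst port 0': matches real port-0 traffic
    AND every non-initial fragment of any UDP datagram."""
    c = classify(packet)
    return c is not None and c[0] == 0 and c[1] == 0


def acl_udp_zero_zero_nonfrag(packet):
    """Same match, but skip non-initial fragments: only packets that
    actually carry a UDP header with ports 0/0 are dropped."""
    c = classify(packet)
    return c is not None and c[0] == 0 and c[1] == 0 and not (
        c[2] and struct.unpack("!H", packet[6:8])[0] & 0x1FFF)


def tally(packets):
    """The 'formal numbers review' split: how much of the 0<->0 volume
    is fragments and how much is genuine port-0 datagrams."""
    counts = {"nonfirst_fragment": 0, "port_zero": 0, "other": 0}
    for p in packets:
        sport, dport, _ = classify(p)
        if struct.unpack("!H", p[6:8])[0] & 0x1FFF:
            counts["nonfirst_fragment"] += 1
        elif sport == 0 and dport == 0:
            counts["port_zero"] += 1
        else:
            counts["other"] += 1
    return counts


def sample_traffic():
    """Constructed mix: one NFS-sized UDP datagram that fragments into two,
    three genuine port-0 packets, and one ordinary DNS query."""
    nfs = build_ipv4_udp("192.0.2.10", "192.0.2.20", 2049, 1023, b"N" * 2000)
    attack = [build_ipv4_udp("192.0.2.30", "192.0.2.40", 0, 0, b"A" * 100)
              for _ in range(3)]
    dns = build_ipv4_udp("192.0.2.50", "192.0.2.53", 53210, 53, b"D" * 40)
    return fragment(nfs) + attack + [dns]


if __name__ == "__main__":
    pkts = sample_traffic()
    print(tally(pkts))
    print("naive 0<->0 drops:", sum(acl_udp_zero_zero(p) for p in pkts))
    print("frag-aware drops:  ", sum(acl_udp_zero_zero_nonfrag(p) for p in pkts))
```

With this traffic the naive match drops four packets (three attack datagrams plus the second NFS fragment), while the fragment-aware match drops only the three that really carry port 0/0. Whether a given router or flow exporter can express that distinction is platform-specific and is exactly the trade-off Donald weighs above; the tally function is the quick way to see how much of the 0<->0 bucket is fragments before deciding.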