[nsp-sec] More UDP 'attention'

Smith, Donald Donald.Smith at qwest.com
Tue Apr 26 13:52:56 EDT 2011


Sara ran a netflow report based on the victim ips.
I spot checked just 204.74.101.1.
The sif (source interface) for packets FROM 204.74.101.1 was all over the place -> (spoofed or multipath).

Then I looked at a single attacker as the source and see that ALL of the sifs for it are the same (not spoofed) and that the destination interface towards 204.74.101.1 is constant (351). So we don't have multiple return paths for 204.74.101.1.

So it looks like someone is spoofing their IPs and doing a DNS reflective attack.
That is what this pattern looks like to me anyways.

You stated "that the src's are spoofed"; what did you base that on?
You also mentioned that the packets were malformed; again, can you provide additional details about that?





Sharing: Author's permission required.
Donald.Smith at qwest.com


> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of King, Link
> Sent: Tuesday, April 26, 2011 5:00 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] More UDP 'attention'
>
> ----------- nsp-security Confidential --------
>
> We're receiving another UDP/53 attack with a new target this time:
>
> Target:               204.69.234.1 & 204.74.101.1
> DST Proto/Port:       UDP/53
> Length:               55 bytes
> Source ports:         Various
> Source IP's:          Spoofed/tons
>
> We're seeing around 1.5 Mpps hitting our two west coast data centers
> almost exclusively and the sources are obviously spoofed
> (unfortunately).
> The packet itself is malformed but interestingly includes a domain:
> boxun.com.  Presumably the target.
>
> I realize without sources it's difficult, but if any backbone folks
> could take a look at flows to the above two destinations and notice
> anything that would help track back source networks and such, that
> might be helpful.
>  Thanks!
>
> --
> Link King
> link.king at neustar.com
>
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-
> security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________

This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
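The interface-spread check Donald describes above, written out as an added example (not code from the thread or from either poster): for an IP of interest it compares the set of input interfaces (sif) on flows carrying that IP as source with the set of output interfaces (dif) on flows sent toward it. A wide sif spread with a single return dif is not explained by multipath, so the source addresses are spoofed. The flow records, interface numbers and the 198.51.100.x / 203.0.113.4 addresses are constructed sample data; only the victim IP comes from the thread.

```python
"""Netflow heuristic for spoofed sources in a DNS-reflection attack.

Added example; the flow tuples below are constructed sample data.
Record layout: (src_ip, dst_ip, src_port, dst_port, sif, dif)
"""
from collections import Counter

SAMPLE_FLOWS = [
    # Packets carrying the victim as source arrive on many input interfaces
    ("204.74.101.1", "198.51.100.7", 53, 4021, 17, 88),
    ("204.74.101.1", "198.51.100.8", 53, 4022, 93, 71),
    ("204.74.101.1", "198.51.100.9", 53, 4023, 140, 88),
    ("204.74.101.1", "198.51.100.10", 53, 4024, 208, 19),
    # A single real sender: same sif every time, one output interface (351)
    # toward the victim, i.e. no alternate return paths
    ("203.0.113.4", "204.74.101.1", 4021, 53, 12, 351),
    ("203.0.113.4", "204.74.101.1", 4022, 53, 12, 351),
    ("203.0.113.4", "204.74.101.1", 4023, 53, 12, 351),
    ("203.0.113.4", "204.74.101.1", 4024, 53, 12, 351),
]


def interface_spread(flows, ip):
    """Distinct sifs for packets FROM ip and distinct difs for packets TO ip."""
    sifs = {f[4] for f in flows if f[0] == ip}
    difs = {f[5] for f in flows if f[1] == ip}
    return sifs, difs


def classify_source(flows, ip):
    """Apply the thread's reasoning to one source address."""
    sifs, difs = interface_spread(flows, ip)
    if len(sifs) <= 1:
        return "consistent"   # one ingress interface: plausibly a real sender
    if len(difs) == 1:
        return "spoofed"      # fan-in from everywhere but a single return path
    return "ambiguous"        # many return paths too: could be multipath


def report(flows, min_flows=2):
    """Classify every source IP seen in at least min_flows records."""
    counts = Counter(f[0] for f in flows)
    return {ip: classify_source(flows, ip)
            for ip, n in counts.items() if n >= min_flows}


if __name__ == "__main__":
    for ip, verdict in report(SAMPLE_FLOWS).items():
        print(f"{ip:15} {verdict}")
```

With real exporter data, feed `report` the parsed records instead of `SAMPLE_FLOWS`; the "ambiguous" verdict is where a second data source (BGP paths or the peer's own flows) is needed before calling the sources spoofed.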