[nsp-sec] UDP love against AS5539
Jon Lewis
jlewis at lewis.org
Fri Dec 23 09:19:17 EST 2011
On Fri, 23 Dec 2011, Gert Doering wrote:
> one of our customers (large electronics store) seems to have annoyed
> someone, and is now receiving packet love.
>
> Most of the love is extremely dumb and easy to filter - UDP packets (of
> varying size) destined to port 27660.
>
> Total incoming bandwidth is something like 900 mbit/s, and we can stand
> this, so no imminent reactions needed - *but* this is starting to annoy
> me. It started at 17:00 GMT+1 yesterday, and is still ongoing, 16 hours
> later, so maybe a few machines show up on your radar for cleansing...
>
> I'll compile a list of sources that we see and send it to the list
> "real soon now". But we don't know whether this is spoofed - it's UDP,
> after all.
Very interesting. I have a customer who's experienced exactly the same
attack this week, Wednesday starting just before 19:00 GMT, and again
Thursday evening (Friday, 01:10 GMT). Each has been similar in size to what
you've seen.

It's too much for us to just filter, so we've been blackhole routing the
destination IPs to stop the flows. Our target addresses were 209.208.1.162
in Thursday's attack, 209.208.1.163 for Wednesday's attack.
> ... if you see any of this, it's not legit. This is a web server, it has
> nothing but tcp/80 and tcp/443.
Same here...well, there could be other services running, but it's primarily
a web server. The customer is a magazine publisher, so it's not the typical
sort of DDoS target I've seen.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________