[nsp-sec] DDoS Attack in progress
David Freedman
david.freedman at uk.clara.net
Fri Dec 23 16:22:08 EST 2011
ACK 8426. Looks like a reflection attack; I can see your source supposedly sending traffic:
2011-12-23 21:04:56.511 178.251.233.35:53 -> 62.193.196.60:53
2011-12-23 21:05:57.859 178.251.233.35:53 -> 62.193.196.44:53
2011-12-23 21:05:40.453 178.251.233.35:53 -> 62.193.211.236:53
2011-12-23 21:06:57.596 178.251.233.35:53 -> 62.193.219.183:53
2011-12-23 21:05:07.189 178.251.233.35:53 -> 62.193.209.3:53
2011-12-23 21:04:48.725 178.251.233.35:53 -> 62.193.216.104:53
2011-12-23 21:05:00.441 178.251.233.35:53 -> 62.193.208.181:53
2011-12-23 21:06:08.147 178.251.233.35:53 -> 62.193.192.59:53
2011-12-23 21:04:54.825 178.251.233.35:53 -> 62.193.211.170:53
2011-12-23 21:06:13.511 178.251.233.35:53 -> 62.193.210.161:53
We are seeing these sent over the AMS-IX from ECATEL (AS29073), is there anyone from ECATEL on list?
Dan, would you like me to filter these?
Dave.
________________________________________
From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] on behalf of Mike Tancsa [mike at sentex.net]
Sent: 23 December 2011 21:05
To: Daniel Goscomb
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] DDoS Attack in progress
----------- nsp-security Confidential --------
Oh, never mind. I see now, 178.251.233.35 is the one being spoofed and
sent to a bunch of resolvers in my network :(
The stream of spoofed packets is coming in to my network (AS11647) via
AS174. Perhaps Cogent can trace it from there to see who is generating it.
I grabbed a pcap and blocked the inbound udp packets from Cogent to stop
my little corner of this reflection attack.
16:02:19.507604 IP 178.251.233.35.53 > 67.43.130.51.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.508076 IP 178.251.233.35.53 > 67.43.140.10.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.529879 IP 178.251.233.35.53 > 64.7.147.176.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.530093 IP 178.251.233.35.53 > 64.7.157.29.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.530329 IP 178.251.233.35.53 > 64.7.147.129.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.530436 IP 178.251.233.35.53 > 64.7.152.188.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.530484 IP 178.251.233.35.53 > 64.7.157.111.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.530489 IP 178.251.233.35.53 > 64.7.141.29.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.530493 IP 178.251.233.35.53 > 64.7.141.17.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.530511 IP 178.251.233.35.53 > 64.7.152.146.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.530630 IP 178.251.233.35.53 > 64.7.135.40.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.774002 IP 178.251.233.35.53 > 64.7.147.176.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.774232 IP 178.251.233.35.53 > 64.7.157.29.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.774286 IP 178.251.233.35.53 > 64.7.157.111.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.774301 IP 178.251.233.35.53 > 64.7.147.129.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.774303 IP 178.251.233.35.53 > 64.7.152.188.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.774459 IP 178.251.233.35.53 > 64.7.152.146.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.774473 IP 178.251.233.35.53 > 64.7.141.29.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.774478 IP 178.251.233.35.53 > 64.7.141.17.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.774596 IP 178.251.233.35.53 > 64.7.135.40.53: 952+ [1au] ANY? ripe.net. (38)
On 12/23/2011 3:55 PM, Mike Tancsa wrote:
> ----------- nsp-security Confidential --------
>
> I am seeing a steady stream, but I am also seeing responses? Let me
> see if I can get any access to these customer boxes and see what they
> are doing.
>
>
> 15:53:25.477315 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto:
> UDP (17), length: 533) 64.7.141.17.53 > 178.251.233.35.53: [udp sum ok]
> 952 q: ANY? ripe.net. 3/13/1 ripe.net. Type46, ripe.net. Type43,
> ripe.net. Type43 ns: net. NS d.gtld-servers.net., net. NS
> e.gtld-servers.net., net. NS f.gtld-servers.net., net. NS
> g.gtld-servers.net., net. NS h.gtld-servers.net., net. NS
> i.gtld-servers.net., net. NS j.gtld-servers.net., net. NS
> k.gtld-servers.net., net. NS l.gtld-servers.net., net. NS
> m.gtld-servers.net., net. NS a.gtld-servers.net., net. NS
> b.gtld-servers.net., net. NS c.gtld-servers.net. ar: . OPT UDPsize=4096
> (505)
> 0x0000: 4500 0215 0000 4000 3f11 d0a0 4007 8d11 E.....@.?...@...
> 0x0010: b2fb e923 0035 0035 0201 4257 03b8 8180 ...#.5.5..BW....
> 0x0020: 0001 0003 000d 0001 0472 6970 6503 6e65 .........ripe.ne
> 0x0030: 7400 00ff 0001 c00c 002e 0001 0000 4592 t.............E.
> 0x0040: 0097 002b 0802 0001 5180 4ef9 5486 4ef0 ...+....Q.N.T.N.
> 0x0050: 099e a055 036e 6574 0032 a8f5 e3e6 b400 ...U.net.2......
> 0x0060: a2d3 6de8 10cd 342c 60dd ce14 3dcb 77e2 ..m...4,`...=.w.
> 0x0070: fde6 e817 4f7a a0f2 16ab adcd de73 2dff ....Oz.......s-.
> 0x0080: b864 e7ee 6ea3 6c82 63ae d5c4 ffd4 9869 .d..n.l.c......i
> 0x0090: 71a8 026f cffd cfb3 6043 3c78 623c 86aa q..o....`C<xb<..
> 0x00a0: 9ceb 9fb6 915f 39f2 8e20 37cc 3759 60be ....._9...7.7Y`.
> 0x00b0: 7e38 96ec 2873 7190 8568 6711 418a 7ec4 ~8..(sq..hg.A.~.
> 0x00c0: ae96 78b3 f6cc c264 4745 d5e4 3ea5 345b ..x....dGE..>.4[
> 0x00d0: 27ff 7a01 be5c 344a ccc0 0c00 2b00 0100 '.z..\4J....+...
> 0x00e0: 0045 9200 18b8 9405 0102 739f 2dd3 9560 .E........s.-..`
> 0x00f0: 789d 7358 1aa6 0f0c db60 73a8 49c0 0c00 x.sX.....`s.I...
> 0x0100: 2b00 0100 0045 9200 24b8 9405 0252 4dbb +....E..$....RM.
> 0x0110: 3b5c d028 da80 9f1a 1b3b afc0 6b62 a170 ;\.(.....;..kb.p
> 0x0120: 644f 729c 4cbd 7e6c ab17 85ab d2c0 3800 dOr.L.~l......8.
> 0x0130: 0200 0100 0045 9100 1101 640c 6774 6c64 .....E....d.gtld
> 0x0140: 2d73 6572 7665 7273 c038 c038 0002 0001 -servers.8.8....
> 0x0150: 0000 4591 0004 0165 c11f c038 0002 0001 ..E....e...8....
> 0x0160: 0000 4591 0004 0166 c11f c038 0002 0001 ..E....f...8....
> 0x0170: 0000 4591 0004 0167 c11f c038 0002 0001 ..E....g...8....
> 0x0180: 0000 4591 0004 0168 c11f c038 0002 0001 ..E....h...8....
> 0x0190: 0000 4591 0004 0169 c11f c038 0002 0001 ..E....i...8....
> 0x01a0: 0000 4591 0004 016a c11f c038 0002 0001 ..E....j...8....
> 0x01b0: 0000 4591 0004 016b c11f c038 0002 0001 ..E....k...8....
> 0x01c0: 0000 4591 0004 016c c11f c038 0002 0001 ..E....l...8....
> 0x01d0: 0000 4591 0004 016d c11f c038 0002 0001 ..E....m...8....
> 0x01e0: 0000 4591 0004 0161 c11f c038 0002 0001 ..E....a...8....
> 0x01f0: 0000 4591 0004 0162 c11f c038 0002 0001 ..E....b...8....
> 0x0200: 0000 4591 0004 0163 c11f 0000 2910 0000 ..E....c....)...
> 0x0210: 0080 0000 00 .....
> 15:53:25.477550 IP (tos 0x0, ttl 63, id 58338, offset 0, flags [DF],
> proto: UDP (17), length: 468) 64.7.141.29.53 > 178.251.233.35.53: [udp
> sum ok] 952 q: ANY? ripe.net. 2/13/9 ripe.net. Type47, ripe.net. A
> 193.0.6.139 ns: net. NS j.gtld-servers.net., net. NS
> k.gtld-servers.net., net. NS l.gtld-servers.net., net. NS
> m.gtld-servers.net., net. NS a.gtld-servers.net., net. NS
> b.gtld-servers.net., net. NS c.gtld-servers.net., net. NS
> d.gtld-servers.net., net. NS e.gtld-servers.net., net. NS
> f.gtld-servers.net., net. NS g.gtld-servers.net., net. NS
> h.gtld-servers.net., net. NS i.gtld-servers.net. ar: c.gtld-servers.net.
> A 192.26.92.30, d.gtld-servers.net. A 192.31.80.30, e.gtld-servers.net.
> A 192.12.94.30, f.gtld-servers.net. A 192.35.51.30, i.gtld-servers.net.
> A 192.43.172.30, j.gtld-servers.net. A 192.48.79.30, k.gtld-servers.net.
> A 192.52.178.30, m.gtld-servers.net. A 192.55.83.30, . OPT UDPsize=4096
> (440)
> 0x0000: 4500 01d4 e3e2 4000 3f11 ecf2 4007 8d1d E.....@.?...@...
> 0x0010: b2fb e923 0035 0035 01c0 768a 03b8 8180 ...#.5.5..v.....
> 0x0020: 0001 0002 000d 0009 0472 6970 6503 6e65 .........ripe.ne
> 0x0030: 7400 00ff 0001 c00c 002f 0001 0000 1b64 t......../.....d
> 0x0040: 001a 0632 3536 636e 7304 7269 7065 036e ...256cns.ripe.n
> 0x0050: 6574 0000 0762 0100 0800 0380 c00c 0001 et...b..........
> 0x0060: 0001 0000 4594 0004 c100 068b c011 0002 ....E...........
> 0x0070: 0001 0001 178c 0011 016a 0c67 746c 642d .........j.gtld-
> 0x0080: 7365 7276 6572 73c0 11c0 1100 0200 0100 servers.........
> 0x0090: 0117 8c00 0401 6bc0 5ec0 1100 0200 0100 ......k.^.......
> 0x00a0: 0117 8c00 0401 6cc0 5ec0 1100 0200 0100 ......l.^.......
> 0x00b0: 0117 8c00 0401 6dc0 5ec0 1100 0200 0100 ......m.^.......
> 0x00c0: 0117 8c00 0401 61c0 5ec0 1100 0200 0100 ......a.^.......
> 0x00d0: 0117 8c00 0401 62c0 5ec0 1100 0200 0100 ......b.^.......
> 0x00e0: 0117 8c00 0401 63c0 5ec0 1100 0200 0100 ......c.^.......
> 0x00f0: 0117 8c00 0401 64c0 5ec0 1100 0200 0100 ......d.^.......
> 0x0100: 0117 8c00 0401 65c0 5ec0 1100 0200 0100 ......e.^.......
> 0x0110: 0117 8c00 0401 66c0 5ec0 1100 0200 0100 ......f.^.......
> 0x0120: 0117 8c00 0401 67c0 5ec0 1100 0200 0100 ......g.^.......
> 0x0130: 0117 8c00 0401 68c0 5ec0 1100 0200 0100 ......h.^.......
> 0x0140: 0117 8c00 0401 69c0 5ec0 c900 0100 0100 ......i.^.......
> 0x0150: 0117 8b00 04c0 1a5c 1ec0 d900 0100 0100 .......\........
> 0x0160: 008d d500 04c0 1f50 1ec0 e900 0100 0100 .......P........
> 0x0170: 007b ee00 04c0 0c5e 1ec0 f900 0100 0100 .{.....^........
> 0x0180: 00f5 ea00 04c0 2333 1ec1 2900 0100 0100 ......#3..).....
> 0x0190: 007b ee00 04c0 2bac 1ec0 5c00 0100 0100 .{....+...\.....
> 0x01a0: 012f 7c00 04c0 304f 1ec0 7900 0100 0100 ./|...0O..y.....
> 0x01b0: 007b ee00 04c0 34b2 1ec0 9900 0100 0100 .{....4.........
> 0x01c0: 0132 1100 04c0 3753 1e00 0029 1000 0000 .2....7S...)....
> 0x01d0: 0000 0000 ....
> 15:53:25.683529 IP (tos 0x0, ttl 116, id 22787, offset 0, flags [none],
> proto: UDP (17), length: 66) 178.251.233.35.53 > 64.7.141.29.53: [no
> cksum] 952+ [1au] ANY? ripe.net. ar: . OPT UDPsize=4096 (38)
> 0x0000: 4500 0042 5903 0000 7411 8464 b2fb e923 E..BY...t..d...#
> 0x0010: 4007 8d1d 0035 0035 002e 0000 03b8 0100 @....5.5........
> 0x0020: 0001 0000 0000 0001 0472 6970 6503 6e65 .........ripe.ne
> 0x0030: 7400 00ff 0001 0000 2910 0000 0080 0000 t.......).......
> 0x0040: 0000 ..
> 15:53:25.683654 IP (tos 0x0, ttl 116, id 22798, offset 0, flags [none],
> proto: UDP (17), length: 66) 178.251.233.35.53 > 64.7.141.17.53: [no
> cksum] 952+ [1au] ANY? ripe.net. ar: . OPT UDPsize=4096 (38)
> 0x0000: 4500 0042 590e 0000 7411 8465 b2fb e923 E..BY...t..e...#
> 0x0010: 4007 8d11 0035 0035 002e 0000 03b8 0100 @....5.5........
> 0x0020: 0001 0000 0000 0001 0472 6970 6503 6e65 .........ripe.ne
> 0x0030: 7400 00ff 0001 0000 2910 0000 0080 0000 t.......).......
> 0x0040: 0000 ..
>
>
> On 12/23/2011 3:25 PM, Daniel Goscomb wrote:
>> ----------- nsp-security Confidential --------
>>
>> Hi All
>>
>> We have an attack in progress against one of our downstream customers which they have asked us to filter. We're currently filtering 2.2Gbps of UDP destined to 178.251.233.35 (ports 0 and 53). The source and destination ports are always the same (i.e. 0 and 0 or 53 and 53).
>>
>> There is no DNS server on this box; it's not legitimate traffic. Sources appear to be spoofed (3-5 hosts in a row from each /24 that seems to be in use).
>>
>> If you could please check for any flows towards 178.251.233.35 it would be appreciated.
>>
>> Cheers
>>
>> Dan
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
>>
>>
>
>
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
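The thread above describes the fingerprint of a DNS reflection attack as seen from a resolver operator's side: one address (the victim, 178.251.233.35) apparently sending identical `ANY? ripe.net.` queries with query id 952 and source port 53 to many resolvers, each 38-byte query answered with a 440- or 505-byte response back toward that address. As an added illustration, which is not code from the thread or from any of its participants, the following Python script parses tcpdump-style one-liners and applies those indicators to pick out the spoofed victim address and compute the amplification factor. The sample lines are constructed for this example, modelled on the capture quoted in the thread; the thresholds (`min_resolvers`, the 5x amplification cut-off, the three-indicator rule) are assumptions chosen for the demonstration.

```python
"""Heuristic detector for DNS reflection traffic in tcpdump one-liners.

Indicators used (all visible in the thread's capture):
  * many distinct resolvers queried by one claimed source address
  * source port == destination port == 53 on every query
  * one query id reused across all queries
  * ANY queries (large answers)
  * answers flowing back toward the claimed source that are many times
    the size of the query
"""
import re
from collections import defaultdict

# Constructed sample lines (not the original capture), modelled on the
# tcpdump output quoted in the thread plus one ordinary client query.
SAMPLE_LINES = [
    "16:02:19.507604 IP 178.251.233.35.53 > 67.43.130.51.53: 952+ [1au] ANY? ripe.net. (38)",
    "16:02:19.508076 IP 178.251.233.35.53 > 67.43.140.10.53: 952+ [1au] ANY? ripe.net. (38)",
    "16:02:19.529879 IP 178.251.233.35.53 > 64.7.147.176.53: 952+ [1au] ANY? ripe.net. (38)",
    "16:02:19.530093 IP 178.251.233.35.53 > 64.7.157.29.53: 952+ [1au] ANY? ripe.net. (38)",
    "16:02:19.530329 IP 178.251.233.35.53 > 64.7.147.129.53: 952+ [1au] ANY? ripe.net. (38)",
    "15:53:25.477315 IP 64.7.141.17.53 > 178.251.233.35.53: 952 q: ANY? ripe.net. 3/13/1 (505)",
    "15:53:25.477550 IP 64.7.141.29.53 > 178.251.233.35.53: 952 q: ANY? ripe.net. 2/13/9 (440)",
    "16:02:20.000000 IP 10.0.0.7.41532 > 64.7.141.17.53: 1234+ A? example.com. (29)",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<qid>\d+)(?P<rd>\+?) (?P<body>.*)\((?P<size>\d+)\)$"
)
# tcpdump prints answer/authority/additional counts (e.g. 3/13/1) only on responses.
RESPONSE_RE = re.compile(r"\b\d+/\d+/\d+\b")


def parse_line(line):
    """Parse one tcpdump DNS line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "qid", "size"):
        rec[key] = int(rec[key])
    rec["is_response"] = bool(RESPONSE_RE.search(rec["body"]))
    qtype = re.search(r"\b([A-Z]+)\? ", rec["body"])
    rec["qtype"] = qtype.group(1) if qtype else None
    return rec


def analyze(lines):
    """Group parsed lines by the address the queries claim to come from."""
    stats = defaultdict(lambda: {
        "queries": 0, "resolvers": set(), "qids": set(),
        "same_port_53": 0, "any_queries": 0,
        "query_bytes": [], "response_bytes": [],
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["is_response"]:
            # Answers go back to the claimed source, i.e. toward the victim.
            stats[rec["dst"]]["response_bytes"].append(rec["size"])
            continue
        s = stats[rec["src"]]
        s["queries"] += 1
        s["resolvers"].add(rec["dst"])
        s["qids"].add(rec["qid"])
        s["query_bytes"].append(rec["size"])
        if rec["sport"] == rec["dport"] == 53:
            s["same_port_53"] += 1
        if rec["qtype"] == "ANY":
            s["any_queries"] += 1
    return stats


def amplification(s):
    """Largest response seen divided by the smallest query seen (UDP payload bytes)."""
    if not s["query_bytes"] or not s["response_bytes"]:
        return 0.0
    return max(s["response_bytes"]) / min(s["query_bytes"])


def flag_reflection(stats, min_resolvers=3):
    """Return {claimed_source: [reasons]} for addresses that look spoofed and reflected."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if len(s["resolvers"]) >= min_resolvers:
            reasons.append(f"{len(s['resolvers'])} distinct resolvers hit")
        if s["queries"] and s["same_port_53"] == s["queries"]:
            reasons.append("every query has sport == dport == 53")
        if s["queries"] >= min_resolvers and len(s["qids"]) == 1:
            reasons.append("identical query id across all queries")
        if s["any_queries"]:
            reasons.append(f"{s['any_queries']} ANY queries")
        amp = amplification(s)
        if amp >= 5:  # assumed cut-off for this example
            reasons.append(f"amplification {amp:.1f}x")
        if len(reasons) >= 3:  # assumed rule: several indicators together
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_reflection(analyze(SAMPLE_LINES)).items():
        print(f"{ip}: probable reflection victim; {'; '.join(reasons)}")
```

On the constructed sample the 38-byte `ANY` query against the 505-byte answer gives roughly 13x amplification, which is why a single spoofed address fanned out across many open resolvers adds up to the multi-gigabit stream Dan describes; the ordinary `A?` query from a high source port is left unflagged.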