[nsp-sec] DDoS Attack in progress
Daniel Schwalbe
dfs at uw.edu
Fri Dec 23 17:16:57 EST 2011
Ack AS73. Filtering replies to 178.251.233.35.
-Daniel
--
Daniel Schwalbe, CISSP, CISM, CIPP
Assistant Director of Security Services
Office of the CISO
University of Washington
Phone +1(206) 685-8210 | Email dfs at uw.edu
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Daniel Goscomb
> Sent: Friday, December 23, 2011 1:13 PM
> To: Mike Tancsa
> Cc: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] DDoS Attack in progress
>
> ----------- nsp-security Confidential --------
>
> OK, thanks for the info.
>
> Given it's a reflection attack I have a list of sources used in the last 5 minutes.
> It's too big for this email so I have put it here.
>
> http://admin0.sov.uk.goscomb.net/~dang/srcs.txt
>
>
> Cheers
>
> Dan
>
>
>
> On 23 Dec 2011, at 21:05, Mike Tancsa wrote:
>
> >
> > Oh, never mind. I see now, 178.251.233.35 is the one being spoofed and
> > sent to a bunch of resolvers in my network :(
> >
> > The stream of spoofed packets is coming in to my network (AS11647)
> > via AS174. Perhaps Cogent can trace it from there to see who is generating it.
> >
> > I grabbed a pcap and blocked the inbound udp packets from Cogent to
> > stop my little corner of this reflection attack.
> >
> >
> > 16:02:19.507604 IP 178.251.233.35.53 > 67.43.130.51.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.508076 IP 178.251.233.35.53 > 67.43.140.10.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.529879 IP 178.251.233.35.53 > 64.7.147.176.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.530093 IP 178.251.233.35.53 > 64.7.157.29.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.530329 IP 178.251.233.35.53 > 64.7.147.129.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.530436 IP 178.251.233.35.53 > 64.7.152.188.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.530484 IP 178.251.233.35.53 > 64.7.157.111.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.530489 IP 178.251.233.35.53 > 64.7.141.29.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.530493 IP 178.251.233.35.53 > 64.7.141.17.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.530511 IP 178.251.233.35.53 > 64.7.152.146.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.530630 IP 178.251.233.35.53 > 64.7.135.40.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.774002 IP 178.251.233.35.53 > 64.7.147.176.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.774232 IP 178.251.233.35.53 > 64.7.157.29.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.774286 IP 178.251.233.35.53 > 64.7.157.111.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.774301 IP 178.251.233.35.53 > 64.7.147.129.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.774303 IP 178.251.233.35.53 > 64.7.152.188.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.774459 IP 178.251.233.35.53 > 64.7.152.146.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.774473 IP 178.251.233.35.53 > 64.7.141.29.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.774478 IP 178.251.233.35.53 > 64.7.141.17.53: 952+ [1au] ANY? ripe.net. (38)
> > 16:02:19.774596 IP 178.251.233.35.53 > 64.7.135.40.53: 952+ [1au] ANY? ripe.net. (38)
> >
> >
> >
> > On 12/23/2011 3:55 PM, Mike Tancsa wrote:
> >> ----------- nsp-security Confidential --------
> >>
> >> I am seeing a steady stream, but I am also seeing responses? Let me
> >> see if I can get any access to these customer boxes and see what they
> >> are doing.
> >>
> >>
> >> 15:53:25.477315 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto:
> >> UDP (17), length: 533) 64.7.141.17.53 > 178.251.233.35.53: [udp sum
> >> ok]
> >> 952 q: ANY? ripe.net. 3/13/1 ripe.net. Type46, ripe.net. Type43,
> >> ripe.net. Type43 ns: net. NS d.gtld-servers.net., net. NS
> >> e.gtld-servers.net., net. NS f.gtld-servers.net., net. NS
> >> g.gtld-servers.net., net. NS h.gtld-servers.net., net. NS
> >> i.gtld-servers.net., net. NS j.gtld-servers.net., net. NS
> >> k.gtld-servers.net., net. NS l.gtld-servers.net., net. NS
> >> m.gtld-servers.net., net. NS a.gtld-servers.net., net. NS
> >> b.gtld-servers.net., net. NS c.gtld-servers.net. ar: . OPT
> >> UDPsize=4096
> >> (505)
> >> 15:53:25.477550 IP (tos 0x0, ttl 63, id 58338, offset 0, flags [DF],
> >> proto: UDP (17), length: 468) 64.7.141.29.53 > 178.251.233.35.53:
> >> [udp sum ok] 952 q: ANY? ripe.net. 2/13/9 ripe.net. Type47,
> >> ripe.net. A
> >> 193.0.6.139 ns: net. NS j.gtld-servers.net., net. NS
> >> k.gtld-servers.net., net. NS l.gtld-servers.net., net. NS
> >> m.gtld-servers.net., net. NS a.gtld-servers.net., net. NS
> >> b.gtld-servers.net., net. NS c.gtld-servers.net., net. NS
> >> d.gtld-servers.net., net. NS e.gtld-servers.net., net. NS
> >> f.gtld-servers.net., net. NS g.gtld-servers.net., net. NS
> >> h.gtld-servers.net., net. NS i.gtld-servers.net. ar: c.gtld-servers.net.
> >> A 192.26.92.30, d.gtld-servers.net. A 192.31.80.30, e.gtld-servers.net.
> >> A 192.12.94.30, f.gtld-servers.net. A 192.35.51.30, i.gtld-servers.net.
> >> A 192.43.172.30, j.gtld-servers.net. A 192.48.79.30, k.gtld-servers.net.
> >> A 192.52.178.30, m.gtld-servers.net. A 192.55.83.30, . OPT
> >> UDPsize=4096
> >> (440)
> >> 15:53:25.683529 IP (tos 0x0, ttl 116, id 22787, offset 0, flags
> >> [none],
> >> proto: UDP (17), length: 66) 178.251.233.35.53 > 64.7.141.29.53: [no
> >> cksum] 952+ [1au] ANY? ripe.net. ar: . OPT UDPsize=4096 (38)
> >> 0x0000: 4500 0042 5903 0000 7411 8464 b2fb e923 E..BY...t..d...#
> >> 0x0010: 4007 8d1d 0035 0035 002e 0000 03b8 0100 @....5.5........
> >> 0x0020: 0001 0000 0000 0001 0472 6970 6503 6e65 .........ripe.ne
> >> 0x0030: 7400 00ff 0001 0000 2910 0000 0080 0000 t.......).......
> >> 0x0040: 0000 ..
> >> 15:53:25.683654 IP (tos 0x0, ttl 116, id 22798, offset 0, flags
> >> [none],
> >> proto: UDP (17), length: 66) 178.251.233.35.53 > 64.7.141.17.53: [no
> >> cksum] 952+ [1au] ANY? ripe.net. ar: . OPT UDPsize=4096 (38)
> >> 0x0000: 4500 0042 590e 0000 7411 8465 b2fb e923 E..BY...t..e...#
> >> 0x0010: 4007 8d11 0035 0035 002e 0000 03b8 0100 @....5.5........
> >> 0x0020: 0001 0000 0000 0001 0472 6970 6503 6e65 .........ripe.ne
> >> 0x0030: 7400 00ff 0001 0000 2910 0000 0080 0000 t.......).......
> >> 0x0040: 0000 ..
> >>
> >>
> >> On 12/23/2011 3:25 PM, Daniel Goscomb wrote:
> >>> ----------- nsp-security Confidential --------
> >>>
> >>> Hi All
> >>>
> >>> We have an attack in progress against one of our downstream customers
> >>> which they have asked us to filter. We're currently filtering 2.2Gbps of UDP
> >>> destined to 178.251.233.35 (ports 0 and 53). The source and destination ports
> >>> are always the same (i.e. 0 and 0 or 53 and 53).
> >>>
> >>> There is no DNS server on this box; it's not legitimate traffic. Sources
> >>> appear to be spoofed (3-5 hosts in a row from each /24 that seems to be in
> >>> use).
> >>>
> >>> If you could please check for any flows towards 178.251.233.35 it would
> >>> be appreciated.
> >>>
> >>> Cheers
> >>>
> >>> Dan
> >>>
> >>>
> >>> _______________________________________________
> >>> nsp-security mailing list
> >>> nsp-security at puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/nsp-security
> >>>
> >>> Please do not Forward, CC, or BCC this E-mail outside of the
> >>> nsp-security community. Confidentiality is essential for effective
> >>> Internet security counter-measures.
> >>> _______________________________________________
> >>>
> >>>
> >>
> >>
> >
> >
> > --
> > -------------------
> > Mike Tancsa, tel +1 519 651 3400
> > Sentex Communications, mike at sentex.net Providing Internet services
> > since 1994 www.sentex.net
> > Cambridge, Ontario Canada http://www.tancsa.com/
>
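A defender-side check for the pattern Mike describes above (one address sending port-53-to-port-53 ANY queries for the same name at many different resolvers), written here as an added example rather than anything from the thread: it parses tcpdump summary lines of the form quoted in the capture, flags a source that behaves like a spoofed reflection victim, and computes the amplification ratio from frame sizes. The 192.0.2.10 line in the sample is a constructed benign query for contrast, and the `min_resolvers` threshold is an assumption to tune per network.

```python
import re
from collections import defaultdict

# tcpdump one-line DNS query summary, as quoted in the thread (quote prefixes stripped)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"\d+\+? (?:\[1au\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<plen>\d+)\)$")

# Constructed sample: six lines copied from the capture in the thread plus one made-up
# ordinary client lookup (192.0.2.10 is a documentation address) that must not be flagged.
SAMPLE_CAPTURE = """\
16:02:19.507604 IP 178.251.233.35.53 > 67.43.130.51.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.508076 IP 178.251.233.35.53 > 67.43.140.10.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.529879 IP 178.251.233.35.53 > 64.7.147.176.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.530093 IP 178.251.233.35.53 > 64.7.157.29.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.530329 IP 178.251.233.35.53 > 64.7.147.129.53: 952+ [1au] ANY? ripe.net. (38)
16:02:19.530436 IP 178.251.233.35.53 > 64.7.152.188.53: 952+ [1au] ANY? ripe.net. (38)
16:02:20.001000 IP 192.0.2.10.41234 > 64.7.141.17.53: 4321+ A? www.example.com. (33)
""".splitlines()

def parse_query(line):
    """Fields of one query line as a dict (ports and payload length as ints), else None."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    q = m.groupdict()
    for k in ("sport", "dport", "plen"):
        q[k] = int(q[k])
    return q

def find_reflection_victims(lines, min_resolvers=5):
    """Sources whose every query is a port-53-to-port-53 ANY and that hit >= min_resolvers resolvers."""
    per_src = defaultdict(lambda: {"dsts": set(), "names": set(), "total": 0, "suspect": 0})
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue  # responses and non-DNS lines are ignored here
        s = per_src[q["src"]]
        s["total"] += 1
        s["dsts"].add(q["dst"])
        s["names"].add(q["qname"])
        if q["qtype"] == "ANY" and q["sport"] == q["dport"]:
            s["suspect"] += 1
    return {src: {"resolvers": len(s["dsts"]), "queries": s["total"], "qnames": sorted(s["names"])}
            for src, s in per_src.items()
            if len(s["dsts"]) >= min_resolvers and s["suspect"] == s["total"]}

def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte sent, e.g. 533-byte answer vs 66-byte query."""
    return response_bytes / request_bytes
```

On the exchange captured above (a 66-byte query frame answered with a 533-byte frame), the ratio comes out at roughly 8:1, which is why a resolver that answers ANY for arbitrary clients is worth rate-limiting or closing.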