[nsp-sec] DNS Reflection DDoS
Felix Schueren
felix.schueren at hosteurope.de
Tue Mar 1 03:18:57 EST 2011
Dear colleagues,
>
>> We have been getting hit with a DNS reflection attack. Here are the specs:
>>
>> It's currently hitting 204.74.115.1, though it's hit a few different IPs
>> of ours. It's an ANY query for isc.org with the EDNS option set to 4096.
>>
>> Looks like this:
>>
>> 23:55:09.105010 00:19:e2:2d:45:79 > 00:30:48:cb:86:f0, ethertype IPv4
>> (0x0800), length 78: (tos 0x0, ttl 235, id 50959, offset 0, flags
>> [none], proto: UDP (17), length: 64) 204.74.109.1.25345 >
>> 204.74.103.145.53: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT
>> UDPsize=4096 (36)
>
> FYI - That timestamp is from a previous event, similar in nature. This
> latest one started around 01:52 GMT. Of note ... the spoofed source port
> is always 25345.
>
We saw a few large spikes in traffic (up to ~5Gbit/sec) regarding port
25345 tonight, not sure if that's backscatter or if those hosted
machines were actually attackers. What I found odd is a bit of traffic
seen to dst port 25345 that was not from src port 53, see attached file.
All of those machines are rented servers, so getting more information on
them is going to be rather difficult - is there anything else I should
look for in my (sampled) flow data?
The number of unique source IPs hitting dst udp/25345 was approx. 4600
(from ~1k different /16s), so I'm really not sure what to make of this.
Kind regards,
Felix
--
Felix Schüren
Head of Network
-----------------------------------------------------------------------
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - 51149 Köln - Germany
Telephone: 0800 467 8387 - Fax: +49 180 5 66 3233 (*)
HRB 28495 Amtsgericht Köln - VAT ID: DE187370678
Managing Director: Patrick Pulvermüller
(*) EUR 0.14/min from German landlines; max. EUR 0.42/min from
German mobile networks
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tcp_dst_port_25435-ddos-2011-03-01_as20773.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20110301/17a1dee9/attachment-0001.txt>
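The triage Felix is asking about, as an added example that is not part of the original post or of the attached file: it rebuilds the 36-byte ANY/EDNS0 query shown in the quoted tcpdump line (to see why a 64-byte IP datagram can draw a response of up to 4096 bytes), then runs over a handful of constructed flow records and separates reflected replies (src udp/53 to dst udp/25345) from the odd non-53 traffic to 25345 and from queries leaving with source port 25345, counting unique sources and /16s the way the post does. The flow field order, the 192.0.2.0/24 "our network" prefix and all addresses are assumptions for illustration; real flow exports (nfdump, sFlow) need a matching parser.

```python
"""Triage of sampled flow records during a DNS reflection event.

Added example, not code from the original thread. The flow lines below are
constructed; the field order "ts proto src sport dst dport pkts bytes" and the
local prefix 192.0.2.0/24 are assumptions, not the format of the attachment.
"""
import ipaddress
import struct

REFLECTED_PORT = 25345          # spoofed source port named in the thread
DNS_PORT = 53
QUERY_IP_LEN = 64               # IP length of the query in the quoted tcpdump
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]   # assumption

SAMPLE_FLOWS = """\
2011-03-01T01:52:10 UDP 198.51.100.7 53 192.0.2.10 25345 3 9200
2011-03-01T01:52:11 UDP 198.51.100.8 53 192.0.2.10 25345 2 6100
2011-03-01T01:52:11 UDP 203.0.113.44 53 192.0.2.10 25345 4 12300
2011-03-01T01:52:12 UDP 203.0.113.200 40000 192.0.2.10 25345 1 64
2011-03-01T01:52:13 UDP 192.0.2.55 25345 198.51.100.7 53 10 640
2011-03-01T01:52:13 UDP 203.0.113.9 25345 198.51.100.8 53 10 640
2011-03-01T01:52:14 TCP 203.0.113.5 443 192.0.2.20 51000 8 4200
"""


def build_any_query(name="isc.org", udp_payload=4096, txid=10809):
    """DNS payload of 'ANY? isc.org.' with an EDNS0 OPT RR (UDPsize=4096).

    12-byte header + 13-byte question + 11-byte OPT RR = 36 bytes, which is
    the '(36)' tcpdump prints; with 20 IP + 8 UDP bytes that is IP length 64.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 Q, 1 AR
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 255, 1)            # QTYPE ANY, QCLASS IN
    # OPT RR: root name, type 41, CLASS carries the requester's UDP payload size,
    # TTL carries extended RCODE/version/flags (all zero), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, proto, src, sport, dst, dport, pkts, nbytes = line.split()
        rows.append({"ts": ts, "proto": proto, "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "pkts": int(pkts),
                     "bytes": int(nbytes)})
    return rows


def classify(f):
    """Bucket one flow by the port pattern of the attack."""
    if f["proto"] != "UDP":
        return "unrelated"
    if f["dport"] == REFLECTED_PORT and f["sport"] == DNS_PORT:
        return "reflected_reply"          # answers hitting the spoofed victim port
    if f["dport"] == REFLECTED_PORT:
        return "non53_to_25345"           # the oddity noted in the post
    if f["sport"] == REFLECTED_PORT and f["dport"] == DNS_PORT:
        return "query_from_25345"         # (spoofed) queries towards resolvers
    return "unrelated"


def summarize(flows, query_ip_len=QUERY_IP_LEN):
    cats = {}
    for f in flows:
        c = cats.setdefault(classify(f), {"flows": 0, "pkts": 0, "bytes": 0})
        c["flows"] += 1
        c["pkts"] += f["pkts"]
        c["bytes"] += f["bytes"]
    to_port = [f for f in flows if f["proto"] == "UDP" and f["dport"] == REFLECTED_PORT]
    srcs = {f["src"] for f in to_port}
    slash16 = {str(ipaddress.ip_network(f"{s}/16", strict=False)) for s in srcs}
    refl = cats.get("reflected_reply", {"pkts": 0, "bytes": 0})
    per_pkt = refl["bytes"] / refl["pkts"] if refl["pkts"] else 0.0
    return {"categories": cats,
            "unique_sources_to_port": len(srcs),
            "unique_slash16": len(slash16),
            "reply_bytes_per_pkt": round(per_pkt, 1),
            # reply size relative to the 64-byte query: the amplification factor
            "amplification": round(per_pkt / query_ip_len, 1) if per_pkt else 0.0}


def foreign_query_sources(flows, our_prefixes=OUR_PREFIXES):
    """Sources of port-25345 -> 53 queries that are not ours.

    Meaningful only for flows exported at egress: a query leaving our edge
    with a source address we do not announce is a spoofed source. The sample
    has no direction field, so this is an assumption about where it was taken.
    """
    out = []
    for f in flows:
        if classify(f) != "query_from_25345":
            continue
        addr = ipaddress.ip_address(f["src"])
        if not any(addr in p for p in our_prefixes):
            out.append(f["src"])
    return sorted(out)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("query payload bytes:", len(build_any_query()))
    print(summarize(flows))
    print("spoofed-looking sources:", foreign_query_sources(flows))
```

With a real export, the two numbers worth tracking over time are the unique-source and /16 counts for traffic to dst udp/25345 (thousands of open resolvers across a thousand /16s is the signature of reflection rather than a botnet talking directly) and the bytes-per-packet of the src-53 flows, which shows how close the resolvers got to the advertised 4096-byte EDNS buffer.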