[nsp-sec] DNS Reflection DDoS
Smith, Donald
Donald.Smith at qwest.com
Tue Mar 1 08:17:11 EST 2011
At that sampling rate 1 doesn't really mean 1k packets.
It could be 1 packet or 1k and with truly random sampling either is just as likely as the other.
The 4 packet example is probably somewhere between 2k and 3k.
It would be interesting to see proto udp and src port 53 and dst port 25345.
That may or may not match the first two queries.
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com
________________________________________
From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] On Behalf Of Felix Schueren [felix.schueren at hosteurope.de]
Sent: Tuesday, March 01, 2011 1:18 AM
To: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] DNS Reflection DDoS
Dear colleagues,
>
>> We have been getting hit with a DNS reflection attack. Here are the specs:
>>
>> It's currently hitting 204.74.115.1, though it's hit a few different IPs
>> of ours. It's an ANY query for isc.org with the EDNS option set to 4096.
>>
>> Looks like this:
>>
>> 23:55:09.105010 00:19:e2:2d:45:79> 00:30:48:cb:86:f0, ethertype IPv4
>> (0x0800), length 78: (tos 0x0, ttl 235, id 50959, offset 0, flags
>> [none], proto: UDP (17), length: 64) 204.74.109.1.25345>
>> 204.74.103.145.53: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT
>> UDPsize=4096 (36)
>
> FYI - That timestamp is from previous event similar in nature. This
> latest one started around 01:52 GMT. Of note ... The spoofed source port
> is always 25345.
>
We saw a few large spikes in traffic (up to ~5Gbit/sec) regarding port
25345 tonight, not sure if that's backscatter or if those hosted
machines were actually attackers. What I found odd is a bit of traffic
seen to dst port 25345 that was not from src port 53, see attached file.
All of those machines are rented servers, so getting more information on
them is going to be rather difficult - is there anything else I should
look for in my (sampled) flow data?
The amount of unique source IPs hitting dst udp/25345 was approx 4600
(from ~1k different /16s), so I'm really not sure what to make of this.
Kind regards,
Felix
--
Felix Schüren
Head of Network
-----------------------------------------------------------------------
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - 51149 Köln - Germany
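Felix asks what else to look for in sampled flow data, and Donald's reply shows why a single sampled packet says little about the real count. The following added example (my code, not from either poster) buckets constructed flow records by the ports discussed in the thread and attaches a rough confidence range to the sampled counts; the 1:1000 sampling rate, the record layout and the addresses are all assumptions.

```python
from collections import defaultdict
from math import sqrt

SAMPLE_RATE = 1000          # 1:1000 packet sampling (assumed)
Z95 = 1.96                  # normal approximation of a Poisson 95% interval

# Constructed flow records, not real data:
# (proto, src_ip, src_port, dst_ip, dst_port, sampled_packets, sampled_bytes)
FLOWS = [
    ("udp", "192.0.2.10",   53,    "204.74.115.1", 25345, 4, 12000),
    ("udp", "198.51.100.7", 53,    "204.74.115.1", 25345, 1, 3000),
    ("udp", "203.0.113.5",  40000, "204.74.115.1", 25345, 1, 90),
    ("udp", "203.0.113.9",  25345, "192.0.2.10",   53,    1, 64),
    ("tcp", "203.0.113.9",  443,   "204.74.115.1", 51234, 2, 1400),
]

def estimate_packets(sampled, rate=SAMPLE_RATE, z=Z95):
    """Point estimate and rough 95% interval for the real packet count behind
    `sampled` sampled packets. The lower bound never drops below the sampled
    count itself: those packets certainly existed."""
    spread = z * sqrt(sampled)
    low = max(sampled, round(rate * (sampled - spread)))
    high = round(rate * (sampled + spread))
    return sampled * rate, low, high

def classify(flow):
    """Bucket a flow by the port pattern described in the thread."""
    proto, _, sport, _, dport, _, _ = flow
    if proto != "udp":
        return "other"
    if dport == 25345 and sport == 53:
        return "dns-reflection"          # reflected responses landing on 25345
    if dport == 25345:
        return "udp/25345-not-from-53"   # the odd traffic Felix mentioned
    if sport == 25345 and dport == 53:
        return "query-from-25345"        # queries leaving with the fixed port
    return "other"

def summarize(flows, rate=SAMPLE_RATE):
    """Per bucket: unique sources, unique /16s and estimated packet range."""
    buckets = defaultdict(lambda: {"srcs": set(), "sampled": 0})
    for f in flows:
        b = buckets[classify(f)]
        b["srcs"].add(f[1])
        b["sampled"] += f[5]
    out = {}
    for name, b in buckets.items():
        nets = {".".join(s.split(".")[:2]) for s in b["srcs"]}
        out[name] = {"unique_src": len(b["srcs"]), "unique_16s": len(nets),
                     "est_packets": estimate_packets(b["sampled"], rate)}
    return out
```

With 1:1000 sampling, four sampled packets give a point estimate of 4000 but an interval from under 100 to nearly 8000, which is why the thread treats single-digit sampled counts with caution.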