[nsp-sec] Spoofed DDoS traceback request / experiment
J. Chambers
jchambers at ucla.edu
Fri Dec 1 11:32:35 EST 2017
It might help your overall effort to attribute the recon of
amplification sources, maybe there is some overlap in the use of origin
ASNs for both the recon and deployment of DrDoS attacks.
OriginASN --(recon/spoof_attack)--> AmplifierASN -> TargetASN
Our network is constantly bombarded with recon attempts for the well
known services vulnerable to amplification. (Of course, we also have
some of our assets abused for attacks on occasion.)
For example, considering MSSQL 1433, below are the top 50 sources from
the past 30 days. The format is Origin ASN, Source IP, unique
destinations, total flows, first seen and last seen. Looks like all of
them are constantly hunting for amplifiers. (i.e., the first-seen field
is superfluous here)
To follow up on that idea, use Shodan to cull a list of all potential
amplification source IPs based on amplifier vulnerable services. Then
translate that list to possible AmplifierASNs lacking BCP38/filtering
support. Using a very slow pulse of 1 packet per 30 minutes or
something it would be possible to map out BCP38 compliance paths from
various points on the internet by spoofing traffic to generate replies
to known collectors. Potentially that would map out the paths where
potential (unwitting) collaboration exists between OriginASN and
AmplifierASN due to lack of filtering. It may be that filtering at only
a few ASNs would disrupt a decent percentage of spoofed traffic paths.
Is there prior research on this?
Regards,
--Jason
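The per-source recon summary the post describes (origin ASN, source IP, unique destinations, total flows, first and last seen, ranked by unique destinations) together with the origin-ASN overlap check it suggests, as an added example that is not code from the original post. The flow records and ASNs are constructed; the attack-source ASN list given to `asn_overlap` is a hypothetical input a defender would take from their own DrDoS incident records.

```python
# Added example (not from the original post): build the post's per-source
# table from flow records and check origin-ASN overlap between amplifier
# recon and spoofed-attack sources. All data below is constructed.
from datetime import datetime

# Constructed flow records: (timestamp, origin_asn, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("2017-11-01 00:00:00", 4134, "192.0.2.10", "198.51.100.1", 1433),
    ("2017-11-01 00:05:00", 4134, "192.0.2.10", "198.51.100.2", 1433),
    ("2017-11-01 00:10:00", 4134, "192.0.2.10", "198.51.100.2", 1433),
    ("2017-11-02 12:00:00", 4134, "192.0.2.10", "198.51.100.3", 1433),
    ("2017-11-01 01:00:00", 64496, "192.0.2.20", "198.51.100.1", 1433),
    ("2017-11-01 01:00:00", 64496, "192.0.2.20", "198.51.100.1", 1433),
    ("2017-11-03 09:00:00", 64497, "192.0.2.30", "198.51.100.9", 443),
]


def summarize_recon(flows, port=1433, top=50):
    """Rows of (asn, host, unique_dsts, total_flows, first_seen, last_seen)
    for sources that touched `port`, ranked by unique destinations then flows.
    Many unique destinations with few flows each is the scanner signature."""
    stats = {}
    for ts, asn, src, dst, dport in flows:
        if dport != port:
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        s = stats.setdefault((asn, src),
                             {"dsts": set(), "flows": 0, "first": t, "last": t})
        s["dsts"].add(dst)
        s["flows"] += 1
        s["first"] = min(s["first"], t)
        s["last"] = max(s["last"], t)
    rows = [(asn, src, len(s["dsts"]), s["flows"], s["first"], s["last"])
            for (asn, src), s in stats.items()]
    rows.sort(key=lambda r: (-r[2], -r[3]))
    return rows[:top]


def asn_overlap(recon_rows, attack_asns):
    """Origin ASNs that appear both as amplifier-recon sources and in a
    (hypothetical, caller-supplied) list of spoofed-attack origin ASNs."""
    return sorted({r[0] for r in recon_rows} & set(attack_asns))


if __name__ == "__main__":
    for row in summarize_recon(SAMPLE_FLOWS):
        print(" | ".join(str(c) for c in row))
    print("shared origin ASNs:", asn_overlap(summarize_recon(SAMPLE_FLOWS), [64496, 64500]))
```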