[nsp-sec] DoS attack to 164.67.228.152
JASON CHAMBERS
jchambers at ucla.edu
Tue Jul 28 12:13:08 EDT 2020
Yes, thanks. I used to work for our upstream so I'm familiar with their
dense peering network and traceback potential, I reached out to them in
parallel to this nsp-sec inquiry.
I didn't consider the possibility of a single source.
Just now finished a larger query for the entire timespan.... I've never
seen so many spoofed IPs before when analyzing a DoS attack... does say
something about the upstream filters. 197m source IPs, I'm sure some are
legitimate, but that site is very low volume on average.
dIP| dPort| sIP-Distinct| Bytes| Packets| Records| sTime-Earliest| eTime-Latest|
164.67.228.152| 80| 197983585| 84765195656| 1513734218| 1503204248| 2020/07/26T20:00:22| 2020/07/27T01:58:38|
--Jason
On Tue, Jul 28, 2020 at 3:37 PM Damian Menscher <damian at google.com> wrote:
> That sounds like a spoofed synflood from a single source, not a serious
> botnet attack (which would have been 1000 times larger). Best approach is
> to ask your upstream to determine which link the packets ingressed, and
> chase it back that way. Once the source network has been identified, their
> upstream should apply filters to prevent their customer from sending more
> spoofed packets.
>
> Worth fixing any gear that falls over under such a minor attack... in
> general you should avoid stateful devices at the network level.
>
> Damian
>
> On Tue, Jul 28, 2020 at 8:28 AM JASON CHAMBERS <jchambers at ucla.edu> wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> Hello all,
>>
>>
>> Over the weekend we experienced a brief DoS attack to our main site
>> www.ucla.edu (164.67.228.152). It lasted a few hours and peaked about 60
>> Mbps / 150k pps, during which it overflowed the state table in the ASA
>> fronting that site. Small event by NSP measurements but maybe of interest
>> to some.
>>
>>
>> Rough start/stop times (UTC):
>>
>> 2020-07-26 22:00 to 2020-07-27 01:30
>>
>>
>> Attack signature:
>>
>> SYN Flood, 52 byte packets. ~260k unique Source IPs.
>>
>>
>> If you turn up anything mildly interesting we'd enjoy hearing about it.
>>
>>
>> Thanks,
>>
>> --Jason
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security
>> counter-measures.
>> _______________________________________________
>>
>
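The per-destination summary pasted earlier in this message (distinct source IPs, bytes, packets, records, earliest start and latest end time for a dIP/dPort pair) is the kind of aggregate that makes a spoofed SYN flood stand out: many distinct sources, one-packet SYN-only flows, small fixed packet size. The script below is an added example, not code from the thread or from any tool the posters used. It reproduces that aggregation over a constructed set of pipe-delimited flow records (documentation-range addresses) and adds a simple SYN-only ratio check; the record layout, the "S"-only flag convention and the ratio threshold are this example's own assumptions, not SiLK's.

```python
"""Aggregate flow records by (dIP, dPort) into the columns shown in the
thread's summary and flag destinations where most flows are SYN-only.

Added example: the flow records below are constructed, not from the thread.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample flows, pipe-delimited (assumed layout for this example):
# sIP|dIP|dPort|proto|packets|bytes|flags|sTime|eTime
SAMPLE_FLOWS = """\
203.0.113.10|192.0.2.80|80|6|1|52|S|2020/07/26T22:00:01|2020/07/26T22:00:01
203.0.113.11|192.0.2.80|80|6|1|52|S|2020/07/26T22:00:02|2020/07/26T22:00:02
198.51.100.7|192.0.2.80|80|6|1|52|S|2020/07/26T22:00:02|2020/07/26T22:00:02
203.0.113.10|192.0.2.80|80|6|1|52|S|2020/07/26T22:05:00|2020/07/26T22:05:00
198.51.100.200|192.0.2.80|80|6|12|6140|SAPF|2020/07/26T22:01:00|2020/07/26T22:01:03
198.51.100.201|192.0.2.80|443|6|9|4802|SAPF|2020/07/27T01:30:00|2020/07/27T01:30:02
"""

TIME_FMT = "%Y/%m/%dT%H:%M:%S"


@dataclass
class FlowSummary:
    sips: set                      # distinct source IPs seen for this key
    bytes: int = 0
    packets: int = 0
    records: int = 0
    syn_only: int = 0              # flows whose flag set is exactly SYN
    stime_earliest: datetime = None
    etime_latest: datetime = None


def parse_flows(text):
    """Yield one dict per non-blank line of the pipe-delimited input."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sip, dip, dport, proto, pkts, byts, flags, st, et = line.split("|")
        yield {
            "sip": sip, "dip": dip, "dport": int(dport), "proto": int(proto),
            "packets": int(pkts), "bytes": int(byts), "flags": flags,
            "stime": datetime.strptime(st, TIME_FMT),
            "etime": datetime.strptime(et, TIME_FMT),
        }


def summarize(text):
    """Group flows by (dIP, dPort) and compute the per-group columns."""
    groups = {}
    for f in parse_flows(text):
        key = (f["dip"], f["dport"])
        s = groups.get(key)
        if s is None:
            s = groups[key] = FlowSummary(sips=set())
        s.sips.add(f["sip"])
        s.bytes += f["bytes"]
        s.packets += f["packets"]
        s.records += 1
        if f["flags"] == "S":
            s.syn_only += 1
        if s.stime_earliest is None or f["stime"] < s.stime_earliest:
            s.stime_earliest = f["stime"]
        if s.etime_latest is None or f["etime"] > s.etime_latest:
            s.etime_latest = f["etime"]
    return groups


def syn_flood_suspects(groups, min_syn_ratio=0.5, min_records=3):
    """Return (dIP, dPort) keys where at least min_syn_ratio of the flows
    are SYN-only. A busy legitimate service shows mostly completed
    handshakes, so a high SYN-only share across many distinct sources is
    the signature described in the thread. Thresholds are assumptions."""
    return [key for key, s in groups.items()
            if s.records >= min_records
            and s.syn_only / s.records >= min_syn_ratio]


def format_table(groups):
    """Render the groups in the same column order as the thread's summary."""
    rows = ["dIP|dPort|sIP-Distinct|Bytes|Packets|Records|"
            "sTime-Earliest|eTime-Latest"]
    for (dip, dport), s in sorted(groups.items()):
        rows.append("|".join([
            dip, str(dport), str(len(s.sips)), str(s.bytes), str(s.packets),
            str(s.records), s.stime_earliest.strftime(TIME_FMT),
            s.etime_latest.strftime(TIME_FMT)]))
    return "\n".join(rows)


if __name__ == "__main__":
    g = summarize(SAMPLE_FLOWS)
    print(format_table(g))
    print("suspects:", syn_flood_suspects(g))
```

On the constructed input, the port 80 row shows 4 distinct sources over 5 records with 4 SYN-only flows, so it is reported as a suspect, while the single completed port 443 session is not. Comparing sIP-Distinct against the site's normal baseline, as the message does, is what separates a spoofed flood from ordinary load.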