[nsp-sec] [EXTERNAL] Re: 9001: New UDP amplification port?
Borja Marcos
borjamar at sarenet.es
Thu Jul 15 14:43:15 EDT 2021
On 15 Jul 2021, at 17:27, Compton, Rich A <Rich.Compton at charter.com> wrote:
> What's the TLP level for this info? Can we share this in other trust groups related to DDoS? I have started seeing spikes in UDP port 9001 today that could be DDoS amp traffic.
Interesting. I would say TLP-AMBER. When I contacted them I promised not to make noise, discussing it only with trusted researchers.
The way I associated it with Ruckus was simple. I picked up a handful of the source addresses and I searched on Alienvault. Turned out all of them were associated with Ruckus stuff.
BTW the cat is almost out of the box. I have found this doing a search for “udp port 9001 ddos”
http://webcache.googleusercontent.com/search?q=cache:RUsb20cG5GQJ:https://forums.ruckuswireless.com/conversations/smartcell-insight-sci/smartzone100-product-has-security-vulnerabilitieshackers-can-use-udp9001-port-to-launch-ddos-reflection-amplification-attack/60e2e826343e2b0bb01b8590?commentId%3D60e2f5dbcddb2601c40aae69&client=safari&hl=en&gl=es&strip=1&vwsrc=0
Seems they deleted/hid the post but Google cached it.
Our attack was really low volume. How was yours?
Cheers,
Borja.