Roland Dobbins wrote:
> On Aug 26, 2014, at 6:48 PM, Miles Fidelman <[email protected]> wrote:
>> Immediate issue is dealt with (at least for us, target seems to be off the air)
>> - but want to understand this, report it, all of that.
> IPMI boards are reported as being used in reflection/amplification attacks of
> various kinds; the ntp one is straightforward, as you note.
> This may be some sort of chargen-like packet reflector that's either built into
> the firmware, or that an attacker has managed to insert, somehow. The
> 'mailto:' bit is interesting; it might work sort of like SNMP
> reflection/amplification attacks work, where the attacker is using some sort of
> management functionality to walk the device config or somesuch, packetize it,
> and blast it out as packet-padding.
>> Can you say a bit more about what I might look for in trying to track
>> this down?
> Does the target of the attack have flow telemetry records or complete packets?
> Because the one you posted looked incomplete (29 bytes?) . . .
Unfortunately, all I have is what they sent to our abuse address -
understandably, they've been a bit busy and not as responsive to further
inquiries as one might hope.
But, having said that, this looks like all they have. They seem to be
getting these from lots of different places around the net, they just
sent a filtered excerpt - here's a larger sample:
18:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
    0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8 <mailto:E.....@.8>.....;.
    0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
18:33:58.484625 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
    0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8 <mailto:E.....@.8>.....;.
    0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
18:33:58.486137 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
    0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8 <mailto:E.....@.8>.....;.
    0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
On closer reading, what they captured does seem to be "proto UDP (17),
length 29)" and "UDP, length 1"
Thanks!
Miles
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra
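To check the "length 29" / "UDP, length 1" reading against the bytes themselves, here is an added Python decoder (not code from this thread or its participants) that parses tcpdump-style hex columns like the ones quoted above and splits the frame into IPv4 header, UDP header, the one-byte payload and trailing link-layer padding. The embedded sample is constructed from the quoted dump with the two IPv4 address words zeroed, matching the x.x.x.x masking in the quoted headers; the hex-group parser and field names are this example's own.

```python
import struct

# Constructed sample: hex columns of one quoted packet, with the two IPv4
# address words zeroed to match the x.x.x.x masking in the quoted headers.
SAMPLE_DUMP = """\
0x0000:  4500 001d 0000 4000 3811 088c 0000 0000
0x0010:  0000 0000 0818 6987 0009 10f8 4300 0000
0x0020:  0000 0000 0000 0000 0000 0000 0000
"""

HEX = set("0123456789abcdefABCDEF")

def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -x/-X lines ('0xNNNN: hhhh hhhh ...') into raw bytes.
    Parsing stops at the first token that is not a 2- or 4-digit hex group,
    so a trailing ASCII column or a timestamp header line contributes nothing."""
    out = bytearray()
    for line in dump.splitlines():
        _, sep, rest = line.partition(":")
        if not sep:
            continue
        for tok in rest.split():
            if len(tok) in (2, 4) and set(tok) <= HEX:
                out += bytes.fromhex(tok)
            else:
                break
    return bytes(out)

def decode_ipv4_udp(frame: bytes) -> dict:
    """Decode IPv4 + UDP headers and separate the datagram from frame padding."""
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, proto, _csum) = struct.unpack("!BBHHHBBH", frame[:12])
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, udp_len, _udp_csum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    return {
        "ip_total_length": total_len,          # 29 here: 20 IP + 8 UDP + 1 data
        "ttl": ttl,
        "dont_fragment": bool(flags_frag & 0x4000),
        "src_port": sport,
        "dst_port": dport,
        "udp_length": udp_len,                 # 9 = 8-byte header + 1 data byte
        "payload": frame[ihl + 8:total_len],   # the single byte the target saw
        "padding": len(frame) - total_len,     # trailing zeros: link-layer padding
    }

if __name__ == "__main__":
    for k, v in decode_ipv4_udp(hexdump_to_bytes(SAMPLE_DUMP)).items():
        print(f"{k}: {v}")
```

The 17 zero bytes past the 29-byte IP total length are Ethernet minimum-frame padding that tcpdump prints, not missing data, so the capture is a complete one-byte datagram rather than a truncated one.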