qotd            17/udp      quote

You're not blocking small services outbound at the edge?
On 08/26/2014 05:18 AM, Miles Fidelman wrote:
> Roland Dobbins wrote:
>> On Aug 26, 2014, at 6:48 PM, Miles Fidelman
>> <[email protected]> wrote:
>>
>>> Immediate issue is dealt with (at least for us, target seems to be
>>> off the air) - but want to understand this, report it, all of that.
>> IPMI boards are reported as being used in reflection/amplification
>> attacks of various kinds; the ntp one is straightforward, as you note.
>>
>> This may be some sort of chargen-like packet reflector that's either
>> built into the firmware, or that an attacker has managed to insert,
>> somehow. The 'mailto:' bit is interesting; it might work sort of like
>> SNMP reflection/amplification attacks work, where the attacker is
>> using some sort of management functionality to walk the device config
>> or somesuch, packetize it, and blast it out as packet-padding.
>
> Can you say a bit more about what I might look for in trying to track
> this down?
>
>>
>> Does the target of the attack have flow telemetry records or complete
>> packets? Because the one you posted looked incomplete (29 bytes?) . . .
>>
>>
>
> Unfortunately, all I have is what they sent to our abuse address -
> understandably, they've been a bit busy and not as responsive to further
> inquiries as one might hope.
>
> But, having said that, this looks like all they have. They seem to be
> getting these from lots of different places around the net, they just
> sent a filtered excerpt - here's a larger sample:
>
> 18:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
> 0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8 <mailto:E.....@.8>.....;.
> 0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
> 0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
> 18:33:58.484625 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
> 0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8 <mailto:E.....@.8>.....;.
> 0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
> 0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
> 18:33:58.486137 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
> 0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8 <mailto:E.....@.8>.....;.
> 0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
> 0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
>
> On closer reading, what they captured does seem to be "proto UDP (17),
> length 29)" and "UDP, length 1"
>
> Thanks!
>
> Miles
>
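A capture pasted through a mail client is easy to misread (the ASCII column of the dump above was turned into a mailto link on the way). Here is an added Python decoder, not code from the thread or from any of its participants, that takes the three hex lines exactly as quoted, regenerates tcpdump's ASCII column from the bytes, parses the IPv4 and UDP headers, and verifies both checksums so one can tell whether the 29-byte datagram is intact or truncated. The hex bytes are the thread's own; the function names and the quoted-dump handling are this example's.

```python
"""Decode a tcpdump -X hex dump of one IPv4/UDP datagram and sanity-check it.

Added example, not code from the thread. SAMPLE_DUMP is the quoted capture
(the 0x0000/0x0010/0x0020 lines) with its mail quoting left in place.
"""
import re
import struct

SAMPLE_DUMP = """\
> 0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c
> 0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000
> 0x0020: 0000 0000 0000 0000 0000 0000 0000
"""

HEX_GROUP = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")


def hexdump_to_bytes(dump: str) -> bytes:
    """Collect the hex groups of tcpdump -x/-X lines ('0xOFFSET: hhhh ...') into bytes.

    Leading mail quoting ('> ') is tolerated. Reading stops at the first token
    that is not a 2- or 4-digit hex group, and never after the eighth group, so
    an ASCII column (which may contain hex-looking characters) is not consumed.
    """
    raw = bytearray()
    for line in dump.splitlines():
        head, sep, rest = line.lstrip("> ").partition(":")
        if not sep or not head.lower().startswith("0x"):
            continue
        for tok in rest.split()[:8]:
            if not HEX_GROUP.fullmatch(tok):
                break
            raw += bytes.fromhex(tok)
    return bytes(raw)


def ascii_column(chunk: bytes) -> str:
    """Rebuild tcpdump's ASCII column: graphic ASCII as-is, everything else as '.'."""
    return "".join(chr(b) if 0x21 <= b <= 0x7E else "." for b in chunk)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4_udp(pkt: bytes) -> dict:
    """Parse IPv4 and UDP headers and separate the datagram from trailing bytes."""
    ver_ihl, _tos, total_len, _ident, frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or total_len > len(pkt):
        raise ValueError("not a complete IPv4/UDP datagram")
    sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    udp_seg = pkt[ihl:total_len]
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, udp_len)
    return {
        "total_length": total_len,
        "ttl": ttl,
        "protocol": proto,
        "df": bool(frag & 0x4000),
        "mf": bool(frag & 0x2000),
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "src_port": sport,
        "dst_port": dport,
        "udp_length": udp_len,
        "payload": pkt[ihl + 8:total_len],
        # Bytes past the IP total length are not part of the datagram.
        "padding": pkt[total_len:],
        # A header/segment whose checksum field is included sums to 0xFFFF when valid.
        "ip_checksum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
        "udp_checksum_ok": udp_csum != 0 and ones_complement_sum(pseudo + udp_seg) == 0xFFFF,
    }


if __name__ == "__main__":
    pkt = hexdump_to_bytes(SAMPLE_DUMP)
    for off in range(0, len(pkt), 16):
        chunk = pkt[off:off + 16]
        print(f"0x{off:04x}: {chunk.hex(' ', 2):<40} {ascii_column(chunk)}")
    for key, val in parse_ipv4_udp(pkt).items():
        print(f"{key:>16}: {val!r}")
```

Run on the quoted lines it reports an IPv4 total length of 29, a UDP length of 9, a one-byte payload and both checksums valid, i.e. the datagram is complete as captured. The 17 zero bytes that follow lie beyond the IP total length (29 + 17 = 46, the Ethernet minimum payload), so they read as link-layer padding rather than lost packet content; an IP header checksum that verifies is also the quickest way to tell a faithful dump from one mangled in transit by a mail client.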

