nanog mailing list archives
Re: where to go to understand DDoS attack vector
From: Roland Dobbins <rdobbins () arbor net>
Date: Tue, 26 Aug 2014 18:57:27 +0700
On Aug 26, 2014, at 6:48 PM, Miles Fidelman <mfidelman () meetinghouse net> wrote:
> Immediate issue is dealt with (at least for us, target seems to be off the air) - but want to understand this, report it, all of that.
IPMI boards are reported as being used in reflection/amplification attacks of various kinds; the ntp one is straightforward, as you note. This may be some sort of chargen-like packet reflector that's either built into the firmware, or that an attacker has managed to insert, somehow.

The 'mailto:' bit is interesting; it might work sort of like SNMP reflection/amplification attacks work, where the attacker is using some sort of management functionality to walk the device config or somesuch, packetize it, and blast it out as packet-padding.

Does the target of the attack have flow telemetry records or complete packets? Because the one you posted looked incomplete (29 bytes?) . . .

----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Equo ne credite, Teucri.

-- Laocoön
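Added example, not part of the original message or thread: one way a target could summarize its flow telemetry by the reflection vectors named above (ntp, chargen, SNMP) to see which services and how many reflectors are involved. The flow records, addresses, CSV column names and the function name are constructed assumptions for illustration.

```python
import csv
import io
from collections import defaultdict

# UDP source ports of the reflection vectors named in the message.
REFLECTION_PORTS = {19: "chargen", 123: "ntp", 161: "snmp"}

# Constructed sample flow export (documentation addresses, not thread data).
# 203.0.113.10 is the assumed attack target.
SAMPLE_FLOWS = """src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
198.51.100.7,123,203.0.113.10,41822,17,900,421200
198.51.100.9,123,203.0.113.10,41822,17,850,397800
192.0.2.44,19,203.0.113.10,53011,17,400,409600
192.0.2.80,161,203.0.113.10,60100,17,300,420000
192.0.2.200,51515,203.0.113.10,443,6,12,9000
192.0.2.201,40000,203.0.113.10,33000,17,5000,145000
"""


def summarize_reflection(flow_csv, target):
    """Group UDP flows sent to `target` by source port and return, per vector,
    the number of distinct reflectors, total bytes and average packet size."""
    stats = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        # Only inbound UDP (IP protocol 17) toward the target is of interest.
        if row["dst_ip"] != target or row["proto"] != "17":
            continue
        # Reflected replies carry the abused service's port as the source port.
        vector = REFLECTION_PORTS.get(int(row["src_port"]), "other-udp")
        entry = stats[vector]
        entry["reflectors"].add(row["src_ip"])
        entry["packets"] += int(row["packets"])
        entry["bytes"] += int(row["bytes"])
    return {
        vector: {
            "reflectors": len(entry["reflectors"]),
            "bytes": entry["bytes"],
            "avg_pkt_bytes": round(entry["bytes"] / entry["packets"]),
        }
        for vector, entry in stats.items()
    }


if __name__ == "__main__":
    for vector, info in sorted(summarize_reflection(SAMPLE_FLOWS, "203.0.113.10").items()):
        print(vector, info)
```

Flow records yield only counts and average sizes per vector; identifying what an unrecognized reflector actually sends still requires complete packets.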