nanog mailing list archives
Re: where to go to understand DDoS attack vector
From: me <jschiel () flowtools net>
Date: Tue, 26 Aug 2014 10:52:35 -0600
On 08/26/2014 07:58 AM, Roland Dobbins wrote:
> On Aug 26, 2014, at 8:37 PM, John York <johny () griffintechnology com> wrote:
>
>> In this case, 17 is both the protocol and port number. Confusing coincidence :)
>
> Not in this output which the OP sent to the list:
>
> 8:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29)
>     x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>         0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
>         0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
>         0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
> 18:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29)
>     x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>         0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
>         0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
>         0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
> 18:33:58.484625 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29)
>     x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>         0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
>         0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
>         0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
> 18:33:58.486137 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29)
>     x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>         0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
>         0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
>         0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
>
> Source port 2072, destination port 27015.
Been a while since I got to dig into hex tcpdump, but spent the time anyway. A UDP data segment that is 9 bytes long and only contains a "C" (0x43)? And it looks like it's to a Steam/Half-Life (27015) gaming port. Not sure what the "C" is used for with those systems, but guessing it's some sort of request?
--john
> ----------------------------------------------------------------------
> Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>
>
>                   Equo ne credite, Teucri.
>
>                       -- Laocoön
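Reading the quoted hex by hand is where the "9 bytes" versus "length 1" confusion comes from: UDP's length field counts its own 8-byte header, so the datagram carries a single data byte, and the zeros after it are link-layer padding, not payload. The Python below is an added example, not code from anyone in this thread; it parses the `tcpdump -x` bytes quoted above (copied verbatim as a constructed input), verifies the IP and UDP checksums, and separates header, data and padding the way a responder would when triaging a capture like this. The field names and helper functions are assumptions of this example.

```python
"""Decode an IPv4/UDP frame from tcpdump -x hex output (added example)."""
import re
import struct

# Constructed input: the hex columns of the packet quoted above (ASCII column omitted).
HEXDUMP = """\
0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c
0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000
0x0020:  0000 0000 0000 0000 0000 0000 0000
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
HEX_WORD = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")


def hexdump_to_bytes(dump):
    """Turn 'offset:  hex hex ...  ascii' lines into raw bytes; non-hex tokens are skipped."""
    out = bytearray()
    for line in dump.splitlines():
        _, _, rest = line.partition(":")
        for word in rest.split():
            if HEX_WORD.match(word):
                out += bytes.fromhex(word)
    return bytes(out)


def internet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when a block that includes its checksum verifies."""
    if len(data) % 2:
        data += b"\x00"  # odd-length blocks are padded with a zero byte for the sum
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4_udp(frame):
    """Parse the IPv4 header (and UDP header if proto 17); return the fields tcpdump prints."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "tos": tos, "ttl": ttl, "id": ident, "total_length": total_len,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
        "ip_checksum_ok": internet_checksum(frame[:ihl]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        # tcpdump -x shows the whole captured frame; bytes past total_length are
        # link-layer padding (Ethernet pads short frames), not part of the datagram.
        "link_padding": len(frame) - total_len,
    }
    if proto != 17:
        return info
    udp = frame[ihl:total_len]
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", udp[:8])
    # UDP length covers the 8-byte header too, so data = length - 8.
    payload = udp[8:ulen]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)
    info.update({
        "sport": sport, "dport": dport, "udp_length": ulen,
        "payload": payload, "payload_length": len(payload),
        # A zero UDP checksum means "not computed" and is legal for IPv4.
        "udp_checksum_ok": ucsum == 0 or internet_checksum(pseudo + udp[:ulen]) == 0,
    })
    return info


def summarize(info):
    """One-line summary in the spirit of tcpdump's own header line."""
    head = "IP (tos 0x%x, ttl %d, id %d, flags [%s], proto %s (%d), length %d)" % (
        info["tos"], info["ttl"], info["id"], "DF" if info["df"] else "none",
        info["proto_name"], info["proto"], info["total_length"])
    if "sport" not in info:
        return head
    return "%s %s.%d > %s.%d: UDP, length %d, data %r, padding %d" % (
        head, info["src"], info["sport"], info["dst"], info["dport"],
        info["payload_length"], info["payload"], info["link_padding"])


if __name__ == "__main__":
    print(summarize(decode_ipv4_udp(hexdump_to_bytes(HEXDUMP))))
```

Both checksums verify on the quoted bytes, which is worth knowing before reading anything into a one-byte probe: a forged or truncated frame often fails here first. Pasting the hex lines of any other `tcpdump -x` capture into `HEXDUMP` decodes it the same way.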