nanog mailing list archives

Re: where to go to understand DDoS attack vector


From: John <jw () nuclearfallout net>
Date: Tue, 26 Aug 2014 12:37:12 -0700

On 8/26/2014 10:40 AM, Miles Fidelman wrote:
That's about as far as I've gotten. What has me scratching my head is what is setting the source port. This has all the earmarks of a reflection attack, except... I'm not running anything that presents as port 2072 (msync) - so either the attack is making very clever use of some other open server, or the board's BMC is infected by a bot. Unfortunately, with the port now blocked, and what was intermittent in any case - it's a little hard to monitor incoming traffic to see what might be trigger traffic. Sigh...

From the traffic dump and description, this was highly likely to be a direct attack and not an amplification/reflection hit. I don't know of reflectors that run on port 2072; but, bots are routinely used to send UDP length 29 (payload length 1) packets.

Older Supermicro IPMI devices have multiple published exploits including the much-publicized port-49152 vulnerability that provides the admin password in the clear (described at http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/ and other places). Many device owners also never change the default u/p, in which case an exploit doesn't even need to be used. The attacker will typically use a tool to scan the IPv4 space for vulnerable hosts; the tool logs in and installs a bot that connects to a C&C server and is later used for attacks. The same procedure is followed with other easily-compromised devices, including Hikvision DVRs/NVRs and various routers including the Chinese Telecom F420. Resulting botnets can be tens or even hundreds of thousands of hosts in size.

IPMI devices have been used quite regularly for attacks for a couple of months now -- as soon as that vulnerability was made public, the toolmakers started using it. The best defense against current and yet-to-be-discovered IPMI vulnerabilities is to make sure that your IPMI devices are not open to the public internet, as Roland said.

-John
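The distinction John draws above (a direct bot flood of 29-byte UDP packets versus a reflection/amplification hit) is something an operator can check mechanically from a packet capture. The following is an added example, not code from the thread or from any tool it mentions: it parses constructed tcpdump-style lines, reconstructs the on-wire IPv4 length from the payload length (assuming a 20-byte IPv4 header with no options plus the 8-byte UDP header), and classifies each destination (address, port) pair using two heuristics: tiny fixed-size payloads from many sources with scattered source ports point to a direct flood, while large payloads arriving from a well-known reflector service port point to reflection. The reflector port table and the thresholds are assumptions for illustration, and the addresses are from documentation ranges.

```python
import re
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the source port the
# reflected traffic comes FROM. General knowledge; assumption for this example.
REFLECTOR_PORTS = {
    19: "chargen", 53: "dns", 111: "portmap", 123: "ntp",
    161: "snmp", 389: "cldap", 1900: "ssdp", 11211: "memcached",
}

IPV4_HDR = 20   # assumption: no IP options
UDP_HDR = 8

# tcpdump prints the UDP *payload* length, e.g. "UDP, length 1".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<plen>\d+)$"
)

# Constructed sample capture (not real traffic): a direct flood of 1-byte UDP
# payloads at port 2072 from many sources with random source ports, and a
# handful of large packets from port 123 that look like NTP reflection.
SAMPLE_LINES = [
    "12:37:12.000001 IP 198.51.100.7.40123 > 192.0.2.10.2072: UDP, length 1",
    "12:37:12.000002 IP 198.51.100.9.51002 > 192.0.2.10.2072: UDP, length 1",
    "12:37:12.000003 IP 203.0.113.44.60233 > 192.0.2.10.2072: UDP, length 1",
    "12:37:12.000004 IP 203.0.113.45.33890 > 192.0.2.10.2072: UDP, length 1",
    "12:37:12.000005 IP 198.51.100.7.40124 > 192.0.2.10.2072: UDP, length 1",
    "12:37:12.000006 IP 203.0.113.46.12345 > 192.0.2.10.2072: UDP, length 1",
    "12:37:12.000007 IP 198.51.100.200.123 > 192.0.2.10.53453: UDP, length 440",
    "12:37:12.000008 IP 203.0.113.201.123 > 192.0.2.10.53453: UDP, length 440",
    "12:37:12.000009 IP 203.0.113.202.123 > 192.0.2.10.53453: UDP, length 440",
    "12:37:12.000010 IP 203.0.113.202.123 > 192.0.2.10.53453: UDP, length 440",
    "12:37:12.000011 IP 198.51.100.50.33000 > 192.0.2.10.443: UDP, length 1200",
]


def parse_line(line):
    """Parse one tcpdump UDP summary line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    plen = int(m["plen"])
    return {
        "ts": m["ts"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "payload_len": plen,
        "ip_len": IPV4_HDR + UDP_HDR + plen,   # 1-byte payload -> 29 bytes
    }


def classify(packets, min_packets=3):
    """Group by (dst, dport) and label each group.

    direct-flood : >=80% of packets carry a payload of at most 1 byte and the
                   source ports are scattered (no single service port).
    reflection   : >=80% of packets come FROM a known reflector service port
                   and the mean payload is large (amplified responses).
    """
    groups = defaultdict(list)
    for p in packets:
        groups[(p["dst"], p["dport"])].append(p)

    verdicts = {}
    for key, pkts in groups.items():
        n = len(pkts)
        srcs = {p["src"] for p in pkts}
        sports = {p["sport"] for p in pkts}
        tiny = sum(1 for p in pkts if p["payload_len"] <= 1)
        reflected = [p for p in pkts if p["sport"] in REFLECTOR_PORTS]
        mean_payload = sum(p["payload_len"] for p in pkts) / n

        if n < min_packets:
            kind = "too-few-packets"
        elif len(reflected) / n >= 0.8 and mean_payload > 64:
            kind = "reflection"
        elif tiny / n >= 0.8 and len(sports) > 1:
            kind = "direct-flood"
        else:
            kind = "unclassified"

        verdicts[key] = {
            "kind": kind,
            "packets": n,
            "sources": len(srcs),
            "source_ports": len(sports),
            "reflector_services": sorted({REFLECTOR_PORTS[p["sport"]] for p in reflected}),
        }
    return verdicts


def analyze(lines):
    """Parse and classify a list of tcpdump lines, skipping unparseable ones."""
    packets = [p for p in (parse_line(l) for l in lines) if p is not None]
    return classify(packets)


if __name__ == "__main__":
    for (dst, dport), v in sorted(analyze(SAMPLE_LINES).items()):
        print(f"{dst}:{dport:<6} {v['kind']:<16} pkts={v['packets']} "
              f"srcs={v['sources']} sports={v['source_ports']} {v['reflector_services']}")
```

The "source port" puzzle in the quoted message is exactly what the source-port count exposes: in a reflection the source port is fixed by the abused service, whereas a bot flood can set it to anything, so a port like 2072 appearing on the attacker's side says nothing about a service the victim runs. The thresholds are deliberately coarse; on a real capture you would also look at packet rate and at whether the destination ever sent a request that could have elicited the traffic.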

