Re: Syn flood to TCP port 21 from priveleged port (80)

[Theodore Baschak <theodore () ciscodude net>]

This might be a little late on this thread, however I just saw the
following news item on twitter which seemed pertinent to this story:
http://www.theregister.co.uk/2016/11/02/william_hill_ddos/
I guess they're a bookie who's under DDoS?


Theodore Baschak - AS395089 - Hextet Systems
https://ciscodude.net/ - https://hextet.systems/
http://mbix.ca/


On Wed, Nov 2, 2016 at 3:46 AM, Christian Kildau <lists () chrisk de> wrote:

> There is some nice research regarding systems "abusable" for reflection by
> tcp port and the amplification factor depending on the OS:
> http://www.christian-rossow.de/publications/tcpamplification-woot2014.pdf
>
> And in more detail:
> https://www.usenix.org/system/files/conference/
> usenixsecurity14/sec14-paper-
> kuhrer.pdf
>
> Best regards,
> Chris
>
> On Tue, Nov 1, 2016 at 11:21 PM, Ken Chase <math () sizone org> wrote:
>
> > what's the density of open port 21s on the planet though? trying to
> > estimate
> > the traffic resulting against the two target /21s.
> >
> > Your dump only has 2 ip's in it though, on your /19 so not
> representative.
> > My dump is 500 synacks returned in 14 seconds to 32 ips in a /22. This
> > would give
> > 128M ftp responders across the whole /0 (modulo actual space in use, etc,
> > so call it 32M responders?). (It's also a short timespan for a dump as
> > well.)
> > Syn-ack seems to be a 58 byte packet (?ish).
> >
> > 32 * 10^6 * 500/14 * 58*8 / 10^9 = 530 Gbps
> >
> > even if im off by 4 in density of ftp sites on the internet despite my
> > already
> > reducing it by 4, we're talking ~100+ Gbps.
> >
> > /kc
> >
> >
> > On Tue, Nov 01, 2016 at 03:59:49PM -0600, Selphie Keller said:
> >   >Yeah it is an odd ball attack for sure, here is a 5000 packet sample
> of
> >   >what I was seeing in connection to this attack
> >   >https://mystagic.io/80to21.pcap , don't think it's the entire /0 for
> > ftp
> >   >port as I am not seeing it on many other subnets, which is why I am
> >   >thinking someone did a pre-scan before conducting this wacky attack,
> >   >otherwise, I would have likely seen other port 21's seeing activity,
> > but so
> >   >far any IP that didn't have 21 as an actual service isn't seeing the
> syn
> >   >packets. This could be unique to my location, others observing this
> > attack
> >   >may be able to chime in and report what they are seeing if they seen
> 80
> > src
> >   >syn to port 21 where 21 isn't an actual ftp running. Yeah this is
> pretty
> >   >easy to filter.
> >   >
> >   >On 1 November 2016 at 13:48, Ken Chase <math () sizone org> wrote:
> >   >
> >   >> Not sure why reflected RSTs are the goal here, they're not much of
> an
> >   >> amplification
> >   >> to the original syn size. Additionally causing a mild dos of my
> > clients'
> >   >> stuff
> >   >> when it begins throttling # of connections, ie noticeable. (not
> that i
> >   >> want to
> >   >> help scriptkids improve their attacks...). Im guessing port 80 was
> > chosen
> >   >> for improved
> >   >> fw piercing.
> >   >>
> >   >> Sure is widespread though, 5 clients on very different networks all
> > seeing
> >   >> similar
> >   >> saturation. Someone has a nice complete prescanned list of open ftps
> > for
> >   >> the
> >   >> entire internet out there (or are they just saturating the whole
> /0?)
> >   >>
> >   >> Easy to filter though:
> >   >>
> >   >> tcp and src port 80 and src net '(141.138.128.0/21 or
> 95.131.184.0/21
> > )'
> >   >> and dst port 21
> >   >>
> >   >> Adapt for your fw rules of choice.
> >   >>
> >   >> /kc
> >   >>
> >   >>
> >   >> On Tue, Nov 01, 2016 at 07:39:40PM +0000, Van Dyk, Donovan said:
> >   >>   >I think Ken has nailed it. I think the source addresses are
> > spoofed so
> >   >> you reflect the connection (tcp syn ack) to those source addresses.
> > Get
> >   >> enough of those connections and the server is dead.
> >   >>   >
> >   >>   >Since your port 21 is open
> >   >>   >
> >   >>   >telnet 109.72.248.114 21
> >   >>   >Trying 109.72.248.114...
> >   >>   >Connected to 109.72.248.114.
> >   >>   >Escape character is '^]'.
> >   >>   >
> >   >>   >Your address was probably scanned and saw it could be used in the
> >   >> attack.
> >   >>   >
> >   >>   >Regards
> >   >>   >--
> >   >>   >Donovan Van Dyk
> >   >>   >
> >   >>   >SOC Network Engineer
> >   >>   >
> >   >>   >Office: +1.954.620.6002 x911
> >   >>   >
> >   >>   >Fort Lauderdale, FL USA
> >   >>   >
> >   >>   >
> >   >>   >
> >   >>   >
> >   >>   >The information contained in this electronic mail transmission
> and
> > its
> >   >> attachments may be privileged and confidential and protected from
> >   >> disclosure. If the reader of this message is not the intended
> > recipient (or
> >   >> an individual responsible for delivery of the message to such
> > person), you
> >   >> are strictly prohibited from copying, disseminating or distributing
> > this
> >   >> communication. If you have received this communication in error,
> > please
> >   >> notify the sender immediately and destroy all electronic, paper or
> > other
> >   >> versions.
> >   >>   >
> >   >>   >
> >   >>   >On 11/1/16, 3:29 PM, "Ken Chase" <math () sizone org> wrote:
> >   >>   >
> >   >>   >    seeing an awful lot of port 80 hitting port 21. (Why would
> > port 80
> >   >>   >    ever be used as source?). Also saw a buncha cpanel "FAILED:
> > FTP"
> >   >> alerts flickering
> >   >>   >    on and off as the service throttled itself at a couple client
> > sites
> >   >> I manage.
> >   >>   >
> >   >>   >    I see 540 unique source IPs hitting 32 destinations on my
> > network
> >   >> in just 1000
> >   >>   >    packets dumped on one router.
> >   >>   >
> >   >>   >    All from multiple sequential registered /24s in whois, but
> all
> > from
> >   >> one
> >   >>   >    management company:
> >   >>   >
> >   >>   >    141.138.128.0/21 and 95.131.184.0/21
> >   >>   >
> >   >>   >    role:           William Hill Network Services
> >   >>   >    abuse-mailbox:  networkservices () williamhill co uk
> >   >>   >    address:        Infrastructure Services 2 City Walk Sweet
> > Street
> >   >> Leeds LS11 9AR
> >   >>   >
> >   >>   >    AS49061
> >   >>   >
> >   >>   >    course, synfloods can be spoofed... perhaps they're hoping
> for
> > a
> >   >> retaliation
> >   >>   >    against WHNS.
> >   >>   >
> >   >>   >    /kc
> >   >>   >
> >   >>   >    On Tue, Nov 01, 2016 at 09:44:23PM +0300, Oleg A.
> Arkhangelsky
> > said:
> >   >>   >      >Hello,
> >   >>   >      >
> >   >>   >      >A couple of cuts from tcpdump output:
> >   >>   >      >
> >   >>   >      >21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21:
> > Flags
> >   >> [S], seq 1376379765, win 8192, length 0
> >   >>   >      >21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21:
> > Flags
> >   >> [S], seq 2254756684, win 8192, length 0
> >   >>   >      >21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21:
> > Flags
> >   >> [S], seq 3619475318, win 8192, length 0
> >   >>   >      >21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21:
> > Flags
> >   >> [S], seq 2412690982, win 8192, length 0
> >   >>   >      >
> >   >>   >      >Does anyone seeing this right now (18:31 UTC)? I see this
> > traffic
> >   >>   >      >on at least two completely independent ISPs near Moscow.
> The
> >   >>   >      >rate is about a few dozen PPS hitting all BGP-announced
> > networks.
> >   >>   >      >
> >   >>   >      >--??
> >   >>   >      >wbr, Oleg.
> >   >>   >      >
> >   >>   >      >"Anarchy is about taking complete responsibility for
> > yourself."
> >   >>   >      >?? ?? ?? Alan Moore.
> >   >>   >
> >
> > --
> > Ken Chase - math () sizone org Guelph Canada