This might be a little late on this thread, however I just saw the following news item on twitter which seemed pertinent to this story: http://www.theregister.co.uk/2016/11/02/william_hill_ddos/ I guess they're a bookie who's under DDoS?
Theodore Baschak - AS395089 - Hextet Systems https://ciscodude.net/ - https://hextet.systems/ http://mbix.ca/ On Wed, Nov 2, 2016 at 3:46 AM, Christian Kildau <li...@chrisk.de> wrote: > There is some nice research regarding systems "abusable" for reflection by > tcp port and the amplification factor depending on the OS: > http://www.christian-rossow.de/publications/tcpamplification-woot2014.pdf > > And in more detail: > https://www.usenix.org/system/files/conference/ > usenixsecurity14/sec14-paper- > kuhrer.pdf > > Best regards, > Chris > > On Tue, Nov 1, 2016 at 11:21 PM, Ken Chase <m...@sizone.org> wrote: > > > what's the density of open port 21s on the planet though? trying to > > estimate > > the traffic resulting against the two target /21s. > > > > Your dump only has 2 ip's in it though, on your /19 so not > representative. > > > > My dump is 500 synacks returned in 14 seconds to 32 ips in a /22. This > > would give > > 128M ftp responders across the whole /0 (modulo actual space in use, etc, > > so call it 32M responders?). (It's also a short timespan for a dump as > > well.) > > Syn-ack seems to be a 58 byte packet (?ish). > > > > 32 * 10^6 * 500/14 * 58*8 / 10^9 = 530 Gbps > > > > even if im off by 4 in density of ftp sites on the internet despite my > > already > > reducing it by 4, we're talking ~100+ Gbps. > > > > /kc > > > > > > On Tue, Nov 01, 2016 at 03:59:49PM -0600, Selphie Keller said: > > >Yeah it is an odd ball attack for sure, here is a 5000 packet sample > of > > >what I was seeing in connection to this attack > > >https://mystagic.io/80to21.pcap , don't think it's the entire /0 for > > ftp > > >port as I am not seeing it on many other subnets, which is why I am > > >thinking someone did a pre-scan before conducting this wacky attack, > > >otherwise, I would have likely seen other port 21's seeing activity, > > but so > > >far any IP that didn't have 21 as an actual service isn't seeing the > syn > > >packets. This could be unique to my location, others observing this > > attack > > >may be able to chime in and report what they are seeing if they seen > 80 > > src > > >syn to port 21 where 21 isn't an actual ftp running. Yeah this is > pretty > > >easy to filter. > > > > > >On 1 November 2016 at 13:48, Ken Chase <m...@sizone.org> wrote: > > > > > >> Not sure why reflected RSTs are the goal here, they're not much of > an > > >> amplification > > >> to the original syn size. Additionally causing a mild dos of my > > clients' > > >> stuff > > >> when it begins throttling # of connections, ie noticeable. (not > that i > > >> want to > > >> help scriptkids improve their attacks...). Im guessing port 80 was > > chosen > > >> for improved > > >> fw piercing. > > >> > > >> Sure is widespread though, 5 clients on very different networks all > > seeing > > >> similar > > >> saturation. Someone has a nice complete prescanned list of open ftps > > for > > >> the > > >> entire internet out there (or are they just saturating the whole > /0?) > > >> > > >> Easy to filter though: > > >> > > >> tcp and src port 80 and src net '(141.138.128.0/21 or > 95.131.184.0/21 > > )' > > >> and dst port 21 > > >> > > >> Adapt for your fw rules of choice. > > >> > > >> /kc > > >> > > >> > > >> On Tue, Nov 01, 2016 at 07:39:40PM +0000, Van Dyk, Donovan said: > > >> >I think Ken has nailed it. I think the source addresses are > > spoofed so > > >> you reflect the connection (tcp syn ack) to those source addresses. > > Get > > >> enough of those connections and the server is dead. > > >> > > > >> >Since your port 21 is open > > >> > > > >> >telnet 109.72.248.114 21 > > >> >Trying 109.72.248.114... > > >> >Connected to 109.72.248.114. > > >> >Escape character is '^]'. > > >> > > > >> >Your address was probably scanned and saw it could be used in the > > >> attack. > > >> > > > >> >Regards > > >> >-- > > >> >Donovan Van Dyk > > >> > > > >> >SOC Network Engineer > > >> > > > >> >Office: +1.954.620.6002 x911 > > >> > > > >> >Fort Lauderdale, FL USA > > >> > > > >> > > > >> > > > >> > > > >> >The information contained in this electronic mail transmission > and > > its > > >> attachments may be privileged and confidential and protected from > > >> disclosure. If the reader of this message is not the intended > > recipient (or > > >> an individual responsible for delivery of the message to such > > person), you > > >> are strictly prohibited from copying, disseminating or distributing > > this > > >> communication. If you have received this communication in error, > > please > > >> notify the sender immediately and destroy all electronic, paper or > > other > > >> versions. > > >> > > > >> > > > >> >On 11/1/16, 3:29 PM, "Ken Chase" <m...@sizone.org> wrote: > > >> > > > >> > seeing an awful lot of port 80 hitting port 21. (Why would > > port 80 > > >> > ever be used as source?). Also saw a buncha cpanel "FAILED: > > FTP" > > >> alerts flickering > > >> > on and off as the service throttled itself at a couple client > > sites > > >> I manage. > > >> > > > >> > I see 540 unique source IPs hitting 32 destinations on my > > network > > >> in just 1000 > > >> > packets dumped on one router. > > >> > > > >> > All from multiple sequential registered /24s in whois, but > all > > from > > >> one > > >> > management company: > > >> > > > >> > 141.138.128.0/21 and 95.131.184.0/21 > > >> > > > >> > role: William Hill Network Services > > >> > abuse-mailbox: networkservi...@williamhill.co.uk > > >> > address: Infrastructure Services 2 City Walk Sweet > > Street > > >> Leeds LS11 9AR > > >> > > > >> > AS49061 > > >> > > > >> > course, synfloods can be spoofed... perhaps they're hoping > for > > a > > >> retaliation > > >> > against WHNS. > > >> > > > >> > /kc > > >> > > > >> > On Tue, Nov 01, 2016 at 09:44:23PM +0300, Oleg A. > Arkhangelsky > > said: > > >> > >Hello, > > >> > > > > >> > >A couple of cuts from tcpdump output: > > >> > > > > >> > >21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: > > Flags > > >> [S], seq 1376379765, win 8192, length 0 > > >> > >21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: > > Flags > > >> [S], seq 2254756684, win 8192, length 0 > > >> > >21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: > > Flags > > >> [S], seq 3619475318, win 8192, length 0 > > >> > >21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: > > Flags > > >> [S], seq 2412690982, win 8192, length 0 > > >> > > > > >> > >Does anyone seeing this right now (18:31 UTC)? I see this > > traffic > > >> > >on at least two completely independent ISPs near Moscow. > The > > >> > >rate is about a few dozen PPS hitting all BGP-announced > > networks. > > >> > > > > >> > >--?? > > >> > >wbr, Oleg. > > >> > > > > >> > >"Anarchy is about taking complete responsibility for > > yourself." > > >> > >?? ?? ?? Alan Moore. > > >> > > > > > -- > > Ken Chase - m...@sizone.org Guelph Canada > > >