This might be a little late on this thread, however I just saw the
following news item on twitter which seemed pertinent to this story:
http://www.theregister.co.uk/2016/11/02/william_hill_ddos/
I guess they're a bookie who's under DDoS?
Theodore Baschak - AS395089 - Hextet Systems
https://ciscod
There is some nice research regarding systems "abusable" for reflection by
tcp port and the amplification factor depending on the OS:
http://www.christian-rossow.de/publications/tcpamplification-woot2014.pdf
And in more detail:
https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-
Most of those networks are served by Prolexic DDOS mitigation (AS 32787),
and according to BGPlay have been for a while. (AS carrying untoward material,
like a Tor exit node or onion router?)
But a couple /24s in the 95.* block are AS14537 Mohawk Internet Tech. in
Quebec Canada such as 95.131.188
What's the density of open port 21s on the planet, though? Trying to estimate
the traffic resulting against the two target /21s.
Your dump only has 2 IPs in it though, on your /19, so not representative.
My dump is 500 SYN-ACKs returned in 14 seconds to 32 IPs in a /22. This would
give 128M ftp r
Yeah, it is an oddball attack for sure. Here is a 5000-packet sample of
what I was seeing in connection to this attack:
https://mystagic.io/80to21.pcap . I don't think it's the entire /0 for the FTP
port, as I am not seeing it on many other subnets, which is why I am
thinking someone did a pre-scan before
I think Ken has nailed it. I think the source addresses are spoofed so you
reflect the connection (tcp syn ack) to those source addresses. Get enough of
those connections and the server is dead.
Since your port 21 is open
telnet 109.72.248.114 21
Trying 109.72.248.114...
Connected to 109.72.24
lto:selphie.kel...@gmail.com]
> *Sent:* November-01-16 1:13 PM
> *To:* Emille Blanc
> *Cc:* Ken Chase; Oleg A. Arkhangelsky; nanog@nanog.org
>
> *Subject:* Re: Syn flood to TCP port 21 from privileged port (80)
>
> Does the synflood have tcp option headers?
>
Emille Blanc
Cc: Ken Chase; Oleg A. Arkhangelsky; nanog@nanog.org
Subject: Re: Syn flood to TCP port 21 from privileged port (80)
Does the synflood have tcp option headers?
I am seeing this same activity at our forward observation system; however, it's
not showing any TCP options like mss,sa
ur AS.
>
> Obligatory data should this be of use to anyone listening in.
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
> Sent: November-01-16 12:29 PM
> To: Oleg A. Arkhangelsky
> Cc: nanog@nanog.org
> Subject: Re: Syn flo
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
Sent: November-01-16 12:29 PM
To: Oleg A. Arkhangelsky
Cc: nanog@nanog.org
Subject: Re: Syn flood to TCP port 21 from privileged port (80)
seeing an awful lot of port 80 hitting port 21. (Why would port 80
ever be used as source
Not sure why reflected RSTs are the goal here; they're not much of an
amplification to the original SYN size. Additionally, it's causing a mild DoS of
my clients' stuff when it begins throttling the # of connections, i.e. noticeable.
(Not that I want to help scriptkids improve their attacks...). I'm guessing p
Seeing an awful lot of port 80 hitting port 21. (Why would port 80
ever be used as source?). Also saw a buncha cPanel "FAILED: FTP" alerts
flickering on and off as the service throttled itself at a couple client sites
I manage.
I see 540 unique source IPs hitting 32 destinations on my network in
01.11.2016, 22:06, "Eric Tykwinski" :
> Oleg,
>
> I'm seeing the same to a single client here; source IPs seem to be matching up
> as well.
> I attached a pcap, just so you can compare.
>
And the same sources:
141.138.128.0 - 141.138.135.255
194.73.173.0 - 194.73.173.127
95.131.184.0 - 95.131.1
Hello,
A couple of cuts from tcpdump output:
21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 1376379765, win 8192, length 0
21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 2254756684, win 8192, length 0
21:27:50.413927 IP 95.131.188.179.80 > 10
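As an added defender-side example (my own code, not posted by anyone on the list), here is a small Python filter over tcpdump one-line records that picks out the pattern the thread describes (bare SYN, source port 80, destination port 21, win 8192, no TCP options) and tallies distinct spoofed sources per targeted host; the regex, the REPORTED_SOURCES list built from the two complete ranges quoted above, and the constructed sample records beyond the thread's own two cuts are my assumptions.

```python
import re
import ipaddress
from collections import defaultdict

# tcpdump's default one-line TCP record: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [..], ..., win N, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?win (?P<win>\d+)"
)

# Source ranges reported in the thread (141.138.128.0-141.138.135.255 and 194.73.173.0-194.73.173.127)
REPORTED_SOURCES = [ipaddress.ip_network(n) for n in ("141.138.128.0/21", "194.73.173.0/25")]

def parse_line(line):
    """Parse one tcpdump record into a dict; return None for lines that are not TCP records."""
    m = LINE_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt.update(sport=int(pkt["sport"]), dport=int(pkt["dport"]), win=int(pkt["win"]))
    # tcpdump prints "options [...]" only when the segment actually carries TCP options
    pkt["has_options"] = "options [" in line
    return pkt

def is_flood_syn(pkt):
    """The thread's signature: bare SYN, sport 80, dport 21, win 8192, no TCP options (real client SYNs carry MSS)."""
    return (pkt is not None and pkt["flags"] == "S" and pkt["sport"] == 80
            and pkt["dport"] == 21 and pkt["win"] == 8192 and not pkt["has_options"])

def in_reported_ranges(ip):
    """True if a (spoofed) source address lies inside a range other list members reported."""
    return any(ipaddress.ip_address(ip) in net for net in REPORTED_SOURCES)

def summarize(lines):
    """Map each targeted destination to the sorted list of distinct spoofed sources hitting it."""
    per_dst = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if is_flood_syn(pkt):
            per_dst[pkt["dst"]].add(pkt["src"])
    return {dst: sorted(srcs) for dst, srcs in per_dst.items()}

# Constructed sample: the first two records are the thread's own tcpdump cuts, the rest are made up
SAMPLE = [
    "21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 1376379765, win 8192, length 0",
    "21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 2254756684, win 8192, length 0",
    "21:31:55.300000 IP 141.138.130.9.80 > 109.72.248.114.21: Flags [S], seq 77, win 8192, length 0",
    "21:31:56.000000 IP 198.51.100.7.51514 > 109.72.248.114.21: Flags [S], seq 1, win 29200, options [mss 1460,sackOK,nop,wscale 7], length 0",
    "21:31:56.000100 IP 109.72.248.114.21 > 141.138.131.115.80: Flags [S.], seq 5, ack 1376379766, win 29200, options [mss 1460], length 0",
]
```

Feed it `tcpdump -nn tcp` output one record per line (the wrapped cuts above must be rejoined first); a legitimate client SYN and the server's own SYN-ACK reply in the sample are correctly left out of the tally.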