Re: where to go to understand DDoS attack vector

2014-08-26 Thread Brian Rak
On 8/26/2014 8:28 PM, Larry Sheldon wrote: On 8/26/2014 08:31, Roland Dobbins wrote: On Aug 26, 2014, at 8:26 PM, Stephen Satchell wrote: qotd 17/udp quote No, that's the protocol number - 17 is UDP - not the port number. Really? http://en.wikipedia.org/wiki/List_o

Re: where to go to understand DDoS attack vector

2014-08-26 Thread Larry Sheldon
On 8/26/2014 08:31, Roland Dobbins wrote: On Aug 26, 2014, at 8:26 PM, Stephen Satchell wrote: qotd 17/udp quote No, that's the protocol number - 17 is UDP - not the port number. Really? http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers udp DID used to b

Re: where to go to understand DDoS attack vector

2014-08-26 Thread John
On 8/26/2014 10:40 AM, Miles Fidelman wrote: That's about as far as I've gotten. What has me scratching my head is what is setting the source port. This has all the earmarks of a reflection attack, except... I'm not running anything that presents as port 2072 (msync) - so either the attack is

Re: where to go to understand DDoS attack vector

2014-08-26 Thread Miles Fidelman
me wrote: On 08/26/2014 07:58 AM, Roland Dobbins wrote: On Aug 26, 2014, at 8:37 PM, John York wrote: In this case, 17 is both the protocol and port number. Confusing coincidence :) Not in this output which the OP sent to the list: 8:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags

Re: where to go to understand DDoS attack vector

2014-08-26 Thread Brian Rak
On 8/26/2014 12:52 PM, me wrote: On 08/26/2014 07:58 AM, Roland Dobbins wrote: On Aug 26, 2014, at 8:37 PM, John York wrote: In this case, 17 is both the protocol and port number. Confusing coincidence :) Not in this output which the OP sent to the list: 8:33:58.482193 IP (tos 0x0, ttl 5

Re: where to go to understand DDoS attack vector

2014-08-26 Thread me
On 08/26/2014 07:58 AM, Roland Dobbins wrote: On Aug 26, 2014, at 8:37 PM, John York wrote: In this case, 17 is both the protocol and port number. Confusing coincidence :) Not in this output which the OP sent to the list: 8:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], prot

Re: where to go to understand DDoS attack vector

2014-08-26 Thread Roland Dobbins
On Aug 26, 2014, at 11:02 PM, valdis.kletni...@vt.edu wrote: > Took me a few seconds to figure it out too, am a tad low on caffeine today. :) doh, lack of proper sanitization/escaping strikes again! -- Roland Dobbins //

Re: where to go to understand DDoS attack vector

2014-08-26 Thread Valdis Kletnieks
On Tue, 26 Aug 2014 18:57:27 +0700, Roland Dobbins said: >. The 'mailto:' bit is interesting; it might work sort of like SNMP >reflection/amplificati Nope. It's a red herring, somebody's MUA trying to get *far* too clever with the fact that there's a literal "@.8" in the ascii dump part of

Re: where to go to understand DDoS attack vector

2014-08-26 Thread Roland Dobbins
On Aug 26, 2014, at 8:37 PM, John York wrote: > In this case, 17 is both the protocol and port number. Confusing coincidence > :) Not in this output which the OP sent to the list: > 8:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP > (17), length 29) x.x.x.x.2072 > x.

RE: where to go to understand DDoS attack vector

2014-08-26 Thread John York
In this case, 17 is both the protocol and port number. Confusing coincidence :) > -Original Message- > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Roland > Dobbins > Sent: Tuesday, August 26, 2014 8:32 AM > To: nanog@nanog.org > Subject: Re: where to go

Re: where to go to understand DDoS attack vector

2014-08-26 Thread Roland Dobbins
On Aug 26, 2014, at 8:26 PM, Stephen Satchell wrote: > qotd 17/udp quote No, that's the protocol number - 17 is UDP - not the port number. -- Roland Dobbins //

Re: where to go to understand DDoS attack vector

2014-08-26 Thread Stephen Satchell
qotd 17/udp quote You're not blocking small services outbound at the edge? On 08/26/2014 05:18 AM, Miles Fidelman wrote: > Roland Dobbins wrote: >> On Aug 26, 2014, at 6:48 PM, Miles Fidelman >> wrote: >> >>> Immediate issue is dealt with (at least for us, target seems to be

Re: where to go to understand DDoS attack vector

2014-08-26 Thread Roland Dobbins
On Aug 26, 2014, at 7:18 PM, Miles Fidelman wrote: > Can you say a bit more about what I might look for in trying to track this > down? Fuzz your IPMI boards? ;> My guess is that this is going to come to light sooner rather than later. We're getting reports of other DDoS attacks which seem

Re: where to go to understand DDoS attack vector

2014-08-26 Thread Miles Fidelman
Roland Dobbins wrote: On Aug 26, 2014, at 6:48 PM, Miles Fidelman wrote: Immediate issue is dealt with (at least for us, target seems to be off the air) - but want to understand this, report it, all of that. IPMI boards are reported as being used in reflection/amplification attacks of vario

Re: where to go to understand DDoS attack vector

2014-08-26 Thread Roland Dobbins
On Aug 26, 2014, at 6:48 PM, Miles Fidelman wrote: > Immediate issue is dealt with (at least for us, target seems to be off the > air) - but want to understand this, report it, all of that. IPMI boards are reported as being used in reflection/amplification attacks of various kinds; the ntp on

where to go to understand DDoS attack vector

2014-08-26 Thread Miles Fidelman
Hi Folks, Possibly a little off-topic for nanog, but I couldn't think of anywhere else to ask this (suggestions please!): We just discovered a vulnerability the hard way - someone used one of our IPMI boards as a vector for a DDoS attack (well, I guess the real hard way would be to have been