I apologize for the potentially obvious question, but I've been through sf, google, etc. and can't find anything.

I have a customer that is currently getting several hundred thousand packets per second sent to them on 80/udp. /etc/services lists 80/udp as IANA assigned for http, but I've never seen a UDP implementation of HTTP, so I'm assuming it's a sneaky DoS/DDoS of some kind.

ACLs seem to work to catch it, but I'm curious if anyone has seen this specific attack (80/udp) before.

Thanks
-Scott

--
Scott Call
Router Geek, ATGi, home of $6.95 Prime Rib
I make the world a better place, I boycott Wal-Mart
VoIP incoming: +1 360-382-1814
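The check Scott describes, sorted out in code: UDP arriving at a port that the host serves only over TCP, at a rate no real service would produce, is the flood, and the ACL drops it by protocol and port. This is an added example, not code from the thread; the flow records are constructed, and the "expected UDP ports" set, the pps threshold and the Cisco IOS extended-ACL output format are assumptions for the illustration.

```python
"""Tell a UDP/80 flood apart from the HTTP traffic a host actually serves,
then emit the Cisco IOS extended-ACL entries that would drop it.
Added example; not code from the original thread."""
from collections import defaultdict

# Constructed sample: roughly one second of flow summaries toward the
# customer host 192.0.2.10.  Format: proto src dst dport packets
SAMPLE_FLOWS = """\
udp 200.1.2.3      192.0.2.10 80  60000
udp 203.0.113.7    192.0.2.10 80  55000
udp 1.2.3.4        192.0.2.10 80  70000
udp 200.5.6.7      192.0.2.10 80  65000
udp 198.51.100.9   192.0.2.10 53  12
tcp 198.51.100.20  192.0.2.10 80  40
tcp 203.0.113.8    192.0.2.10 80  45
tcp 203.0.113.9    192.0.2.10 443 30
"""

# Assumption: the host runs no UDP listener other than DNS.  What
# /etc/services assigns to 80/udp is irrelevant; what is listening is not.
EXPECTED_UDP_PORTS = {53}
FLOOD_PPS = 100_000   # assumption: per-port rate that is clearly abusive here


def parse_flows(text):
    """Return (proto, src, dst, dport, packets) tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, dport, pkts = line.split()
        flows.append((proto.lower(), src, dst, int(dport), int(pkts)))
    return flows


def summarize(flows):
    """Aggregate packet count and distinct sources per (dst, proto, dport)."""
    pkts = defaultdict(int)
    srcs = defaultdict(set)
    for proto, src, dst, dport, n in flows:
        key = (dst, proto, dport)
        pkts[key] += n
        srcs[key].add(src)
    return {k: (pkts[k], len(srcs[k])) for k in pkts}


def find_floods(flows, window_s=1.0):
    """UDP to a port with no legitimate listener, above FLOOD_PPS, is a flood.

    Returns [(dst, proto, dport, pps, distinct_sources)] sorted by pps, highest first.
    """
    floods = []
    for (dst, proto, dport), (n, nsrc) in summarize(flows).items():
        pps = n / window_s
        if proto == "udp" and dport not in EXPECTED_UDP_PORTS and pps >= FLOOD_PPS:
            floods.append((dst, proto, dport, pps, nsrc))
    return sorted(floods, key=lambda f: f[3], reverse=True)


def acl_for(floods):
    """Cisco IOS extended-ACL lines dropping each flood.

    Non-initial fragments carry no UDP header, so a port match never sees
    them; the per-host 'fragments' entry catches those.  Ends with permit-any.
    """
    lines = []
    frag_done = set()
    for dst, proto, dport, _pps, _n in floods:
        lines.append(f"deny {proto} any host {dst} eq {dport}")
        if (dst, proto) not in frag_done:
            lines.append(f"deny {proto} any host {dst} fragments")
            frag_done.add((dst, proto))
    lines.append("permit ip any any")
    return lines


if __name__ == "__main__":
    floods = find_floods(parse_flows(SAMPLE_FLOWS))
    for dst, proto, dport, pps, nsrc in floods:
        print(f"{proto}/{dport} -> {dst}: {pps:,.0f} pps from {nsrc} sources")
    print("\n".join(acl_for(floods)))
```

On the sample the four UDP/80 sources add up to 250,000 pps and are flagged, while the DNS queries and the TCP/80 and TCP/443 sessions are left alone; the fragments entry is what makes the ACL hold up when the attacker pads packets past the path MTU.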
Yes, this seems to be a common thing these days. You send UDP/large UDP packets and fragments to port 80 to saturate bandwidth, and you combine that with compromised hosts successively opening and closing TCP connections to port 80 (not a SYN flood; actual connections that look to the router, in terms of packet size etc., to be legitimate). A note that the majority of these hosts are from LACNIC and APNIC space (with a smattering from RIPE). I almost never see ARIN address space used for these compromised hosts.

Most of the attacks I've seen recently have used this setup.

Easy enough to fend off except for the TCP 80 bit. For most of these attacks, I've taken to just filtering the entire LACNIC and APNIC address delegations at the host level for the duration of the incident since, in the general case, my customers (the ones that suffer these incidents) do little if any business in that region.

On Wed, Feb 18, 2004 at 02:45:14AM -0800, Scott Call wrote:
> I apologize for the potentially obvious question, but I've been through sf, google, etc. and can't find anything.
>
> I have a customer that is currently getting several hundred thousand packets per second sent to them on 80/udp. /etc/services lists 80/udp as IANA assigned for http, but I've never seen a UDP implementation of HTTP, so I'm assuming it's a sneaky DoS/DDoS of some kind.
>
> ACLs seem to work to catch it, but I'm curious if anyone has seen this specific attack (80/udp) before.
>
> Thanks
> -Scott
>
> --
> Scott Call
> Router Geek, ATGi, home of $6.95 Prime Rib
> I make the world a better place, I boycott Wal-Mart
> VoIP incoming: +1 360-382-1814
---
Wayne Bouchard
web@typo.org
Network Dude
http://www.typo.org/~web/
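"Filtering the entire LACNIC and APNIC address delegations" means turning each registry's published delegated-stats file into a prefix list. This is an added example, not code from the thread or from any registry; the line format (registry|cc|type|start|value|date|status, with a version header, per-type summary lines and # comments) is the real one each RIR publishes, but the rows below are constructed, and the Cisco IOS extended-ACL rendering and the choice of statuses to block are assumptions.

```python
"""Turn an RIR delegated-stats excerpt into the prefix list behind
"filter the whole LACNIC and APNIC delegations", then render it as
Cisco IOS extended-ACL lines.  Added example, not code from the thread."""
import ipaddress

# Constructed rows in the delegated-stats format; not a real download.
# IPv4 'value' is a count of addresses, IPv6 'value' is a prefix length.
SAMPLE_DELEGATED = """\
2|apnic|20040219|6|19830101|20040218|+1000
apnic|*|ipv4|*|2|summary
#constructed rows, not a real download
apnic|JP|ipv4|1.0.16.0|4096|20040101|allocated
apnic|CN|ipv4|1.2.4.0|768|20040102|allocated
apnic|AU|ipv6|2001:200::|35|20040103|allocated
lacnic|BR|ipv4|200.0.0.0|65536|20040104|allocated
lacnic|AR|ipv4|200.1.0.0|65536|20040104|assigned
ripencc|DE|ipv4|80.0.0.0|1048576|20040105|allocated
"""

# Assumption: only space actually handed out is worth a filter entry.
ROUTED_STATUSES = {"allocated", "assigned"}


def parse_delegated(text, registries, families=("ipv4",)):
    """Return collapsed networks for the given registries and address families.

    IPv4 counts need not be powers of two (768 above), so a single row can
    become several CIDR blocks; adjacent rows are merged afterwards.
    """
    nets = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7 or fields[0].isdigit():   # summary line / version header
            continue
        registry, _cc, family, start, value, _date, status = fields[:7]
        if registry not in registries or family not in families:
            continue
        if status not in ROUTED_STATUSES:
            continue
        if family == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + int(value) - 1
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(f"{start}/{value}"))
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def to_acl(nets, dst_host):
    """Cisco IOS extended ACL: deny each source prefix (as a wildcard mask)
    toward the attacked host, then permit everything else."""
    lines = []
    for n in nets:
        if n.version != 4:
            continue   # IOS IPv6 ACLs use prefix notation and a different syntax
        lines.append(f"deny ip {n.network_address} {n.hostmask} host {dst_host}")
    lines.append("permit ip any any")
    return lines


if __name__ == "__main__":
    prefixes = parse_delegated(SAMPLE_DELEGATED, {"apnic", "lacnic"})
    print("\n".join(str(p) for p in prefixes))
    print("\n".join(to_acl(prefixes, "192.0.2.10")))
```

Two things the sample makes visible: the 768-address CN row becomes a /23 plus a /24, and the two adjacent LACNIC /16s collapse into one /15. On the real files, which run to thousands of rows per registry, collapsing first is what keeps the resulting ACL short enough for a router to take; even so the filter is as coarse as Wayne says, blocking every legitimate user in the region along with the bots.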
Wayne E. Bouchard wrote:
> Yes, this seems to be a common thing these days. You send UDP/large UDP packets and fragments to port 80 to saturate bandwidth, and you combine that with compromised hosts successively opening and closing TCP connections to port 80 (not a SYN flood; actual connections that look to the router, in terms of packet size etc., to be legitimate). A note that the majority of these hosts are from LACNIC and APNIC space (with a smattering from RIPE). I almost never see ARIN address space used for these compromised hosts.
>
> Most of the attacks I've seen recently have used this setup.
>
> Easy enough to fend off except for the TCP 80 bit. For most of these attacks, I've taken to just filtering the entire LACNIC and APNIC address delegations at the host level for the duration of the incident since, in the general case, my customers (the ones that suffer these incidents) do little if any business in that region.
We've seen >1Gb/s connection-filling attacks from ARIN space, especially 24.x blocks.

FYI,

Deepak Jain
AiNET
Wayne E. Bouchard [2/19/2004 6:16 AM]:

> Easy enough to fend off except for the TCP 80 bit. For most of these attacks, I've taken to just filtering the entire LACNIC and APNIC address delegations at the host level for the duration of the incident since, in the general case, my customers (the ones that suffer these incidents) do little if any business in that region.
May I suggest extending your ACLs to filter 0/0? I have seen quite a lot of this from ARIN (mostly cablemodem land, 24/8) as well as RIPE space (again cablemodem land -> trojaned zombies?).

srs

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations