[174116] in North American Network Operators' Group
Re: where to go to understand DDoS attack vector
daemon@ATHENA.MIT.EDU (Roland Dobbins)
Tue Aug 26 07:57:42 2014
X-Original-To: nanog@nanog.org
From: Roland Dobbins <rdobbins@arbor.net>
In-Reply-To: <53FC7410.9010203@meetinghouse.net>
Date: Tue, 26 Aug 2014 18:57:27 +0700
To: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Aug 26, 2014, at 6:48 PM, Miles Fidelman <mfidelman@meetinghouse.net> wrote:

> Immediate issue is dealt with (at least for us, target seems to be off the air) - but want to understand this, report it, all of that.

IPMI boards are reported as being used in reflection/amplification attacks of various kinds; the ntp one is straightforward, as you note.

This may be some sort of chargen-like packet reflector that's either built into the firmware, or that an attacker has managed to insert, somehow. The 'mailto:' bit is interesting; it might work sort of like SNMP reflection/amplification attacks work, where the attacker is using some sort of management functionality to walk the device config or somesuch, packetize it, and blast it out as packet-padding.

Does the target of the attack have flow telemetry records or complete packets? Because the one you posted looked incomplete (29 bytes?) . . .
----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
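As an added illustration (not part of Roland's message or anything else in the thread), here is the kind of triage pass a target could run over the flow telemetry he asks about: it picks out UDP sources answering from well-known reflector service ports whose packet counts and average reply size look like amplified responses. The port list, the thresholds and the flow records are all constructed assumptions for this example.

```python
from collections import defaultdict

# UDP services frequently abused as reflectors; 623/udp is RMCP, the
# transport IPMI uses. Assumed list for this example, not from the thread.
REFLECTOR_PORTS = {19: "chargen", 123: "ntp", 161: "snmp", 623: "ipmi-rmcp"}

# Constructed flow records shaped like a NetFlow/IPFIX export:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, octets)
FLOWS = [
    ("192.0.2.10", 123, "203.0.113.5", 48211, "udp", 4000, 1936000),
    ("192.0.2.11", 623, "203.0.113.5", 48211, "udp", 2500, 1500000),
    ("192.0.2.12", 161, "203.0.113.5", 48213, "udp", 12, 1800),
    ("192.0.2.12", 53, "203.0.113.5", 48212, "udp", 3, 300),
    ("198.51.100.7", 443, "203.0.113.5", 51000, "tcp", 120, 96000),
]


def find_reflectors(flows, min_packets=1000, min_avg_octets=400):
    """Return suspected reflector sources: UDP flows sourced from a known
    reflector service port, with enough packets to matter and an average
    packet size large enough to be an amplified reply rather than a query."""
    suspects = []
    for src, sport, dst, dport, proto, pkts, octets in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS or pkts < min_packets:
            continue
        avg = octets / pkts
        if avg >= min_avg_octets:
            suspects.append({"reflector": src, "service": REFLECTOR_PORTS[sport],
                             "target": dst, "packets": pkts, "octets": octets,
                             "avg_octets": round(avg, 1)})
    return suspects


def octets_per_target(suspects):
    """Aggregate suspected amplified traffic per victim address, which is
    what you would hand to the upstream when asking for a filter."""
    totals = defaultdict(int)
    for s in suspects:
        totals[s["target"]] += s["octets"]
    return dict(totals)


if __name__ == "__main__":
    hits = find_reflectors(FLOWS)
    for h in hits:
        print(f'{h["reflector"]} ({h["service"]}) -> {h["target"]}: '
              f'{h["packets"]} pkts, {h["avg_octets"]} B/pkt')
    print(octets_per_target(hits))
```

Tune the thresholds to the link: on a real export the ratio of reply bytes to request bytes per reflector, not just average reply size, is the number that settles whether you are looking at amplification.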