[GTER] Alert: unknown UDP packets with absurd volumes
Aristeu Gil Alves Jr
suporte at wahtec.com.br
Mon Jan 3 15:51:45 -02 2005
Hi,
A reply appeared in the handlers diary a few days later, regarding the link
reported by Wander Menezes. Follow
http://isc.sans.org/diary.php?date=2004-12-13
I followed the case from the start and it was interesting. What is striking
is that the netblock causing the DoS is still sending packets and, it seems,
has not taken any action.
Update: Mysterious UDP Solved?
One of our diligent handlers was able to locate a compromised system
sending out malformed UDP packets identical to those we've been
describing over the past few days. The proposed solution to this
conundrum is as follows:
Mr. L. Haxor lives in the 83.102.166.0/24 netblock. Haxor irritates
some of his fellow kiddies on IRC. One decides to teach Mr. Haxor a
lesson, by at least partially custom coding a severely broken
implementation of a reflective amplification attack via recursive DNS
queries. Had his packet-fu not been so bad, this probably would have
been a pretty decent attack. As it stands, it ended up being a limited
resource exhaustion attack against analysts' cycles.
A big thanks to everyone who submitted packets and assisted with
analysis.
For more information on how to prevent your resources from being used
in a *successful* DoS attack, check out the following guide:
http://www.sans.org/dosstep/
[]'s
--Aristeu
--------------------
Hello
Over here, requests from the 83.102.166.0/24 network are still "hitting".
tcpdump -i ethX -n 'src net 83.102.166 and (ip[6] & 0x20 = 0 and ip[6:2] & 0x1fff != 0)' -tttt -vvvv -x -X
01/03/2005 15:31:47.851690 83.102.166.46 > 200.X.X.X: udp (frag 24897:25 at 512) (ttl 49, len 45)
0x0000 4500 002d 6141 0040 3111 9ee4 5366 a62e E..-aA.@1...Sf..
0x0010 c8c3 c702 11ef 0035 0019 ee44 71f7 0100 .......5...Dq...
0x0020 0001 0000 0000 0000 0000 0200 0100 ..............
01/03/2005 15:31:56.652519 83.102.166.131 > 200.X.X.X: udp (frag 16656:25 at 512) (ttl 49, len 45)
0x0000 4500 002d 4110 0040 3111 bec0 5366 a683 E..-A..@1...Sf..
0x0010 c8c3 c702 11ef 0035 0019 edef 71f7 0100 .......5....q...
0x0020 0001 0000 0000 0000 0000 0200 0100 ..............
01/03/2005 15:32:02.667775 83.102.166.47 > 200.X.X.X: udp (frag 36892:25 at 512) (ttl 49, len 45)
0x0000 4500 002d 901c 0040 3111 7004 5366 a62f E..-...@1.p.Sf./
0x0010 c8c3 c706 11ef 0035 0019 ee3f 71f7 0100 .......5...?q...
0x0020 0001 0000 0000 0000 0000 0200 0100 ..............
01/03/2005 15:32:02.851757 83.102.166.55 > 200.X.X.X: udp (frag 38350:25 at 512) (ttl 49, len 45)
0x0000 4500 002d 95ce 0040 3111 7146 5366 a637 E..-...@1.qFSf.7
0x0010 c8c3 c00a 11ef 0035 0019 f533 71f7 0100 .......5...3q...
0x0020 0001 0000 0000 0000 0000 0200 0100 ..............
01/03/2005 15:32:04.625090 83.102.166.15 > 200.X.X.X: udp (frag 63997:25 at 512) (ttl 49, len 45)
0x0000 4500 002d f9fd 0040 3111 0cc4 5366 a60f E..-...@1...Sf..
0x0010 c8c3 c085 11ef 0035 0019 f4e0 71f7 0100 .......5....q...
0x0020 0001 0000 0000 0000 0000 0200 0100 ..............
01/03/2005 15:32:05.470183 83.102.166.4 > 200.X.X.X: udp (frag 10864:25 at 512) (ttl 49, len 45)
0x0000 4500 002d 2a70 0040 3111 dc5c 5366 a604 E..-*p.@1..\Sf..
0x0010 c8c3 c085 11ef 0035 0019 f4eb 71f7 0100 .......5....q...
0x0020 0001 0000 0000 0000 0000 0200 0100 ..............
01/03/2005 15:32:06.303029 83.102.166.33 > 200.X.X.X: udp (frag 21300:25 at 512) (ttl 49, len 45)
0x0000 4500 002d 5334 0040 3111 b3f6 5366 a621 E..-S4.@1...Sf.!
0x0010 c8c3 c00a 11ef 0035 0019 f549 71f7 0100 .......5...Iq...
0x0020 0001 0000 0000 0000 0000 0200 0100 ..............
--
[ ]'s
Humberto Sartini
http://web.onda.com.br/humberto
On Sun, 2 Jan 2005 15:01:29 -0200, Wander Menezes <wander at dominal.com> wrote:
> Sirs,
>
> After an attack with a monstrous volume (+50 MBs) that was blocked by the
> carriers that provide service to my company using BGP (with black hole
> techniques), I captured the kind of UDP traffic reaching my routers and
> firewalls:
>
> 17:41:26.113664 64.23.1.61 > x.x.x.x: udp (frag 8347:25 at 512) (ttl 55, len 45)
> 4500 05dc 209b 74f5 2e11 5699 4017 013d
> c896 90fd 4242 4242 4242 4242 4242 4242
> 4242 4242 4242 4242 4242 4242 4242 4242
> 4242 4242 4242 4242 4242 4242 4242 4242
> 4242 4242 4242 4242 4242 4242 4242 4242
> 4242