[GTER] UDP attack from source port 1900

Rodrigo Baldasso rodrigo at loophost.com.br
Thu Apr 30 08:00:39 -03 2015


We are also receiving 1 Gbps of attack traffic, yesterday and today, SSDP amplification:

On 29/04/2015 22:04, Jonathan Falcão wrote:
> Wow! After this I'm even going to check my own network!
>
> On Wed, 29 Apr 2015 17:28, Wilson R Lopes <wilsonlopes00 at gmail.com>
> wrote:
>
>> https://ssdpscan.shadowserver.org/asn.csv
>>
>> To give an idea, BR ASNs with more than 1,000 IPs on the list:
>>
>> count ips,country code,asn
>>
>> 1157,BR,28281
>> 1340,BR,28202
>> 1513,BR,28668
>> 1676,BR,19182
>> 3227,BR,22689
>> 4089,BR,22085
>> 4091,BR,26615
>> 6390,BR,14868
>> 16012,BR,53006
>> 17292,BR,7738
>> 31999,BR,8167
>> 46089,BR,28573
>> 46216,BR,18881
>> 59768,BR,26599
>> 102147,BR,27699
>>
>> On 29 April 2015 at 17:02, Wilson R Lopes <wilsonlopes00 at gmail.com>
>> wrote:
>>> SSDP abuse - amplification by a factor of 30x
>>>
>>> The project below aims to map hosts with open SSDP and
>>> notify the owners for remediation.
>>>
>>> https://ssdpscan.shadowserver.org/
>>>
>>> The situation is critical - worldwide ~13.5 million hosts with open SSDP.
>>> In Brazil alone ~365k. Large Brazilian access providers -
>>> Telefonica, Net, GVT, Oi - are on the list with thousands of IPs (given
>>> the protocol, home customers' routers)
>>>
>>> This exploitation is recent and has jumped very quickly. Arbor reports in
>>> the Atlas service only 3 attacks of this type in the first four months
>>> of last year, against 126k this year.
>>>
>>> www.arbornetworks.com/news-and-events/press-releases/recent-pess-releases/5405-arbor-networks-records-largest-ever-ddos-attack-in-q1-2015-ddos-report
>>>
>>> Wilson.
>>>
>>> On 28 April 2015 at 19:10, Renan Montoro <renan.m at msn.com> wrote:
>>>> Folks, good evening.
>>>>
>>>> Thanks to everyone who replied; it really is an SSDP/PnP amplification
>>>> attack. Dropping src-port 1900 really didn't last long and the traffic
>>>> shot up after a few minutes. I only solved it by asking the carrier to
>>>> block UDP src-port 1900, but they told me the filter is removed after
>>>> 48 hours.
>>>> As for protection on their side, coincidence or not, they (Algar)
>>>> called me and talked about buying a product of theirs that does that
>>>> protection. This after a few attacks in less than 15 days, and after 2
>>>> years of having a link with them without ever having had such a problem.
>>>> I won't lie. I was wary. Vivo is after me with better-priced proposals;
>>>> Algar is going to end up losing the customer, since I already have a
>>>> link with Vivo at another location and never faced this problem.
>>>> Regards,
>>>>
>>>>
>>>> Renan Alves Montoro
>>>> MikroTik Certified MTCNA
>>>> RVNeT - Soluções em Internet
>>>> www.rvnett.com.br
>>>>
>>>>> Date: Tue, 28 Apr 2015 10:23:16 -0300
>>>>> From: danton.nunes at inexo.com.br
>>>>> To: gter at eng.registro.br
>>>>> Subject: Re: [GTER] UDP attack from source port 1900
>>>>>
>>>>> On Mon, 27 Apr 2015, Renan Montoro wrote:
>>>>>
>>>>>> Has anyone faced this kind of attack? Several source IPs from several
>>>>>> blocks, UDP protocol, but source port 1900. It has happened to me
>>>>>> twice; traffic rises absurdly, up to the limit contracted with the
>>>>>> carrier. I solved it by blocking everything coming in with UDP source
>>>>>> port 1900.
>>>>> and what destination port? is it some attack aiming at amplification?
>>>>>
>>>>> --
>>>>> gter list https://eng.registro.br/mailman/listinfo/gter

-- 
LoopHost Datacenter & Servidores
(11) 2626-5458 / (51) 2626-1217
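Added example, not code from anyone in this thread: a small Python parser for tcpdump's default UDP line format (`IP src.port > dst.port: UDP, length N`) that flags inbound packets from UDP/1900 towards a port that never issued an M-SEARCH as reflected SSDP responses and totals packets, bytes and distinct reflector IPs per victim, the figures to hand the upstream when asking for the source-port 1900 filter. The sample lines and addresses are constructed (documentation ranges), not the ones from the capture in the thread.

```python
import re
from collections import Counter

# Constructed sample in tcpdump's default UDP line format (documentation-range
# addresses, not the real addresses from the capture posted in the thread).
SAMPLE_CAPTURE = """\
08:50:25.357463 IP 198.51.100.10.1900 > 192.0.2.7.80: UDP, length 320
08:50:25.357646 IP 203.0.113.44.1900 > 192.0.2.7.80: UDP, length 300
08:50:25.357824 IP 203.0.113.44.1900 > 192.0.2.7.80: UDP, length 302
08:50:25.372145 IP 192.0.2.18.7300 > 8.8.8.8.53: UDP, length 44
08:50:25.373071 IP 198.51.100.63.36679 > 192.0.2.7.80: UDP, length 345
08:50:25.373238 IP 203.0.113.55.1900 > 192.0.2.7.80: UDP, length 268
"""

SSDP_PORT = 1900
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)

def parse_udp_line(line):
    """Parse one tcpdump UDP line; return None for lines in any other format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    return {"src": f["src"], "sport": int(f["sport"]), "dst": f["dst"],
            "dport": int(f["dport"]), "length": int(f["length"])}

def is_reflected_ssdp(pkt):
    """SSDP responses come from UDP/1900. A packet from 1900 to a port that never
    sent an M-SEARCH (port 80 here) is a reflected response, not an answer to us."""
    return pkt["sport"] == SSDP_PORT and pkt["dport"] != SSDP_PORT

def summarize_reflection(capture_text):
    """Per-victim packets, bytes and per-reflector hit counts: the numbers to give
    the upstream when requesting a UDP source-port 1900 filter."""
    victims = {}
    for line in capture_text.splitlines():
        pkt = parse_udp_line(line)
        if pkt is None or not is_reflected_ssdp(pkt):
            continue
        v = victims.setdefault(pkt["dst"],
                               {"packets": 0, "bytes": 0, "reflectors": Counter()})
        v["packets"] += 1
        v["bytes"] += pkt["length"]
        v["reflectors"][pkt["src"]] += 1
    return victims
```

Feed it the output of `tcpdump -n udp` from the border; the unrelated DNS query in the sample (source port 7300) is correctly left out of the totals, which is the check that a plain "source port 1900" rule does not give you.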



