[GTER] DDoS attack

Guilherme Boing kolt at frag.com.br
Mon Oct 5 11:58:45 -03 2015


1900 is DDoS using SSDP as an amplifier.

2015-10-05 11:26 GMT-03:00 Rodrigo Meireles <mikrotikfull at gmail.com>:

> Which router is running BGP?
> The edge router?
> 1900 is the Neighbor Discovery protocol!
> Disable discovery on the edge and test!
>
> 2015-10-05 7:35 GMT-03:00 Glauber Derlland <glauber at vescnet.com.br>:
>
> > Good morning,
> >
> > Is anyone facing this kind of attack?
> >
> > Sep/29/2015 19:56:55 , proto UDP, 88.250.183.167:1900->XXX.XXX.XXX.XXX:80, len 266
> > Sep/29/2015 19:56:55 , proto UDP, 95.9.114.232:1900->XXX.XXX.XXX.XXX:80, len 321
> > Sep/29/2015 19:56:55 , proto UDP, 95.9.114.232:1900->XXX.XXX.XXX.XXX:80, len 321
> > Sep/29/2015 19:56:55 , proto UDP, 78.186.8.157:1900->XXX.XXX.XXX.XXX:80, len 321
> > Sep/29/2015 19:56:55 , proto UDP, 72.229.228.53:1900->XXX.XXX.XXX.XXX:80, len 338
> > Sep/29/2015 19:56:55 , proto UDP, 41.196.86.182:1900->XXX.XXX.XXX.XXX:80, len 258
> > Sep/29/2015 19:56:55 , proto UDP, 75.89.110.97:1900->XXX.XXX.XXX.XXX:80, len 367
> > Sep/29/2015 19:56:55 , proto UDP, 173.186.125.161:1900->XXX.XXX.XXX.XXX:80, len 359
> > Sep/29/2015 19:56:55 , proto UDP, 85.96.207.61:1900->XXX.XXX.XXX.XXX:80, len 316
> > Sep/29/2015 19:56:55 , proto UDP, 24.208.37.154:1900->XXX.XXX.XXX.XXX:80, len 266
> > Sep/29/2015 19:56:55 , proto UDP, 24.208.37.154:1900->XXX.XXX.XXX.XXX:80, len 338
> > Sep/29/2015 19:56:55 , proto UDP, 76.24.200.75:1900->XXX.XXX.XXX.XXX:80, len 266
> > Sep/29/2015 19:56:55 , proto UDP, 98.30.40.44:1900->XXX.XXX.XXX.XXX:80, len 330
> > Sep/29/2015 19:56:55 , proto UDP, 37.242.12.64:1900->XXX.XXX.XXX.XXX:80, len 329
> > Sep/29/2015 19:56:55 , proto UDP, 188.118.251.216:1900->XXX.XXX.XXX.XXX:80, len 355
> > Sep/29/2015 19:56:55 , proto UDP, 190.214.140.21:1900->XXX.XXX.XXX.XXX:80, len 312
> > Sep/29/2015 19:56:55 , proto UDP, 78.189.168.191:1900->XXX.XXX.XXX.XXX:80, len 300
> > Sep/29/2015 19:56:55 , proto UDP, 88.250.168.173:1900->XXX.XXX.XXX.XXX:80, len 337
> > Sep/29/2015 19:56:55 , proto UDP, 88.250.168.173:1900->XXX.XXX.XXX.XXX:80, len 331
> > Sep/29/2015 19:56:55 , proto UDP, 166.102.230.129:1900->XXX.XXX.XXX.XXX:80, len 295
> > Sep/29/2015 19:56:55 , proto UDP, 208.106.2.83:1900->XXX.XXX.XXX.XXX:80, len 355
> > Sep/29/2015 19:56:55 , proto UDP, 76.24.200.75:1900->XXX.XXX.XXX.XXX:80, len 338
> > Sep/29/2015 19:56:55 , proto UDP, 78.189.168.191:1900->XXX.XXX.XXX.XXX:80, len 351
> > Sep/29/2015 19:56:55 , proto UDP, 166.102.230.129:1900->XXX.XXX.XXX.XXX:80, len 306
> > Sep/29/2015 19:56:55 , proto UDP, 208.106.2.83:1900->XXX.XXX.XXX.XXX:80, len 302
> > Sep/29/2015 19:56:55 , proto UDP, 76.24.200.75:1900->XXX.XXX.XXX.XXX:80, len 334
> > Sep/29/2015 19:56:55 , proto UDP, 78.189.168.191:1900->XXX.XXX.XXX.XXX:80, len 347
> > Sep/29/2015 19:56:55 , proto UDP, 76.24.200.75:1900->XXX.XXX.XXX.XXX:80, len 314
> > Sep/29/2015 19:56:55 , proto UDP, 181.211.178.167:1900->XXX.XXX.XXX.XXX:80, len 316
> > Sep/29/2015 19:56:55 , proto UDP, 78.189.168.191:1900->XXX.XXX.XXX.XXX:80, len 331
> > Sep/29/2015 19:56:55 , proto UDP, 98.242.172.180:1900->XXX.XXX.XXX.XXX:80, len 266
> > Sep/29/2015 19:56:55 , proto UDP, 139.55.188.117:1900->XXX.XXX.XXX.XXX:80, len 301
> > Sep/29/2015 19:56:55 , proto UDP, 69.40.138.121:1900->XXX.XXX.XXX.XXX:80, len 371
> > Sep/29/2015 19:56:55 , proto UDP, 75.89.110.97:1900->XXX.XXX.XXX.XXX:80, len 304
> > Sep/29/2015 19:56:55 , proto UDP, 75.89.110.97:1900->XXX.XXX.XXX.XXX:80, len 337
> > Sep/29/2015 19:56:55 , proto UDP, 98.22.249.5:1900->XXX.XXX.XXX.XXX:80, len 374
> > Sep/29/2015 19:56:55 , proto UDP, 78.188.168.188:1900->XXX.XXX.XXX.XXX:80, len 325
> > Sep/29/2015 19:56:55 , proto UDP, 14.221.129.218:1900->XXX.XXX.XXX.XXX:80, len 319
> > Sep/29/2015 19:56:55 , proto UDP, 95.188.78.112:1900->XXX.XXX.XXX.XXX:80, len 355
> > Sep/29/2015 19:56:55 , proto UDP, 78.188.204.57:1900->XXX.XXX.XXX.XXX:80, len 351
> > Sep/29/2015 19:56:55 , proto UDP, 78.188.204.57:1900->XXX.XXX.XXX.XXX:80, len 331
> > Sep/29/2015 19:56:55 , proto UDP, 173.186.125.161:1900->XXX.XXX.XXX.XXX:80, len 306
> >
> >
> > XXX.XXX.XXX.XXX = any IP in the block
> >
> >
> > Solutions so far:
> >
> > Blocking the IP XXX.XXX.XXX.XXX together with the carrier;
> > The carrier has no blackhole; it is offering an anti-DDoS service;
> > It does not block by port;
> > Firewall blocking UDP port 1900 for all hosts on the network;
> > Shutting down the link interface when the attack starts; the attack persists;
> > Attack duration 15 minutes, at scheduled hours;
> > It consumes all the bandwidth of the circuit.
> >
> >
> >
> >
> > --
> > <http://www.vescnet.com.br>
> > Glauber Derlland
> > 81-3497-7250
> > 81-4062-9722
> > 81-988-593-306
> > 11-4063-1673
> > INOC-DBA.br: 262792*100
> >
> > WhatsApp: 55 81 8163-7122
> > Viper: 55 81 8163-7122
> > Skype: vescnet
> > Facebook: vescnet
> > Twitter: @vescnet
> > ICQ: 670280143
> >
> > www.vescnet.com.br
> > https://beta.peeringdb.com/net/4988 <http://as262792.peeringdb.com/>
> > Maps <http://goo.gl/maps/ugZkZ>
> > --
> > gter list    https://eng.registro.br/mailman/listinfo/gter
>
>
>
>
> --
> *Rodrigo Melo Meireles*
>
> *CTO - Solustic Solucoes em Tecnologia-TI*
> Network Analyst/Consultant
> Security Analyst
> Mikrotik Certified
> URBSS Certified
> 85.40629515 85.996459346
> --
> gter list    https://eng.registro.br/mailman/listinfo/gter
>

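As an added example (not part of the original thread), the Python below parses firewall log lines in the format quoted above and flags the SSDP reflection pattern Guilherme points at: UDP packets whose *source* port is 1900, arriving from many unrelated hosts and aimed at whatever destination port the attacker put in the spoofed M-SEARCH (80 here). The sample lines are constructed in that log format with RFC 5737 documentation addresses and the destination masked as the original poster masked it; the 90-byte request size used for the amplification estimate and the five-reflector threshold are assumptions for illustration.

```python
"""Flag SSDP reflection in firewall logs of the form quoted in the thread.

Added example, not code from the GTER thread. Assumed line format:
  "<Mon/DD/YYYY> <HH:MM:SS> , proto <PROTO>, <src>:<sport>-><dst>:<dport>, len <n>"
Reflected SSDP shows up as UDP source port 1900 from many unrelated hosts; the
destination port is whatever the attacker spoofed in the M-SEARCH request.
"""
import re
from collections import Counter
from statistics import mean
from typing import List, Optional

SSDP_PORT = 1900
# Assumed on-the-wire size of a spoofed M-SEARCH request, used only to
# estimate per-packet amplification (an assumption for illustration).
ASSUMED_MSEARCH_REQUEST_BYTES = 90

LOG_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s*,\s*proto\s+(?P<proto>\w+)\s*,\s*"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\w.]+):(?P<dport>\d+)\s*,\s*len\s+(?P<len>\d+)$"
)

# Constructed sample in the thread's log format (RFC 5737 test addresses).
SAMPLE_LOG = [
    "Sep/29/2015 19:56:55 , proto UDP, 203.0.113.10:1900->XXX.XXX.XXX.XXX:80, len 266",
    "Sep/29/2015 19:56:55 , proto UDP, 203.0.113.11:1900->XXX.XXX.XXX.XXX:80, len 321",
    "Sep/29/2015 19:56:55 , proto UDP, 203.0.113.11:1900->XXX.XXX.XXX.XXX:80, len 321",
    "Sep/29/2015 19:56:55 , proto UDP, 198.51.100.7:1900->XXX.XXX.XXX.XXX:80, len 338",
    "Sep/29/2015 19:56:55 , proto UDP, 198.51.100.8:1900->XXX.XXX.XXX.XXX:80, len 258",
    "Sep/29/2015 19:56:55 , proto UDP, 198.51.100.9:1900->XXX.XXX.XXX.XXX:80, len 367",
    # unrelated traffic that must not be counted as SSDP
    "Sep/29/2015 19:56:56 , proto TCP, 198.51.100.20:443->XXX.XXX.XXX.XXX:51022, len 52",
    "Sep/29/2015 19:56:56 , proto UDP, 198.51.100.21:53->XXX.XXX.XXX.XXX:40001, len 120",
    "garbage line that does not match the format",
]


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    f = m.groupdict()
    return {
        "ts": f"{f['date']} {f['time']}",
        "proto": f["proto"].upper(),
        "src": f["src"],
        "sport": int(f["sport"]),
        "dst": f["dst"],
        "dport": int(f["dport"]),
        "len": int(f["len"]),
    }


def analyze(lines: List[str], min_reflectors: int = 5) -> dict:
    """Summarise UDP traffic sourced from 1900 and decide if reflection is likely.

    The verdict keys on distinct reflectors: one host answering from 1900/udp
    may be a real UPnP device, many unrelated hosts doing so at once towards
    the same target is the amplification pattern.
    """
    parsed = [p for p in map(parse_line, lines) if p is not None]
    ssdp = [p for p in parsed if p["proto"] == "UDP" and p["sport"] == SSDP_PORT]
    reflectors = Counter(p["src"] for p in ssdp)
    targets = Counter(f"{p['dst']}:{p['dport']}" for p in ssdp)
    ssdp_bytes = sum(p["len"] for p in ssdp)
    avg_len = mean(p["len"] for p in ssdp) if ssdp else 0.0
    return {
        "parsed": len(parsed),
        "unparsed": len(lines) - len(parsed),
        "ssdp_packets": len(ssdp),
        "ssdp_bytes": ssdp_bytes,
        "distinct_reflectors": len(reflectors),
        "top_reflectors": reflectors.most_common(3),
        "targets": dict(targets),
        "est_amplification": round(avg_len / ASSUMED_MSEARCH_REQUEST_BYTES, 1),
        "reflection_suspected": len(reflectors) >= min_reflectors,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key:22} {value}")
```

Feed it the router's firewall log instead of SAMPLE_LOG to get the reflector list (useful for abuse reports to the reflectors' networks) and the byte total per interval, which is what matters when, as in the thread, the attack saturates the circuit: filtering 1900/udp on your own edge drops the packets after they have already consumed the link, so the summary is evidence for the upstream, not a mitigation by itself.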

