[GTER] DDOS Attack

Rodrigo Meireles mikrotikfull at gmail.com
Mon Oct 5 12:15:09 -03 2015


It really is a reflection-specific DDoS attack.
If the carrier does not block it and charges for DDoS mitigation, there are only two alternatives:
either contract an external anti-DDoS service or implement
anti-DDoS tools on the VyOS or edge.
Depending on what you are using, it will consume a good share of the CPU.

2015-10-05 11:58 GMT-03:00 Guilherme Boing <kolt at frag.com.br>:

> 1900 is DDoS using SSDP as an amplifier.
>
> 2015-10-05 11:26 GMT-03:00 Rodrigo Meireles <mikrotikfull at gmail.com>:
>
> > Which router is doing BGP?
> > Edge router?
> > 1900 is the Neighbor Discovery protocol!
> > Disable discovery on the edge and test!
> >
> > 2015-10-05 7:35 GMT-03:00 Glauber Derlland <glauber at vescnet.com.br>:
> >
> > > Good morning,
> > >
> > > Is anyone else facing this type of attack?
> > >
> > >
> > >
> > > XXX.XXX.XXX.XXX = any IP in the block
> > >
> > >
> > > Solutions so far:
> > >
> > > Blocking the IP XXX.XXX.XXX.XXX with the carrier;
> > > The carrier has no blackhole and is offering an anti-DDoS service;
> > > It does not block by port;
> > > Firewall blocking UDP port 1900 for all hosts on the network;
> > > Shutting down the link interface; when it is brought back up the attack persists;
> > > Attack duration 15 minutes, at scheduled hours;
> > > It consumes all of the circuit's bandwidth.
> > >
> > >
> > >
> > >
> > > --
> > > <http://www.vescnet.com.br>
> > > Glauber Derlland
> > > 81-3497-7250
> > > 81-4062-9722
> > > 81-988-593-306
> > > 11-4063-1673
> > > INOC-DBA.br: 262792*100
> > >
> > > WhatsApp: 55 81 8163-7122
> > > Viper: 55 81 8163-7122
> > > Skype: vescnet
> > > Facebook: vescnet
> > > Twitter: @vescnet
> > > ICQ: 670280143
> > >
> > > www.vescnet.com.br
> > > https://beta.peeringdb.com/net/4988 <http://as262792.peeringdb.com/>
> > > Maps <http://goo.gl/maps/ugZkZ>
> > > --
> > > gter list    https://eng.registro.br/mailman/listinfo/gter
> >




-- 
*Rodrigo Melo Meireles*

*CTO - Solustic Solucoes em Tecnologia-TI*
Network Analyst/Consultant
Security Analyst
Mikrotik Certified
URBSS Certified
85.40629515 85.996459346
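As an added example (not part of the thread or of any product mentioned in it), a small Python script that parses firewall log lines in the format Glauber quoted and flags UDP traffic whose source port is a well-known reflector service (SSDP/1900 here) arriving from many distinct sources, which is the pattern Guilherme identified. The sample lines are constructed, and the reflector port table is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same format as the firewall log quoted in the
# thread; addresses are documentation ranges, not the real attack sources.
SAMPLE_LOG = """\
Sep/29/2015 19:56:55 , proto UDP, 203.0.113.10:1900->198.51.100.7:80, len 266
Sep/29/2015 19:56:55 , proto UDP, 203.0.113.11:1900->198.51.100.7:80, len 321
Sep/29/2015 19:56:55 , proto UDP, 203.0.113.12:1900->198.51.100.7:80, len 338
Sep/29/2015 19:56:55 , proto UDP, 203.0.113.13:1900->198.51.100.7:80, len 355
Sep/29/2015 19:56:55 , proto UDP, 203.0.113.11:1900->198.51.100.7:80, len 301
Sep/29/2015 19:56:56 , proto TCP, 192.0.2.5:51234->198.51.100.7:443, len 60
Sep/29/2015 19:56:56 , proto UDP, 192.0.2.9:53->198.51.100.7:41000, len 120
"""

# UDP services commonly abused as reflectors (assumed list); the thread's case is SSDP.
REFLECTOR_PORTS = {1900: "SSDP", 53: "DNS", 123: "NTP", 19: "chargen",
                   161: "SNMP", 11211: "memcached"}

# The destination may be masked (XXX.XXX.XXX.XXX) as in the thread, so allow letters.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) , proto (?P<proto>\w+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\w.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec

def find_reflection(log, min_sources=3):
    """Bucket UDP packets by source port; report reflector ports seen from many sources."""
    buckets = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["sport"] not in REFLECTOR_PORTS:
            continue
        b = buckets[rec["sport"]]
        b["sources"].add(rec["src"])
        b["packets"] += 1
        b["bytes"] += rec["len"]
    findings = []
    for port, b in buckets.items():
        if len(b["sources"]) >= min_sources:  # one DNS reply from one host is not an attack
            findings.append({"service": REFLECTOR_PORTS[port], "src_port": port,
                             "sources": len(b["sources"]), "packets": b["packets"],
                             "avg_len": b["bytes"] // b["packets"]})
    return findings
```

Filtering UDP source port 1900 on your own firewall, as the thread does, only protects the hosts behind it; the circuit is already saturated by the time the packets arrive, which is why the thread points to blocking at the carrier or an upstream anti-DDoS service.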


