WS-Discovery reflected DDoS (3702 UDP – fragmented – amplified)

Some information about a new attack fingerprint I’ve been seeing in the past few days, generating decently sized volumetric attacks (50 Gbps+).

The reflected service this time is WS-Discovery (https://en.wikipedia.org/wiki/WS-Discovery).

A wide variety of appliances are being abused as reflectors (many are IP surveillance systems).

It seems Akamai has already published plenty of information about it, so the news is not exactly new:
https://blogs.akamai.com/sitr/2019/09/new-ddos-vector-observed-in-the-wild-wsd-attacks-hitting-35gbps.html

TL;DR: this is real and is being exploited in the wild against multiple targets.
The good news is that it can be mitigated with the usual ACL rule, placed as early as possible in your network path:

deny udp any any fragment

As usual, make sure your ACL rule matches both the first and the subsequent fragments (some HP switches are known to match only the first fragment); the quick test below verifies whether your network is actually denying UDP fragments.

If you rely on UDP fragments for legitimate purposes ( 😱 ), you can instead deny UDP source port 3702 in your ACL, which stops at least the first fragment.
The subsequent fragments will reach you anyway (and this reflection has a high amplification rate), so the traffic will still be carried across your network, but at least it will not burn many CPU cycles: without the first fragment the datagrams can never be reassembled and the remaining fragments are simply discarded.
In that case you just need to make sure you have enough bandwidth along the whole path.

Take care

Check whether your network is allowing inbound UDP fragments

Start capturing fragments with tcpdump (the filter matches packets with the MF flag set or a non-zero fragment offset, while excluding packets that only carry the DF bit):

tcpdump -i any -nnvvXS '((ip[6:2] > 0) and (not ip[6] = 64))'

Then run a DNS query that is known to produce a fragmented reply. If no fragments show up in the capture, they are being dropped upstream:

dig ANY financialresearch.gov @208.67.222.222
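As an added example (not part of the original post), here is the same fragment test done in Python on constructed packets: it reproduces the logic of the tcpdump filter above, and shows why an ACL keyed on UDP source port 3702 only ever drops the first fragment while a fragment rule catches both. The addresses, the sample datagrams and the modelled ACL semantics are assumptions for the demo, not captured traffic.

```python
import struct

def build_ipv4(payload, proto=17, df=False, mf=False, offset=0):
    """Construct a minimal 20-byte IPv4 header (no options) followed by payload.
    offset is the fragment offset in 8-byte units, as carried on the wire."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return hdr + payload

def matches_tcpdump_filter(pkt):
    """Same test as '((ip[6:2] > 0) and (not ip[6] = 64))': ip[6:2] holds flags+offset,
    and ip[6] == 0x40 means only the Don't-Fragment bit is set, which is not a fragment."""
    return struct.unpack("!H", pkt[6:8])[0] > 0 and pkt[6] != 0x40

def classify(pkt):
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    if flags_frag & 0x1FFF:
        return "subsequent-fragment"  # non-zero offset: no UDP header in this packet
    return "first-fragment" if flags_frag & 0x2000 else "unfragmented"

def udp_ports(pkt):
    """(sport, dport) when the UDP header is present, otherwise None."""
    if pkt[9] != 17 or classify(pkt) == "subsequent-fragment":
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!HH", pkt[ihl:ihl + 4])

def port_acl_drops(pkt, src_port=3702):
    """'deny udp source port 3702': a port match needs the UDP header, so it can only
    ever see the first fragment; the non-initial fragments pass through."""
    ports = udp_ports(pkt)
    return ports is not None and ports[0] == src_port

def fragment_acl_drops(pkt):
    """'deny udp any any fragment', modelled here (assumption) as matching every UDP
    fragment, initial or not, which is the behaviour the post says to verify."""
    return pkt[9] == 17 and classify(pkt) != "unfragmented"

def demo():
    """Constructed traffic: a normal DNS reply plus a 2008-byte WS-Discovery reply
    split into a 1480-byte first fragment and a 528-byte tail fragment."""
    dns = build_ipv4(struct.pack("!HHHH", 53, 40001, 200, 0) + b"B" * 192, df=True)
    reply = struct.pack("!HHHH", 3702, 40000, 8 + 2000, 0) + b"A" * 2000
    first = build_ipv4(reply[:1480], mf=True)
    second = build_ipv4(reply[1480:], offset=185)  # 185 * 8 == 1480 bytes already sent
    return {name: (classify(p), matches_tcpdump_filter(p), port_acl_drops(p), fragment_acl_drops(p))
            for name, p in (("dns", dns), ("first", first), ("second", second))}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```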

Apple remote desktop DDoS reflection (UDP 3283)

Here comes just another volumetric reflected DDoS attack.

This time the source is the Apple Remote Desktop protocol (UDP 3283).

The amplification factor is quite high (35:1).

Apparently there are plenty of exposed hosts to pick from: 65,538 on Shodan right now, it seems:

https://www.shodan.io/search?query=port%3A3283

A lot of MacStadium hosts are apparently being actively abused.

If your Apple Mac sits in a DMZ or has a public IP, make sure port 3283 is properly secured.

Searching online, it seems others are seeing the same pattern.

Arbor (Netscout) has published more detailed information: https://www.netscout.com/blog/asert/call-arms-apple-remote-management-service-udp

CentOS 7 RAID5 rebuild + GRUB reinstall from a live Ubuntu 18.04 rescue environment

sudo su -

modprobe raid5
mdadm --stop /dev/md0
mdadm --stop /dev/md1
# stop any other active md device (you can see them in /proc/mdstat)
mdadm --stop /dev/md127
mdadm --stop /dev/md126
# check that they are all stopped
cat /proc/mdstat
# run a new scan
mdadm --assemble --scan
# check that the raid5 is properly detected
cat /proc/mdstat
# copy the partition table from a working disk (sdc here) to the new disk (sdb here)
sfdisk -d /dev/sdc | sfdisk /dev/sdb
# add the new partitions to their corresponding arrays (start with the /boot array if you have a dedicated one)
mdadm /dev/md126 -a /dev/sdb2
mdadm /dev/md127 -a /dev/sdb3
# now let's get ready to fix grub on the new disk; in this example md126 is /boot and md127 is /
# (mount / on /mnt and /boot on /mnt-boot, then bind /mnt-boot into the chroot)
mkdir /mnt-boot
mount /dev/md127 /mnt
mount /dev/md126 /mnt-boot
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
mount --bind /mnt-boot /mnt/boot
chroot /mnt
# you may get an error from chroot if the shell lives at a different path; this works for a default centos install
chroot /mnt /usr/bin/bash
# install grub on all the disks
grub2-install /dev/sda
grub2-install /dev/sdb
grub2-install /dev/sdc
# regenerate grub.cfg
grub2-mkconfig > /boot/grub2/grub.cfg
# now monitor the progress of the array rebuild and reboot once it has completed
watch cat /proc/mdstat
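An added example, not from the original post: a small Python parser for /proc/mdstat (a constructed snapshot is embedded, not a real capture) that reports which arrays still need a member added and whether every array is complete and idle, the condition for the final reboot above.

```python
import re

# Constructed /proc/mdstat snapshot (not a real capture): md126 (/boot, raid1) is still
# missing a member, md127 (/, raid5) has the new partition added and is rebuilding.
SAMPLE_MDSTAT = """\
Personalities : [raid1] [raid6] [raid5] [raid4]
md126 : active raid1 sdc2[2] sda2[0]
      1047552 blocks super 1.2 [3/2] [U_U]

md127 : active raid5 sdb3[3] sdc3[2] sda3[0]
      1951940608 blocks super 1.2 level 5, 512k chunk, algorithm 2 [3/2] [UU_]
      [==>..................]  recovery = 12.4% (121115648/975970304) finish=98.2min speed=145003K/sec

unused devices: <none>
"""

HEADER = re.compile(r"^(md\d+) : (active|inactive)(?: \([^)]*\))? (\w+) (.*)$")
MEMBER = re.compile(r"(\w+)\[\d+\](\([A-Z]\))?")      # sdb3[3] or sdb3[3](F) for a failed member
STATUS = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")     # [slots/active] [U_U]
PROGRESS = re.compile(r"(recovery|resync|reshape|check) = ([\d.]+)%")

def parse_mdstat(text):
    """Return {array: info} with members, failed members, slot counts, missing slot indexes and progress."""
    arrays, cur = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            found = MEMBER.findall(h.group(4))
            cur = arrays[h.group(1)] = {"state": h.group(2), "level": h.group(3),
                "members": [d for d, _ in found], "failed": [d for d, f in found if f],
                "slots": 0, "active": 0, "missing": [], "progress": None}
        elif cur is not None:
            s = STATUS.search(line)
            if s:
                cur["slots"], cur["active"] = int(s.group(1)), int(s.group(2))
                cur["missing"] = [i for i, c in enumerate(s.group(3)) if c == "_"]
            p = PROGRESS.search(line)
            if p:
                cur["progress"] = (p.group(1), float(p.group(2)))
    return arrays

def needs_member(arrays):
    """Arrays that still have an empty slot and no rebuild running: these need an 'mdadm -a'."""
    return sorted(n for n, a in arrays.items() if a["active"] < a["slots"] and a["progress"] is None)

def safe_to_reboot(arrays):
    """True only when every array is complete and nothing is recovering (the condition for the final reboot)."""
    return all(a["active"] == a["slots"] and a["progress"] is None for a in arrays.values())

if __name__ == "__main__":
    info = parse_mdstat(SAMPLE_MDSTAT)
    print("still need a member:", needs_member(info))
    print("safe to reboot:", safe_to_reboot(info))
```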

Plesk: unpack split backups

mkdir unpacked_data
# concatenate the pieces in natural sort order and extract them as a single stream
# (-i makes tar skip the zero blocks that separate the concatenated pieces)
find ./ -name "backup_1805230147.tar*" | sort -V | xargs cat | tar --overwrite -xvf - -i -C ./unpacked_data/

Tested on Plesk 11.5 through 17.5.

LDAP reflected ddos

tcpdump -nn -i em1 udp and port 389
 
15:35:36.667005 IP 75.99.0.158.389 > x.x.x.x.4829: UDP, length 2804
15:35:36.667065 IP 192.162.242.123.389 > x.x.x.x.45750: UDP, length 2993
15:35:36.667105 IP 210.3.1.38.389 > x.x.x.x.61703: UDP, length 2687
15:35:36.667260 IP 210.211.126.112.389 > x.x.x.x.61703: UDP, length 2591
15:35:36.667318 IP 88.198.78.124.389 > x.x.x.x.18313: UDP, length 2955
15:35:36.667407 IP 192.186.71.248.389 > x.x.x.x.45750: UDP, length 3088
15:35:36.667420 IP 193.158.199.220.389 > x.x.x.x.45750: UDP, length 2582
15:35:36.667453 IP 108.60.201.51.389 > x.x.x.x.27164: UDP, length 2969
15:35:36.667472 IP 211.144.154.13.389 > x.x.x.x.61703: UDP, length 2395
15:35:36.667551 IP 78.140.59.119.389 > x.x.x.x.4829: UDP, length 2368
15:35:36.667562 IP 197.231.192.44.389 > x.x.x.x.45750: UDP, length 2959
15:35:36.667575 IP 185.104.180.89.389 > x.x.x.x.29749: UDP, length 3009
15:35:36.667600 IP 108.31.185.59.389 > x.x.x.x.27164: UDP, length 2474
15:35:36.667652 IP 76.16.250.71.389 > x.x.x.x.4829: UDP, length 2622
15:35:36.667708 IP 185.3.168.182.389 > x.x.x.x.29749: UDP, length 2816
15:35:36.667798 IP 196.6.233.18.389 > x.x.x.x.45750: UDP, length 2538
15:35:36.667845 IP 91.106.91.12.389 > x.x.x.x.18313: UDP, length 2863
15:35:36.667869 IP 89.218.64.42.389 > x.x.x.x.18313: UDP, length 2799
15:35:36.667909 IP 193.140.41.174.389 > x.x.x.x.45750: UDP, length 3046
15:35:36.667982 IP 76.213.157.105.389 > x.x.x.x.4829: UDP, length 2894
15:35:36.668086 IP 196.30.230.54.389 > x.x.x.x.45750: UDP, length 2706
15:35:36.668188 IP 75.99.131.234.389 > x.x.x.x.4829: UDP, length 2516
15:35:36.668218 IP 196.11.102.164.389 > x.x.x.x.45750: UDP, length 2798
15:35:36.668248 IP 184.69.98.206.389 > x.x.x.x.29749: UDP, length 2857
15:35:36.668267 IP 121.40.104.130.389 > x.x.x.x.27164: UDP, length 2589
15:35:36.668284 IP 109.166.208.171.389 > x.x.x.x.27164: UDP, length 2772
15:35:36.668343 IP 108.74.106.227.389 > x.x.x.x.27164: UDP, length 2904
15:35:36.668383 IP 88.150.147.131.389 > x.x.x.x.18313: UDP, length 2966
15:35:36.668421 IP 88.198.222.112.389 > x.x.x.x.18313: UDP, length 2714
15:35:36.668463 IP 184.106.234.128.389 > x.x.x.x.29749: UDP, length 2631
15:35:36.668468 IP 88.198.90.43.389 > x.x.x.x.18313: UDP, length 1782
15:35:36.668487 IP 194.247.240.50.389 > x.x.x.x.45750: UDP, length 2937
15:35:36.668641 IP 88.84.197.162.389 > x.x.x.x.18313: UDP, length 1785
15:35:36.668835 IP 115.124.66.19.389 > x.x.x.x.27164: UDP, length 2929
15:35:36.668888 IP 119.160.218.42.389 > x.x.x.x.27164: UDP, length 2497
15:35:36.668920 IP 76.104.14.11.389 > x.x.x.x.4829: UDP, length 2566
15:35:36.668944 IP 112.74.167.244.389 > x.x.x.x.27164: UDP, length 2873
15:35:36.669013 IP 116.12.189.33.389 > x.x.x.x.27164: UDP, length 2628
15:35:36.669163 IP 184.106.250.48.389 > x.x.x.x.29749: UDP, length 2600
15:35:36.669215 IP 115.90.181.114.389 > x.x.x.x.27164: UDP, length 2469
15:35:36.669396 IP 196.15.180.8.389 > x.x.x.x.45750: UDP, length 2632
15:35:36.669400 IP 196.15.180.62.389 > x.x.x.x.45750: UDP, length 2684
15:35:36.669417 IP 109.166.153.104.389 > x.x.x.x.27164: UDP, length 2362
15:35:36.669422 IP 197.148.64.80.389 > x.x.x.x.45750: UDP, length 2711
15:35:36.669463 IP 184.106.234.46.389 > x.x.x.x.29749: UDP, length 2747
15:35:36.669535 IP 88.208.119.250.389 > x.x.x.x.18313: UDP, length 3051
15:35:36.669548 IP 88.220.122.52.389 > x.x.x.x.18313: UDP, length 2868
15:35:36.669755 IP 197.81.233.50.389 > x.x.x.x.45750: UDP, length 2472
15:35:36.669766 IP 196.214.87.66.389 > x.x.x.x.45750: UDP, length 2623
15:35:36.669821 IP 88.198.203.195.389 > x.x.x.x.18313: UDP, length 1917
15:35:36.669942 IP 115.178.16.249.389 > x.x.x.x.27164: UDP, length 2996
15:35:36.670003 IP 184.147.198.111.389 > x.x.x.x.29749: UDP, length 2553
15:35:36.670044 IP 75.99.203.190.389 > x.x.x.x.4829: UDP, length 3046
15:35:36.670212 IP 197.249.132.72.389 > x.x.x.x.45750: UDP, length 2449
15:35:36.670286 IP 88.150.188.42.389 > x.x.x.x.18313: UDP, length 2914
15:35:36.670297 IP 184.155.25.26.389 > x.x.x.x.29749: UDP, length 2881
15:35:36.670411 IP 88.82.192.243.389 > x.x.x.x.18313: UDP, length 2501
15:35:36.670414 IP 186.115.11.67.389 > x.x.x.x.4829: UDP, length 2682
15:35:36.670549 IP 75.99.161.82.389 > x.x.x.x.4829: UDP, length 2861
15:35:36.670583 IP 77.120.243.225.389 > x.x.x.x.4829: UDP, length 2508
15:35:36.670657 IP 193.248.203.67.389 > x.x.x.x.45750: UDP, length 2931
15:35:36.670688 IP 75.35.145.219.389 > x.x.x.x.4829: UDP, length 2897
15:35:36.670819 IP 184.149.19.174.389 > x.x.x.x.29749: UDP, length 2579
15:35:36.671004 IP 197.159.49.36.389 > x.x.x.x.45750: UDP, length 2936
15:35:36.671027 IP 79.175.176.14.389 > x.x.x.x.4829: UDP, length 2891
15:35:36.671055 IP 108.29.161.26.389 > x.x.x.x.27164: UDP, length 2561
15:35:36.671075 IP 200.116.120.158.389 > x.x.x.x.45750: UDP, length 2892
15:35:36.671101 IP 196.15.180.2.389 > x.x.x.x.45750: UDP, length 2640
15:35:36.671186 IP 88.159.158.30.389 > x.x.x.x.18313: UDP, length 2574
15:35:36.671228 IP 108.29.99.165.389 > x.x.x.x.27164: UDP, length 2946
15:35:36.671256 IP 88.198.1.28.389 > x.x.x.x.18313: UDP, length 2949

Sample packet (note flags [+] and total length 1500: the 2905-byte UDP reply is fragmented, and this is its first fragment):

15:37:21.996866 IP (tos 0x0, ttl 117, id 18284, offset 0, flags [+], proto UDP (17), length 1500)
    179.210.166.177.389 > x.x.x.x.45750: UDP, length 2905

DDoS reflection attacks – udp 1900

So it happened: today a company I work with received its first DDoS attack with UDP source port 1900.

The recorded attack peak was 1301 Mbit/s at 530,463 packets/s.

I didn’t have time to take a full traffic dump as the attack ceased shortly after; these were the three most offending sources, in case someone wants to dig further:

77.109.241.234
74.36.12.13
218.65.201.212

Nmap scan report for adsl-77-109-241-234.kymp.net (77.109.241.234)
Host is up (0.098s latency).

PORT STATE SERVICE
1900/udp open|filtered upnp
Too many fingerprints match this host to give specific OS details

Nmap scan report for 74-36-12-13.dr01.aurr.mn.frontiernet.net (74.36.12.13)
Host is up (0.022s latency).

PORT STATE SERVICE
1900/udp open|filtered upnp

Aggressive OS guesses: Aerohive HiveAP 320 WAP (HiveOS 3.4) (95%), AirMagnet SmartEdge wireless sensor, or Foxcam FI8904 or Instar IN-3010 surveillance camera (95%), Allnet 2210 webcam, Cisco MDS 9124 or 9216i switch (SAN-OS 3.1 - 3.2), or Nortel IP Phone 1535 (95%), Aruba 3400 or 6000 wireless LAN controller (ArubaOS 3.3.2) (95%), AT&T 3G MicroCell WAP (95%), Avocent AutoView or DSR2020 KVM switch (95%), Avocent DSR1021 KVM switch (95%), AXIS 211A Network Camera (Linux 2.6) (95%), AXIS 211A Network Camera (Linux 2.6.20) (95%), Buffalo TeraStation Pro III NAS device (95%)
No exact OS matches for host (test conditions non-ideal).

Nmap scan report for 218.65.201.212
Host is up (0.020s latency).

PORT STATE SERVICE
1900/udp open|filtered upnp

Aggressive OS guesses: Sphairon Turbolink IAD DSL modem (97%), 3Com OfficeConnect 3CRWER100-75 wireless broadband router (96%), 3Com OfficeConnect 3CRWER100-75 wireless router (96%), Aastra RFP L32 IP DECT WAP (96%), Acorp W400G or W422G wireless ADSL modem (MontaVista embedded Linux 2.4.17) (96%), Actiontec GT701 DSL modem (96%), Aerohive HiveAP 320 WAP (HiveOS 3.4) (96%), AirMagnet SmartEdge wireless sensor, or Foxcam FI8904 or Instar IN-3010 surveillance camera (96%), Alcatel-Lucent OmniPCX Enterprise PBX (Linux 2.4.17) (96%), Sirio by Alice VoIP phone (96%)
No exact OS matches for host (test conditions non-ideal).

Apparently these are just residential IP addresses behind vulnerable routers with UPnP (SSDP) exposed on the WAN side.

In total there were tens of thousands of sources hitting a single IP. The per-source pps rate was very low (for example 74.36.12.13 was pushing out just 200 pps, and it was one of the top offenders).
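An added example serving both the LDAP capture above and this SSDP attack (not from the original posts): Python detection logic over tcpdump summary lines that groups inbound UDP by source port and flags the reflection fingerprint, many distinct hosts answering the same victim from a known reflector port. The sample lines, the victim address and the reflector addresses are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed tcpdump summary lines in the same shape as the captures in the posts above;
# the victim (198.51.100.5, standing in for x.x.x.x) and the reflector addresses are made up.
SAMPLE = """\
15:35:36.667005 IP 192.0.2.10.389 > 198.51.100.5.4829: UDP, length 2804
15:35:36.667065 IP 192.0.2.11.389 > 198.51.100.5.45750: UDP, length 2993
15:35:36.667105 IP 192.0.2.12.389 > 198.51.100.5.61703: UDP, length 2687
15:35:36.667260 IP 192.0.2.13.389 > 198.51.100.5.61703: UDP, length 2591
15:35:36.667318 IP 192.0.2.14.1900 > 198.51.100.5.18313: UDP, length 312
15:35:36.667407 IP 192.0.2.15.1900 > 198.51.100.5.18313: UDP, length 298
15:35:36.667420 IP 192.0.2.16.1900 > 198.51.100.5.18313: UDP, length 305
15:35:36.667453 IP 192.0.2.99.53 > 198.51.100.5.27164: UDP, length 140
15:35:36.667472 IP 198.51.100.5.40000 > 192.0.2.50.443: UDP, length 1200
"""

LINE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)")
REFLECTOR_PORTS = {389: "LDAP", 1900: "SSDP", 3283: "Apple Remote Desktop", 3702: "WS-Discovery"}

def summarise(lines, victim):
    """Group inbound UDP to the victim by source port: distinct sources, packets, bytes."""
    stats = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(3) != victim:
            continue  # malformed line, or traffic the victim itself sent out
        s = stats[int(m.group(2))]
        s["sources"].add(m.group(1)); s["packets"] += 1; s["bytes"] += int(m.group(5))
    return stats

def reflection_alerts(lines, victim, min_sources=3):
    """Flag source ports where many distinct hosts answer the same victim from a known reflector
    port (the victim never queried any of them). Returns [(port, service, sources, avg_len)]."""
    alerts = []
    for port, s in summarise(lines, victim).items():
        if port in REFLECTOR_PORTS and len(s["sources"]) >= min_sources:
            alerts.append((port, REFLECTOR_PORTS[port], len(s["sources"]), s["bytes"] // s["packets"]))
    return sorted(alerts, key=lambda a: -a[3])

if __name__ == "__main__":
    for alert in reflection_alerts(SAMPLE.splitlines(), "198.51.100.5"):
        print("port %d (%s): %d reflectors, avg payload %d bytes" % alert)
```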

Blocking outgoing WordPress brute-force attempts

Just an emergency fix to deploy while searching for the root cause of the outgoing brute-force traffic. The rule matches the literal request string, so it only covers plaintext HTTP on port 80 (an HTTPS login flood would not be caught):

iptables -I OUTPUT -p tcp -m multiport --dports 80 -m tcp -m string --algo bm --string "wp-login.php" -j DROP