Posted on by EvolutionCrazy

DDoS reflection attacks – udp 1900

So it happened… today a company I work with received their first ddos attack with source port 1900 udp.

Recorded attack peak was 1301 MBit/s with 530463 packets/s

I didn’t had the time to take a full network traffic dump as the attack cheased shortly, these were three most offending attackers in case someone is looking for additional infos/reasearches/inspections:

77.109.241.234
74.36.12.13
218.65.201.212
Nmap scan report for adsl-77-109-241-234.kymp.net (77.109.241.234) 
Host is up (0.098s latency). 
 
PORT STATE SERVICE 
1900/udp open|filtered upnp 
Too many fingerprints match this host to give specific OS details
Nmap scan report for 74-36-12-13.dr01.aurr.mn.frontiernet.net (74.36.12.13) 
Host is up (0.022s latency). 
 
PORT STATE SERVICE 
1900/udp open|filtered upnp 
 
Aggressive OS guesses: Aerohive HiveAP 320 WAP (HiveOS 3.4) (95%), AirMagnet SmartEdge wireless sensor, or Foxcam FI8904 or Instar IN-3010 surveillance camera (95%), Allnet 2210 webcam, Cisco MDS 9124 or 9216i switch (SAN-OS 3.1 - 3.2), or Nortel IP Phone 1535 (95%), Aruba 3400 or 6000 wireless LAN controller (ArubaOS 3.3.2) (95%), AT&T 3G MicroCell WAP (95%), Avocent AutoView or DSR2020 KVM switch (95%), Avocent DSR1021 KVM switch (95%), AXIS 211A Network Camera (Linux 2.6) (95%), AXIS 211A Network Camera (Linux 2.6.20) (95%), Buffalo TeraStation Pro III NAS device (95%) 
No exact OS matches for host (test conditions non-ideal).
Nmap scan report for 218.65.201.212 
Host is up (0.020s latency). 
 
PORT STATE SERVICE 
1900/udp open|filtered upnp 
 
Aggressive OS guesses: Sphairon Turbolink IAD DSL modem (97%), 3Com OfficeConnect 3CRWER100-75 wireless broadband router (96%), 3Com OfficeConnect 3CRWER100-75 wireless router (96%), Aastra RFP L32 IP DECT WAP (96%), Acorp W400G or W422G wireless ADSL modem (MontaVista embedded Linux 2.4.17) (96%), Actiontec GT701 DSL modem (96%), Aerohive HiveAP 320 WAP (HiveOS 3.4) (96%), AirMagnet SmartEdge wireless sensor, or Foxcam FI8904 or Instar IN-3010 surveillance camera (96%), Alcatel-Lucent OmniPCX Enterprise PBX (Linux 2.4.17) (96%), Sirio by Alice VoIP phone (96%) 
No exact OS matches for host (test conditions non-ideal).

Apparently those are just residential IP addresses running vulnerable routers with UPNP services exposed on the WAN side.

There were tens of thounsands attacking a single IP in total… Single pps rate was very very low (for example 74.36.12.13 was pushing out just 200pps and it was one of the top offenders)