{"id":290,"date":"2014-08-12T14:57:21","date_gmt":"2014-08-12T12:57:21","guid":{"rendered":"http:\/\/evcz.tk\/blog\/?p=290"},"modified":"2014-08-12T15:05:49","modified_gmt":"2014-08-12T13:05:49","slug":"ddos-reflection-attacks-udp-1900","status":"publish","type":"post","link":"https:\/\/evcz.tk\/blog\/2014\/08\/12\/ddos-reflection-attacks-udp-1900\/","title":{"rendered":"DDoS reflection attacks &#8211; udp 1900"},"content":{"rendered":"<p>So it happened&#8230; today a company I work with received their first DDoS attack with source port 1900 UDP.<\/p>\n<p>Recorded attack peak was 1301 MBit\/s with 530463 packets\/s.<\/p>\n<p>I didn&#8217;t have the time to take a full network traffic dump as the attack ceased shortly; these were the three most offending attackers, in case someone is looking for additional info\/research\/inspection:<\/p>\n<pre lang=\"bash\">\r\n77.109.241.234\r\n74.36.12.13\r\n218.65.201.212\r\n<\/pre>\n<pre lang=\"bash\">\r\nNmap scan report for adsl-77-109-241-234.kymp.net (77.109.241.234) \r\nHost is up (0.098s latency). \r\n\r\nPORT STATE SERVICE \r\n1900\/udp open|filtered upnp \r\nToo many fingerprints match this host to give specific OS details \r\n<\/pre>\n<pre lang=\"bash\">\r\nNmap scan report for 74-36-12-13.dr01.aurr.mn.frontiernet.net (74.36.12.13) \r\nHost is up (0.022s latency). 
\r\n\r\nPORT STATE SERVICE \r\n1900\/udp open|filtered upnp \r\n\r\nAggressive OS guesses: Aerohive HiveAP 320 WAP (HiveOS 3.4) (95%), AirMagnet SmartEdge wireless sensor, or Foxcam FI8904 or Instar IN-3010 surveillance camera (95%), Allnet 2210 webcam, Cisco MDS 9124 or 9216i switch (SAN-OS 3.1 - 3.2), or Nortel IP Phone 1535 (95%), Aruba 3400 or 6000 wireless LAN controller (ArubaOS 3.3.2) (95%), AT&T 3G MicroCell WAP (95%), Avocent AutoView or DSR2020 KVM switch (95%), Avocent DSR1021 KVM switch (95%), AXIS 211A Network Camera (Linux 2.6) (95%), AXIS 211A Network Camera (Linux 2.6.20) (95%), Buffalo TeraStation Pro III NAS device (95%) \r\nNo exact OS matches for host (test conditions non-ideal). \r\n<\/pre>\n<pre lang=\"bash\">\r\nNmap scan report for 218.65.201.212 \r\nHost is up (0.020s latency). \r\n\r\nPORT STATE SERVICE \r\n1900\/udp open|filtered upnp \r\n\r\nAggressive OS guesses: Sphairon Turbolink IAD DSL modem (97%), 3Com OfficeConnect 3CRWER100-75 wireless broadband router (96%), 3Com OfficeConnect 3CRWER100-75 wireless router (96%), Aastra RFP L32 IP DECT WAP (96%), Acorp W400G or W422G wireless ADSL modem (MontaVista embedded Linux 2.4.17) (96%), Actiontec GT701 DSL modem (96%), Aerohive HiveAP 320 WAP (HiveOS 3.4) (96%), AirMagnet SmartEdge wireless sensor, or Foxcam FI8904 or Instar IN-3010 surveillance camera (96%), Alcatel-Lucent OmniPCX Enterprise PBX (Linux 2.4.17) (96%), Sirio by Alice VoIP phone (96%) \r\nNo exact OS matches for host (test conditions non-ideal). 
\r\n<\/pre>\n<p>Apparently those are just residential IP addresses running vulnerable routers with UPnP services exposed on the WAN side.<\/p>\n<p>There were tens of thousands of sources attacking a single IP in total&#8230; The per-source pps rate was very low (for example, 74.36.12.13 was pushing out just 200 pps, and it was one of the top offenders).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So it happened&#8230; today a company I work with received their first DDoS attack with source port 1900 UDP. Recorded attack peak was 1301 MBit\/s with 530463 packets\/s. I didn&#8217;t have the time to take a full network traffic dump as the attack ceased shortly; these were the three most offending attackers, in case someone is &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/evcz.tk\/blog\/2014\/08\/12\/ddos-reflection-attacks-udp-1900\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;DDoS reflection attacks &#8211; udp 1900&#8221;<\/span><\/a><\/p>\n","protected":false},"author":45,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22],"tags":[24],"class_list":["post-290","post","type-post","status-publish","format-standard","hentry","category-networking","tag-ddos"],"_links":{"self":[{"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/posts\/290","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/users\/45"}],"replies":[{"embeddable":true,"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/comments?post=290"}],"version-history":[{"count":5,"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/posts\/290\/revisions"}],"predecessor-version":[{"id":293,"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/posts\/290\/revisions\/293"}],"wp:attachm
ent":[{"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/media?parent=290"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/categories?post=290"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/tags?post=290"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}