
DDoS Attacks


SIRAJ

Assalamu alaykum! Today at around five in the afternoon/evening a DDoS attack from 19888 addresses hit my computer; the computer nearly hung (Kaspersky maxed out the CPU), I had to yank the cable)), has anyone had this happen to them? Edited by Rashid


Rashid, so what were you being DDoSed over?)

If only I knew)) In theory they can't DDoS me specifically, because like many others I sit behind NAT via an IP address, so more likely I just got caught in the crossfire))) maybe the traffic is coming through some hidden VPN client, but that's unlikely


like many others I sit behind NAT via an IP address

Subnet, among others, uses NAT in which you get a random address on every new session and the translation is done port-to-port (depending on which server you connect through). So they could well have DoSed you from the Internet.


  • 4 months later...

We have already received letters of this kind several times:

---------- Forwarded message ----------

From: NFOservers.com DDoS notifier <ddos-response@nfoservers.com>

Date: 2014-05-29 3:08 GMT+04:00

Subject: Open recursive resolver used for an attack: 176.120.ХХХ.ХХХ

To:

You appear to be running an open recursive resolver at IP address 176.120.ХХХ.ХХХ that participated in an attack against a customer of ours today, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size.

Please consider reconfiguring your resolver in one or more of these ways:

- To only serve your customers and not respond to outside IP addresses (in BIND, this is done by defining a limited set of hosts in "allow-query"; with a Windows DNS server, you would need to use firewall rules to block external access to UDP port 53)

- To only serve domains that it is authoritative for (in BIND, this is done by defining a limited set of hosts in "allow-query" for the server overall but setting "allow-query" to "any" for each zone)

- To rate-limit responses to individual source IP addresses (DNS Response Rate Limiting, or DNS RRL)

More information on this type of attack and what each party can do to mitigate it can be found here: http://www.us-cert.gov/ncas/alerts/TA13-088A

If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.

If you already have your resolver configured to rate-limit, please accept our apologies for bothering you. These attackers use any server that will respond, and they (and we) can't easily tell that the traffic is being rate-limited. If you rate limit and contact us at noc@nfoe.net, we can whitelist your IP address in our database so that you don't receive more of these notifications for it.

Example DNS responses from your resolver during this attack are given below.

Timestamps (far left) are PST (UTC-8), and the date is 2014-05-28.

15:58:44.877753 IP (tos 0x0, ttl 51, id 27986, offset 0, flags [+], proto UDP (17), length 1396) 176.120.ХХХ.ХХХ.53 > 66.150.188.x.15897: 2201| 253/0/0 magas.bslrpg.com. A 2.2.2.160, magas.bslrpg.com.[|domain]

0x0000: 4500 0574 6d52 2000 3311 7c21 b078 c9ad E..tmR..3.|!.x..

0x0010: 4296 bc49 0035 3e19 0ffa 581d 0899 8380 B..I.5>...X.....

0x0020: 0001 00fd 0000 0000 056d 6167 6173 0662 .........magas.b

0x0030: 736c 7270 6703 636f 6d00 00ff 0001 c00c slrpg.com.......

0x0040: 0001 0001 0000 1a9a 0004 0202 02a0 c00c ................

0x0050: 0001 ..

15:58:44.901065 IP (tos 0x0, ttl 51, id 27987, offset 0, flags [+], proto UDP (17), length 1396) 176.120.ХХХ.ХХХ.53 > 66.150.188.x.15897: 2201| 253/0/0 magas.bslrpg.com. A 2.2.2.161, magas.bslrpg.com.[|domain]

0x0000: 4500 0574 6d53 2000 3311 7c20 b078 c9ad E..tmS..3.|..x..

0x0010: 4296 bc49 0035 3e19 0ffa 5a20 0899 8380 B..I.5>...Z.....

0x0020: 0001 00fd 0000 0000 056d 6167 6173 0662 .........magas.b

0x0030: 736c 7270 6703 636f 6d00 00ff 0001 c00c slrpg.com.......

0x0040: 0001 0001 0000 1a9a 0004 0202 02a1 c00c ................

0x0050: 0001 ..

15:58:44.923798 IP (tos 0x0, ttl 51, id 27988, offset 0, flags [+], proto UDP (17), length 1396) 176.120.ХХХ.ХХХ.53 > 66.150.188.x.15897: 2201| 253/0/0 magas.bslrpg.com. A 2.2.2.162, magas.bslrpg.com.[|domain]

0x0000: 4500 0574 6d54 2000 3311 7c1f b078 c9ad E..tmT..3.|..x..

0x0010: 4296 bc49 0035 3e19 0ffa 5c23 0899 8380 B..I.5>...\#....

0x0020: 0001 00fd 0000 0000 056d 6167 6173 0662 .........magas.b

0x0030: 736c 7270 6703 636f 6d00 00ff 0001 c00c slrpg.com.......

0x0040: 0001 0001 0000 1a9a 0004 0202 02a2 c00c ................

0x0050: 0001 ..

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "73".)

-John

President

Nuclearfallout, Enterprises, Inc. (NFOservers.com)

(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)

At that IP address there is a MikroTik router with an external address. A scan of the address showed:

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
53/tcp   open  domain
80/tcp   open  http
2000/tcp open  cisco-sccp
8291/tcp open  unknown

Most likely, because it has open ports, it was used to attack some host, as in Rashid's case.

Incidentally, we have recorded such cases twice. When a host in our network was the one under attack, the attack was carried out using NTP servers.

The principle is this: an attacker sends a request (for the last 600 hosts that asked for the time) to thousands of NTP servers. As his own address he substitutes the victim's address. The servers then reply to that real address, thereby generating an enormous amount of traffic that the victim cannot digest.

The takeaway: close your ports )))

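
To make the notice quoted in this post concrete, here is an added example (my own code, not NFOservers' tooling and not anything posted in this thread) that decodes the first tcpdump record from the letter: it walks the IPv4 and UDP headers, parses the DNS header, question and answer, lists the traits that mark the packet as an open-resolver amplification reply, and estimates the amplification from the packet's own fields. The hex is re-typed from the dump on the page; the one assumption beyond those bytes is the 11-byte EDNS0 OPT record added to the estimated query size (a 4090-byte UDP answer is only sent when the query advertises a large buffer), and it is marked as such in the code.

```python
import struct
from typing import Dict, List, Tuple

# First tcpdump record quoted in the notice above, re-typed from its hex columns
# (IPv4 header, UDP header, start of the DNS response). tcpdump cut the record at
# 0x52 bytes, so only the first answer RR is complete.
SAMPLE_HEX = (
    "4500 0574 6d52 2000 3311 7c21 b078 c9ad 4296 bc49 0035 3e19 0ffa 581d "
    "0899 8380 0001 00fd 0000 0000 056d 6167 6173 0662 736c 7270 6703 636f "
    "6d00 00ff 0001 c00c 0001 0001 0000 1a9a 0004 0202 02a0 c00c 0001"
)
QTYPE_A, QTYPE_ANY = 1, 255
EDNS0_OPT_BYTES = 11  # assumption: attacker adds an OPT RR, otherwise the answer stops at 512 bytes

def ip4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def parse_ipv4(pkt: bytes) -> Tuple[Dict, bytes]:
    ver_ihl, _, total_len, ident, frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hdr = {"total_length": total_len, "id": ident, "ttl": ttl, "proto": proto,
           "more_fragments": bool(frag & 0x2000),  # tcpdump prints this as flags [+]
           "src": ip4(src), "dst": ip4(dst)}
    return hdr, pkt[(ver_ihl & 0x0F) * 4:]

def parse_udp(seg: bytes) -> Tuple[Dict, bytes]:
    sport, dport, length, _ = struct.unpack("!HHHH", seg[:8])
    # UDP length covers the whole datagram before IP fragmentation, so the first
    # fragment alone already tells us how big the response really was.
    return {"sport": sport, "dport": dport, "length": length}, seg[8:]

def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a possibly compressed DNS name; return (name, offset just past it)."""
    labels: List[str] = []
    end = None
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer: follow it, resume after the 2 bytes
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (off if end is None else end)

def parse_dns(msg: bytes) -> Dict:
    ident, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": ident, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0xF, "ancount": an, "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        info["questions"].append((name, qtype, qclass))
    for _ in range(an):
        try:
            name, off = read_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            off += 10 + rdlen
        except (ValueError, struct.error):
            break  # ran off the end of the truncated capture
        if len(rdata) < rdlen:
            break
        value = ip4(rdata) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        info["answers"].append((name, rtype, ttl, value))
    return info

def open_resolver_indicators(dns: Dict) -> List[str]:
    """Traits that mark this packet as an open-resolver amplification reply."""
    hits = []
    if dns["qr"] and dns["ra"]:
        hits.append("RA=1: the server offers recursion to this external (spoofed) client")
    if dns["qr"] and dns["rd"] and not dns["aa"]:
        hits.append("AA=0 with RD=1: recursive answer for a zone the server does not own")
    if any(q[1] == QTYPE_ANY for q in dns["questions"]):
        hits.append("QTYPE=ANY: the query type chosen to maximise the reply")
    if dns["ancount"] >= 100:
        hits.append(f"ANCOUNT={dns['ancount']}: hundreds of RRs in one reply")
    if dns["tc"]:
        hits.append("TC=1: even this reply was cut short; a real client retries over TCP, a spoofer never does")
    return hits

def amplification_factor(udp: Dict, dns: Dict) -> float:
    """Bytes delivered to the victim per byte the attacker sent (IP and UDP headers included)."""
    qname = dns["questions"][0][0].rstrip(".")
    qname_wire = sum(1 + len(label) for label in qname.split(".")) + 1  # 18 for magas.bslrpg.com
    query_bytes = 20 + 8 + 12 + qname_wire + 4 + EDNS0_OPT_BYTES
    return (20 + udp["length"]) / query_bytes

def analyse(hex_text: str) -> Dict:
    ip, rest = parse_ipv4(bytes.fromhex(hex_text.replace(" ", "")))
    udp, payload = parse_udp(rest)
    dns = parse_dns(payload)
    return {"ip": ip, "udp": udp, "dns": dns, "indicators": open_resolver_indicators(dns),
            "amplification": amplification_factor(udp, dns)}

if __name__ == "__main__":
    r = analyse(SAMPLE_HEX)
    print(r["udp"], r["dns"]["questions"], r["dns"]["answers"], f"~{r['amplification']:.0f}x")
    print("\n".join(r["indicators"]))
```

Two details in that record are easy to miss when reading the dump by eye. The `2201|` in tcpdump's summary is the TC bit: the ANY answer did not even fit the 4090-byte UDP datagram, and a legitimate client would now retry over TCP, which a spoofing attacker has no reason to do, while the victim still receives every fragment. And the UDP length field (4090) is the size of the whole pre-fragmentation datagram, so the first 1396-byte fragment alone gives the real response size, about 56 times the spoofed query. For the MikroTik mentioned in the post, the equivalent of the BIND `allow-query` fix in the letter is `/ip dns set allow-remote-requests=no` (or an input-chain filter on UDP/53 from the WAN interface), which is what stops the router's DNS cache from answering the Internet at large.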

Yesterday this letter came to us and to one more Makhachkala provider (or maybe more than one)) ). They just won't leave them alone.

A public NTP server on your network, running on IP address 176.120.XXX.XXX and UDP port 123, participated in a very large-scale attack against a customer of ours, generating UDP responses to spoofed "monlist" requests that claimed to be from the attack target.

Please consider reconfiguring this NTP server in one or more of these ways:

1. If you run ntpd, upgrading to the latest version, which removes the "monlist" command that is used for these attacks; alternately, disabling the monitoring function by adding "disable monitor" to your /etc/ntp.conf file.

2. Setting the NTP installation to act as a client only. With ntpd, that can be done with "restrict default ignore" in /etc/ntp.conf; other daemons should have a similar configuration option. More information on configuring different devices can be found here: https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html.

3. Adjusting your firewall or NTP server configuration so that it only serves your users and does not respond to outside IP addresses.

If you don't mean to run a public NTP server, we recommend #1 and #2. If you do mean to run a public NTP server, we recommend #1, and also that you rate-limit responses to individual source IP addresses -- silently discarding those that exceed a low number, such as one request per IP address per second. Rate-limit functionality is built into many recently-released NTP daemons, including ntpd, but needs to be enabled; it would help with different types of attacks than this one.

Fixing open NTP servers is important; with the 1000x+ amplification factor of NTP DRDoS attacks -- one 40-byte-long request can generate up to 46800 bytes worth of response traffic -- it only takes one machine on an unfiltered 100 Mbps link to create a 100+ Gbps attack!

If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.

Further reading:

https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks

https://isc.sans.org/forums/diary/NTP+reflection+attack/17300

http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613&smlogin=true

You can find more vulnerable servers on a network through this site: http://openntpproject.org/

Example NTP responses from the host during this attack are given below.

Timestamps (far left) are PDT (UTC-7), and the date is 2014-06-06.

14:56:00.582232 IP 176.120.XXX.XXX.123 > 66.150.155.x.27015: NTPv2, Reserved, length 440

0x0000: 4500 01d4 e456 4000 3211 f6a8 b078 de04 E....V@.2....x..

0x0010: 4296 9b06 007b 6987 01c0 67de d700 032a B....{i...g....*

0x0020: 0006 0048 0000 0000 0000 0000 0000 0000 ...H............

0x0030: 0000 002d 4296 9b06 b078 de04 0100 0000 ...-B....x......

0x0040: 6987 0702 0000 0000 0000 0000 0000 0000 i...............

0x0050: 0000 ..

14:56:00.582469 IP 176.120.XXX.XXX.123 > 66.150.155.x.27015: NTPv2, Reserved, length 440

0x0000: 4500 01d4 e457 4000 3211 f6a7 b078 de04 E....W@.2....x..

0x0010: 4296 9b06 007b 6987 01c0 30b2 d701 032a B....{i...0....*

0x0020: 0006 0048 0000 0000 0000 00ac 0000 0000 ...H............

0x0030: 0000 0001 2eae 3056 b078 de04 0100 0000 ......0V.x......

0x0040: 6987 0702 0000 0000 0000 0000 0000 0000 i...............

0x0050: 0000 ..

14:56:00.582659 IP 176.120.XXX.XXX.123 > 66.150.155.x.27015: NTPv2, Reserved, length 440

0x0000: 4500 01d4 e458 4000 3211 f6a6 b078 de04 E....X@.2....x..

0x0010: 4296 9b06 007b 6987 01c0 f340 d702 032a B....{i....@...*

0x0020: 0006 0048 0000 000d 0000 01a2 0000 0000 ...H............

0x0030: 0000 0004 4657 f03b b078 de04 0100 0000 ....FW.;.x......

0x0040: 007b 0702 0000 0000 0000 0000 0000 0000 .{..............

0x0050: 0000 ..

14:56:00.582824 IP 176.120.XXX.XXX.123 > 66.150.155.x.27015: NTPv2, Reserved, length 440

0x0000: 4500 01d4 e459 4000 3211 f6a5 b078 de04 E....Y@.2....x..

0x0010: 4296 9b06 007b 6987 01c0 2ebe d703 032a B....{i........*

0x0020: 0006 0048 0000 0036 0000 05e5 0000 0000 ...H...6........

0x0030: 0000 0004 184a 29ea b078 de04 0100 0000 .....J)..x......

0x0040: 0050 0702 0000 0000 0000 0000 0000 0000 .P..............

0x0050: 0000 ..

14:56:00.583035 IP 176.120.XXX.XXX.123 > 66.150.155.x.27015: NTPv2, Reserved, length 440

0x0000: 4500 01d4 e45a 4000 3211 f6a4 b078 de04 E....Z@.2....x..

0x0010: 4296 9b06 007b 6987 01c0 10a6 d704 032a B....{i........*

0x0020: 0006 0048 0000 0170 0000 0c80 0000 0000 ...H...p........

0x0030: 0000 0003 6c4a 9c76 b078 de04 0100 0000 ....lJ.v.x......

0x0040: 0050 0702 0000 0000 0000 0000 0000 0000 .P..............

0x0050: 0000 ..

14:56:00.583215 IP 176.120.XXX.XXX.123 > 66.150.155.x.27015: NTPv2, Reserved, length 440

0x0000: 4500 01d4 e45b 4000 3211 f6a3 b078 de04 E....[@.2....x..

0x0010: 4296 9b06 007b 6987 01c0 efcf d705 032a B....{i........*

0x0020: 0006 0048 0000 0003 0000 1819 0000 0000 ...H............

0x0030: 0000 04ea 4256 f40d b078 de04 0100 0000 ....BV...x......

0x0040: 0050 0702 0000 0000 0000 0000 0000 0000 .P..............

0x0050: 0000 ..

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "6".)

-John

President

Nuclearfallout, Enterprises, Inc. (NFOservers.com)

(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)

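
As an added example for the NTP letter in this post and for the monlist description a few posts earlier (my own code, not from the notice or from anyone in the thread), the following decodes the NTP payload of the first packet in the letter, i.e. the bytes after the 20-byte IPv4 and 8-byte UDP headers of that tcpdump hex. It shows what a mode 7 monlist reply looks like on the wire, why the victim's own address and source port turn up inside the data, and how the 46800-byte figure in the letter follows from the packet's own `nitems` and item size. Assumptions, marked in the code: the victim address is reconstructed from the letter's masked 66.150.155.x plus the stated final octet 6; the 600-entry cap comes from the earlier post and the 40-byte request size from the notice; the entry layout is ntpd's `struct info_monitor_1`.

```python
import struct
from typing import Dict, List

# NTP payload of the first packet quoted in the notice above: the bytes that follow
# the 28 bytes of IPv4 and UDP headers in that tcpdump hex, re-typed from the dump.
# tcpdump cut the record at 0x52 bytes, so only the first monlist entry is present,
# and even that one is missing its trailing IPv6 fields.
SAMPLE_NTP_HEX = (
    "d700 032a 0006 0048 "
    "0000 0000 0000 0000 0000 0000 0000 002d "
    "4296 9b06 b078 de04 0100 0000 6987 0702 "
    "0000 0000 0000 0000 0000 0000 0000"
)
VICTIM_IP = "66.150.155.6"   # 66.150.155.x from the notice, final octet 6 as it states

MODE_PRIVATE = 7              # tcpdump's "NTPv2, Reserved" is mode 7, ntpd's private mode
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42        # the monlist request code
MONLIST_MAX_ENTRIES = 600     # ntpd keeps the last 600 clients, as the earlier post says
MONLIST_REQUEST_BYTES = 40    # request size quoted in the notice
IP_UDP_OVERHEAD = 28
# Leading fixed-width fields of ntpd's struct info_monitor_1 (72 bytes in total; the
# remaining 32 are two IPv6 addresses): avg_int, last_int, restr, count, addr, daddr,
# flags, port, mode, version, v6_flag, unused1.
ENTRY_PREFIX = "!IIII4s4sIHBBII"

def ip4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def parse_mode7(payload: bytes) -> Dict:
    """Decode a mode 7 response header and as many monlist entries as the buffer holds."""
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", payload[:8])
    hdr = {
        "response": bool(rm_vn_mode & 0x80),
        "more": bool(rm_vn_mode & 0x40),     # set on every packet of the burst but the last
        "version": (rm_vn_mode >> 3) & 0x07,
        "mode": rm_vn_mode & 0x07,
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "error": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF,
        "entries": [],
    }
    body = payload[8:]
    prefix_len = struct.calcsize(ENTRY_PREFIX)
    for i in range(hdr["nitems"]):
        chunk = body[i * hdr["itemsize"]: i * hdr["itemsize"] + prefix_len]
        if len(chunk) < prefix_len:
            break                             # capture is truncated here
        avg_int, last_int, restr, count, addr, daddr, flags, port, mode, ver, v6, _ = \
            struct.unpack(ENTRY_PREFIX, chunk)
        hdr["entries"].append({
            "avg_int": avg_int, "last_int": last_int, "restr": restr, "count": count,
            "addr": ip4(addr), "daddr": ip4(daddr), "flags": flags,
            "port": port, "mode": mode, "version": ver, "v6": bool(v6),
        })
    return hdr

def is_monlist_response(hdr: Dict) -> bool:
    return (hdr["response"] and hdr["mode"] == MODE_PRIVATE
            and hdr["implementation"] == IMPL_XNTPD and hdr["request"] == REQ_MON_GETLIST_1)

def entries_for(hdr: Dict, client_ip: str) -> List[Dict]:
    """monlist records the source of every request it answered, so the spoofed queries
    leave the victim's own address and source port in the server's client list."""
    return [e for e in hdr["entries"] if e["addr"] == client_ip]

def worst_case_amplification(hdr: Dict) -> Dict:
    """Bytes a full monlist burst puts on the wire per byte of spoofed request."""
    per_packet = hdr["nitems"]
    packets = -(-MONLIST_MAX_ENTRIES // per_packet)          # ceil(600 / 6) = 100
    udp_payload = 8 + per_packet * hdr["itemsize"]           # 8 + 6 * 72 = 440
    wire_bytes = packets * (udp_payload + IP_UDP_OVERHEAD)   # 100 * 468 = 46800
    return {"packets": packets, "wire_bytes": wire_bytes,
            "factor": wire_bytes / MONLIST_REQUEST_BYTES}

if __name__ == "__main__":
    h = parse_mode7(bytes.fromhex(SAMPLE_NTP_HEX.replace(" ", "")))
    print("monlist response:", is_monlist_response(h), "seq", h["sequence"], "more", h["more"])
    for e in entries_for(h, VICTIM_IP):
        print(f"victim logged as client: {e['addr']}:{e['port']} count={e['count']} mode={e['mode']}")
    print(worst_case_amplification(h))
```

The first entry the server returned is the victim itself: address 66.150.155.6, source port 27015 (the same port the replies in the dump are addressed to), mode 7, count 45. The server had already answered 45 spoofed monlist requests that carried the victim's address, and each of them made it the most recent "client", so the victim's own address travels inside the flood. The 46800-byte figure in the notice is just 100 packets of 440 bytes of NTP plus 28 bytes of headers, which divided by the 40-byte request gives the 1170x in the letter's "1000x+". Against the parser's view, the notice's fixes are straightforward: `disable monitor` (or an ntpd without monlist) makes request code 42 return an error instead of a 100-packet burst, and `restrict default ... noquery` refuses mode 6 and 7 queries from everyone while the daemon keeps serving time, so a spoofed request produces nothing to amplify.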
