[AusNOG] DDoS Attacks - Painful and Persistent.

Craig Meyers Craig.Meyers at citec.com.au
Mon Aug 10 17:15:07 EST 2009


The consistent signature from the packet dump seems to be UDP and 8k
packets. (I couldn't see anything outside of this, anyone else see an
example outside of that signature?)

The source/destination ports seem to vary wildly.

Legitimate traffic with this profile that comes to mind is NFS.

I've done a whois on some of the source IPs, and I get hosting companies
(not ISPs). Generally these are more hardened against being used as
botnets vs domestic ISPs.

I wonder if you are seeing something a university in the US saw a few years
back. What happened to them was a network manufacturer included
keep-alive code in the router such that it did an NTP request every
10 secs or so.

With 100,000+ devices in circulation, this caused a massive DDOS on
their infrastructure. Forgive me, I can't recall university name.

8k packet sizes typically depict storage-type networks. I wonder if you
are seeing an artifact of NAS-type infrastructure 'calling-home'
so-to-speak. For example, a recent software update to NAS-type hardware
with the incorrect domain name.

Just a thought. This could explain why you haven't seen any form of
ransom.

-- Craig Meyers
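The signature Craig describes (UDP, ~8k datagrams, source and destination ports all over the place) is easy to check mechanically against a text capture before concluding anything from a packet dump. The script below is an added example, not code from the thread or from the capture Nick posted: it parses constructed tcpdump -n style lines (real tcpdump decodes well-known protocols such as NFS or DNS with extra detail, and only the first fragment of a large datagram carries the UDP header, so later fragments appear as `ip-proto-17` and are skipped), tallies per-source packet size and port spread, and separates "large UDP to many random ports" from the legitimate NFS-like profile Craig mentions, where the destination port stays fixed at 2049. The thresholds (4096 bytes, 5 packets, 5 distinct destination ports, 90% large) are assumptions chosen for the sample, not values from the post.

```python
import re

# Thresholds are assumptions for this example, tuned to the thread's
# description ("8k packets", "ports vary wildly"), not figures from the list.
LARGE_UDP_BYTES = 4096
MIN_PACKETS = 5
MIN_DISTINCT_DPORTS = 5
LARGE_FRACTION = 0.9

# tcpdump -n style line: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
UDP_RE = re.compile(r"^UDP, length (\d+)")

# Constructed sample capture (RFC 5737 documentation addresses), not the
# real capture from the thread. Two sources send 8192-byte UDP to scattered
# ports, one behaves like an NFS client (fixed dport 2049), one is TCP.
SAMPLE_CAPTURE = """\
17:02:13.000101 IP 198.51.100.7.40123 > 192.0.2.10.3391: UDP, length 8192
17:02:13.000102 IP 198.51.100.7 > 192.0.2.10: ip-proto-17
17:02:13.000210 IP 198.51.100.7.51877 > 192.0.2.10.27015: UDP, length 8192
17:02:13.000333 IP 198.51.100.7.6122 > 192.0.2.10.44099: UDP, length 8192
17:02:13.000412 IP 198.51.100.7.33020 > 192.0.2.10.8888: UDP, length 8192
17:02:13.000550 IP 198.51.100.7.9191 > 192.0.2.10.1028: UDP, length 8192
17:02:13.000688 IP 198.51.100.7.58330 > 192.0.2.10.61001: UDP, length 8192
17:02:13.000701 IP 203.0.113.40.11111 > 192.0.2.10.5060: UDP, length 8192
17:02:13.000803 IP 203.0.113.40.22222 > 192.0.2.10.31000: UDP, length 8192
17:02:13.000905 IP 203.0.113.40.33333 > 192.0.2.10.7: UDP, length 8192
17:02:13.001007 IP 203.0.113.40.44444 > 192.0.2.10.19: UDP, length 8192
17:02:13.001109 IP 203.0.113.40.55555 > 192.0.2.10.123: UDP, length 8192
17:02:13.001211 IP 203.0.113.40.60001 > 192.0.2.10.1900: UDP, length 8192
17:02:13.001300 IP 192.0.2.55.735 > 192.0.2.10.2049: UDP, length 8192
17:02:13.001400 IP 192.0.2.55.735 > 192.0.2.10.2049: UDP, length 8192
17:02:13.001500 IP 192.0.2.55.735 > 192.0.2.10.2049: UDP, length 8192
17:02:13.001600 IP 192.0.2.55.736 > 192.0.2.10.2049: UDP, length 8192
17:02:13.001700 IP 192.0.2.55.736 > 192.0.2.10.2049: UDP, length 8192
17:02:13.001800 IP 192.0.2.55.736 > 192.0.2.10.2049: UDP, length 8192
17:02:13.001900 IP 192.0.2.60.45000 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
"""


def parse_line(line):
    """Return a packet dict for an IP line with ports, or None.

    Non-IP lines and trailing fragments ("ip-proto-17", no ports) return None;
    only the first fragment of a large UDP datagram carries the UDP header.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = UDP_RE.match(m.group("rest"))
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "udp": u is not None,
        "length": int(u.group(1)) if u else None,
    }


def summarize(text):
    """Per-source tallies: packet count, large-UDP count, port sets, UDP bytes."""
    stats = {}
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        s = stats.setdefault(pkt["src"], {
            "packets": 0, "large_udp": 0, "udp_bytes": 0,
            "sports": set(), "dports": set(),
        })
        s["packets"] += 1
        s["sports"].add(pkt["sport"])
        s["dports"].add(pkt["dport"])
        if pkt["udp"]:
            s["udp_bytes"] += pkt["length"]
            if pkt["length"] >= LARGE_UDP_BYTES:
                s["large_udp"] += 1
    return stats


def flag_sources(stats):
    """Sources matching the thread's profile: mostly large UDP, spread over many dports.

    A fixed destination port (e.g. NFS on 2049) does not trigger the flag,
    which is what distinguishes the legitimate profile Craig raises.
    """
    flagged = []
    for src, s in stats.items():
        if s["packets"] < MIN_PACKETS:
            continue
        if s["large_udp"] / s["packets"] < LARGE_FRACTION:
            continue
        if len(s["dports"]) < MIN_DISTINCT_DPORTS:
            continue
        flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize(SAMPLE_CAPTURE)
    for src in sorted(stats):
        s = stats[src]
        print(f"{src:15} pkts={s['packets']:3} large_udp={s['large_udp']:3} "
              f"sports={len(s['sports']):3} dports={len(s['dports']):3} "
              f"udp_bytes={s['udp_bytes']}")
    print("matches large-UDP/port-spread profile:", flag_sources(stats))
```

To run it over a real text dump, replace `SAMPLE_CAPTURE` with the file contents (`tcpdump -n -r capture.pcap`); the flagged list is a triage aid for the whois step Craig describes, not a verdict, and the thresholds should be set from the capture's own distribution.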


-----Original Message-----
From: ausnog-bounces at lists.ausnog.net
[mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Nick Brown
Sent: Monday, 10 August 2009 4:15 PM
To: Roland Dobbins
Cc: ausnog at ausnog.net
Subject: Re: [AusNOG] DDoS Attacks - Painful and Persistent.

There is a 3 Minute capture (15MB) available for viewing at 
http://mirror.as38887.net/Misc/Attack_2009-08-10_202.45.155.46.txt as 
captured earlier this morning showing some data pertaining to the type 
and volume of traffic. Despite dropping the affected prefixes earlier 
today, bringing the affected prefix back into the global routing table 
immediately shows the return of the malicious traffic.