[AusNOG] UDP based HTTP attack?

Matt Richards matt at shakesbeare.com
Sun Sep 20 11:36:34 EST 2015


Yes, our server was being used in the attack. UDP traffic with a forged 
source address and a source port of 80 would hit our NTP server and use 
monlist to flood the DDoS target.

I've previously fixed the ntp config on this server (multiple times...), 
but the vendor's software keeps overwriting it with their insecure 
defaults. I've given up asking the vendor to fix it properly and just 
firewalled NTP upstream of that server.  It's a PBX, so NTP is used to 
set the time on the phones - we'll just have to find a way around not 
having NTP exposed on it.

https://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks/

Matt.

On 20/09/2015 12:14 p.m., Joseph Goldman wrote:
> Ok so NTP was being used to reflect back on port 80 to the attacked 
> IP, so you were participating in your instance? Just never seen port 
> 80 UDP traffic in attacks before. Unfortunately quite distributed so 
> couldn't effectively do source based blocking. Luckily it's a smaller 
> server so not many complaints, will just hopefully wait it out for a 
> few hours, still yet to implement scrubbing.
>
> On 20/09/15 10:04, Matt Richards wrote:
>>
>> One of our servers had an insecure NTP config, and it was being used 
>> in a DDoS attack to udp/80.
>>
>> Matt.
>>
>> On 20/09/2015 12:01 p.m., Joseph Goldman wrote:
>>> Hi *,
>>>
>>>  One of my webservers just went under DDoS attack so before 
>>> blackholing the IP I decided to capture some traffic - At a quick 
>>> glance I could see it was port 80 but after firing up wireshark I 
>>> saw it was all UDP - is it common to send UDP payloads to Port 80? I 
>>> was hoping to get the URI in the request to know which site in 
>>> particular was getting targeted, but oh well.
>>>
>>> Thanks,
>>> Joe
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>
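Added example, not part of the thread: a way to confirm from a capture that UDP traffic arriving on port 80 is NTP monlist reflection, by checking the payloads for ntpd's mode 7 header. The function names and sample packets are constructed for illustration; the header layout and request codes are assumed to follow ntpd's mode 7 (ntpdc) protocol.

```python
import struct

# ntpd mode 7 request codes that return the monitor list (assumed per ntpd's ntp_request.h).
MONLIST_CODES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}

def classify_ntp_payload(payload: bytes):
    """Describe an NTP mode 7 monlist packet; return None for any other payload."""
    if len(payload) < 8:
        return None
    flags, auth_seq, _impl, req, err_items, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if flags & 0x07 != 7 or req not in MONLIST_CODES:   # low 3 bits are the NTP mode
        return None
    items, item_size = err_items & 0x0FFF, mbz_size & 0x0FFF
    return {
        "request_code": MONLIST_CODES[req],
        "is_response": bool(flags & 0x80),    # R bit: set on packets sent by the server
        "more_follows": bool(flags & 0x40),   # M bit: further response packets follow
        "sequence": auth_seq & 0x7F,
        "items": items,
        "item_size": item_size,
        "truncated": len(payload) < 8 + items * item_size,
    }

def monlist_hits_by_dst_port(packets):
    """packets: iterable of (src_port, dst_port, udp_payload) taken from a capture.
    Counts monlist responses sent from udp/123, grouped by the port they arrive on."""
    hits = {}
    for sport, dport, payload in packets:
        info = classify_ntp_payload(payload)
        if info and info["is_response"] and sport == 123:
            hits[dport] = hits.get(dport, 0) + 1
    return hits

# Constructed samples: a full monlist response (6 entries of 72 bytes, zero-filled)
# and an ordinary 48-byte NTP server reply (version 4, mode 4).
SAMPLE_MONLIST_RESPONSE = bytes([0xD7, 0x00, 0x03, 0x2A]) + struct.pack("!HH", 6, 72) + bytes(6 * 72)
SAMPLE_TIME_REPLY = bytes([0x24]) + bytes(47)
SAMPLE_CAPTURE = [
    (123, 80, SAMPLE_MONLIST_RESPONSE),
    (123, 80, SAMPLE_MONLIST_RESPONSE),
    (123, 40000, SAMPLE_TIME_REPLY),
]

if __name__ == "__main__":
    print(classify_ntp_payload(SAMPLE_MONLIST_RESPONSE))
    print(monlist_hits_by_dst_port(SAMPLE_CAPTURE))
```

On the reflecting server the same header check applies to inbound udp/123 packets where `is_response` is false.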


