[AusNOG] PIPE and EQUINIX Reflection Attack, PORT 3389 RDP Traffic.

Sean K. Finn sean.finn at ozservers.com.au
Tue Mar 6 11:22:27 EST 2012


Hi All,

Unusual request.

We have a client server that is getting responses from RDP/Remote Desktop servers.
The trouble is, my client isn't sending the requests, so it's obviously coming from a spoofed source claiming to be my client's IP, and therefore sending responses back to my client's IP.

I've blocked the traffic internationally, but, at a Multilateral peering exchange, how the HECK do I drop traffic for a specific /32!!

Does anyone have any techniques to share to black hole traffic destined to this IP? Perhaps spoof some packets back to the sources with ICMP unreachables or something similar?

This one's got me boggled :)

Cheers for any help, feel free to post on-list if it's relevant to the discussion, I'm sure there are others who this has affected and who it will affect in the future.

Graphs are included below to help visualize some of this traffic. (It's the big green bit).

Sean.

[Attached graphs: image007.png, image008.png]
