[AusNOG] UDP based HTTP attack?

Joseph Goldman joe at apcs.com.au
Sun Sep 20 10:14:25 EST 2015


Ok so NTP was being used to reflect back on port 80 to the attacked IP, 
so you were participating in your instance? Just never seen port 80 UDP 
traffic in attacks before. Unfortunately quite distributed so couldn't 
effectively do source-based blocking. Luckily it's a smaller server so 
not many complaints, will just hopefully wait it out for a few hours, 
still yet to implement scrubbing.

On 20/09/15 10:04, Matt Richards wrote:
>
> One of our servers had an insecure NTP config, and it was being used 
> in a DDoS attack to udp/80.
>
> Matt.
>
> On 20/09/2015 12:01 p.m., Joseph Goldman wrote:
>> Hi *,
>>
>>  One of my webservers just went under DDoS attack so before 
>> blackholing the IP I decided to capture some traffic - At a quick 
>> glance I could see it was port 80 but after firing up Wireshark I saw 
>> it was all UDP - is it common to send UDP payloads to Port 80? I was 
>> hoping to get the URI in the request to know which site in particular 
>> was getting targeted, but oh well.
>>
>> Thanks,
>> Joe
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>
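Added example, not part of the original thread: in a reflected flood the replies carry the reflecting service's port as the UDP source port (123 for NTP), so grouping captured UDP by source port shows which service is being abused and how many distinct reflectors are involved. It assumes raw IPv4 packets with the link-layer header already stripped; the function names, the `REFLECTORS` table and the sample packets are constructed for illustration.

```python
import struct

# Well-known UDP ports of services often abused as reflectors.
REFLECTORS = {19: "chargen", 53: "DNS", 123: "NTP", 1900: "SSDP"}

def parse_ipv4_udp(pkt):
    """Return (src_ip, sport, dport, payload_len) or None if not parseable UDP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(pkt) < ihl + 8:
        return None  # bad header, or a later fragment with no UDP header
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return ".".join(map(str, pkt[12:16])), sport, dport, max(ulen - 8, 0)

def triage(packets, victim_port=80):
    """Group UDP aimed at victim_port by source port (the reflector's service)."""
    stats = {}
    for pkt in packets:
        rec = parse_ipv4_udp(pkt)
        if rec is None or rec[2] != victim_port:
            continue
        src, sport, _, plen = rec
        s = stats.setdefault(sport, {"packets": 0, "bytes": 0, "sources": set()})
        s["packets"] += 1
        s["bytes"] += plen
        s["sources"].add(src)
    return {p: {"service": REFLECTORS.get(p, "unknown"), "packets": s["packets"],
                "bytes": s["bytes"], "sources": len(s["sources"])}
            for p, s in stats.items()}

def make_packet(src, sport, dport, payload, proto=17, dst="203.0.113.10"):
    """Build a constructed IPv4 packet (checksums left at zero) for the sample."""
    l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    addr = lambda ip: bytes(map(int, ip.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto,
                       0, addr(src), addr(dst)) + l4

# Constructed sample: documentation-range addresses, not real attack data.
SAMPLE = [make_packet(ip, 123, 80, b"\x00" * 440)
          for ip in ("192.0.2.1", "192.0.2.1", "198.51.100.7", "192.0.2.200")]
SAMPLE.append(make_packet("198.51.100.9", 53, 80, b"\x00" * 100))
SAMPLE.append(make_packet("192.0.2.50", 40000, 80, b"GET / ", proto=6))  # TCP: skipped
SAMPLE.append(make_packet("192.0.2.51", 5353, 53, b"x"))  # other port: skipped

if __name__ == "__main__":
    for port, row in sorted(triage(SAMPLE).items()):
        print(port, row)
```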


