* * * * *

                They aren't attacking, they're being attacked

So that list of IP (Internet Protocol) addresses I listed yesterday [1] … it
turns out they weren't the attackers, but the victims! And I was unwittingly
helping to facilitate a DDoS (Distributed Denial of Service) amplification
attack.

Sigh.

When we left off yesterday, I had modified my QOTD (Quote of the Day) server
to log the IP address, port number, and the incoming UDP (User Datagram
Protocol) packet to help figure out what the heck was going on. So pretty
much off the bat, I'm seeing this (which goes on for nearly 4,000 entries):

-----[ data ]-----
38.21.240.153:6951      "\001"
38.21.240.153:7333      "\001"
38.21.240.153:37152     "\001"
38.21.240.153:6951      "\001"
38.21.240.153:7333      "\001"
38.21.240.153:37152     "\001"
38.21.240.153:6951      "\001"
38.21.240.153:7333      "\001"
38.21.240.153:37152     "\001"
-----[ END OF LINE ]-----

What had me puzzled are the ports—I wasn't familiar with them. It may be that
port 6951 deals with online transaction processing [2], port 7333 seems to
have something to do with the Swiss Exchange [3], and nothing at all about
port 37152. It's not exactly looking good, but the ports being attacked are
rather all over the place (I'm only going to list two of the attacked IP
addresses—there are more though):

Table: Ports being attacked
host address    port number     requests
------------------------------
38.21.240.153   10947   1508
38.21.240.153   11860   1425
38.21.240.153   14485   1420
38.21.240.153   65033   1418
38.21.240.153   4625    1409
38.21.240.153   4808    1401
38.21.240.153   37152   1400
38.21.240.153   65277   1394
38.21.240.153   27683   1389
38.21.240.153   17615   1389
38.21.240.153   48235   1388
38.21.240.153   27227   1386
38.21.240.153   14503   1386
38.21.240.153   43174   1385
38.21.240.153   43069   1377
38.21.240.153   47040   1372
38.21.240.153   6991    1370
38.21.240.153   18235   1369
38.21.240.153   57696   1360
38.21.240.153   7333    1233
38.21.240.153   6951    1204
38.21.240.153   36965   1171
38.21.240.153   16306   1139
47.99.152.166   47673   145
47.99.152.166   39606   144
47.96.172.52    48309   142
47.96.172.52    46769   142
47.107.64.105   59669   142
47.107.64.105   35763   142
47.107.64.105   22100   141
47.99.152.166   4302    140
47.107.64.105   53336   140
47.99.152.166   35758   138
47.96.172.52    44529   138
47.96.172.52    26878   138
47.107.64.105   52337   138

------------------------------

A lot of the ports are high values, which tend not to have defined services
and are typically used for outbound requests to a service, like making a
request to a QOTD service.

The data being sent is just a single byte, which is all that's really needed
for the QOTD protocol [4] to return a quote via UDP. So this looks like
legitimate traffic, except for the volume.

But as I kept searching for “QOTD attacks” I kept coming across UDP
amplification attacks [5] (more of the same [6]). It appears that the vast
majority of traffic is forged (it's easy enough to forge UDP packets), and
because QOTD sends more data than it receives, it's a rather cheap method to
attack a target with a ton of traffic regardless of what the attacked machine
is being used for (and my UDP based server probably isn't the only one
unwittingly facilitating this attack).
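The log entries and the per-port counts above can be produced, and the
amplification ratio checked, with a small script. This is an added example,
not code from the phlog or from the author's QOTD server; it assumes the log
format shown above ("ip:port", whitespace, the packet in quotes with C-style
octal escapes), the sample log lines are constructed (the port 52000 probe is
made up), and the thresholds in likely_victims() are arbitrary choices.

```python
"""Summarise a QOTD server's UDP request log and estimate the amplification.

Added example, not the phlog author's code.  Assumes each log line looks
like the entries quoted in the post:  <ip>:<port>  "<escaped packet bytes>"
"""
import re
from collections import Counter, defaultdict

# Constructed sample log, in the post's format.  The three-port burst to one
# host is repeated to mimic the flood; the single probe is a separate host.
VICTIM_BURST = (
    '38.21.240.153:6951      "\\001"\n'
    '38.21.240.153:7333      "\\001"\n'
    '38.21.240.153:37152     "\\001"\n'
)
PROBE = '74.82.47.61:52000       "\\001"\n'   # port 52000 is a made-up value
SAMPLE_LOG = VICTIM_BURST * 50 + PROBE

LINE_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s+"(.*)"$')


def parse_log(text):
    """Yield (ip, port, payload_len) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue          # skip banners such as -----[ data ]-----
        ip, port, payload = m.group(1), int(m.group(2)), m.group(3)
        # The log writes packet bytes as C octal escapes: "\001" is one byte.
        raw = payload.encode("latin-1").decode("unicode_escape")
        yield ip, port, len(raw)


def count_requests(text):
    """Requests per (ip, port): the 'Ports being attacked' table."""
    counts = Counter()
    for ip, port, _ in parse_log(text):
        counts[(ip, port)] += 1
    return counts


def likely_victims(counts, min_requests=100, min_ports=3):
    """Hosts hit by many requests spread over many (ephemeral) ports.

    A real client asks once from one port; a host that 'asks' hundreds of
    times from dozens of high ports is the spoofed source, i.e. the DDoS
    victim.  Thresholds are assumed, not taken from the post.
    """
    per_host = defaultdict(lambda: [0, set()])
    for (ip, port), n in counts.items():
        per_host[ip][0] += n
        per_host[ip][1].add(port)
    return sorted(ip for ip, (total, ports) in per_host.items()
                  if total >= min_requests and len(ports) >= min_ports)


def amplification_factor(request_len, quote):
    """Bytes sent back per byte received.

    RFC 865 has the server answer any datagram with a quote of up to 512
    characters, so a one-byte request can be amplified several hundredfold.
    """
    return len(quote.encode("utf-8")) / request_len


if __name__ == "__main__":
    counts = count_requests(SAMPLE_LOG)
    for (ip, port), n in counts.most_common():
        print(f"{ip:<16}{port:<8}{n}")
    print("likely victims:", likely_victims(counts))
    quote = "Any sufficiently advanced bug is indistinguishable from a feature."
    print(f"amplification: {amplification_factor(1, quote):.0f}x")
```

Run against a real log the flood stands out the same way it does in the
post's table: one host, many high ports, a request count per port in the
hundreds or thousands, while scanners show up as single requests. The
amplification factor is the reason the server is attractive to an attacker:
the server's reply is limited only by the 512-character quote, not by the
one-byte request.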

A bit more research revealed a few servers that made a request (or a very
small number of requests):

Table: Requests to the UDP QOTD server
host address    requests        first request
------------------------------
74.82.47.61     2       May 03
185.94.111.1    4       May 04
74.82.47.37     1       May 04
74.82.47.17     1       May 05
71.6.233.171    1       May 06
74.82.47.29     1       May 06
104.152.52.39   1       May 07
74.82.47.57     2       May 07
74.82.47.33     1       May 08
206.189.86.188  1       May 10
74.82.47.49     1       May 10

------------------------------

I'm guessing these machines made the query to see if my machine could be used
for a UDP DDoS amplification attack, and would periodically check back to see
if such attacks could continue from my server, which would explain the
periodic nature of the deluge of traffic I saw (they weren't continuous but
would happen in very random bursts). I also suspect there may be two
different groups doing an attack, given the volume of traffic to certain
targets.

It was also amusing to see 104.152.52.39 attempt to spam me with email, and
attempt to log in via ssh on the 7th as well.

I've since disabled the UDP protocol on my QOTD server. Sigh. This is why we
can't have nice things on the Intarwebs.

[1] gopher://gopher.conman.org/0Phlog:2019/05/12.1
[2] https://en.wikipedia.org/wiki/Online_transaction_processing
[3] https://www.speedguide.net/port.php?port=7333
[4] https://www.ietf.org/rfc/rfc865.txt
[5] https://christian-rossow.de/articles/Amplification_DDoS.php
[6] https://www.us-cert.gov/ncas/alerts/TA14-017A

Email author at [email protected]