We've seen at least a couple of the port 1900 attacks.
I also notice that there are fresh ntp updates in CentOS.
--
bp
<part {dash} 15 {at} SkylineBroadbandService {dot} com>
On 12/22/2014 7:36 PM, Ken Hohhof via Af wrote:
I read somewhere, I think maybe Ars, that the DDoS attack has been
going on for several days and is using primarily NTP and SSDP (UPnP
discovery protocol) amplification. And that SSDP has succeeded NTP
and DNS as the amplification method for big (> 1Gbps) DDoS attacks.
Apparently because the industry jumped on securing open NTP servers.
And even though SSDP provides less amplification than NTP, there are
more targets and they are mostly home routers which consumers are not
going to patch even if there is patched firmware available. Plus UDP
makes it easier to spoof the source IP.
So I must have missed that UDP port 1900 is the new target for
amplification.
I did a quick torch and saw a bunch of traffic on udp/1900, some
inbound only which I assume are scans, some bidirectional which I’m
thinking is suspicious but maybe some port 1900 traffic is normal
because it is in the >1024 ephemeral port range.
I went and signed up for ShadowServer, figuring they will tell me what
IPs were responding to SSDP requests on what date and I can track down
the customer. Anyone have a better approach? If you identify
customers with UPnP open to the outside, are you contacting them and
pushing them to fix it?
It’s just amazing to me that some routers would have UPnP open on the
WAN side. What’s wrong with these companies? I saw DLink mentioned,
and sure enough, when I torched for udp/1900, I saw a lot of
connections for a customer that I seem to remember has a DLink DIR-655.
*From:* Jaime Solorza via Af <mailto:af@afmug.com>
*Sent:* Monday, December 22, 2014 7:58 PM
*To:* Animal Farm <mailto:af@afmug.com>
*Subject:* Re: [AFMUG] North Korea is down....
linksys modems for backhauls
Jaime Solorza
Wireless Systems Architect
915-861-1390
On Mon, Dec 22, 2014 at 2:48 PM, Tyson Burris @ Internet
Communications Inc via Af <af@afmug.com <mailto:af@afmug.com>> wrote:
No! No! They have Comcast Cable and Century Link DSL. Normal stuff.
*Tyson Burris, President**
**Internet Communications Inc.**
**739 Commerce Dr.**
**Franklin, IN 46131**
***
*317-738-0320 <tel:317-738-0320> Daytime #*
*317-412-1540 <tel:317-412-1540> Cell/Direct #*
*Online: **www.surfici.net* <http://www.surfici.net>
ICI
*What can ICI do for you?*
*Broadband Wireless - PtP/PtMP Solutions - WiMax - Mesh
Wifi/Hotzones - IP Security - Fiber - Tower - Infrastructure.*
**
*CONFIDENTIALITY NOTICE: This e-mail is intended for the*
*addressee shown. It contains information that is*
*confidential and protected from disclosure. Any review,*
*dissemination or use of this transmission or its contents by*
*unauthorized organizations or individuals is strictly*
*prohibited.*
*From:*Af [mailto:af-boun...@afmug.com
<mailto:af-boun...@afmug.com>] *On Behalf Of *Travis Johnson via Af
*Sent:* Monday, December 22, 2014 4:24 PM
*To:* af@afmug.com <mailto:af@afmug.com>
*Subject:* Re: [AFMUG] North Korea is down....
The FBI setup a P2P server in North Korea with the Sony movie as
the only download. LOL
Travis
On 12/22/2014 2:08 PM, CBB - Jay Fuller via Af wrote:
What did we do? Lol. How did we do it ?
Sent from my Verizon Wireless 4G LTE Smartphone
