4

So for over 2 weeks, I'm receiving what appears to be a combination of attacks non-stop 24/7.

First, this UDP flood at a strangely small rate of 280 Kbps / 110 pps (360 bytes in length):

02:29:41.978484 IP (tos 0x0, ttl 48, id 56020, offset 0, flags [DF], proto UDP (17), length 360)
    120.xxx.xxx.xxx.15070 > 200.xxx.xxx.xxx.7072: [udp sum ok] UDP, length 332

        0x0030:  fefe 7f7f fefe 7f7f fffe ff7f fffe fe7f  ................
        0x0040:  7ffe fe7f 7ffe ff7f 7eff feff ff7e fefe  ........~....~..
        0x0050:  ff7e 7ffe ffff 7e7f feff 7f7e fffe 7f7f  .~....~....~....
        0x0060:  7efe ffff 7e7f fefe ff7e ffff ffff 7efe  ~...~....~....~.
        0x0070:  ff7f 7e7f feff 7f7e ffff 7f7e 7ffe 7f7e  ..~....~...~...~
        0x0080:  7eff ffff 7e7f feff 7e7e feff 7f7e ffff  ~...~...~~...~..
        0x0090:  ff7f ffff 7f7e fffe 7f7f 7efe ff7f 7ffe  .....~....~.....
        0x00a0:  fe7f 7f7f fefe 7f7e fffe ff7f 7efe feff  .......~....~...
        0x00b0:  7eff feff 7f7e fffe ff7f 7ffe feff 7efe  ~....~........~.
        0x00c0:  feff 7e7f feff ff7f fefe 7f7f 7ffe fe7f  ..~.............
        0x00d0:  7e7f feff 7f7f fefe 7f7e fefe ff7e feff  ~........~...~..
        0x00e0:  7f7e ffff ff7e fffe ff7f 7ffe ff7f 7eff  .~...~........~.
        0x00f0:  feff 7f7e fffe 7f7e 7efe ff7f 7e7f fefe  ...~...~~...~...
        0x0100:  7f7e 7fff ff7f 7fff fe7f 7e7f feff 7e7e  .~........~...~~
        0x0110:  fffe 7f7e 7ffe 7f7e 7eff fe7f 7e7e fefe  ...~...~~...~~..
        0x0120:  7f7e fffe ff7e 7efe ff7f 7eff ff7f 7efe  .~...~~...~...~.
        0x0130:  ff7f 7eff feff 7fff feff 7e7f feff 7e7e  ..~.......~...~~
        0x0140:  fefe ff7f 7ffe feff 7f7e fefe 7f7e fffe  .........~...~..
        0x0150:  fe7f 7ffe feff ff7f fefe ff7f fffe feff  ................
        0x0160:  7ffe fefe 7f7f fefe                      ........

These are non-stop packets with the same destination port and the same source IP.

Simultaneously, I'm getting hit on a combination of random TCP ports + port 445, at a smaller rate of 5 packets per second. They just seem to be SYN scanners / port 445 knocking attempts.

    43.xxx.xxx.xxx.1000 > 200.xxx.xxx.xxx.40476: Flags [S.], cksum 0xaee4 (incorrect -> 0xaedc), seq xxx:xxx, ack xxx, win 8760, length 8
02:30:49.862649 IP (tos 0x0, ttl 239, id 19108, offset 0, flags [DF], proto TCP (6), length 48)
    43.xxx.xxx.xxx.1000 > 200.xxx.xxx.xxx.9752: Flags [S.], cksum 0x4dcf (incorrect -> 0x4dc7), seq xxx:xxx, ack xxx, win 8760, length 8
02:30:50.644298 IP (tos 0x0, ttl 239, id 61707, offset 0, flags [DF], proto TCP (6), length 48)
    43.xxx.xxx.xxx.1000 > 200.xxx.xxx.xxx.22728: Flags [S.], cksum 0x9ee6 (incorrect -> 0x9ede), seq xxx:xxx, ack xxx, win 8760, length 8
02:31:11.700387 IP (tos 0x48, ttl 106, id 18219, offset 0, flags [DF], proto TCP (6), length 52)

Now the 445 probes begin...

    36.xxx.xxx.xxx.63133 > 200.xxx.xxx.xxx.445: Flags [S], cksum 0x5f48 (correct), seq xxx:xxx, ack xxx, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
02:31:21.049800 IP (tos 0x0, ttl 106, id 3996, offset 0, flags [DF], proto TCP (6), length 52)
    123.xxx.xxx.xxx.7264 > 200.xxx.xxx.xxx.445: Flags [S], cksum 0x745e (correct), seq seq xxx:xxx, ack xxx, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
02:31:32.355143 IP (tos 0x48, ttl 110, id 2945, offset 0, flags [DF], proto TCP (6), length 52)
    45.xxx.xxx.xxx.61134 > 200.xxx.xxx.xxx.445: Flags [S], cksum 0xda92 (correct), seq xxx:xxx, ack xxx, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
02:31:33.441688 IP (tos 0x28, ttl 109, id 8648, offset 0, flags [DF], proto TCP (6), length 52)

Simultaneously too, there are ~3 packets per second to 4 ports in the range 5000-5100.

02:51:50.124083 IP 49.xxx.xxx.xxx.5060 > 200.xxx.xxx.xxx.50xx: SIP, length: 364
02:51:50.278002 IP 49.xxx.xxx.xxx.5060 > 200.xxx.xxx.xxx.50xx: SIP, length: 371
02:51:51.202326 IP 221.xxx.xxx.xxx.5060 > 200.xxx.xxx.xxx.50xx: SIP, length: 364
02:51:54.078075 IP 49.xxx.xxx.xxx.5060 > 200.xxx.xxx.xxx.50xx: SIP, length: 360
02:51:54.123284 IP 49.xxx.xxx.xxx.5060 > 200.xxx.xxx.xxx.50xx: SIP, length: 364
02:51:54.314175 IP 49.xxx.xxx.xxx.5060 > 200.xxx.xxx.xxx.50xx: SIP, length: 371

On top of that, every hour or so, there is a rapid 300-packets-per-second SYN probe from a single IP to multiple hosts in my subnet, including my DNS server provider.

01:40:42.257034 IP 43.xxx.xxx.xxx.9594 > 200.xxx.xxx.xxx.25792: Flags [S.], seq xxx:xxx, ack xxx, win 8760, length 8
01:40:42.257243 IP 43.xxx.xxx.xxx.9594 > 200.xxx.xxx.xxx.62826: Flags [S.], seq xxx:xxx, ack xxx, ack xxx, win 8760, length 8
01:40:42.258176 IP 43.xxx.xxx.xxx.9594 > 200.xxx.xxx.xxx.2613: Flags [S.], seq xxx:xxx, ack xxx, win 8760, length 8
01:40:42.258203 IP 43.xxx.xxx.xxx.9594 > 200.xxx.xxx.xxx.6335: Flags [S.], seq xxx:xxx, ack xxx, win 8760, length 8
01:40:42.258890 IP 43.xxx.xxx.xxx.9594 > DNS.provider: Flags [S.], seq xxx:xxx, ack xxx, win 8760, length 8
01:40:42.258921 IP 43.xxx.xxx.xxx.9594 > 200.xxx.xxx.xxx.32031: Flags [S.], seq xxx:xxx, ack xxx, win 8760, length 8

ALL my ports are filtered (DROP), including blocking UDP and ICMP completely. This is an isolated machine that will eventually open port 80.

So the question I'm interested in is this 280 Kbps UDP flood. What purpose is it serving? Is it a DDoS warning sign?

Combining all IPs, there have been over 5000 unique IPs (I was also subjected to SSH brute-force attempts when I opened port 22; 5 GB of logs).

Jonas
If the UDP packets keep coming from the same source, absolutely do consider reporting the activity to the ISP in question. They'll probably want to know what their customer is up to. – user Aug 31 '17 at 07:45

2 Answers

1

My steps would be the following:

  1. As Michael said - report!

  2. Investigate the intersection of source addresses in the different kinds of attacks: do addresses from UDP port 7072 intersect with addresses scanning SIP ports? If you have an IP facing the internet, it's pretty common to catch several port-scanning attempts. Basically, divide the traffic into multiple groups by your assumption of who the attacker is and focus on the attacker who is targeting your IP specifically; that would be the most dangerous.

  3. To learn more about the attacker's intention, I would open the affected ports for a few connections and investigate the incoming payload. But do not let the attacker connect to real services! You can use simple netcat: nc -l -u IP 7020.
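Step 2 in code, as an added example that is not part of this answer: a Python script that parses tcpdump one-line summaries (and the two-line -v form) in the formats shown in the question, sorts each packet into one of the poster's categories, and reports which source addresses appear in more than one category together with the peak packets-per-second per source. The sample capture inside it is constructed with RFC 5737 documentation addresses, since the question's addresses are redacted, and the category rules (UDP to port 7072, SIP, SYN-ACK with payload, SYN to port 445, other SYN) are assumptions drawn from the question's own description rather than a general scanner taxonomy.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the question's tcpdump formats (RFC 5737 addresses;
# 192.0.2.10 stands in for the victim). It includes -v two-line packets, a stray
# comment line, and one source (203.0.113.7) that shows up in two categories.
SAMPLE = """\
02:29:41.978484 IP (tos 0x0, ttl 48, id 56020, offset 0, flags [DF], proto UDP (17), length 360)
    203.0.113.7.15070 > 192.0.2.10.7072: [udp sum ok] UDP, length 332
02:29:41.987001 IP (tos 0x0, ttl 48, id 56021, offset 0, flags [DF], proto UDP (17), length 360)
    203.0.113.7.15070 > 192.0.2.10.7072: [udp sum ok] UDP, length 332
02:29:41.995512 IP (tos 0x0, ttl 48, id 56022, offset 0, flags [DF], proto UDP (17), length 360)
    203.0.113.7.15070 > 192.0.2.10.7072: [udp sum ok] UDP, length 332
02:30:49.862649 IP 198.51.100.4.1000 > 192.0.2.10.9752: Flags [S.], seq 0:8, ack 1, win 8760, length 8
02:30:50.644298 IP 198.51.100.4.1000 > 192.0.2.10.22728: Flags [S.], seq 0:8, ack 1, win 8760, length 8
    Now begins 445 probes...
02:31:21.049800 IP 198.51.100.77.7264 > 192.0.2.10.445: Flags [S], seq 0, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
02:31:32.355143 IP 198.51.100.78.61134 > 192.0.2.10.445: Flags [S], seq 0, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
02:51:50.124083 IP 203.0.113.7.5060 > 192.0.2.10.5062: SIP, length: 364
02:51:51.202326 IP 203.0.113.9.5060 > 192.0.2.10.5064: SIP, length: 364
"""

# One tcpdump packet line; the optional parenthesised -v header may itself
# contain one level of parentheses, e.g. "proto UDP (17)".
_PKT = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?:\((?P<hdr>(?:[^()]|\([^()]*\))*)\)\s+)?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)


def _join_continuations(text: str) -> list:
    """tcpdump -v prints a header line ending in ')' and an indented second line; rejoin them."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and lines and lines[-1].endswith(")"):
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def classify(pkt: dict) -> str:
    """Bucket a packet into the categories the question describes (assumed rules)."""
    rest, dport = pkt["rest"], pkt["dport"]
    if rest.startswith("SIP"):
        return "sip_probe"                       # the 5000-5100 SIP traffic
    if "UDP" in rest or "proto UDP" in pkt["hdr"]:
        return "udp_flood_7072" if dport == 7072 else "udp_other"
    if "Flags [S.]" in rest:
        return "synack_sweep"                    # the [S.] lines carrying 8 bytes
    if "Flags [S]" in rest:
        return "smb_445_probe" if dport == 445 else "syn_scan"
    return "other"


def parse(text: str) -> list:
    packets = []
    for line in _join_continuations(text):
        m = _PKT.match(line)
        if not m:
            continue  # stray notes such as "Now begins 445 probes..." are skipped
        pkt = m.groupdict()
        pkt["hdr"] = pkt["hdr"] or ""
        pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
        pkt["kind"] = classify(pkt)
        packets.append(pkt)
    return packets


def sources_by_kind(packets: list) -> dict:
    kinds = defaultdict(set)
    for p in packets:
        kinds[p["kind"]].add(p["src"])
    return dict(kinds)


def overlapping_sources(packets: list) -> dict:
    """Sources present in more than one category: the intersection step 2 asks for."""
    seen = defaultdict(set)
    for p in packets:
        seen[p["src"]].add(p["kind"])
    return {src: sorted(k) for src, k in seen.items() if len(k) > 1}


def peak_pps(packets: list) -> dict:
    """Highest packet count any single source produced within one wall-clock second."""
    per_second = Counter((p["src"], p["ts"][:8]) for p in packets)
    peak = {}
    for (src, _second), n in per_second.items():
        peak[src] = max(peak.get(src, 0), n)
    return peak


if __name__ == "__main__":
    pkts = parse(SAMPLE)
    for kind, srcs in sorted(sources_by_kind(pkts).items()):
        print(f"{kind:16} {sorted(srcs)}")
    print("overlap:", overlapping_sources(pkts))
    print("peak pps:", peak_pps(pkts))
```

To run it over a live capture, feed it the text of `tcpdump -n` with the default timestamp format; `-n` matters because a resolved name such as the question's "DNS.provider" does not match the address pattern and that packet would be dropped silently.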

-2

It may be some sort of rodent/shrew DoS attack (since you said the packets' source address is always the same), although these normally target TCP services. In summary, these attacks try to consume the resources of a machine not by sending huge amounts of data like regular DoS/DDoS, but by playing with timeouts, the retransmission window, etc. in order to achieve the same results. See this paper for more information about this type of attack: http://www.cs.cornell.edu/People/egs/cornellonly/syslunch/spring04/p75-kuzmanovic.pdf

Checking the UDP destination port and the payload (binary content) you show in the trace, another possibility is that it could be directed towards some game server or a streaming service (https://www.speedguide.net/port.php?port=7072) that may be vulnerable to DrDoS (common for UDP services). This may be a good starting point for your investigation.

Hope it helps.

b0rt
I don't think UDP is vulnerable in any way to the first attacks you are describing. There is no retransmission window or timeouts for UDP connections because there are no such things as UDP connections - it's stateless. – forest Jan 29 '18 at 23:58