The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Monday, May 13, 2019

They aren't attacking, they're being attacked

So that list of IP addresses I listed yesterday … it turns out they weren't the attackers, but the victims! And I was unwittingly helping to facilitate a DDoS amplification attack.

Sigh.

When we left off yesterday, I had modified my QOTD server to log the IP address, port number, and the incoming UDP packet to help figure out what the heck was going on. So pretty much off the bat, I'm seeing this (which goes on for nearly 4,000 entries):

38.21.240.153:6951      "\001"
38.21.240.153:7333      "\001"
38.21.240.153:37152     "\001"
38.21.240.153:6951      "\001"
38.21.240.153:7333      "\001"
38.21.240.153:37152     "\001"
38.21.240.153:6951      "\001"
38.21.240.153:7333      "\001"
38.21.240.153:37152     "\001"

What had me puzzled are the ports—I wasn't familiar with them. It may be that port 6951 deals with online transaction processing, port 7333 seems to have something to do with the Swiss Exchange, and I found nothing at all about port 37152. It's not exactly looking good, but the ports being attacked are rather all over the place (I'm only going to list two of the attacked IP addresses—there are more though):

Ports being attacked

host address     port number   requests
38.21.240.153    10947         1508
38.21.240.153    11860         1425
38.21.240.153    14485         1420
38.21.240.153    65033         1418
38.21.240.153    4625          1409
38.21.240.153    4808          1401
38.21.240.153    37152         1400
38.21.240.153    65277         1394
38.21.240.153    27683         1389
38.21.240.153    17615         1389
38.21.240.153    48235         1388
38.21.240.153    27227         1386
38.21.240.153    14503         1386
38.21.240.153    43174         1385
38.21.240.153    43069         1377
38.21.240.153    47040         1372
38.21.240.153    6991          1370
38.21.240.153    18235         1369
38.21.240.153    57696         1360
38.21.240.153    7333          1233
38.21.240.153    6951          1204
38.21.240.153    36965         1171
38.21.240.153    16306         1139
47.99.152.166    47673         145
47.99.152.166    39606         144
47.96.172.52     48309         142
47.96.172.52     46769         142
47.107.64.105    59669         142
47.107.64.105    35763         142
47.107.64.105    22100         141
47.99.152.166    4302          140
47.107.64.105    53336         140
47.99.152.166    35758         138
47.96.172.52     44529         138
47.96.172.52     26878         138
47.107.64.105    52337         138

A lot of the ports are high values, which tend not to have defined services and are typically used for outbound requests to a service, like making a request to a QOTD service.

The data being sent is just a single byte, which is all that's really needed for the QOTD protocol to return a quote via UDP. So this looks like legitimate traffic, except for the volume.

But as I kept searching for “QOTD attacks” I kept coming across UDP amplification attacks (more of the same). It appears that the vast majority of traffic is forged (it's easy enough to forge UDP packets), and because QOTD sends more data than it receives, it's a rather cheap method to attack a target with a ton of traffic regardless of what the attacked machine is being used for (and my UDP based server probably isn't the only one unwittingly facilitating this attack).
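To make the reasoning above concrete, here is an added example (my own code, not the QOTD server from the post) that works over log lines in the "ip:port payload" format the modified server writes: it rebuilds the per-port request table, estimates the bandwidth amplification factor (response payload bytes divided by request payload bytes, an empty datagram counted as one byte), and flags source addresses that received many replies on many different high ports for one-byte requests, which is what a spoofed victim looks like from the reflector's side. The addresses and the quote text are constructed (RFC 5737 documentation ranges), and the thresholds are assumptions to tune against your own traffic.

```python
"""Added example (not the post's own code): analyse the "ip:port payload"
lines the post's modified QOTD server logs, rebuild the per-port request
table, estimate the bandwidth amplification factor, and flag source
addresses that look like spoofed reflection victims rather than clients."""
import re
from collections import Counter, defaultdict

# Constructed sample log in the post's format (RFC 5737 documentation
# addresses, not real hosts): one heavily hit address on several high ports,
# one single ordinary query, and one empty-payload probe.
SAMPLE_LOG = '''
203.0.113.5:6951      "\\001"
203.0.113.5:7333      "\\001"
203.0.113.5:37152     "\\001"
203.0.113.5:6951      "\\001"
203.0.113.5:7333      "\\001"
203.0.113.5:37152     "\\001"
203.0.113.5:6951      "\\001"
203.0.113.5:7333      "\\001"
203.0.113.5:37152     "\\001"
203.0.113.5:48235     "\\001"
192.0.2.10:54321      "\\001"
198.51.100.7:40000    ""
'''

# A constructed quote standing in for whatever the server would send back.
SAMPLE_QUOTE = ("Any sufficiently advanced technology is indistinguishable "
                "from magic. -- Arthur C. Clarke\n")

LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"(?P<payload>.*)"$')
# C-style escapes as the log prints them: \001, \x41, \n, \" ...
ESCAPE_RE = re.compile(r'\\(?:[0-7]{1,3}|x[0-9A-Fa-f]{2}|.)')


def decoded_length(payload: str) -> int:
    """Number of bytes in the datagram, counting each escape as one byte."""
    return len(ESCAPE_RE.sub('\x00', payload))


def parse_log(text: str):
    """Return [(source_ip, source_port, payload_bytes), ...]; skips junk lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group('ip'), int(m.group('port')),
                            decoded_length(m.group('payload'))))
    return records


def port_table(records):
    """Per (ip, port) request counts, busiest first, like the post's table."""
    counts = Counter((ip, port) for ip, port, _ in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def bandwidth_amplification_factor(request_bytes: int, response: str) -> float:
    """UDP payload bytes sent to the victim divided by UDP payload bytes
    received from the (spoofed) requester; an empty datagram counts as one
    byte so the ratio stays finite."""
    return len(response.encode()) / max(request_bytes, 1)


def suspected_reflection_targets(records, response=SAMPLE_QUOTE,
                                 min_requests=5, min_ports=3, max_payload=1):
    """Addresses that received many replies, on many different ports, for
    tiny requests: the signature of a spoofed victim, not of a client.
    Returns {ip: {'requests', 'ports', 'bytes_reflected'}}."""
    per_ip = defaultdict(lambda: {'requests': 0, 'ports': set(), 'largest': 0})
    for ip, port, size in records:
        s = per_ip[ip]
        s['requests'] += 1
        s['ports'].add(port)
        s['largest'] = max(s['largest'], size)
    reply_len = len(response.encode())
    return {
        ip: {'requests': s['requests'], 'ports': len(s['ports']),
             'bytes_reflected': s['requests'] * reply_len}
        for ip, s in per_ip.items()
        if s['requests'] >= min_requests and len(s['ports']) >= min_ports
        and s['largest'] <= max_payload
    }


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for (ip, port), n in port_table(recs):
        print(f'{ip:15} {port:5} {n}')
    print('BAF for a 1-byte request:',
          bandwidth_amplification_factor(1, SAMPLE_QUOTE))
    print('suspected reflection targets:', suspected_reflection_targets(recs))
```

The `bytes_reflected` figure is the useful number for a reflector operator: it is how much traffic your server has already pushed at each suspected victim, and with a one-byte request and a quote of a hundred or so bytes the amplification factor is in the range that makes QOTD over UDP worth abusing in the first place.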

A bit more research revealed a few servers that made a request (or a very small number of requests):

Requests to the UDP QOTD server

host address     requests   first request
74.82.47.61      2          May 03
185.94.111.1     4          May 04
74.82.47.37      1          May 04
74.82.47.17      1          May 05
71.6.233.171     1          May 06
74.82.47.29      1          May 06
104.152.52.39    1          May 07
74.82.47.57      2          May 07
74.82.47.33      1          May 08
206.189.86.188   1          May 10
74.82.47.49      1          May 10

I'm guessing these machines made the query to see if my machine could be used for a UDP DDoS amplification attack, and would periodically check back to see if such attacks could continue from my server, which would explain the periodic nature of the deluge of traffic I saw (they weren't continuous but would happen in very random bursts). I also suspect there may be two different groups doing an attack, given the volume of traffic to certain targets.

It was also amusing to see 104.152.52.39 attempt to spam me with email, and attempt to log in via ssh on the 7th as well.

I've since disabled the UDP protocol on my QOTD server. Sigh. This is why we can't have nice things on the Intarwebs.


“If you strike me down, I shall become more powerful than you can possibly imagine”

Of all the lightsaber duels in the Star Wars movies, the one in “Star Wars: Episode IV—A New Hope” is probably the most sedate. But that's okay, because in 1977 this is the first time we're seeing freaking lightsabers! So cool! And it blew my 8-year-old mind at the time.

But this reimagining of that fight? (link via Kirk Israel)

[Do you know just how painful it is to fall into a lava pit?  Do you?]

Had I seen that as an 8-year-old, my head would have exploded!


Copyright © 1999-2024 by Sean Conner. All Rights Reserved.