Monday, May 13, 2019
They aren't attacking, they're being attacked
So that list of IP addresses I listed yesterday … it turns out they weren't the attackers, but the victims! And I was unwittingly helping to facilitate a DDoS amplification attack.
Sigh.
When we left off yesterday, I had modified my QOTD server to log the IP address, port number, and the incoming UDP packet to help figure out what the heck was going on. So pretty much right off the bat, I'm seeing this (which goes on for nearly 4,000 entries):

```
38.21.240.153:6951 "\001"
38.21.240.153:7333 "\001"
38.21.240.153:37152 "\001"
38.21.240.153:6951 "\001"
38.21.240.153:7333 "\001"
38.21.240.153:37152 "\001"
38.21.240.153:6951 "\001"
38.21.240.153:7333 "\001"
38.21.240.153:37152 "\001"
```
What had me puzzled were the ports; I wasn't familiar with them. It may be that port 6951 deals with online transaction processing, port 7333 seems to have something to do with the Swiss Exchange, and I found nothing at all about port 37152. It's not exactly looking good, but the ports being attacked are all over the place (I'm only going to list two of the attacked IP addresses; there are more, though):
host address | port number | requests |
---|---|---|
38.21.240.153 | 10947 | 1508 |
38.21.240.153 | 11860 | 1425 |
38.21.240.153 | 14485 | 1420 |
38.21.240.153 | 65033 | 1418 |
38.21.240.153 | 4625 | 1409 |
38.21.240.153 | 4808 | 1401 |
38.21.240.153 | 37152 | 1400 |
38.21.240.153 | 65277 | 1394 |
38.21.240.153 | 27683 | 1389 |
38.21.240.153 | 17615 | 1389 |
38.21.240.153 | 48235 | 1388 |
38.21.240.153 | 27227 | 1386 |
38.21.240.153 | 14503 | 1386 |
38.21.240.153 | 43174 | 1385 |
38.21.240.153 | 43069 | 1377 |
38.21.240.153 | 47040 | 1372 |
38.21.240.153 | 6991 | 1370 |
38.21.240.153 | 18235 | 1369 |
38.21.240.153 | 57696 | 1360 |
38.21.240.153 | 7333 | 1233 |
38.21.240.153 | 6951 | 1204 |
38.21.240.153 | 36965 | 1171 |
38.21.240.153 | 16306 | 1139 |
47.99.152.166 | 47673 | 145 |
47.99.152.166 | 39606 | 144 |
47.96.172.52 | 48309 | 142 |
47.96.172.52 | 46769 | 142 |
47.107.64.105 | 59669 | 142 |
47.107.64.105 | 35763 | 142 |
47.107.64.105 | 22100 | 141 |
47.99.152.166 | 4302 | 140 |
47.107.64.105 | 53336 | 140 |
47.99.152.166 | 35758 | 138 |
47.96.172.52 | 44529 | 138 |
47.96.172.52 | 26878 | 138 |
47.107.64.105 | 52337 | 138 |
A lot of the ports are high-numbered ephemeral ports, which have no assigned service and are normally the source port a client picks when making an outbound request to a service, like a request to a QOTD server.
The data being sent is just a single byte, which is all that's really needed for the QOTD protocol to return a quote via UDP (RFC 865 has the server ignore the contents of the datagram entirely). So this looks like legitimate traffic, except for the volume.
But as I kept searching for “QOTD attacks” I kept coming across UDP amplification attacks (more of the same). It appears that the source addresses on the vast majority of this traffic are forged (it's easy enough to forge the source address of a UDP packet, since there's no handshake), and because QOTD sends back far more data than it receives, it's a rather cheap way to flood a target with traffic regardless of what the target machine is being used for (and my UDP-based server probably isn't the only one unwittingly facilitating this attack).
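The table above was built by hand from the log. The following is an added example, not the blog's own QOTD server code: it parses log lines of the shape shown above (`<ip>:<port> "<payload>"`, one request per line), counts requests per host and port, flags hosts whose "requests" are spread across many ports as likely reflection victims, and sizes the amplification from the 1-byte request against a reply. The `SAMPLE_LOG` lines, the `SAMPLE_QUOTE`, and the thresholds in `likely_victims` are all constructed for the example.

```python
"""Aggregate a QOTD request log and size up the amplification.

Added example for this post, not the blog's own QOTD server code. It
assumes the log line format `<ip>:<port> "<payload>"`, one request per
line; SAMPLE_LOG and SAMPLE_QUOTE below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+"(?P<payload>.*)"$'
)

# Constructed sample: one host hammered on several ports, a one-off probe,
# a host with a couple of hits (too few to call a victim), and a junk line.
SAMPLE_LOG = r'''
38.21.240.153:6951 "\001"
38.21.240.153:7333 "\001"
38.21.240.153:37152 "\001"
38.21.240.153:6951 "\001"
38.21.240.153:7333 "\001"
38.21.240.153:37152 "\001"
38.21.240.153:6951 "\001"
74.82.47.61:54321 "\001"
47.99.152.166:47673 "\001"
47.99.152.166:39606 "\001"
garbage line that does not parse
'''

# Constructed quote: the reply the server would send for each 1-byte request.
SAMPLE_QUOTE = b'"Any sufficiently advanced bug is indistinguishable from a feature."\r\n'


def parse_log(text):
    """Yield (ip, port, payload) per well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("ip"), int(m.group("port")), m.group("payload")


def requests_per_target(text):
    """Requests per (ip, port): the table the post built by hand."""
    return Counter((ip, port) for ip, port, _ in parse_log(text))


def likely_victims(text, min_requests=3, min_ports=2):
    """Map ip -> total requests for hosts that look like reflection victims.

    A genuine client sends a few requests from one ephemeral source port.
    A reflected flood shows one (spoofed) source address hit again and
    again across many ports, because the attacker varies the port in the
    forged datagrams. Volume spread over several ports is the tell.
    """
    per_host = defaultdict(Counter)
    for ip, port, _ in parse_log(text):
        per_host[ip][port] += 1
    return {
        ip: sum(ports.values())
        for ip, ports in per_host.items()
        if sum(ports.values()) >= min_requests and len(ports) >= min_ports
    }


def amplification_factor(request, response):
    """Bandwidth amplification factor: reply bytes per request byte."""
    return len(response) / len(request)


def reflected_bytes(text, response):
    """Bytes this server bounced onto each likely victim, assuming one
    reply of `response` went out for every logged request."""
    return {ip: n * len(response) for ip, n in likely_victims(text).items()}


if __name__ == "__main__":
    for (ip, port), n in requests_per_target(SAMPLE_LOG).most_common():
        print(f"{ip:16} {port:6} {n}")
    print("victims:", likely_victims(SAMPLE_LOG))
    print("amplification:", amplification_factor(b"\x01", SAMPLE_QUOTE))
    print("reflected bytes:", reflected_bytes(SAMPLE_LOG, SAMPLE_QUOTE))
```

Run against the real log, the `likely_victims` output is the list from the table (the 1,400-request host and the 140-request hosts), while the one- and two-request scanners drop out. The amplification factor is simply the quote length, since the request is one byte; at a few dozen bytes per quote and some 1,400 requests per port, the numbers add up quickly.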
A bit more research revealed a few servers that made a request (or a very small number of requests):
host address | requests | first request |
---|---|---|
74.82.47.61 | 2 | May 03 |
185.94.111.1 | 4 | May 04 |
74.82.47.37 | 1 | May 04 |
74.82.47.17 | 1 | May 05 |
71.6.233.171 | 1 | May 06 |
74.82.47.29 | 1 | May 06 |
104.152.52.39 | 1 | May 07 |
74.82.47.57 | 2 | May 07 |
74.82.47.33 | 1 | May 08 |
206.189.86.188 | 1 | May 10 |
74.82.47.49 | 1 | May 10 |
I'm guessing these machines made the query to see if my machine could be used for a UDP DDoS amplification attack, and would periodically check back to see if such attacks could continue from my server, which would explain the periodic nature of the deluge of traffic I saw (they weren't continuous but would happen in very random bursts). I also suspect there may be two different groups doing an attack, given the volume of traffic to certain targets.
It was also amusing to see 104.152.52.39 attempt to spam me with email, and attempt to log in via ssh on the 7th as well.
I've since disabled the UDP protocol on my QOTD server. Sigh. This is why we can't have nice things on the Intarwebs.
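Turning UDP off is the complete fix, and the one the post went with. For anyone who wants to keep a UDP responder up anyway, the following is an added example (not this blog's server) of the usual alternative: a per-source token bucket, so that any one claimed source address, which under spoofing is the victim, can only ever draw a trickle of replies from this host, with a bounded table so a flood of random spoofed sources can't exhaust memory. The names (`SourceLimiter`, `handle`, `serve`), the quote, the rate and burst values and the 512-byte request cap are all assumptions made for the example; only the standard library is used.

```python
"""A UDP QOTD responder that makes a poor reflector.

Added example, not the server from this blog. Rate-limits replies per
source IP with a token bucket and keeps the source table bounded. All
names, limits and the quote are assumptions made for the example.
"""
import socket
import time
from collections import OrderedDict

# Constructed sample quote; a real server would rotate through a file.
QUOTE = b'"Never attribute to malice that which is adequately explained by a spoofed UDP packet."\r\n'


class ManualClock:
    """A clock you advance by hand, for the demo and for tests."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SourceLimiter:
    """Per-source token bucket with a bounded table.

    rate        replies refilled per second, per source IP
    burst       bucket capacity: replies a not-yet-seen source gets at once
    max_sources cap on tracked sources; the least recently seen is evicted,
                so a flood with random spoofed sources cannot grow memory
    """
    def __init__(self, rate=1.0, burst=3, max_sources=10_000, clock=time.monotonic):
        self.rate, self.burst = rate, burst
        self.max_sources, self.clock = max_sources, clock
        self.buckets = OrderedDict()          # ip -> (tokens, last_seen)

    def allow(self, ip):
        now = self.clock()
        tokens, last = self.buckets.pop(ip, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self.buckets[ip] = (tokens, now)       # re-insert as most recent
        while len(self.buckets) > self.max_sources:
            self.buckets.popitem(last=False)   # evict least recently seen
        return allowed

    def tracked(self):
        return len(self.buckets)


def handle(datagram, src_ip, limiter):
    """Reply bytes for one datagram, or None to stay silent.

    Silence is deliberate for over-limit sources: an error reply would
    itself be reflected traffic aimed at the (spoofed) source address.
    """
    if len(datagram) > 512:      # RFC 865 ignores the contents; oversize requests are junk (assumed cap)
        return None
    if not limiter.allow(src_ip):
        return None
    return QUOTE


def serve(port=1717, bind="0.0.0.0"):
    """Stand-alone UDP loop (the real QOTD port is 17, which needs root)."""
    limiter = SourceLimiter()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            datagram, (src_ip, src_port) = sock.recvfrom(2048)
            reply = handle(datagram, src_ip, limiter)
            if reply is not None:
                sock.sendto(reply, (src_ip, src_port))


def demo_burst():
    """Six 1-byte requests 'from' one spoofed address: five back-to-back,
    then one after a second has passed. Returns which ones got a reply."""
    clock = ManualClock()
    limiter = SourceLimiter(rate=1.0, burst=3, clock=clock)
    results = [handle(b"\x01", "38.21.240.153", limiter) is not None for _ in range(5)]
    clock.advance(1.0)
    results.append(handle(b"\x01", "38.21.240.153", limiter) is not None)
    return results


def demo_eviction(max_sources=2):
    """Show the source table stays bounded when many spoofed sources appear."""
    limiter = SourceLimiter(max_sources=max_sources, clock=ManualClock())
    for i in range(10):
        limiter.allow(f"10.0.0.{i}")
    return limiter.tracked()


if __name__ == "__main__":
    print(demo_burst())      # [True, True, True, False, False, True]
    print(demo_eviction())   # 2
```

With these settings a victim receives at most three quotes up front and one per second thereafter from this host, however many forged packets arrive. The caveat is that this only bounds what one reflector contributes; an attacker with thousands of unthrottled QOTD servers still gets the flood, which is why dropping UDP, as above, is the cleaner answer.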
“If you strike me down, I shall become more powerful than you can possibly imagine”
Of all the lightsaber duels in the Star Wars movies, the one in “Star Wars: Episode IV—A New Hope” is probably the most sedate. But that's okay, because in 1977 this is the first time we're seeing freaking lightsabers! So cool! And it blew my 8-year-old mind at the time.
But this reimagining of that fight? (link via Kirk Israel)
Had I seen that as an 8-year-old, my head would have exploded!