Blame
Date:
Wed Feb 1 05:00:29 2023 UTC
Message:
Daily backup
01
2023-01-22
jrmu
version=pmwiki-2.2.130 ordered=1 urlencoded=1
02
2023-01-22
jrmu
agent=Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
03
2023-01-22
jrmu
author=mkf
04
2023-01-22
jrmu
charset=UTF-8
05
2023-01-22
jrmu
csum=
06
2023-01-22
jrmu
ctime=1608201354
07
2023-01-22
jrmu
host=80.191.34.206
08
2023-01-22
jrmu
name=Openbsd.ACKFlood
09
2023-01-22
jrmu
rev=10
10
2023-01-22
jrmu
targets=Openbsd.Tcpdump,Openbsd.Police,Openbsd.Buyvm,Openbsd.Pf,Openbsd.Ddos
11
2023-01-22
jrmu
text=(:title TCP Ack Flood:)%0a%0a!! TCP Ack Flood%0a%0aAn attacker can flood a server with ACK packets. The server receives so many packets then it cannot handle normal traffic.%0a%0aIn a TCP connection, a three-way handshake occurs:%0a%0a# The client sends a SYN packet to start a TCP connection%0a# The server replies with a SYN-ACK packet to accept the TCP connection%0a# The client replies with an ACK packet packet to begin sending data%0a%0aThe SYN (synchronize) packet initiates a TCP connection, and an ACK (acknowledgment) packet acknowledges that a TCP connection has been established. This handshake is performed every time data is sent over TCP.%0a%0aIn addition, ACK packets are sent periodically by a device to acknowledge that packets are received.%0a%0aServers must process every ACK packet they receive, so ACK floods waste a lot of server resources. Real and fake ACK packets look the same, the only difference is that a fake ACK packet lacks a payload (there's no real content).%0a%0a!! Sample Pcap%0a%0aFollow the [[openbsd/tcpdump|tcpdump]] guide to record a pcap during an attack to analyze it.%0a%0a[@%0a2001:db8::/32 %0a18:34:34.318888 2001:db8::2940:5fe2:fb93:3fd7.42028 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.56815: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)%0aa@...... .A.....)@_...?.&.d..0.....c..Z..,..U.1{....P.@8*...%0a18:34:34.318888 2001:db8::7b61:8030:655d:59f3.9312 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.9005: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)%0aa@...... .A.....{a.0e]Y.&.d..0.....c..Z.$`#-.1O.....P.@8....%0a18:34:34.318889 2001:db8::6820:2b6f:c23a:769b.6570 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.65117: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)%0a`.......*..p....h +o.:v.&.d..0.....c..Z....]9.G.....P.@8....%0a18:34:34.318889 2001:db8::afa4:565f:994c:1970.14808 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.57643: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)%0aa@...... .A.......V_.L.p&.d..0.....c..Z.9..+........P.@8e...%0a18:34:34.318889 2001:db8::6443:797e:c8f3:e29d.22693 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.8369: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)%0aa@...... .A.....dCy~....&.d..0.....c..Z.X. .#.7t....P.@8.y..%0a18:34:34.318889 2001:db8::76b0:adba:bb48:873f.17347 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.15413: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)%0a`.......*..p..b.v....H.?&.d..0.....c..Z.C.%3c5$.(.....P.@8....%0a18:34:34.318889 2001:db8::664d:ea08:52b8:305c.61968 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.10304: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 237)%0a`.......*..p..'.fM..R.0\&.d..0.....c..Z...(@`..\....P.@8.B..%0a@]%0a%0aIn the above, we see the source IP subnet (2001:db8::/64) is sending TCP ack packets to random ports to IP 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d. This user is being targeted by an IPv6 TCP ACK flood, so you can run:%0a%0a[@%0a$ dig -x 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d%0auser.fig.ircnow.org%0a@]%0a%0aYou should contact this user; he may have clues as to who is attacking him. You can then investigate by following the [[openbsd/police|police guide]].%0a%0a!! How to Block%0a%0aFirst, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are [[openbsd/buyvm|BuyVM]], check the [[https://manage.buyvm.net|web panel]] to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.%0a%0aUsing the [[openbsd/pf|packet filter]] firewall, you will want to block packets coming from the subnet 2001:db8::/64. You could put these two rules at the beginning of /etc/pf.conf:%0a%0a[@%0aext_ip="2605:6400:30:f8de::/64"%0abad_ip="2001:db8::/64"%0ablock drop quick proto {udp tcp} from $bad_ip to $ext_ip%0a@]%0a%0a!! See Also%0a%0a[[openbsd/Ddos|DDoS Defense]]
12
2023-01-22
jrmu
time=1622269221
13
2023-01-22
jrmu
title=TCP Ack Flood
14
2023-01-22
jrmu
author:1622269221=mkf
15
2023-01-22
jrmu
diff:1622269221:1608356660:minor=5c5%0a%3c An attacker can flood a server with ACK packets. The server receives so many packets then it cannot handle normal traffic.%0a---%0a> An attacker can flood a server with ACK packets. The server receives so many packets it cannot handle normal traffic.%0a
16
2023-01-22
jrmu
host:1622269221=80.191.34.206
17
2023-01-22
jrmu
author:1608356660=jrmu
18
2023-01-22
jrmu
diff:1608356660:1608356342:=54,55c54,55%0a%3c Using the [[openbsd/pf|packet filter]] firewall, you will want to block packets coming from the subnet 2001:db8::/64. You could put these two rules at the beginning of /etc/pf.conf:%0a%3c %0a---%0a> Using the [[openbsd/pf|packet filter]] firewall, you will want to block UDP packets on port 1900. You could put these two rules at the beginning of /etc/pf.conf:%0a> %0a57,59c57,58%0a%3c ext_ip="2605:6400:30:f8de::/64"%0a%3c bad_ip="2001:db8::/64"%0a%3c block drop quick proto {udp tcp} from $bad_ip to $ext_ip%0a---%0a> ext_ip="192.168.0.1"%0a> block drop quick proto udp from any to $ext_ip port 1900%0a60a60,69%0a> %0a> A better solution is to block all udp packets except for a few ports that you whitelist:%0a> %0a> [@%0a> ext_ip="192.168.0.1"%0a> pass in quick proto udp to $ext_ip port {domain ntp}%0a> block drop quick proto udp to $ext_ip port 1900%0a> @]%0a> %0a> This would whitelist DNS and NTP packets but drop all other UDP packets.%0a
19
2023-01-22
jrmu
host:1608356660=198.251.81.119
20
2023-01-22
jrmu
author:1608356342=jrmu
21
2023-01-22
jrmu
diff:1608356342:1608355360:=24,25c24,26%0a%3c 2001:db8::/32 %0a%3c 18:34:34.318888 2001:db8::2940:5fe2:fb93:3fd7.42028 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.56815: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)%0a---%0a> %0a> 18:34:34.318888 2001:41d0:b:0:2940:5fe2:fb93:3fd7.42028 > 2605:6400:30:f8de:19c6:1e63:ff%0a> d1:5a1d.56815: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)%0a27c28%0a%3c 18:34:34.318888 2001:db8::7b61:8030:655d:59f3.9312 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.9005: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)%0a---%0a> 18:34:34.318888 2001:41d0:b:0:7b61:8030:655d:59f3.9312 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.9005: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)%0a29c30%0a%3c 18:34:34.318889 2001:db8::6820:2b6f:c23a:769b.6570 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.65117: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)%0a---%0a> 18:34:34.318889 2a00:c70:1:fca5:6820:2b6f:c23a:769b.6570 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.65117: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)%0a31c32%0a%3c 18:34:34.318889 2001:db8::afa4:565f:994c:1970.14808 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.57643: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)%0a---%0a> 18:34:34.318889 2001:41d0:b:0:afa4:565f:994c:1970.14808 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.57643: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)%0a33c34%0a%3c 18:34:34.318889 2001:db8::6443:797e:c8f3:e29d.22693 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.8369: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)%0a---%0a> 18:34:34.318889 2001:41d0:b:0:6443:797e:c8f3:e29d.22693 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.8369: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)%0a35c36%0a%3c 18:34:34.318889 2001:db8::76b0:adba:bb48:873f.17347 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.15413: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)%0a---%0a> 18:34:34.318889 2a00:c70:1:62db:76b0:adba:bb48:873f.17347 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.15413: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)%0a37c38%0a%3c 18:34:34.318889 2001:db8::664d:ea08:52b8:305c.61968 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.10304: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 237)%0a---%0a> 18:34:34.318889 2a00:c70:1:27ad:664d:ea08:52b8:305c.61968 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.10304: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 237)%0a41,48c42%0a%3c In the above, we see the source IP subnet (2001:db8::/64) is sending TCP ack packets to random ports to IP 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d. This user is being targeted by an IPv6 TCP ACK flood, so you can run:%0a%3c %0a%3c [@%0a%3c $ dig -x 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d%0a%3c user.fig.ircnow.org%0a%3c @]%0a%3c %0a%3c You should contact this user; he may have clues as to who is attacking him. You can then investigate by following the [[openbsd/police|police guide]].%0a---%0a> In the above, we see the source IP (192.168.0.1) port 3306 is sending a TCP packet to 198.251.81.119 port 41000 (our server). The content shows that it is coming from an SQL database. In this case, we know port 3306 is for MySQL by checking /etc/services.%0a
22
2023-01-22
jrmu
host:1608356342=198.251.81.119
23
2023-01-22
jrmu
author:1608355360=jrmu
24
2023-01-22
jrmu
diff:1608355360:1608292859:=24,39c24,26%0a%3c %0a%3c 18:34:34.318888 2001:41d0:b:0:2940:5fe2:fb93:3fd7.42028 > 2605:6400:30:f8de:19c6:1e63:ff%0a%3c d1:5a1d.56815: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)%0a%3c a@...... .A.....)@_...?.&.d..0.....c..Z..,..U.1{....P.@8*...%0a%3c 18:34:34.318888 2001:41d0:b:0:7b61:8030:655d:59f3.9312 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.9005: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)%0a%3c a@...... .A.....{a.0e]Y.&.d..0.....c..Z.$`#-.1O.....P.@8....%0a%3c 18:34:34.318889 2a00:c70:1:fca5:6820:2b6f:c23a:769b.6570 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.65117: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)%0a%3c `.......*..p....h +o.:v.&.d..0.....c..Z....]9.G.....P.@8....%0a%3c 18:34:34.318889 2001:41d0:b:0:afa4:565f:994c:1970.14808 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.57643: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)%0a%3c a@...... .A.......V_.L.p&.d..0.....c..Z.9..+........P.@8e...%0a%3c 18:34:34.318889 2001:41d0:b:0:6443:797e:c8f3:e29d.22693 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.8369: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)%0a%3c a@...... .A.....dCy~....&.d..0.....c..Z.X. .#.7t....P.@8.y..%0a%3c 18:34:34.318889 2a00:c70:1:62db:76b0:adba:bb48:873f.17347 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.15413: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)%0a%3c `.......*..p..b.v....H.?&.d..0.....c..Z.C.%3c5$.(.....P.@8....%0a%3c 18:34:34.318889 2a00:c70:1:27ad:664d:ea08:52b8:305c.61968 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.10304: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 237)%0a%3c `.......*..p..'.fM..R.0\&.d..0.....c..Z...(@`..\....P.@8.B..%0a---%0a> 10:54:20.457417 192.168.0.1.3306 > 198.251.81.119.41000: . 153:1601(1448) ack 168 win 243 %3cnop,nop,timestamp 1306862229 3995777189> (DF) (ttl 64, id 29089, len 1500)%0a> E...q.@.@..F...3..QA...(............J......%0a> M."..*.......D....def.protonsql1_totohot.g5_apms_data.g5_apms_data.id.id.?.......B...H....def.protonsql1_totohot.g5_apms_data.g5_apms_data.type.type.?...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_q.data_q.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_1.data_1.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_2.data_2.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_3.data_3.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_4.data_4.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_5.data_5.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_6.data_6.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_7.data_7.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_8.data_8.!...........L..^M.def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_9.data_9.!...........N....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_10.data_10.!...........P....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_set.data_set.!.................."......3.11..totohot.Basic...........a:24:{s:5:"thema";s:7:"totohot";s:6:"layout";s:0:"";s:2:"pc";s:0:"";s:4:"size";s:4:"1200";s:10:"background";s:0:"";s:7:"bgcolor";s:0:"";s:2:"bg";s:6:"center";s:5:"tmenu";s:0:"";s:3:"nav";s:4:"both";s:4:"subv";s:4:"show";s:4:"subh";s:0:"";s:4:"allm";s:0:"";s:4:"subw";s:0:%0a42a30,62%0a> %0a> Here are some other packets:%0a> %0a> [@%0a> 10:54:20.478357 199.195.255.40.33912 > 198.98.62.208.80: P [tcp sum ok] 0:719(719) ack 1 win 229 %3cnop,nop,timestamp 1400457072 731155732> (DF) (ttl 64, id 52288, len 771)%0a> E....@@.@......(.b>..x.Pw4.O........e\.....%0a> SyGp+...POST /apkdl_bot.php HTTP/1.1%0a> Host: apkdl.in%0a> User-Agent: Railgun/5.3.3%0a> Content-Length: 331%0a> Cdn-Loop: cloudflare%0a> Cf-Connecting-Ip: 91.108.6.32%0a> Cf-Ipcountry: AG%0a> Cf-Origin-Https: off%0a> Cf-Ray: 5f127601beabd8d5-AMS%0a> Cf-Request-Id: 065f6815140000d8d517335000000001%0a> Cf-Visitor: {"scheme":"https"}%0a> Content-Type: application/json%0a> X-Forwarded-For: 91.108.6.32%0a> X-Forwarded-Proto: https%0a> %0a> {"update_id":98363691,%0a> "message":{"message_id":78810276,"from":{"id":1203629066,"is_bot":false,"first_name":"Mi%0a> rjalol","language_code":"uz"},"chat":{"id":1203629066,"first_name":"Mirjalol","type":"pr%0a> ivate"},"date":1605207260,"text":"/preview_com_shadow_battle_superhero","entities":[{"of%0a> fset":0,"length":36,"type":"bot_command"}]}}%0a> @]%0a> %0a> [@%0a> 10:54:20.594535 199.195.255.40.33914 > 198.98.62.208.80: . [tcp sum ok] ack 1855138974 win 229 %3cnop,nop,timestamp 1400457101 731155849> (DF) (ttl 64, id 57129, len 52)%0a> E..4.)@.@..{...(.b>..z.P.R..n.,............%0a> SyG.+...%0a> @]%0a
25
2023-01-22
jrmu
host:1608355360=198.251.81.119
26
2023-01-22
jrmu
author:1608292859=jrmu
27
2023-01-22
jrmu
diff:1608292859:1608291527:=5,17d4%0a%3c An attacker can flood a server with ACK packets. The server receives so many packets it cannot handle normal traffic.%0a%3c %0a%3c In a TCP connection, a three-way handshake occurs:%0a%3c %0a%3c # The client sends a SYN packet to start a TCP connection%0a%3c # The server replies with a SYN-ACK packet to accept the TCP connection%0a%3c # The client replies with an ACK packet packet to begin sending data%0a%3c %0a%3c The SYN (synchronize) packet initiates a TCP connection, and an ACK (acknowledgment) packet acknowledges that a TCP connection has been established. This handshake is performed every time data is sent over TCP.%0a%3c %0a%3c In addition, ACK packets are sent periodically by a device to acknowledge that packets are received.%0a%3c %0a%3c Servers must process every ACK packet they receive, so ACK floods waste a lot of server resources. Real and fake ACK packets look the same, the only difference is that a fake ACK packet lacks a payload (there's no real content).%0a
28
2023-01-22
jrmu
host:1608292859=198.251.81.119
29
2023-01-22
jrmu
author:1608291527=jrmu
30
2023-01-22
jrmu
diff:1608291527:1608290920:=45a46,48%0a> 10:54:20.594127 199.195.255.40.33914 > 198.98.62.208.80: S [tcp sum ok] 106076325:106076325(0) win 29200 %3cmss 1400,sackOK,timestamp 1400457101 0,nop,wscale 7> (DF) (ttl 64, id 57128, len 60)%0a> E..%3c.(@.@..t...(.b>..z.P.R........r.KD.....x...%0a> SyG.........%0a
31
2023-01-22
jrmu
host:1608291527=198.251.81.119
32
2023-01-22
jrmu
author:1608290920=jrmu
33
2023-01-22
jrmu
diff:1608290920:1608289526:=21,51d20%0a%3c 10:54:20.478357 199.195.255.40.33912 > 198.98.62.208.80: P [tcp sum ok] 0:719(719) ack 1 win 229 %3cnop,nop,timestamp 1400457072 731155732> (DF) (ttl 64, id 52288, len 771)%0a%3c E....@@.@......(.b>..x.Pw4.O........e\.....%0a%3c SyGp+...POST /apkdl_bot.php HTTP/1.1%0a%3c Host: apkdl.in%0a%3c User-Agent: Railgun/5.3.3%0a%3c Content-Length: 331%0a%3c Cdn-Loop: cloudflare%0a%3c Cf-Connecting-Ip: 91.108.6.32%0a%3c Cf-Ipcountry: AG%0a%3c Cf-Origin-Https: off%0a%3c Cf-Ray: 5f127601beabd8d5-AMS%0a%3c Cf-Request-Id: 065f6815140000d8d517335000000001%0a%3c Cf-Visitor: {"scheme":"https"}%0a%3c Content-Type: application/json%0a%3c X-Forwarded-For: 91.108.6.32%0a%3c X-Forwarded-Proto: https%0a%3c %0a%3c {"update_id":98363691,%0a%3c "message":{"message_id":78810276,"from":{"id":1203629066,"is_bot":false,"first_name":"Mi%0a%3c rjalol","language_code":"uz"},"chat":{"id":1203629066,"first_name":"Mirjalol","type":"pr%0a%3c ivate"},"date":1605207260,"text":"/preview_com_shadow_battle_superhero","entities":[{"of%0a%3c fset":0,"length":36,"type":"bot_command"}]}}%0a%3c @]%0a%3c %0a%3c [@%0a%3c 10:54:20.594127 199.195.255.40.33914 > 198.98.62.208.80: S [tcp sum ok] 106076325:106076325(0) win 29200 %3cmss 1400,sackOK,timestamp 1400457101 0,nop,wscale 7> (DF) (ttl 64, id 57128, len 60)%0a%3c E..%3c.(@.@..t...(.b>..z.P.R........r.KD.....x...%0a%3c SyG.........%0a%3c 10:54:20.594535 199.195.255.40.33914 > 198.98.62.208.80: . [tcp sum ok] ack 1855138974 win 229 %3cnop,nop,timestamp 1400457101 731155849> (DF) (ttl 64, id 57129, len 52)%0a%3c E..4.)@.@..{...(.b>..z.P.R..n.,............%0a%3c SyG.+...%0a
34
2023-01-22
jrmu
host:1608290920=198.251.81.119
35
2023-01-22
jrmu
author:1608289526=jrmu
36
2023-01-22
jrmu
diff:1608289526:1608288843:=16c16%0a%3c In the above, we see the source IP (192.168.0.1) port 3306 is sending a TCP packet to 198.251.81.119 port 41000 (our server). The content shows that it is coming from an SQL database. In this case, we know port 3306 is for MySQL by checking /etc/services.%0a---%0a> In the above, we see the source IP (192.168.0.1) port 3306 is sending a TCP packet to 198.251.81.119 port 41000 (our server). The content shows that it is coming from a proton SQL database.%0a
37
2023-01-22
jrmu
host:1608289526=198.251.81.119
38
2023-01-22
jrmu
author:1608288843=jrmu
39
2023-01-22
jrmu
diff:1608288843:1608201354:=11,13d10%0a%3c 10:54:20.457417 192.168.0.1.3306 > 198.251.81.119.41000: . 153:1601(1448) ack 168 win 243 %3cnop,nop,timestamp 1306862229 3995777189> (DF) (ttl 64, id 29089, len 1500)%0a%3c E...q.@.@..F...3..QA...(............J......%0a%3c M."..*.......D....def.protonsql1_totohot.g5_apms_data.g5_apms_data.id.id.?.......B...H....def.protonsql1_totohot.g5_apms_data.g5_apms_data.type.type.?...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_q.data_q.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_1.data_1.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_2.data_2.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_3.data_3.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_4.data_4.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_5.data_5.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_6.data_6.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_7.data_7.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_8.data_8.!...........L..^M.def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_9.data_9.!...........N....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_10.data_10.!...........P....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_set.data_set.!.................."......3.11..totohot.Basic...........a:24:{s:5:"thema";s:7:"totohot";s:6:"layout";s:0:"";s:2:"pc";s:0:"";s:4:"size";s:4:"1200";s:10:"background";s:0:"";s:7:"bgcolor";s:0:"";s:2:"bg";s:6:"center";s:5:"tmenu";s:0:"";s:3:"nav";s:4:"both";s:4:"subv";s:4:"show";s:4:"subh";s:0:"";s:4:"allm";s:0:"";s:4:"subw";s:0:%0a16,17c13,14%0a%3c In the above, we see the source IP (192.168.0.1) port 3306 is sending a TCP packet to 198.251.81.119 port 41000 (our server). The content shows that it is coming from a proton SQL database.%0a%3c %0a---%0a> In the above, we see the source IP (192.168.0.1) is sending a UDP packet to 198.251.81.119 port 1900 (our server). The content shows that it is an SSDP packet.%0a> %0a21a19,20%0a> %0a> This packet is coming from a Linux UPnP device. It could be a printer, a phone, a router...%0a
40
2023-01-22
jrmu
host:1608288843=198.251.81.119
41
2023-01-22
jrmu
author:1608201354=jrmu
42
2023-01-22
jrmu
diff:1608201354:1608201354:=1,45d0%0a%3c (:title TCP Ack Flood:)%0a%3c %0a%3c !! TCP Ack Flood%0a%3c %0a%3c %0a%3c !! Sample Pcap%0a%3c %0a%3c Follow the [[openbsd/tcpdump|tcpdump]] guide to record a pcap during an attack to analyze it.%0a%3c %0a%3c [@%0a%3c @]%0a%3c %0a%3c In the above, we see the source IP (192.168.0.1) is sending a UDP packet to 198.251.81.119 port 1900 (our server). The content shows that it is an SSDP packet.%0a%3c %0a%3c Here are some other packets:%0a%3c %0a%3c [@%0a%3c @]%0a%3c %0a%3c This packet is coming from a Linux UPnP device. It could be a printer, a phone, a router...%0a%3c %0a%3c !! How to Block%0a%3c %0a%3c First, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are [[openbsd/buyvm|BuyVM]], check the [[https://manage.buyvm.net|web panel]] to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.%0a%3c %0a%3c Using the [[openbsd/pf|packet filter]] firewall, you will want to block UDP packets on port 1900. You could put these two rules at the beginning of /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c ext_ip="192.168.0.1"%0a%3c block drop quick proto udp from any to $ext_ip port 1900%0a%3c @]%0a%3c %0a%3c A better solution is to block all udp packets except for a few ports that you whitelist:%0a%3c %0a%3c [@%0a%3c ext_ip="192.168.0.1"%0a%3c pass in quick proto udp to $ext_ip port {domain ntp}%0a%3c block drop quick proto udp to $ext_ip port 1900%0a%3c @]%0a%3c %0a%3c This would whitelist DNS and NTP packets but drop all other UDP packets.%0a%3c %0a%3c !! See Also%0a%3c %0a%3c [[openbsd/Ddos|DDoS Defense]]%0a\ No newline at end of file%0a
43
2023-01-22
jrmu
host:1608201354=198.251.81.119
IRCNow