version=pmwiki-2.2.130 ordered=1 urlencoded=1 agent=Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0 author=mkf charset=UTF-8 csum= ctime=1608201354 host=80.191.34.206 name=Openbsd.ACKFlood rev=10 targets=Openbsd.Tcpdump,Openbsd.Police,Openbsd.Buyvm,Openbsd.Pf,Openbsd.Ddos text=(:title TCP Ack Flood:)%0a%0a!! TCP Ack Flood%0a%0aAn attacker can flood a server with ACK packets. The server receives so many packets then it cannot handle normal traffic.%0a%0aIn a TCP connection, a three-way handshake occurs:%0a%0a# The client sends a SYN packet to start a TCP connection%0a# The server replies with a SYN-ACK packet to accept the TCP connection%0a# The client replies with an ACK packet packet to begin sending data%0a%0aThe SYN (synchronize) packet initiates a TCP connection, and an ACK (acknowledgment) packet acknowledges that a TCP connection has been established. This handshake is performed every time data is sent over TCP.%0a%0aIn addition, ACK packets are sent periodically by a device to acknowledge that packets are received.%0a%0aServers must process every ACK packet they receive, so ACK floods waste a lot of server resources. Real and fake ACK packets look the same, the only difference is that a fake ACK packet lacks a payload (there's no real content).%0a%0a!! Sample Pcap%0a%0aFollow the [[openbsd/tcpdump|tcpdump]] guide to record a pcap during an attack to analyze it.%0a%0a[@%0a2001:db8::/32 %0a18:34:34.318888 2001:db8::2940:5fe2:fb93:3fd7.42028 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.56815: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)%0aa@...... .A.....)@_...?.&.d..0.....c..Z..,..U.1{....P.@8*...%0a18:34:34.318888 2001:db8::7b61:8030:655d:59f3.9312 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.9005: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)%0aa@...... .A.....{a.0e]Y.&.d..0.....c..Z.$`#-.1O.....P.@8....%0a18:34:34.318889 2001:db8::6820:2b6f:c23a:769b.6570 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.65117: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)%0a`.......*..p....h +o.:v.&.d..0.....c..Z....]9.G.....P.@8....%0a18:34:34.318889 2001:db8::afa4:565f:994c:1970.14808 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.57643: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)%0aa@...... .A.......V_.L.p&.d..0.....c..Z.9..+........P.@8e...%0a18:34:34.318889 2001:db8::6443:797e:c8f3:e29d.22693 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.8369: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)%0aa@...... .A.....dCy~....&.d..0.....c..Z.X. .#.7t....P.@8.y..%0a18:34:34.318889 2001:db8::76b0:adba:bb48:873f.17347 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.15413: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)%0a`.......*..p..b.v....H.?&.d..0.....c..Z.C.%3c5$.(.....P.@8....%0a18:34:34.318889 2001:db8::664d:ea08:52b8:305c.61968 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.10304: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 237)%0a`.......*..p..'.fM..R.0\&.d..0.....c..Z...(@`..\....P.@8.B..%0a@]%0a%0aIn the above, we see the source IP subnet (2001:db8::/64) is sending TCP ack packets to random ports to IP 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d. This user is being targeted by an IPv6 TCP ACK flood, so you can run:%0a%0a[@%0a$ dig -x 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d%0auser.fig.ircnow.org%0a@]%0a%0aYou should contact this user; he may have clues as to who is attacking him. You can then investigate by following the [[openbsd/police|police guide]].%0a%0a!! How to Block%0a%0aFirst, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are [[openbsd/buyvm|BuyVM]], check the [[https://manage.buyvm.net|web panel]] to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.%0a%0aUsing the [[openbsd/pf|packet filter]] firewall, you will want to block packets coming from the subnet 2001:db8::/64. You could put these two rules at the beginning of /etc/pf.conf:%0a%0a[@%0aext_ip="2605:6400:30:f8de::/64"%0abad_ip="2001:db8::/64"%0ablock drop quick proto {udp tcp} from $bad_ip to $ext_ip%0a@]%0a%0a!! See Also%0a%0a[[openbsd/Ddos|DDoS Defense]] time=1622269221 title=TCP Ack Flood author:1622269221=mkf diff:1622269221:1608356660:minor=5c5%0a%3c An attacker can flood a server with ACK packets. The server receives so many packets then it cannot handle normal traffic.%0a---%0a> An attacker can flood a server with ACK packets. The server receives so many packets it cannot handle normal traffic.%0a host:1622269221=80.191.34.206 author:1608356660=jrmu diff:1608356660:1608356342:=54,55c54,55%0a%3c Using the [[openbsd/pf|packet filter]] firewall, you will want to block packets coming from the subnet 2001:db8::/64. You could put these two rules at the beginning of /etc/pf.conf:%0a%3c %0a---%0a> Using the [[openbsd/pf|packet filter]] firewall, you will want to block UDP packets on port 1900. You could put these two rules at the beginning of /etc/pf.conf:%0a> %0a57,59c57,58%0a%3c ext_ip="2605:6400:30:f8de::/64"%0a%3c bad_ip="2001:db8::/64"%0a%3c block drop quick proto {udp tcp} from $bad_ip to $ext_ip%0a---%0a> ext_ip="192.168.0.1"%0a> block drop quick proto udp from any to $ext_ip port 1900%0a60a60,69%0a> %0a> A better solution is to block all udp packets except for a few ports that you whitelist:%0a> %0a> [@%0a> ext_ip="192.168.0.1"%0a> pass in quick proto udp to $ext_ip port {domain ntp}%0a> block drop quick proto udp to $ext_ip port 1900%0a> @]%0a> %0a> This would whitelist DNS and NTP packets but drop all other UDP packets.%0a host:1608356660=198.251.81.119 author:1608356342=jrmu diff:1608356342:1608355360:=24,25c24,26%0a%3c 2001:db8::/32 %0a%3c 18:34:34.318888 2001:db8::2940:5fe2:fb93:3fd7.42028 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.56815: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)%0a---%0a> %0a> 18:34:34.318888 2001:41d0:b:0:2940:5fe2:fb93:3fd7.42028 > 2605:6400:30:f8de:19c6:1e63:ff%0a> d1:5a1d.56815: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)%0a27c28%0a%3c 18:34:34.318888 2001:db8::7b61:8030:655d:59f3.9312 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.9005: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)%0a---%0a> 18:34:34.318888 2001:41d0:b:0:7b61:8030:655d:59f3.9312 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.9005: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)%0a29c30%0a%3c 18:34:34.318889 2001:db8::6820:2b6f:c23a:769b.6570 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.65117: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)%0a---%0a> 18:34:34.318889 2a00:c70:1:fca5:6820:2b6f:c23a:769b.6570 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.65117: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)%0a31c32%0a%3c 18:34:34.318889 2001:db8::afa4:565f:994c:1970.14808 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.57643: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)%0a---%0a> 18:34:34.318889 2001:41d0:b:0:afa4:565f:994c:1970.14808 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.57643: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)%0a33c34%0a%3c 18:34:34.318889 2001:db8::6443:797e:c8f3:e29d.22693 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.8369: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)%0a---%0a> 18:34:34.318889 2001:41d0:b:0:6443:797e:c8f3:e29d.22693 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.8369: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)%0a35c36%0a%3c 18:34:34.318889 2001:db8::76b0:adba:bb48:873f.17347 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.15413: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)%0a---%0a> 18:34:34.318889 2a00:c70:1:62db:76b0:adba:bb48:873f.17347 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.15413: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)%0a37c38%0a%3c 18:34:34.318889 2001:db8::664d:ea08:52b8:305c.61968 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.10304: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 237)%0a---%0a> 18:34:34.318889 2a00:c70:1:27ad:664d:ea08:52b8:305c.61968 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.10304: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 237)%0a41,48c42%0a%3c In the above, we see the source IP subnet (2001:db8::/64) is sending TCP ack packets to random ports to IP 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d. This user is being targeted by an IPv6 TCP ACK flood, so you can run:%0a%3c %0a%3c [@%0a%3c $ dig -x 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d%0a%3c user.fig.ircnow.org%0a%3c @]%0a%3c %0a%3c You should contact this user; he may have clues as to who is attacking him. You can then investigate by following the [[openbsd/police|police guide]].%0a---%0a> In the above, we see the source IP (192.168.0.1) port 3306 is sending a TCP packet to 198.251.81.119 port 41000 (our server). The content shows that it is coming from an SQL database. In this case, we know port 3306 is for MySQL by checking /etc/services.%0a host:1608356342=198.251.81.119 author:1608355360=jrmu diff:1608355360:1608292859:=24,39c24,26%0a%3c %0a%3c 18:34:34.318888 2001:41d0:b:0:2940:5fe2:fb93:3fd7.42028 > 2605:6400:30:f8de:19c6:1e63:ff%0a%3c d1:5a1d.56815: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)%0a%3c a@...... .A.....)@_...?.&.d..0.....c..Z..,..U.1{....P.@8*...%0a%3c 18:34:34.318888 2001:41d0:b:0:7b61:8030:655d:59f3.9312 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.9005: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)%0a%3c a@...... .A.....{a.0e]Y.&.d..0.....c..Z.$`#-.1O.....P.@8....%0a%3c 18:34:34.318889 2a00:c70:1:fca5:6820:2b6f:c23a:769b.6570 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.65117: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)%0a%3c `.......*..p....h +o.:v.&.d..0.....c..Z....]9.G.....P.@8....%0a%3c 18:34:34.318889 2001:41d0:b:0:afa4:565f:994c:1970.14808 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.57643: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 246)%0a%3c a@...... .A.......V_.L.p&.d..0.....c..Z.9..+........P.@8e...%0a%3c 18:34:34.318889 2001:41d0:b:0:6443:797e:c8f3:e29d.22693 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.8369: . [tcp sum ok] ack 0 win 16440 [class 0x14] (len 20, hlim 245)%0a%3c a@...... .A.....dCy~....&.d..0.....c..Z.X. .#.7t....P.@8.y..%0a%3c 18:34:34.318889 2a00:c70:1:62db:76b0:adba:bb48:873f.17347 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.15413: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 236)%0a%3c `.......*..p..b.v....H.?&.d..0.....c..Z.C.%3c5$.(.....P.@8....%0a%3c 18:34:34.318889 2a00:c70:1:27ad:664d:ea08:52b8:305c.61968 > 2605:6400:30:f8de:19c6:1e63:ffd1:5a1d.10304: . [tcp sum ok] ack 0 win 16440 (len 20, hlim 237)%0a%3c `.......*..p..'.fM..R.0\&.d..0.....c..Z...(@`..\....P.@8.B..%0a---%0a> 10:54:20.457417 192.168.0.1.3306 > 198.251.81.119.41000: . 153:1601(1448) ack 168 win 243 %3cnop,nop,timestamp 1306862229 3995777189> (DF) (ttl 64, id 29089, len 1500)%0a> E...q.@.@..F...3..QA...(............J......%0a> M."..*.......D....def.protonsql1_totohot.g5_apms_data.g5_apms_data.id.id.?.......B...H....def.protonsql1_totohot.g5_apms_data.g5_apms_data.type.type.?...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_q.data_q.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_1.data_1.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_2.data_2.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_3.data_3.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_4.data_4.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_5.data_5.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_6.data_6.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_7.data_7.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_8.data_8.!...........L..^M.def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_9.data_9.!...........N....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_10.data_10.!...........P....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_set.data_set.!.................."......3.11..totohot.Basic...........a:24:{s:5:"thema";s:7:"totohot";s:6:"layout";s:0:"";s:2:"pc";s:0:"";s:4:"size";s:4:"1200";s:10:"background";s:0:"";s:7:"bgcolor";s:0:"";s:2:"bg";s:6:"center";s:5:"tmenu";s:0:"";s:3:"nav";s:4:"both";s:4:"subv";s:4:"show";s:4:"subh";s:0:"";s:4:"allm";s:0:"";s:4:"subw";s:0:%0a42a30,62%0a> %0a> Here are some other packets:%0a> %0a> [@%0a> 10:54:20.478357 199.195.255.40.33912 > 198.98.62.208.80: P [tcp sum ok] 0:719(719) ack 1 win 229 %3cnop,nop,timestamp 1400457072 731155732> (DF) (ttl 64, id 52288, len 771)%0a> E....@@.@......(.b>..x.Pw4.O........e\.....%0a> SyGp+...POST /apkdl_bot.php HTTP/1.1%0a> Host: apkdl.in%0a> User-Agent: Railgun/5.3.3%0a> Content-Length: 331%0a> Cdn-Loop: cloudflare%0a> Cf-Connecting-Ip: 91.108.6.32%0a> Cf-Ipcountry: AG%0a> Cf-Origin-Https: off%0a> Cf-Ray: 5f127601beabd8d5-AMS%0a> Cf-Request-Id: 065f6815140000d8d517335000000001%0a> Cf-Visitor: {"scheme":"https"}%0a> Content-Type: application/json%0a> X-Forwarded-For: 91.108.6.32%0a> X-Forwarded-Proto: https%0a> %0a> {"update_id":98363691,%0a> "message":{"message_id":78810276,"from":{"id":1203629066,"is_bot":false,"first_name":"Mi%0a> rjalol","language_code":"uz"},"chat":{"id":1203629066,"first_name":"Mirjalol","type":"pr%0a> ivate"},"date":1605207260,"text":"/preview_com_shadow_battle_superhero","entities":[{"of%0a> fset":0,"length":36,"type":"bot_command"}]}}%0a> @]%0a> %0a> [@%0a> 10:54:20.594535 199.195.255.40.33914 > 198.98.62.208.80: . [tcp sum ok] ack 1855138974 win 229 %3cnop,nop,timestamp 1400457101 731155849> (DF) (ttl 64, id 57129, len 52)%0a> E..4.)@.@..{...(.b>..z.P.R..n.,............%0a> SyG.+...%0a> @]%0a host:1608355360=198.251.81.119 author:1608292859=jrmu diff:1608292859:1608291527:=5,17d4%0a%3c An attacker can flood a server with ACK packets. The server receives so many packets it cannot handle normal traffic.%0a%3c %0a%3c In a TCP connection, a three-way handshake occurs:%0a%3c %0a%3c # The client sends a SYN packet to start a TCP connection%0a%3c # The server replies with a SYN-ACK packet to accept the TCP connection%0a%3c # The client replies with an ACK packet packet to begin sending data%0a%3c %0a%3c The SYN (synchronize) packet initiates a TCP connection, and an ACK (acknowledgment) packet acknowledges that a TCP connection has been established. This handshake is performed every time data is sent over TCP.%0a%3c %0a%3c In addition, ACK packets are sent periodically by a device to acknowledge that packets are received.%0a%3c %0a%3c Servers must process every ACK packet they receive, so ACK floods waste a lot of server resources. Real and fake ACK packets look the same, the only difference is that a fake ACK packet lacks a payload (there's no real content).%0a host:1608292859=198.251.81.119 author:1608291527=jrmu diff:1608291527:1608290920:=45a46,48%0a> 10:54:20.594127 199.195.255.40.33914 > 198.98.62.208.80: S [tcp sum ok] 106076325:106076325(0) win 29200 %3cmss 1400,sackOK,timestamp 1400457101 0,nop,wscale 7> (DF) (ttl 64, id 57128, len 60)%0a> E..%3c.(@.@..t...(.b>..z.P.R........r.KD.....x...%0a> SyG.........%0a host:1608291527=198.251.81.119 author:1608290920=jrmu diff:1608290920:1608289526:=21,51d20%0a%3c 10:54:20.478357 199.195.255.40.33912 > 198.98.62.208.80: P [tcp sum ok] 0:719(719) ack 1 win 229 %3cnop,nop,timestamp 1400457072 731155732> (DF) (ttl 64, id 52288, len 771)%0a%3c E....@@.@......(.b>..x.Pw4.O........e\.....%0a%3c SyGp+...POST /apkdl_bot.php HTTP/1.1%0a%3c Host: apkdl.in%0a%3c User-Agent: Railgun/5.3.3%0a%3c Content-Length: 331%0a%3c Cdn-Loop: cloudflare%0a%3c Cf-Connecting-Ip: 91.108.6.32%0a%3c Cf-Ipcountry: AG%0a%3c Cf-Origin-Https: off%0a%3c Cf-Ray: 5f127601beabd8d5-AMS%0a%3c Cf-Request-Id: 065f6815140000d8d517335000000001%0a%3c Cf-Visitor: {"scheme":"https"}%0a%3c Content-Type: application/json%0a%3c X-Forwarded-For: 91.108.6.32%0a%3c X-Forwarded-Proto: https%0a%3c %0a%3c {"update_id":98363691,%0a%3c "message":{"message_id":78810276,"from":{"id":1203629066,"is_bot":false,"first_name":"Mi%0a%3c rjalol","language_code":"uz"},"chat":{"id":1203629066,"first_name":"Mirjalol","type":"pr%0a%3c ivate"},"date":1605207260,"text":"/preview_com_shadow_battle_superhero","entities":[{"of%0a%3c fset":0,"length":36,"type":"bot_command"}]}}%0a%3c @]%0a%3c %0a%3c [@%0a%3c 10:54:20.594127 199.195.255.40.33914 > 198.98.62.208.80: S [tcp sum ok] 106076325:106076325(0) win 29200 %3cmss 1400,sackOK,timestamp 1400457101 0,nop,wscale 7> (DF) (ttl 64, id 57128, len 60)%0a%3c E..%3c.(@.@..t...(.b>..z.P.R........r.KD.....x...%0a%3c SyG.........%0a%3c 10:54:20.594535 199.195.255.40.33914 > 198.98.62.208.80: . [tcp sum ok] ack 1855138974 win 229 %3cnop,nop,timestamp 1400457101 731155849> (DF) (ttl 64, id 57129, len 52)%0a%3c E..4.)@.@..{...(.b>..z.P.R..n.,............%0a%3c SyG.+...%0a host:1608290920=198.251.81.119 author:1608289526=jrmu diff:1608289526:1608288843:=16c16%0a%3c In the above, we see the source IP (192.168.0.1) port 3306 is sending a TCP packet to 198.251.81.119 port 41000 (our server). The content shows that it is coming from an SQL database. In this case, we know port 3306 is for MySQL by checking /etc/services.%0a---%0a> In the above, we see the source IP (192.168.0.1) port 3306 is sending a TCP packet to 198.251.81.119 port 41000 (our server). The content shows that it is coming from a proton SQL database.%0a host:1608289526=198.251.81.119 author:1608288843=jrmu diff:1608288843:1608201354:=11,13d10%0a%3c 10:54:20.457417 192.168.0.1.3306 > 198.251.81.119.41000: . 153:1601(1448) ack 168 win 243 %3cnop,nop,timestamp 1306862229 3995777189> (DF) (ttl 64, id 29089, len 1500)%0a%3c E...q.@.@..F...3..QA...(............J......%0a%3c M."..*.......D....def.protonsql1_totohot.g5_apms_data.g5_apms_data.id.id.?.......B...H....def.protonsql1_totohot.g5_apms_data.g5_apms_data.type.type.?...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_q.data_q.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_1.data_1.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_2.data_2.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_3.data_3.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_4.data_4.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_5.data_5.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_6.data_6.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_7.data_7.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_8.data_8.!...........L..^M.def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_9.data_9.!...........N....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_10.data_10.!...........P....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_set.data_set.!.................."......3.11..totohot.Basic...........a:24:{s:5:"thema";s:7:"totohot";s:6:"layout";s:0:"";s:2:"pc";s:0:"";s:4:"size";s:4:"1200";s:10:"background";s:0:"";s:7:"bgcolor";s:0:"";s:2:"bg";s:6:"center";s:5:"tmenu";s:0:"";s:3:"nav";s:4:"both";s:4:"subv";s:4:"show";s:4:"subh";s:0:"";s:4:"allm";s:0:"";s:4:"subw";s:0:%0a16,17c13,14%0a%3c In the above, we see the source IP (192.168.0.1) port 3306 is sending a TCP packet to 198.251.81.119 port 41000 (our server). The content shows that it is coming from a proton SQL database.%0a%3c %0a---%0a> In the above, we see the source IP (192.168.0.1) is sending a UDP packet to 198.251.81.119 port 1900 (our server). The content shows that it is an SSDP packet.%0a> %0a21a19,20%0a> %0a> This packet is coming from a Linux UPnP device. It could be a printer, a phone, a router...%0a host:1608288843=198.251.81.119 author:1608201354=jrmu diff:1608201354:1608201354:=1,45d0%0a%3c (:title TCP Ack Flood:)%0a%3c %0a%3c !! TCP Ack Flood%0a%3c %0a%3c %0a%3c !! Sample Pcap%0a%3c %0a%3c Follow the [[openbsd/tcpdump|tcpdump]] guide to record a pcap during an attack to analyze it.%0a%3c %0a%3c [@%0a%3c @]%0a%3c %0a%3c In the above, we see the source IP (192.168.0.1) is sending a UDP packet to 198.251.81.119 port 1900 (our server). The content shows that it is an SSDP packet.%0a%3c %0a%3c Here are some other packets:%0a%3c %0a%3c [@%0a%3c @]%0a%3c %0a%3c This packet is coming from a Linux UPnP device. It could be a printer, a phone, a router...%0a%3c %0a%3c !! How to Block%0a%3c %0a%3c First, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are [[openbsd/buyvm|BuyVM]], check the [[https://manage.buyvm.net|web panel]] to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.%0a%3c %0a%3c Using the [[openbsd/pf|packet filter]] firewall, you will want to block UDP packets on port 1900. You could put these two rules at the beginning of /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c ext_ip="192.168.0.1"%0a%3c block drop quick proto udp from any to $ext_ip port 1900%0a%3c @]%0a%3c %0a%3c A better solution is to block all udp packets except for a few ports that you whitelist:%0a%3c %0a%3c [@%0a%3c ext_ip="192.168.0.1"%0a%3c pass in quick proto udp to $ext_ip port {domain ntp}%0a%3c block drop quick proto udp to $ext_ip port 1900%0a%3c @]%0a%3c %0a%3c This would whitelist DNS and NTP packets but drop all other UDP packets.%0a%3c %0a%3c !! See Also%0a%3c %0a%3c [[openbsd/Ddos|DDoS Defense]]%0a\ No newline at end of file%0a host:1608201354=198.251.81.119