version=pmwiki-2.2.130 author=jrmu charset=UTF-8 ctime=1608112794 time=1608112941 host=198.251.81.119 name=Openbsd.Tcpackflood rev=2 targets=Openbsd.Tcpdump,Openbsd.Buyvm,Openbsd.Pf,Openbsd.Ddos

(:title SSDP Attacks:)

!! SSDP Attacks

Many devices use Universal Plug and Play (UPnP) to find each other on a network. They announce themselves with the Simple Service Discovery Protocol (SSDP), which runs over UDP port 1900: a device sends an M-SEARCH query, and every UPnP device that hears it replies with a description of the services it offers. For example, a UPnP printer answers with all of the services it provides. Attackers abuse this for an amplification attack. They send M-SEARCH queries to UPnP devices that are exposed on the Internet, with the source address forged to be your server's IP. The devices answer the forged address, and each answer is several times larger than the query that triggered it, so a small amount of attacker bandwidth becomes a flood of useless SSDP replies arriving at your server.

!! Sample Pcap

Follow the [[openbsd/tcpdump|tcpdump]] guide to record a pcap during an attack so you can analyze it. In the captures below the remote addresses have been replaced with private-range placeholders; 198.251.81.119 is our server.

[@
16:47:17.409684 192.168.0.1 > 198.251.81.119: icmp: 192.168.0.2 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 55, id 51372, len 146)
E.......7....8LH..Qw........E..v......!...Qw.8LH...l.b..M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
ST:ssdp:all
Man:"ssdp:discover"
MX:3
@]

This is not a UDP packet to port 1900 on our server. It is an ICMP "port unreachable" message that 192.168.0.1 sent to us, and the ICMP message quotes the packet it is rejecting: an SSDP M-SEARCH query addressed to 192.168.0.2 port 1900 whose source address had been forged to be 198.251.81.119. That host has no SSDP listener, so its reply to the forged source is an ICMP error rather than an SSDP answer. Backscatter like this is a reliable sign that someone is spoofing your address in an SSDP reflection attack, even before the amplified replies show up.

Here are some other packets:

[@
16:47:17.411700 192.168.0.1 > 198.251.81.119: icmp: 172.16.0.1 udp port 1900 unreachable [icmp cksum ok] (ttl 53, id 60583, len 56)
E..8....5..o.. n..Qw..;.....E..vtW....vq..Qw.. n...l.b..
16:47:17.411751 192.168.0.1 > 198.251.81.119: icmp: 10.0.0.1 udp port 1900 unreachable [icmp cksum ok] (ttl 54, id 58810, len 56)
E..8....6.....3...Qw..'.....E..v*.........Qw..3....l.b..
16:47:17.411888 192.168.0.1.46465 > 198.251.81.119.16546: [udp sum ok] udp 498 (DF) (ttl 58, id 0, len 526)
E.....@.:..|H.....Qw..@.....HTTP/1.1 200 OK
CACHE-CONTROL: max-age=1800
DATE: Sat, 25 Jul 2020 00:47:17 GMT
EXT:
LOCATION: http://192.168.1.1:49152/IGDdevicedesc.xml
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
01-NLS: d78a3592-1dd1-11b2-ae53-a94a2ae2af72
SERVER: Linux/2.6.36, UPnP/1.0, Portable SDK for UPnP devices/1.6.17
X-User-Agent: redsonic
ST: urn:schemas-upnp-org:service:LANHostConfigManagement:1
USN: uuid:ebf5a0a0-1dd1-11b2-a93f-94103e83c76b::urn:schemas-upnp-org:service:LANHostConfigManagement:1
@]

The first two are more ICMP backscatter, from forged probes aimed at 172.16.0.1 and 10.0.0.1. The last one is the attack traffic proper: a 498-byte UPnP response (HTTP/1.1 200 OK) from a device that does run SSDP. Its SERVER header says it is a Linux 2.6.36 box using the Portable SDK for UPnP devices, and the LOCATION points at an IGDdevicedesc.xml, the UPnP Internet Gateway Device profile, so this reflector is a home router. Two details matter for blocking. The reply is roughly five times larger than the 90-byte M-SEARCH quoted in the first capture; that ratio is the amplification. And it arrives on UDP port 16546, the source port the attacker forged into the query, from the router's ephemeral port 46465. Neither end of the reply is port 1900, so a rule that only matches port 1900 will not stop it.

!! How to Block

First, make sure that you have no exposed public IPs that are not DDoS filtered. If you are on [[openbsd/buyvm|BuyVM]], check the [[https://manage.buyvm.net|web panel]] to see whether any non-filtered IPs are exposed. These should be disabled, and you will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/. Filtering with pf on the host spares the kernel and your daemons from processing the flood, but it cannot give you back the bandwidth the packets consume on the way in; only filtering upstream of your link does that.

Using the [[openbsd/pf|packet filter]] firewall, the simplest rule drops unsolicited UDP to port 1900 on your server. Put it near the beginning of /etc/pf.conf, before any pass rules, so that quick takes effect:

[@
ext_ip="198.251.81.119"
block drop in quick proto udp to $ext_ip port 1900
@]

This only matches packets addressed to port 1900, which protects you if you (or a device behind you) expose an SSDP listener. As the capture shows, reflected replies land on whatever port the attacker forged, so a better solution is to block all inbound UDP except the few ports you deliberately serve:

[@
ext_ip="198.251.81.119"
pass in quick proto udp to $ext_ip port { domain ntp }
block drop in quick proto udp to $ext_ip
@]

This whitelists DNS and NTP and drops every other inbound UDP packet, including the reflected SSDP replies and the ICMP-free backscatter that rides on them. Only list services you actually run: domain belongs here because this host serves zones from /var/nsd/zones/master/, but drop ntp if the machine is only an NTP client. Your own outbound DNS and NTP queries keep working, because pass rules keep state by default and pf checks the state table for a matching reply before it evaluates the ruleset. Trying to block individual reflectors by source address is not worth the effort; there are far more UPnP devices on the Internet than you can enumerate. Check the file with pfctl -nf /etc/pf.conf before loading it.

!! See Also

[[openbsd/Ddos|DDoS Defense]]
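The packet analysis above can be automated. What follows is an added example written for this page, not code from the wiki or from OpenBSD: a Python script that reads tcpdump text output of the kind shown in the Sample Pcap section, separates ICMP backscatter from amplified SSDP replies, records which ports the replies hit, and estimates the amplification factor from the quoted M-SEARCH and the reply size. The capture embedded in it is constructed from the packets on this page; the header-size arithmetic (20-byte IP, 8-byte ICMP and UDP headers) is the standard layout and is an assumption that the ICMP error quotes the whole datagram, which it does here because the M-SEARCH text is visible.

```python
"""Classify SSDP reflection traffic in tcpdump text output (added example)."""
import re
from collections import Counter

OUR_IP = "198.251.81.119"   # the server under attack, as on the page
SSDP_PORT = 1900

# A tcpdump summary line starts with a timestamp; any other line is the
# hex/ASCII payload dump belonging to the packet whose summary preceded it.
SUMMARY_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+): (.*)$")
ICMP_UNREACH_RE = re.compile(r"icmp: (\S+) udp port (\d+) unreachable")
UDP_LEN_RE = re.compile(r"\budp (\d+)\b")
IP_LEN_RE = re.compile(r"\blen (\d+)\)")
SERVER_RE = re.compile(r"^SERVER: (.+)$", re.M)

# Bytes in front of the quoted UDP payload inside an ICMP error (assumption:
# the error quotes the full datagram): outer IP 20 + ICMP 8 + inner IP 20 + UDP 8.
ICMP_QUOTE_OVERHEAD = 20 + 8 + 20 + 8

# Constructed sample input, copied from the captures on this page.
SAMPLE_CAPTURE = """\
16:47:17.409684 192.168.0.1 > 198.251.81.119: icmp: 192.168.0.2 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 55, id 51372, len 146)
E.......7....8LH..Qw........E..v......!...Qw.8LH...l.b..M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
ST:ssdp:all
Man:"ssdp:discover"
MX:3
16:47:17.411700 192.168.0.1 > 198.251.81.119: icmp: 172.16.0.1 udp port 1900 unreachable [icmp cksum ok] (ttl 53, id 60583, len 56)
E..8....5..o.. n..Qw..;.....E..vtW....vq..Qw.. n...l.b..
16:47:17.411751 192.168.0.1 > 198.251.81.119: icmp: 10.0.0.1 udp port 1900 unreachable [icmp cksum ok] (ttl 54, id 58810, len 56)
E..8....6.....3...Qw..'.....E..v*.........Qw..3....l.b..
16:47:17.411888 192.168.0.1.46465 > 198.251.81.119.16546: [udp sum ok] udp 498 (DF) (ttl 58, id 0, len 526)
E.....@.:..|H.....Qw..@.....HTTP/1.1 200 OK
CACHE-CONTROL: max-age=1800
LOCATION: http://192.168.1.1:49152/IGDdevicedesc.xml
SERVER: Linux/2.6.36, UPnP/1.0, Portable SDK for UPnP devices/1.6.17
ST: urn:schemas-upnp-org:service:LANHostConfigManagement:1
USN: uuid:ebf5a0a0-1dd1-11b2-a93f-94103e83c76b::urn:schemas-upnp-org:service:LANHostConfigManagement:1
"""


def split_host_port(token):
    """'198.251.81.119.16546' -> ('198.251.81.119', 16546); a bare IP -> (ip, None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_capture(text):
    """Group tcpdump text into (summary match, payload text) pairs."""
    packets = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            packets.append((m, []))
        elif packets:
            packets[-1][1].append(line)
    return [(m, "\n".join(body)) for m, body in packets]


def classify_packet(m, payload, our_ip=OUR_IP):
    """Describe what one packet addressed to our_ip tells us about the flood."""
    ts, src, dst, rest = m.groups()
    src_ip, _ = split_host_port(src)
    dst_ip, dst_port = split_host_port(dst)
    rec = {"time": ts, "src": src_ip, "kind": "other"}
    if dst_ip != our_ip:
        return rec
    unreach = ICMP_UNREACH_RE.search(rest)
    if unreach and int(unreach.group(2)) == SSDP_PORT:
        # Backscatter: a host with no SSDP listener rejected an M-SEARCH whose
        # source was forged to ours. When the error quotes the whole probe we
        # can recover the query size from the ICMP packet's IP length.
        rec["kind"] = "backscatter"
        rec["probe_target"] = unreach.group(1)
        iplen = IP_LEN_RE.search(rest)
        if iplen and "M-SEARCH" in payload:
            rec["request_len"] = int(iplen.group(1)) - ICMP_QUOTE_OVERHEAD
        return rec
    udplen = UDP_LEN_RE.search(rest)
    if udplen and "HTTP/1.1 200 OK" in payload and "USN:" in payload:
        # The amplified reply itself; it lands on the port the attacker forged
        # as the query's source port, not on 1900.
        rec["kind"] = "ssdp_reply"
        rec["reply_len"] = int(udplen.group(1))
        rec["dst_port"] = dst_port
        server = SERVER_RE.search(payload)
        rec["server"] = server.group(1) if server else None
    return rec


def summarize(text, our_ip=OUR_IP):
    """Count packet kinds, list reflectors and estimate the amplification factor."""
    records = [classify_packet(m, p, our_ip) for m, p in parse_capture(text)]
    requests = [r["request_len"] for r in records if r.get("request_len")]
    replies = [r["reply_len"] for r in records if r.get("reply_len")]
    amplification = None
    if requests and replies:
        amplification = (sum(replies) / len(replies)) / (sum(requests) / len(requests))
    return {
        "kinds": dict(Counter(r["kind"] for r in records)),
        "reflectors": dict(Counter(r["src"] for r in records if r["kind"] == "ssdp_reply")),
        "reply_ports": sorted({r["dst_port"] for r in records if r["kind"] == "ssdp_reply"}),
        "request_len": requests,
        "reply_len": replies,
        "amplification": amplification,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_CAPTURE), indent=2))
```

On the page's capture this reports three backscatter packets and one SSDP reply that hit port 16546, with a 90-byte query answered by 498 bytes, an amplification of about 5.5. Feed it real output from tcpdump with payload printing enabled (as in the tcpdump guide) and the reply_ports list will show why a port-1900-only pf rule is not enough.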