UDP DDOS Flood

  • Monday, 5 March 2012
  • 12:57 PM

From 5AM we monitored UDP DDoS floods; cPanel was put into a protected state and the harmful link was cut at the edge network.

(Some clients from Europe were affected during this cut.)


During this time we also took the opportunity to repair and optimize MySQL and upgrade the PHP minor version.


The server is currently linked to a backup connection (the other side of the network).


** update

Some statistics of the UDP flood:

Max Entry: 75761.8 packets/s


** update #2

We are working with the datacenter staff to mitigate this attack.

During the operation the server will reboot several times and sites will go up and down for short periods of time.


** update #3

dmesg gives us some insight into a new type of attack.

The earlier attack involved random UDP packets; it has now been compounded by SYN floods:

TCP: Possible SYN flooding on port 80. Sending cookies.
TCP: Possible SYN flooding on port 80. Sending cookies.
net_ratelimit: 16 callbacks suppressed
TCP: Possible SYN flooding on port 80. Sending cookies.
TCP: Possible SYN flooding on port 80. Sending cookies.
TCP: Possible SYN flooding on port 80. Sending cookies.
TCP: Possible SYN flooding on port 80. Sending cookies.
TCP: Possible SYN flooding on port 80. Sending cookies.
TCP: Possible SYN flooding on port 80. Sending cookies.
TCP: Possible SYN flooding on port 80. Sending cookies.
TCP: Possible SYN flooding on port 80. Sending cookies.
TCP: Possible SYN flooding on port 80. Sending cookies.

[MRTG graph: attack traffic]


After heavy filtering, the remaining attack sources were captured with tcpdump: zero-length UDP datagrams from many different source addresses, each aimed at a different random destination port.

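As an added example (not code from the original post or its author), here is a small Python triage helper in the spirit of the filtering described above: it parses tcpdump lines in the same one-line format the post quotes and flags a UDP flood from three signals at once, packet rate, share of zero-length datagrams, and how scattered the sources and destination ports are. The sample lines (RFC 5737 documentation addresses) and the thresholds are constructed for illustration.

```python
import re
# One-line tcpdump format quoted in the post; the destination host was blanked out,
# so only ".port" remains (a number or a service name such as "domain").
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>(?:\d{1,3}\.){3}\d{1,3})\.\S+ > "
    r"\S*\.(?P<dport>[^:.\s]+): UDP, length (?P<len>\d+)$"
)

def parse_line(line):
    """Return (seconds_of_day, src, dport, length) for a UDP tcpdump line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    return (int(h) * 3600 + int(mi) * 60 + float(s),
            m.group("src"), m.group("dport"), int(m.group("len")))

def udp_summary(lines):
    """Packet rate, share of empty datagrams, and source/port scatter (1.0 = all distinct)."""
    pkts = [p for p in map(parse_line, lines) if p]
    n = len(pkts)
    if n < 2:
        return None  # too few packets to measure a rate
    span = max(p[0] for p in pkts) - min(p[0] for p in pkts)
    return {
        "pps": n / span if span > 0 else float("inf"),
        "empty_ratio": sum(p[3] == 0 for p in pkts) / n,
        "src_scatter": len({p[1] for p in pkts}) / n,
        "dport_scatter": len({p[2] for p in pkts}) / n,
    }

def is_udp_flood(s, min_pps=10_000, min_empty=0.8, min_scatter=0.8):
    """Heuristic: high rate of mostly empty datagrams, scattered sources, scattered ports."""
    return bool(s) and (s["pps"] >= min_pps and s["empty_ratio"] >= min_empty
                        and s["src_scatter"] >= min_scatter
                        and s["dport_scatter"] >= min_scatter)

# Constructed sample lines (RFC 5737 addresses) in the post's capture format.
FLOOD_SAMPLE = [
    "19:41:04.856013 IP 198.51.100.7.44594 > .58734: UDP, length 0",
    "19:41:04.856026 IP 203.0.113.9.31280 > .65218: UDP, length 0",
    "19:41:04.856040 IP 192.0.2.33.57574 > .25469: UDP, length 0",
    "19:41:04.856052 IP 198.51.100.120.54904 > .34953: UDP, length 0",
    "19:41:04.856064 IP 203.0.113.77.45730 > .22932: UDP, length 0",
    "19:41:04.856078 IP 192.0.2.5.40000 > .domain: UDP, length 45",  # one real DNS query
]
NORMAL_SAMPLE = [  # ordinary DNS: payloads, same port, low rate
    "19:41:04.100000 IP 192.0.2.5.40000 > .domain: UDP, length 45",
    "19:41:04.300000 IP 192.0.2.5.40001 > .domain: UDP, length 52",
]
```

Feed it `tcpdump -n -l udp` output instead of the samples to watch the three ratios move while filtering rules are being applied.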


New botnets in the wild are still being found and monitored 24/7.

The increase in current attacks may be related to the latest PHP hole (not on our side):

http://downloads.securityfocus.com/vulnerabilities/exploits/51830.php

After each major global security fault there is always a small rise in DDoS networks, until server owners around the world update to the latest patched version of their software.


The datacenter staff is now in charge of the mitigation. During this phase the server is kept online on a backup link to the internet core services (DNS / Google / peering networks only).


** update

Long night with no sleep.

We managed to halt the attack at about 7AM.

The server is now connected and sites are back online, in a limited state (network protection and filtering in effect).

From 16,000 connections down to 3000, but still fighting the attack.

* In case your site is still not showing online, it means your site is still under the influence of the attack.
