8. Reflection Attacks
Do not directly attack the target.
Forge the reply-to (source) address of the request.
Send the request to normal servers.
Trick them into replying to the target.
Makes it distributed and harder to deal with.
14. SSDP
Simple Service Discovery Protocol (UPnP)
Example: used to discover printers on your network.
SSDP discovery: HTTP over UDP sent to a multicast address.
22. dmesg output
UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 318
UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 318
UDP: bad checksum. From 190.129.30.190:1900 to 182.253.224.184:80 ulen 347
UDP: bad checksum. From 190.129.169.3:1900 to 182.253.224.184:80 ulen 291
UDP: bad checksum. From 190.129.169.3:1900 to 182.253.224.184:80 ulen 291
UDP: bad checksum. From 200.87.245.44:1900 to 182.253.224.184:80 ulen 311
UDP: bad checksum. From 190.129.81.203:1900 to 182.253.224.184:80 ulen 281
UDP: bad checksum. From 190.129.6.33:1900 to 182.253.224.184:80 ulen 301
UDP: bad checksum. From 73.201.211.248:1900 to 182.253.224.184:80 ulen 253
UDP: bad checksum. From 190.129.199.12:1900 to 182.253.224.184:80 ulen 347
UDP: bad checksum. From 200.87.155.100:1900 to 182.253.224.184:80 ulen 285
UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 300
UDP: bad checksum. From 190.129.182.57:1900 to 182.253.224.184:80 ulen 280
UDP: bad checksum. From 190.129.165.180:1900 to 182.253.224.184:80 ulen 237
UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 306
UDP: bad checksum. From 190.129.81.26:1900 to 182.253.224.184:80 ulen 283
UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 300
UDP: bad checksum. From 172.97.240.102:1900 to 182.253.224.184:80 ulen 343
UDP: bad checksum. From 190.129.195.29:1900 to 182.253.224.184:80 ulen 246
UDP: bad checksum. From 172.97.240.102:1900 to 182.253.224.184:80 ulen 237
UDP: bad checksum. From 190.129.165.171:1900 to 182.253.224.184:80 ulen 301
UDP: bad checksum. From 172.97.240.102:1900 to 182.253.224.184:80 ulen 237
UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 302
UDP: bad checksum. From 190.129.30.176:1900 to 182.253.224.184:80 ulen 289
23. First Response
sudo iptables -A INPUT -p udp --sport 1900 -j DROP
Drops all incoming UDP packets with source port 1900.
Saves some resources, but remember that the packets still have to be processed by the NIC, and the pipe is still clogged.
The dmesg output goes away, but recovery isn't complete.
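Before dropping on source port, it is worth confirming from the kernel log that the flood really is "source port 1900 from many reflectors" and sizing it. The POSIX sh script below is an added example, not part of the original slides: it parses lines in the exact format of the dmesg output on slide 22 and reports datagram count, summed UDP length (the kernel's ulen is the UDP length field, header plus payload), number of distinct reflectors and the busiest ones. The sample input reuses four lines from the slide's output and adds one constructed non-SSDP line (from 192.0.2.10:53, a documentation address) to show that the filter keys on the source port.

```shell
#!/bin/sh
# Added example: triage of "UDP: bad checksum" kernel messages during an
# SSDP reflection flood. Not code from the original presentation.

# Constructed sample in the slide's dmesg format: four lines taken from the
# slide, plus one non-SSDP line (192.0.2.10:53) constructed for contrast.
SAMPLE_DMESG='UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 318
UDP: bad checksum. From 190.129.30.190:1900 to 182.253.224.184:80 ulen 347
UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 300
UDP: bad checksum. From 200.87.245.44:1900 to 182.253.224.184:80 ulen 311
UDP: bad checksum. From 192.0.2.10:53 to 182.253.224.184:80 ulen 120'

# Print the sample; on a real box replace this with: dmesg | grep 'UDP: bad checksum'
sample() {
    printf '%s\n' "$SAMPLE_DMESG"
}

# Normalise bad-checksum lines on stdin to: src_ip src_port dst_ip dst_port ulen
parse_udp_lines() {
    awk '$1 == "UDP:" && $4 == "From" && $8 == "ulen" {
        split($5, s, ":"); split($7, d, ":");
        print s[1], s[2], d[1], d[2], $9
    }'
}

# Number of datagrams whose source port is $1 (e.g. 1900 for SSDP replies).
count_from_port() {
    parse_udp_lines | awk -v p="$1" '$2 == p { n++ } END { print n + 0 }'
}

# Sum of the UDP length field for datagrams with source port $1: a rough
# measure of how much of the pipe this reflector set is occupying.
bytes_from_port() {
    parse_udp_lines | awk -v p="$1" '$2 == p { b += $5 } END { print b + 0 }'
}

# How many distinct reflector addresses are answering from source port $1.
distinct_reflectors() {
    parse_udp_lines | awk -v p="$1" '$2 == p { print $1 }' | sort -u | wc -l | tr -d ' '
}

# Top-N (default 5) reflectors for source port $1, printed as "count ip".
top_reflectors() {
    parse_udp_lines | awk -v p="$1" '$2 == p { print $1 }' \
        | sort | uniq -c | sort -rn | head -n "${2:-5}" | awk '{ print $1, $2 }'
}

# Usage: one-line summary of the SSDP share of the log.
echo "from :1900 -> $(sample | count_from_port 1900) datagrams, \
$(sample | bytes_from_port 1900) ulen bytes, \
$(sample | distinct_reflectors 1900) distinct reflectors"
sample | top_reflectors 1900
```

If most of the flood comes from a handful of reflectors, per-address drops or an upstream blackhole request are an option; if it is spread over thousands of addresses, as on slide 30, the source-port rule is the only host-side lever, and it still does not unclog the link.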
29. During Q4 (2015), repeat DDoS attacks were the norm, with an average of 24 attacks per targeted customer in Q4. Three targets were subject to more than 100 attacks each and one customer suffered 188 attacks – an average of more than two per day.
Source: Akamai
Attackers persist, especially if they don't get what they wanted.
30. Attack 2
The very next day, at 2 PM.
Same attack vector, but more distributed.
Lots of Indonesian IP addresses.
Attacked all of our public IPs directly, not DNS based.
35. tc / firehol
Ensure you can still ssh to the server when your network is congested.
Limit bandwidth per traffic class (FireQOS, firehol's tc front end):
class ssh commit 2Mbit
    server ssh
    client ssh
class rsync commit 2Mbit max 10Mbit
    server rsync
    client rsync