Random DDoS Statistics

Discussion in 'Systems Administration' started by RSNET-Radic, Jan 21, 2015.

  1. RSNET-Radic

    Supporter

    I wanted to create a simple information thread. As we started blocking attacks, we're seeing some interesting patterns in attack sizes, rates, etc.

    I'll update this thread as time goes along, but here's something to start with:

    Attacks between 4 PM and 5:30 PM, notice how many attacks there are and the size of the attacks:
    [image attachment: Manage Dedicated Servers.png]

    Attacks between 5:30 PM and 7 AM, different picture altogether:
    [image attachment: Manage Dedicated Servers (1).png]
     
  2. @RSNET-Radic have you guys seen any SSDP attacks yet?
    Seems like more and more script kiddies are using SSDP.
     
  3. MikeA

    MikeA Retired Moderator
    Retired Benefactor

    I'd guess that's what most of the >5Gbps attacks are.
     
  4. RSNET-Radic

    Supporter

    Yes, most of the attacks we see are SSDP reflection attacks.

    Here's a sample dump from a 20 Gbps attack; I removed the target IP:

    #4 RSNET-Radic, Jan 21, 2015
    Last edited: Jan 21, 2015
  5. Wow, are they a problem at all?
    I don't know much about reflection-based attacks, but shouldn't they be dead by now?

    NTP went up for a while but then died; from what I've seen, SSDP has been used for attacks for a few years now.
     
  6. RSNET-Radic

    Supporter

    NTP isn't dead, just less common since it was such a big deal. Reflection attacks are still the "thing" for large scale attacks. All attacks are a problem, but the reflection attacks are the easiest to detect and filter.
     
  7. Oh okay, I wasn't sure if SSDP was tricky to detect and block or not.
    I'll keep you guys in mind next time I need a dedicated server.
     
  8. How are you guys handling intra-ReliableSite attacks? Or have you not encountered that yet?
     
  9. ReliableSite -> ReliableSite goes through their VLAN from Choopa and gets filtered as well (as I've heard from @kill_da_trolls).
     
  10. kill_da_trolls

    Supporter

    Yes, I had to have a private network setup as connections inter-ReliableSite were being rate limited.
     
  11. Yes, I agree. While NTP amplification's effect has been minimized due to the action being taken against it and the reduction in vulnerable servers (reflectors), it is still a big threat; there are now upstream providers doing filtering for clients in each of their PoPs to minimize the effect of it even more. However, once an amplification factor is out there in something as popular as NTP, you won't be seeing it go away anytime soon. Here's a nice site that keeps up-to-date scans of the internet for amplification factors:
    https://ntpmonitorscan.shadowserver.org/stats/

    As you can see, NTP is on a dangerous increase.
     
  12. RSNET-Radic

    Supporter

    All public traffic between different VLANs goes through the filtering. So intra-ReliableSite attacks aren't a problem.
     
  13. TitanicFreak

    Patron

    I strongly am against things like this. Causes major issues for networks...
     
  14. It's cancer
     
  15. RSNET-Radic

    Supporter

    The whitelists will be live soon; in the meantime we're setting up private networks free of charge to work around any issues this may cause. If you haven't already, please either contact me or support.

    Back on track here. Internal filtering is required as seen by what's going on in OVH internally.

    We're seeing interesting patterns of attacks changing when a specific IP can't be taken down, increasing in size, type, etc. On average, it looks like 3 to 4 attempts in a row, all different. I'll post more screenshots from our development server if I get a chance tomorrow, specifically showing this.
     
    #15 RSNET-Radic, Jan 22, 2015
    Last edited: Jan 22, 2015
  16. While that is something to take into consideration, I highly doubt that you'd want your whole network down because of an internal (D)DoS attack due to them not running internal datacenter traffic through their devices. I do believe that doing so puts an unnecessary resource usage on the mitigation devices. I personally suggest not doing so, as I believe your services are inline, correct? I believe a great example of the issue of internal attacks can be seen at providers such as Voxility or OVH.
     
  18. RSNET-Radic

    Supporter

    Couldn't agree with you more. At least these are really simple to detect and filter.

    [image attachment: DDOS Attack Detail (1).png]

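The flow summaries in posts #4 (SSDP, source port 1900) and #18 (NTP, source port 123) share one line format, and the thread's point is that reflection floods are the easiest class to detect and filter. As an added example that is not the poster's code or tooling, this Python parses lines of that shape and flags a destination being hit from many distinct sources on one reflector service port; the sample lines and the reflector-port table are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the "[ts] IP src:port > dst:port UDP, length N, packets M" shape of the
# dumps above; RFC 5737 documentation addresses stand in for real hosts.
SAMPLE_LOG = """\
[2015-01-20 22:17:18] IP 192.0.2.10:1900 > 203.0.113.50:25565 UDP, length 636956, packets 2048
[2015-01-20 22:17:18] IP 192.0.2.11:1900 > 203.0.113.50:25565 UDP, length 634908, packets 2048
[2015-01-20 22:17:19] IP 192.0.2.12:1900 > 203.0.113.50:25565 UDP, length 524316, packets 2048
[2015-01-18 00:32:49] IP 198.51.100.7:123 > 203.0.113.226:80 UDP, length 14680092, packets 32768
[2015-01-18 00:32:49] IP 198.51.100.8:123 > 203.0.113.226:80 UDP, length 3670044, packets 8192
[2015-01-20 22:17:18] IP 198.51.100.200:53412 > 203.0.113.50:25565 UDP, length 1200, packets 10
"""
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] IP (?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+), length (?P<length>\d+), packets (?P<packets>\d+)$")
# Assumed table of UDP services abused as reflectors; SSDP and NTP are the two seen in this thread.
REFLECTOR_PORTS = {1900: "SSDP", 123: "NTP"}

def parse_log(text):
    """Parse flow-summary lines into dicts; malformed lines are skipped rather than raised on."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            for k in ("sport", "dport", "length", "packets"):
                r[k] = int(r[k])
            rows.append(r)
    return rows

def find_reflection_floods(rows, min_reflectors=2):
    """Many distinct sources, one reflector service port, one destination: group on (dst, sport)."""
    groups = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for r in rows:
        if r["proto"] != "UDP" or r["sport"] not in REFLECTOR_PORTS:
            continue  # ordinary UDP, not from a known reflector service port
        g = groups[(r["dst"], r["sport"])]
        g["sources"].add(r["src"])
        g["bytes"] += r["length"]
        g["packets"] += r["packets"]
    alerts = []
    for (dst, sport), g in sorted(groups.items()):
        if len(g["sources"]) >= min_reflectors:
            alerts.append({
                "dst": dst, "service": REFLECTOR_PORTS[sport], "reflectors": len(g["sources"]),
                "avg_pkt_bytes": g["bytes"] // g["packets"],  # reply size hints at the amplifier used
                "filter": f"udp and src port {sport} and dst host {dst}",  # BPF-style rule to act on
            })
    return alerts
```

The average bytes per packet (about 292 for the SSDP sample, 448 for the NTP sample) is what distinguishes a reflected reply stream from ordinary client traffic on the same port, and the emitted filter only ever matches traffic sourced from the service port toward the one attacked host.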
     
  19. That was me messing around with ApacheBench GET attacks. I don't remember exactly how large the attack was; I'm going to try to find the log.