Re: HTTP DDoS attack on our servers

From: John Duksta (john_at_duksta.org)
Date: 07/09/03

    Date: Wed, 09 Jul 2003 15:14:45 -0400
    To: Markus Peter <warp@spin.de>, incidents@securityfocus.com

    Sounds like W32/Graps.worm.

    A quick googling for TCP port 45836 turns up the following page at
    Network Associates: http://vil.nai.com/vil/content/v_100467.htm

    I quote:

       "The worm scans the local class A subnet (#.*.*.*) for target
        systems. The worm creates a remote access server by listening on TCP
        port 45836. This server allows a remote attacker to perform the
        following tasks:

        - Retrieve the following information
          - Uptime
          - Download speed
          - CPU information
          - RAM
          - Disk Usage
        - Specify a target IP address to ICMP/HTTP flood
        - Download/execute files
        - Internet Relay Chat (IRC) functions
        - IP Port Redirection (to create proxies)"

    -- 
    John Duksta, CISSP
    email:   john@duksta.org
    site:    http://duksta.org

    Markus Peter wrote:
    > Hello
    > 
    > Since yesterday, about 8pm CET, we observe a strange phenomenon on one 
    > of our servers, which appears like a DDoS attack. The characteristics do 
    > not match those of the typical known UDP DDoS tools but are TCP based.
    > 
    > Basically, > 8.000 IP numbers are sending HTTP requests to our server on 
    > a non-HTTP port (8000), which ran an entirely different, non-HTTP-related 
    > service on this machine. The IP numbers are mostly assigned to 
    > Europe and North America.
    > 
    > The requests always look the same way:
    > 
    > GET /index.htm HTTP/1.1
    > Accept: */*
    > User-Agent: UserAgent
    > Connection: close
    > Host: <our ip number>
    > 
    > Please note that they literally supplied "UserAgent" as User-Agent - I 
    > only removed our IP number from the requests. Each attacking host opens 
    > multiple connections per second. Even though the server which ran at 
    > 8000 could not handle HTTP requests at all and immediately closed the 
    > connection after the first sent line, the sheer number of connection 
    > attempts was enough to basically force us to put the service offline, as 
    > we had over 60.000 concurrent TCP connections due to this.
    > 
    > Due to the above described characteristics, I'm pretty sure that it's 
    > not just a misguided link on some large website, but some sort of 
    > non-browser program doing the requests.
    > 
    > We nmapped some of the requesting machines. All of the scanned hosts 
    > appear to be running Windows, with all of them having TCP port 45836 
    > open. If we try connecting to that port, the connection is either 
    > immediately closed again by the remote end, or occasionally kept open 
    > indefinitely, but in neither case is any data sent back to us.
    > 
    > I'm now completely puzzled on what is happening and what kind of tool we 
    > confront. Does anyone else experience incidents like those?
    > 
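The request shape Markus describes (fixed `GET /index.htm`, the literal `UserAgent` string, `Connection: close`, a bare IP in `Host`, many connections per second from thousands of sources) is distinctive enough to detect on the receiving end. The following is an added example, not code from either poster: it parses a constructed connection log in an assumed format, matches that signature, and rates each source by hits per second; the log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (not from the post): one line per accepted connection on
# the non-HTTP port, "<epoch> <src_ip> <request line> | hdr1;hdr2;...".
SAMPLE_LOG = """\
1057779601 198.51.100.7 GET /index.htm HTTP/1.1 | Accept: */*;User-Agent: UserAgent;Connection: close;Host: 203.0.113.10
1057779601 198.51.100.7 GET /index.htm HTTP/1.1 | Accept: */*;User-Agent: UserAgent;Connection: close;Host: 203.0.113.10
1057779601 198.51.100.7 GET /index.htm HTTP/1.1 | Accept: */*;User-Agent: UserAgent;Connection: close;Host: 203.0.113.10
1057779601 192.0.2.44 GET /index.htm HTTP/1.1 | Accept: */*;User-Agent: UserAgent;Connection: close;Host: 203.0.113.10
1057779602 192.0.2.44 GET /index.htm HTTP/1.1 | Accept: */*;User-Agent: UserAgent;Connection: close;Host: 203.0.113.10
1057779602 192.0.2.44 GET /index.htm HTTP/1.1 | Accept: */*;User-Agent: UserAgent;Connection: close;Host: 203.0.113.10
1057779603 203.0.113.99 GET /robots.txt HTTP/1.0 | User-Agent: Mozilla/4.0;Host: example.test
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+ \S+ \S+) \| (.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_line(line):
    """Return (timestamp, source ip, request line, header dict) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    headers = {}
    for h in m.group(4).split(";"):
        name, _, value = h.partition(":")
        headers[name.strip()] = value.strip()
    return int(m.group(1)), m.group(2), m.group(3), headers

def matches_signature(request_line, headers):
    """The fixed shape from the post: literal 'UserAgent' UA, Connection: close,
    and a bare IP address in Host rather than a hostname."""
    return (request_line == "GET /index.htm HTTP/1.1"
            and headers.get("User-Agent") == "UserAgent"
            and headers.get("Connection") == "close"
            and IPV4_RE.match(headers.get("Host", "")) is not None)

def analyze(log_text, min_rate=2, min_sources=2):
    """Count signature hits per source per second. A source reaching min_rate
    hits in one second is a flooder; min_sources flooders (assumed thresholds)
    flag a distributed flood rather than a single misbehaving client."""
    hits = defaultdict(lambda: defaultdict(int))  # ip -> second -> count
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and matches_signature(parsed[2], parsed[3]):
            hits[parsed[1]][parsed[0]] += 1
    flooders = sorted(ip for ip, per_sec in hits.items()
                      if max(per_sec.values()) >= min_rate)
    return {"matching_sources": len(hits), "flooders": flooders,
            "ddos_suspected": len(flooders) >= min_sources}
```

The `flooders` list is what you would feed to a firewall table or rate-limit rule; the unrelated `robots.txt` request in the sample is left untouched because it fails the signature.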
