Abuse 31.131.251.198

Здравствуйте.

В наш адрес поступила жалоба на Ваш сервер(31.131.251.198). Просим Вас разобраться в ситуации и принять соответствующие меры.
Текст жалобы:
It appears that a public «chargen» service on your network, running on IP address 31.131.251.198, participated in a large-scale attack against a customer of ours, generating large UDP responses to spoofed probes that claimed to be from the attack target.

chargen is an old testing service that generates large quantities of traffic with only a small request required. It is commonly enabled by default on old printers and other connected appliances, but it has no useful purpose over the open internet.

Please block UDP port 19 (inbound and outbound) at your network edge, as this should stop these chargen attacks without blocking legitimate traffic. If the endpoint device that generated this traffic is configurable, please further investigate whether it is running a chargen service (and disable it, if so) — commonly exploited devices include Cisco hardware that has «udp small servers» mistakenly enabled, old printers, old UNIX boxes with «chargen» running under inetd, and Windows boxes with the «Simple TCP/IP services» package installed. Also, it is worth checking if it is a machine that has been compromised, as some malware directly generates port 19 traffic, simulating chargen, and in this way masks its presence.

If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.

Example responses from your host during this attack are given below.
Timestamps (far left) are PDT (UTC-7), and the date is 2014-10-21.

21:55:56.610348 IP 31.131.251.198.19 > 162.248.88.x.49890: UDP, length 1369
0x0000: 4500 0575 6719 0000 7811 bf5e 1f83 fbc6 E..ug…x..^….
0x0010: a2f8 58be 0013 c2e2 0561 4150 2021 2223 ..X……aAP.!»#
0x0020: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0030: 3435 3637 3839 3a3b 3c3d 3e3f 4041 4243 456789:;<=>?@ABC
0x0040: 4445 4647 4849 4a4b 4c4d 4e4f 5051 5253 DEFGHIJKLMNOPQRS
0x0050: 5455 TU
21:55:56.698360 IP 31.131.251.198.19 > 162.248.88.x.49890: UDP, length 1435
0x0000: 4500 05b7 671f 0000 7811 bf16 1f83 fbc6 E…g…x…….
0x0010: a2f8 58be 0013 c2e2 05a3 71d9 2021 2223 ..X…….q..!»#
0x0020: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&amp;'()*+,-./0123
0x0030: 3435 3637 3839 3a3b 3c3d 3e3f 4041 4243 456789:;<=>?@ABC
0x0040: 4445 4647 4849 4a4b 4c4d 4e4f 5051 5253 DEFGHIJKLMNOPQRS
0x0050: 5455 TU

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is «190».)

-John
President
Nuclearfallout, Enterprises, Inc. (NFOservers.com)

(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)

Об авторе

Vitaliy Nixenkin

Просмотреть все сообщения