Jump to content
Калькуляторы

постоянно приходит такая фигня чего с этим делать? Если там всё ок.

A public-facing device on your network, running on IP address 91.ххх.ччч.ххх, operates an open SSDP service on port 1900 and participated in a large-scale attack against a customer of ours, generating UDP responses to spoofed M-SEARCH requests that claimed to be from the attack target.

 

Please consider reconfiguring this SSDP-speaking server in one or more of these ways:

 

1. Adding a firewall rule to block outside access to this host, or the network overall, on port 1900.

2. Disabling UPnP entirely (SSDP is a component of the overall UPnP subsystem and can't usually be disabled separately).

3. Reconfiguring the device to not respond to outside M-SEARCH requests, or to rate-limit its responses (the process to follow for this would differ from device to device and may not be possible for many devices).

 

If you represent an ISP, please consider a default-deny rule for outside traffic destined for UDP port 1900 within your network. Like chargen (UDP port 19), the SSDP port is rarely used legitimately by external hosts, and UPnP requires the use of broadcast traffic, so it doesn't apply outside of local subnets; as a result, a filter of UDP 1900 will not cause collateral damage.

 

Further reading:

 

http://www.internetsociety.org/sites/default/files/01_5.pdf

http://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol

http://en.wikipedia.org/wiki/Universal_Plug_and_Play#Discovery

 

Example SSDP responses from the host during this attack are given below.

Date/timestamps (far left) are UTC.

 

2015-04-02 22:40:45.219671 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 257) 91.240.87.144.1900 > 192.223.27.x.6666: UDP, length 229

0x0000: 4500 0101 0000 4000 3611 b3f4 5bf0 5790 E.....@.6...[.W.

0x0010: c0df 1b98 076c 1a0a 00ed 9dd2 4854 5450 .....l......HTTP

0x0020: 2f31 2e31 2032 3030 204f 4b0d 0a43 4143 /1.1.200.OK..CAC

0x0030: 4845 2d43 4f4e 5452 4f4c 3a20 6d61 782d HE-CONTROL:.max-

0x0040: 6167 653d 3132 300d 0a53 543a 2075 706e age=120..ST:.upn

0x0050: 703a p:

2015-04-02 22:40:45.221720 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 329) 91.240.87.144.1900 > 192.223.27.x.6666: UDP, length 301

0x0000: 4500 0149 0000 4000 3611 b3ac 5bf0 5790 E..I..@.6...[.W.

0x0010: c0df 1b98 076c 1a0a 0135 2ed4 4854 5450 .....l...5..HTTP

0x0020: 2f31 2e31 2032 3030 204f 4b0d 0a43 4143 /1.1.200.OK..CAC

0x0030: 4845 2d43 4f4e 5452 4f4c 3a20 6d61 782d HE-CONTROL:.max-

0x0040: 6167 653d 3132 300d 0a53 543a 2075 726e age=120..ST:.urn

0x0050: 3a73 :s

2015-04-02 22:40:45.222403 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 325) 91.240.87.144.1900 > 192.223.27.x.6666: UDP, length 297

0x0000: 4500 0145 0000 4000 3611 b3b0 5bf0 5790 E..E..@.6...[.W.

0x0010: c0df 1b98 076c 1a0a 0131 5502 4854 5450 .....l...1U.HTTP

0x0020: 2f31 2e31 2032 3030 204f 4b0d 0a43 4143 /1.1.200.OK..CAC

0x0030: 4845 2d43 4f4e 5452 4f4c 3a20 6d61 782d HE-CONTROL:.max-

0x0040: 6167 653d 3132 300d 0a53 543a 2075 726e age=120..ST:.urn

0x0050: 3a73 :s

2015-04-02 22:40:45.222431 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 305) 91.240.87.144.1900 > 192.223.27.x.6666: UDP, length 277

0x0000: 4500 0131 0000 4000 3611 b3c4 5bf0 5790 E..1..@.6...[.W.

0x0010: c0df 1b98 076c 1a0a 011d 693e 4854 5450 .....l....i>HTTP

0x0020: 2f31 2e31 2032 3030 204f 4b0d 0a43 4143 /1.1.200.OK..CAC

0x0030: 4845 2d43 4f4e 5452 4f4c 3a20 6d61 782d HE-CONTROL:.max-

0x0040: 6167 653d 3132 300d 0a53 543a 2075 726e age=120..ST:.urn

0x0050: 3a73 :s

2015-04-02 22:40:45.222457 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 337) 91.240.87.144.1900 > 192.223.27.x.6666: UDP, length 309

0x0000: 4500 0151 0000 4000 3611 b3a4 5bf0 5790 E..Q..@.6...[.W.

0x0010: c0df 1b98 076c 1a0a 013d e176 4854 5450 .....l...=.vHTTP

0x0020: 2f31 2e31 2032 3030 204f 4b0d 0a43 4143 /1.1.200.OK..CAC

0x0030: 4845 2d43 4f4e 5452 4f4c 3a20 6d61 782d HE-CONTROL:.max-

0x0040: 6167 653d 3132 300d 0a53 543a 2075 726e age=120..ST:.urn

0x0050: 3a73 :s

 

 

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "152".)

 

-John

President

Nuclearfallout, Enterprises, Inc. (NFOservers.com)

 

(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)

Share this post


Link to post
Share on other sites

Это информация к размышлению или хотели какой вопрос задать?

Share this post


Link to post
Share on other sites

Закрыть ссдп на клиентов?

И порегаться на радаре - https://radar.qrator.net/ , чтобы видеть источники ддосов в своей сети.

У меня появляется желание сделать универсальный фильтр и вешать на клиентов с внешними адресами

Share this post


Link to post
Share on other sites

04 апреля 2015 - 12:51

А можете чуть поподробнее про этот радар рассказать?

Share this post


Link to post
Share on other sites

Сайт сообщает о уязвимостях в вашей сети (DDoS амплификаторы и т.п.), и прочих проблемах.

Share this post


Link to post
Share on other sites

Там при регистрации нужно просто номер своей AS вводить или еще какие параметры?

Share this post


Link to post
Share on other sites

Там при регистрации нужно просто номер своей AS вводить или еще какие параметры?

Они для валидации отправят письмо на адрес который указан в ripe для данной AS. После этого будет доступна админка с указанием паблик ip и амплификиейшинов которые на нем открыты

Share this post


Link to post
Share on other sites

хороший сервис , начал пользоваться qrator.net после нескольких ddos по ntp от своих же абонентов с открытыми портами наружу , постепенно вышел на fastnetmon exabgp openresolverproject.org openntpproject.org понятно что есть nmap но всетаки.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this