Backscatter’s the name. DoS the game.

Today, USU is seeing the backscatter from a large Denial of Service (DoS) attack. During the last week, we have been seeing more and more backscatter. This attack is the biggest so far.

One of the ways that attackers perform a DoS attack is to send a flood of connection requests at a service. If they are attacking a web server, the attack packets will be TCP SYN packets directed at the web server's port 80 or port 443. The attackers usually generate a random source IP address for every packet, both to avoid retaliation and so that the flood cannot simply be blocked by source address.

In a variant of this attack (a reflection attack), the attackers send a flood of requests to innocent third-party servers. These requests all carry a single forged source IP address, and the target victim is the host at that forged address: the third-party servers' replies converge on the victim. This kind of indirect or 'echo' attack works with both TCP and UDP services.

In the direct attack, the victim server will attempt to reply to each of these requests (for a SYN flood, with a SYN/ACK). These replies go to the random source IP addresses. These replies are called backscatter. The attacker doesn't see or care about the replies; the attacker is just trying to drown the victim in a sea of bogus traffic.

Every IP address in the world receives backscatter packets from time to time. DoS attacks are so pervasive that every usable IP address gets spoofed at some point, often several times a day. Since backscatter is a network anomaly (a SYN/ACK or RST for a connection that was never opened), most good firewalls discard it without comment.

USU tracks backscatter when it arrives at our unallocated, dark IP addresses. We have a low-priority local route, a catch-all that only matches addresses no allocated subnet claims, that redirects packets addressed to unallocated IPs to a darknet sensor. Here is a typical sample:


15:13:14.516872 IP 206.217.203.90.80 > 129.123.37.0.24905: tcp 0
15:13:15.536700 IP 206.217.203.90.80 > 129.123.51.68.63505: tcp 0
15:13:16.659315 IP 206.217.203.90.80 > 129.123.174.47.20326: tcp 0
15:13:19.148559 IP 61.134.55.110.80 > 129.123.163.116.9280: tcp 0
15:13:19.704974 IP 61.134.55.110.80 > 129.123.153.27.56375: tcp 0
15:13:20.341612 IP 66.79.162.52.80 > 129.123.0.189.25977: tcp 0
15:13:20.619770 IP 222.211.80.133.80 > 129.123.135.33.8984: tcp 0
15:13:21.268089 IP 61.134.55.110.80 > 129.123.163.116.9280: tcp 0
15:13:22.276686 IP 61.134.55.110.80 > 129.123.153.27.56375: tcp 0
15:13:26.357499 IP 219.153.14.15.80 > 129.123.237.42.44338: tcp 0
15:13:28.755787 IP 219.153.14.15.80 > 129.123.237.42.44338: tcp 0
15:13:31.393294 IP 113.134.202.199.80 > 129.123.135.1.41854: tcp 0
15:13:32.719237 IP 66.79.162.52.80 > 129.123.51.16.1925: tcp 0
15:13:33.037530 IP 66.79.162.52.80 > 129.123.15.201.15155: tcp 0

In this 20 second sample, you can see backscatter from attacks against 6 different web servers:

  • 61.134.55.110 Shanxi(SN) province/China
  • 66.79.162.52 DCS Pacific Star/Los Altos, California
  • 113.134.202.199 Shanxi province/China
  • 206.217.203.90 Hosting Services/Providence, Utah
  • 219.153.14.15 Chongqing province/China
  • 222.211.80.133 Sichuan province/China

It is not an accident that most of the DoS victims are in China. This has been the pattern for the last year or so. DoSing and being DoSed seems to be the Internet sport of choice in China. The Chinese are a major participant, but they are not the only ones. This week's backscatter seems to be dominated by two groups: one in China, the other in Europe.

On Sunday the 22nd at about 6:00 AM (GMT-6) a group of attackers located in China (and Vietnam) started attacking several servers in China. The USU backscatter consisted of two parts. First was the normal backscatter traffic from TCP/80. But there was a more informative ICMP component that looked like:


12:35:55.378659 IP 61.174.182.222 > 129.123.190.55: ICMP time exceeded in-transit, length 36
12:36:21.493396 IP 61.174.182.238 > 129.123.191.4: ICMP time exceeded in-transit, length 36
11:53:54.050195 IP 61.174.183.158 > 129.123.42.81: ICMP time exceeded in-transit, length 36
13:05:26.766663 IP 112.78.0.41 > 129.123.177.109: ICMP time exceeded in-transit, length 36
11:47:01.831991 IP 112.78.4.65 > 129.123.178.60: ICMP time exceeded in-transit, length 36
13:04:58.389374 IP 113.4.128.62 > 129.123.39.53: ICMP time exceeded in-transit, length 36
13:04:27.022539 IP 118.123.196.177 > 129.123.153.117: ICMP time exceeded in-transit, length 36
11:53:25.080097 IP 118.123.196.181 > 129.123.130.123: ICMP time exceeded in-transit, length 36
12:37:39.026498 IP 118.123.196.213 > 129.123.143.118: ICMP time exceeded in-transit, length 36
11:54:26.405964 IP 123.29.11.37 > 129.123.135.51: ICMP time exceeded in-transit, length 56
12:35:53.239611 IP 123.30.82.61 > 129.123.158.45: ICMP time exceeded in-transit, length 36
11:52:42.995340 IP 123.183.208.1 > 129.123.6.47: ICMP time exceeded in-transit, length 36
11:54:22.249470 IP 124.74.254.174 > 129.123.130.27: ICMP time exceeded in-transit, length 36
13:04:59.981694 IP 202.97.36.222 > 129.123.107.3: ICMP time exceeded in-transit, length 36
11:54:42.271394 IP 202.97.41.17 > 129.123.149.59: ICMP time exceeded in-transit, length 36
12:35:18.818277 IP 202.97.41.49 > 129.123.130.61: ICMP time exceeded in-transit, length 36
11:47:20.115682 IP 202.97.47.50 > 129.123.128.95: ICMP time exceeded in-transit, length 36
12:38:17.344188 IP 202.97.47.85 > 129.123.171.23: ICMP time exceeded in-transit, length 36
11:46:57.601117 IP 202.97.47.102 > 129.123.42.64: ICMP time exceeded in-transit, length 36
11:54:48.953623 IP 203.162.184.53 > 129.123.129.125: ICMP time exceeded in-transit, length 36
12:37:41.629461 IP 218.10.16.129 > 129.123.178.124: ICMP time exceeded in-transit, length 36
11:47:05.918146 IP 219.148.18.201 > 129.123.176.32: ICMP time exceeded in-transit, length 36
11:54:46.830498 IP 219.148.18.205 > 129.123.175.96: ICMP time exceeded in-transit, length 36
11:53:26.747395 IP 219.148.18.209 > 129.123.133.104: ICMP time exceeded in-transit, length 36
12:35:39.763482 IP 219.148.18.217 > 129.123.154.68: ICMP time exceeded in-transit, length 36
13:04:21.928089 IP 219.148.19.109 > 129.123.46.107: ICMP time exceeded in-transit, length 36
11:53:47.545635 IP 219.148.19.113 > 129.123.237.39: ICMP time exceeded in-transit, length 36
12:35:29.102630 IP 219.148.19.117 > 129.123.129.125: ICMP time exceeded in-transit, length 36
11:53:38.829090 IP 221.5.242.117 > 129.123.153.102: ICMP time exceeded in-transit, length 36
11:47:10.829739 IP 221.5.246.29 > 129.123.131.10: ICMP time exceeded in-transit, length 36
13:05:38.289993 IP 221.5.253.245 > 129.123.153.53: ICMP time exceeded in-transit, length 36
12:36:25.981512 IP 221.210.45.81 > 129.123.134.53: ICMP time exceeded in-transit, length 36
12:35:31.323099 IP 222.73.102.226 > 129.123.187.42: ICMP time exceeded in-transit, length 36
13:05:44.008452 IP 222.87.129.129 > 129.123.237.120: ICMP time exceeded in-transit, length 36
11:47:09.339258 IP 222.211.63.74 > 129.123.11.84: ICMP time exceeded in-transit, length 36

This traffic is sent out by routers in China and Vietnam. They are saying that they attempted to forward an attack packet, but the packet's Time To Live (TTL) ran out. As RFC 792 requires, the router's ICMP Time Exceeded message (type 11, code 0) quotes the IP header of the dropped packet plus the first 8 bytes of its payload; for TCP those 8 bytes are the source port, destination port and sequence number. That is why the 'length 36' messages above are so informative: 8 bytes of ICMP header, 20 bytes of quoted IP header and 8 bytes of quoted TCP header. In more detail, this traffic looks like:


13:24:16.786355 IP 221.210.42.113 > 129.123.166.127: ICMP time exceeded in-transit, length 36
0x0000: 4500 0038 e55e 0000 f101 b427 ddd2 2a71 E..8.^.....'..*q
0x0010: 817b a67f 0b00 1ecd 0000 0000 4500 0030 .{..........E..0
0x0020: 744c 4000 0106 f0bd 817b a67f 3db4 af0f tL@......{..=...
0x0030: 867a 0458 e345 681a .z.X.Eh.
13:24:19.429358 IP 222.87.122.209 > 129.123.15.16: ICMP time exceeded in-transit, length 36
0x0000: 4500 0038 dbc6 0000 f101 044a de57 7ad1 E..8.......J.Wz.
0x0010: 817b 0f10 0b00 5e2d eace d038 4500 0030 .{....^-...8E..0
0x0020: 0401 4000 0106 b5e1 817b 0f10 ded3 5087 ..@......{....P.
0x0030: 605e 63a7 4768 d05c `^c.Gh.\
13:24:23.498285 IP 203.162.185.205 > 129.123.184.50: ICMP time exceeded in-transit, length 36
0x0000: 4500 0038 1584 0000 f101 f522 cba2 b9cd E..8......."....
0x0010: 817b b832 0b00 1a71 0000 0000 4500 0030 .{.2...q....E..0
0x0020: 3843 4000 0106 9dcb 817b b832 71a2 f869 8C@......{.2q..i
0x0030: f069 0e99 e93e f24c .i...>.L

A little pain with a hex converter revealed that some of these original attack packets were directed at:

  • 3da4 7171 61.164.113.113 Wenzhou lianzhong Network Technology/China
  • 3db4 af0f 61.180.175.15 Heilongjiang province/China
  • 71a2 406a 113.162.64.106 VietNam Post/Vietnam
  • 71a2 f869 113.162.248.105 VietNam Post/Vietnam
  • ded3 5087 222.211.80.135 Sichuan province/China
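Doing that decoding with a hex converter is tedious and error-prone. The following Python is an added example, not code from the original post: it parses tcpdump -x records in the format shown above (the three records above are embedded as its sample input), walks the outer IP header, the ICMP header and the quoted IP header, and pulls out the real victim address and port together with the address the attacker forged. The names decode_time_exceeded, QuotedAttackPacket and tally_targets are this example's own. Run tcpdump with -x (not -xx) so the dump begins at the IP header.

```python
"""Decode ICMP Time Exceeded backscatter out of a tcpdump -x capture.

Added example, not code from the original post.  RFC 792: a router that drops a
datagram because its TTL ran out returns ICMP type 11 quoting the dropped
datagram's IP header plus the first 8 bytes of its payload; for TCP those bytes
are src port, dst port and sequence number, so the real victim is right there in
the quotation.  SAMPLE_DUMPS are the three records shown in the post."""
import re
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE_DUMPS = """\
13:24:16.786355 IP 221.210.42.113 > 129.123.166.127: ICMP time exceeded in-transit, length 36
0x0000: 4500 0038 e55e 0000 f101 b427 ddd2 2a71 E..8.^.....'..*q
0x0010: 817b a67f 0b00 1ecd 0000 0000 4500 0030 .{..........E..0
0x0020: 744c 4000 0106 f0bd 817b a67f 3db4 af0f tL@......{..=...
0x0030: 867a 0458 e345 681a .z.X.Eh.
13:24:19.429358 IP 222.87.122.209 > 129.123.15.16: ICMP time exceeded in-transit, length 36
0x0000: 4500 0038 dbc6 0000 f101 044a de57 7ad1 E..8.......J.Wz.
0x0010: 817b 0f10 0b00 5e2d eace d038 4500 0030 .{....^-...8E..0
0x0020: 0401 4000 0106 b5e1 817b 0f10 ded3 5087 ..@......{....P.
0x0030: 605e 63a7 4768 d05c `^c.Gh.\\
13:24:23.498285 IP 203.162.185.205 > 129.123.184.50: ICMP time exceeded in-transit, length 36
0x0000: 4500 0038 1584 0000 f101 f522 cba2 b9cd E..8......."....
0x0010: 817b b832 0b00 1a71 0000 0000 4500 0030 .{.2...q....E..0
0x0020: 3843 4000 0106 9dcb 817b b832 71a2 f869 8C@......{.2q..i
0x0030: f069 0e99 e93e f24c .i...>.L
"""

HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s*(.*)$")
HEX_GROUP = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")

def parse_hexdump(text):
    """Split tcpdump -x output into (summary line, packet bytes) records.
    Only whole hex groups are taken, at most 8 per line, so -X's ASCII column is skipped."""
    records, header, buf = [], "", bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m is None:                       # a summary line starts the next record
            if buf:
                records.append((header, bytes(buf)))
                buf = bytearray()
            header = line.strip() or header
            continue
        groups = []
        for tok in m.group(1).split():
            if len(groups) == 8 or not HEX_GROUP.fullmatch(tok):
                break
            groups.append(tok)
        buf += bytes.fromhex("".join(groups))
    if buf:
        records.append((header, bytes(buf)))
    return records

@dataclass
class QuotedAttackPacket:
    router: str              # outer src: the router that dropped the attack packet
    sensor: str              # outer dst: the darknet address the attacker forged
    spoofed_src: str         # inner src: should equal sensor
    target: str              # inner dst: the real DoS victim
    proto: int               # inner protocol (6 = TCP, 17 = UDP)
    inner_ttl: int           # TTL of the attack packet when it was dropped
    src_port: Optional[int]  # None unless TCP or UDP
    dst_port: Optional[int]

def _ip4(b):
    return ".".join(str(x) for x in b[:4])

def decode_time_exceeded(pkt):
    """Walk outer IPv4 -> ICMP type 11 -> quoted IPv4 header -> quoted ports."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        raise ValueError("not an IPv4 ICMP packet")
    ihl = (pkt[0] & 0x0F) * 4
    pkt = pkt[:struct.unpack("!H", pkt[2:4])[0]]   # honour the IP total length
    if len(pkt) < ihl + 8 or pkt[ihl] != 11:
        raise ValueError("not an ICMP Time Exceeded message")
    inner = pkt[ihl + 8:]                           # skip the 8-byte ICMP header
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        raise ValueError("quotation shorter than IP header + 8 bytes")
    proto, src_port, dst_port = inner[9], None, None
    if proto in (6, 17):                            # TCP and UDP both lead with the ports
        src_port, dst_port = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return QuotedAttackPacket(_ip4(pkt[12:16]), _ip4(pkt[16:20]), _ip4(inner[12:16]),
                              _ip4(inner[16:20]), proto, inner[8], src_port, dst_port)

def tally_targets(text):
    """Count quoted attack packets per real victim across a whole capture."""
    hits = Counter()
    for _, raw in parse_hexdump(text):
        try:
            hits[decode_time_exceeded(raw).target] += 1
        except ValueError:
            pass                                    # not a Time Exceeded record
    return hits
```

On the three records above this yields targets 61.180.175.15, 222.211.80.135 and 113.162.248.105, matching the hand-decoded list. In every record the quoted source address equals the darknet address the ICMP was sent to, which is the fingerprint of forged traffic: the router is returning the error to whoever the attacker claimed to be. The quoted TTL is 1 in all three, so the packets died on the hop that reported them.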

So, at least 36 routers around China and Vietnam are reporting forged attack packets aimed at servers also located in China and Vietnam, with the attackers themselves somewhere upstream of those routers. Sounds good to me. Now, if only I could get them to stop lying about my IP addresses. Eventually, somebody is going to believe their lies and blame me. Maybe somebody like:

http://www.backscatterer.org/

Also active this week is a group that is attacking servers in the US and Europe. They have a distinctive signature: they source their TCP attack packets from TCP/1024 and TCP/3072, so their backscatter arrives at our darknet with one of those two destination ports.

There is an informative blog entry about the attack tool that generates these packets on John Kristoff's blog at Team Cymru.

The backscatter looks like:


2010-08-22 11:45:45.0745 2010-08-22 11:45:45.0745 209.117.137.103 6667 129.123.204.35 1024 1 40 6 -S--A---
2010-08-22 11:45:45.0800 2010-08-22 11:45:45.0800 209.117.137.103 6667 129.123.55.123 3072 1 40 6 -S--A---
2010-08-22 11:45:45.0073 2010-08-22 11:45:45.0073 209.117.137.103 6667 129.123.128.23 3072 1 40 6 -S--A---
2010-08-22 11:45:44.0656 2010-08-22 11:45:44.0656 209.117.137.103 6667 129.123.136.87 3072 1 40 6 -S--A---
2010-08-22 11:45:46.0784 2010-08-22 11:45:46.0784 209.117.137.103 6667 129.123.68.24 3072 1 40 6 -S--A---
2010-08-22 11:45:45.0135 2010-08-22 11:45:45.0135 209.117.137.103 6667 129.123.219.111 1024 1 40 6 -S--A---
2010-08-22 11:45:45.0341 2010-08-22 11:45:45.0341 209.117.137.103 6667 129.123.36.111 3072 1 40 6 -S--A---
2010-08-22 11:45:46.0641 2010-08-22 11:45:46.0641 209.117.137.103 6667 129.123.6.119 1024 1 40 6 -S--A---
2010-08-22 11:45:51.0075 2010-08-22 11:45:51.0075 209.117.137.103 6667 129.123.114.25 3072 1 40 6 -S--A---
2010-08-22 11:45:47.0555 2010-08-22 11:45:47.0555 209.117.137.103 6667 129.123.145.56 1024 1 40 6 -S--A---
2010-08-22 11:45:47.0600 2010-08-22 11:45:47.0600 209.117.137.103 6667 129.123.55.73 1024 1 40 6 -S--A---
2010-08-22 11:45:51.0617 2010-08-22 11:45:51.0617 209.117.137.103 6667 129.123.132.19 1024 1 40 6 -S--A---
2010-08-22 11:45:51.0187 2010-08-22 11:45:51.0187 209.117.137.103 6667 129.123.90.78 3072 1 40 6 -S--A---

This report is based on NetFlow data. The fields are flow start and end time, source IP and port, destination IP and port, packet count, byte count, IP protocol (6 = TCP) and, rightmost, the TCP flags. These are almost always SYN/ACKs with an occasional RST. This particular snippet is backscatter from an attack against an IRC server (TCP/6667) in the USA.
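As an added example (not from the original post), here is a small Python filter over flow records in the column layout above: it keeps only TCP flows that look like replies (SYN/ACK or RST) whose destination port is one of the tool's fixed source ports, 1024 or 3072, then tallies them per source address and notes which service port each source was answering from. The 13 records above are embedded as sample input; three further records from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges are constructed decoys the filter must reject (a bare SYN probing the darknet, backscatter from an unrelated attack, and a UDP datagram). The names parse_flows, is_backscatter, tally_tool_backscatter and report are this example's own.

```python
"""Tally backscatter from the TCP/1024 + TCP/3072 attack tool in flow records.

Added example, not the post's own code.  Columns follow the NetFlow snippet in
the post: start, end, src IP, src port, dst IP, dst port, packets, bytes,
protocol, TCP flags.  The tool sources its spoofed SYNs from 1024 or 3072, so
the victims' SYN/ACKs (and RSTs) reach the darknet with one of those two
*destination* ports.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# 13 records from the post, then 3 constructed decoys the filter must ignore:
# a bare SYN (a scanner, not a reply), a SYN/ACK to a random port (backscatter
# from some other attack) and a UDP datagram.
SAMPLE_FLOWS = """\
2010-08-22 11:45:45.0745 2010-08-22 11:45:45.0745 209.117.137.103 6667 129.123.204.35 1024 1 40 6 -S--A---
2010-08-22 11:45:45.0800 2010-08-22 11:45:45.0800 209.117.137.103 6667 129.123.55.123 3072 1 40 6 -S--A---
2010-08-22 11:45:45.0073 2010-08-22 11:45:45.0073 209.117.137.103 6667 129.123.128.23 3072 1 40 6 -S--A---
2010-08-22 11:45:44.0656 2010-08-22 11:45:44.0656 209.117.137.103 6667 129.123.136.87 3072 1 40 6 -S--A---
2010-08-22 11:45:46.0784 2010-08-22 11:45:46.0784 209.117.137.103 6667 129.123.68.24 3072 1 40 6 -S--A---
2010-08-22 11:45:45.0135 2010-08-22 11:45:45.0135 209.117.137.103 6667 129.123.219.111 1024 1 40 6 -S--A---
2010-08-22 11:45:45.0341 2010-08-22 11:45:45.0341 209.117.137.103 6667 129.123.36.111 3072 1 40 6 -S--A---
2010-08-22 11:45:46.0641 2010-08-22 11:45:46.0641 209.117.137.103 6667 129.123.6.119 1024 1 40 6 -S--A---
2010-08-22 11:45:51.0075 2010-08-22 11:45:51.0075 209.117.137.103 6667 129.123.114.25 3072 1 40 6 -S--A---
2010-08-22 11:45:47.0555 2010-08-22 11:45:47.0555 209.117.137.103 6667 129.123.145.56 1024 1 40 6 -S--A---
2010-08-22 11:45:47.0600 2010-08-22 11:45:47.0600 209.117.137.103 6667 129.123.55.73 1024 1 40 6 -S--A---
2010-08-22 11:45:51.0617 2010-08-22 11:45:51.0617 209.117.137.103 6667 129.123.132.19 1024 1 40 6 -S--A---
2010-08-22 11:45:51.0187 2010-08-22 11:45:51.0187 209.117.137.103 6667 129.123.90.78 3072 1 40 6 -S--A---
2010-08-22 11:46:02.0001 2010-08-22 11:46:02.0001 198.51.100.7 54321 129.123.77.9 3072 1 60 6 -S------
2010-08-22 11:46:03.0002 2010-08-22 11:46:03.0002 203.0.113.5 22 129.123.88.14 41234 1 40 6 -S--A---
2010-08-22 11:46:04.0003 2010-08-22 11:46:04.0003 198.51.100.9 53 129.123.90.2 3072 1 70 17 --------
"""


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    proto: int
    flags: str


def parse_flows(text):
    """One Flow per 12-field record; anything else (blank lines, headers) is skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 12:
            continue
        flows.append(Flow(f[4], int(f[5]), f[6], int(f[7]), int(f[8]), int(f[10]), f[11]))
    return flows


def is_backscatter(flow):
    """A TCP reply to a connection the darknet never opened: SYN/ACK or RST."""
    if flow.proto != 6:
        return False
    flags = set(flow.flags.upper())
    return ("S" in flags and "A" in flags) or "R" in flags


def tally_tool_backscatter(text, trigger_ports=(1024, 3072)):
    """Flows per source IP, and the service ports each source answered from,
    for backscatter whose destination port is one of the tool's source ports."""
    hits, services = Counter(), defaultdict(set)
    for flow in parse_flows(text):
        if flow.dst_port not in trigger_ports or not is_backscatter(flow):
            continue
        hits[flow.src_ip] += 1          # one flow is one reply packet in this data
        services[flow.src_ip].add(flow.src_port)
    return hits, dict(services)


def report(text):
    """Lines in the shape of the post's daily 'IP Address  Hits' lists."""
    hits, services = tally_tool_backscatter(text)
    return [f"{ip:<16}{n:>6}  DoS to TCP/{','.join(str(p) for p in sorted(services[ip]))}"
            for ip, n in hits.most_common()]
```

On the sample this reports a single source, 209.117.137.103, with 13 hits answering from TCP/6667; the bare SYN and the UDP datagram are not replies, and the SYN/ACK from port 22 went to a random high port rather than 1024 or 3072, so none of the decoys count. Filtering on the destination port alone would let scanners that happen to probe 1024 or 3072 into the tally, which is why the flag check matters.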

This group is fairly easy to track. You can just look for darknet traffic arriving on TCP/3072 or TCP/1024, then confirm in the NetFlow data that it is SYN/ACKs. In the last 3 days, USU observed backscatter from attacks against:


2010-08-22 Sunday, IP Addresses sourcing backscatter to port 3072:

IP Address        Hits  Attack                    Owner/location
---------------   ----  ------------------------  ------------------------------
209.117.137.103   6165  DoS to TCP/6667           XO/USA
109.169.21.38     4051  DoS to TCP/22             internetbilisim.net/Turkey
88.190.12.49      3033  DoS to TCP/6049           Free SAS/France
173.236.48.74     2818  DoS to TCP/22,80          SINGLEHOP/Chicago
94.23.243.160     2237  DoS to TCP/80             ovh.net/France
184.154.44.26     1894  DoS to TCP/80             SINGLEHOP/Chicago
123.138.24.11      886  DoS to TCP/0              Shaanxi province/China
78.159.98.216      617  DoS to TCP/443            netdirect/Germany
85.13.137.190      468  DoS to TCP/80             Neue Medien Muennich/Germany
173.1.78.154       448  DoS to TCP/6005           GoGrid/San Francisco
93.182.186.2       424  DoS to TCP/53             ViaEuropa/Sweden
8.17.7.7           423  DoS to TCP/53             Level 3 Communications/USA
209.85.227.190     391  DoS to TCP/80             Google
94.76.229.236      297  DoS to TCP/6009           Blueconnex Networks/England
64.40.15.10        296  DoS to TCP/80             Paltalk/New York
206.217.210.155    278  DoS to TCP/19056          Hosting Services/Utah
174.36.1.70        229  DoS to TCP/6002           Hosting Services/Chicago
92.81.10.184       228  DoS to TCP/0              Romtelecom/Romania
67.213.222.127     227  DoS to TCP/80             Hosting Services/Utah
85.159.66.18       224  DoS to TCP/80             Cizgi Telekom/Turkey
174.36.55.66      1352  Chinese DoS to TCP/9999   Softlayer/Chicago
174.36.55.66       222  European DoS to TCP/5656  Softlayer/Chicago
200.93.168.186     203  DoS to TCP/53             Colombian government
94.101.91.24       152  DoS to TCP/22,80,27015    Senoyna Online Gaming/Turkey
208.83.20.130      140  DoS to TCP/6667           Desync Networks/Florida
206.217.220.196    128  DoS to TCP/6001           Hosting Services/Utah
64.13.250.37       119  DoS to TCP/53             Media Temple/California
174.120.243.99     103  DoS to TCP/443            The Planet/Houston
83.169.10.44       102  DoS to TCP/6055           Host Europe/Germany


2010-08-23 Monday, IP Addresses sourcing backscatter to port 3072:

IP Address        Hits  Attack                    Owner/location
---------------   ----  ------------------------  ------------------------------
173.236.48.74     8060  DoS to TCP/80             SINGLEHOP/Chicago
88.191.109.110    3883  DoS to TCP/8220           Dedibox/France
188.121.46.128    1378  DoS to TCP/22             Go Daddy/Netherlands
173.192.16.200     879  DoS to TCP/6030           SoftLayer/Chicago
88.190.12.49       631  DoS to TCP/6049           Free SAS/France
208.43.135.140     381  DoS to TCP/6003           SoftLayer/Chicago
68.168.125.186     361  DoS to TCP/80             Genious Communications/Morocco
85.13.137.190      320  DoS to TCP/80             Neue Medien Muennich/Germany
69.64.52.207       311  DoS to TCP/6012           Hosting Solutions/Missouri
85.25.184.50       261  DoS to TCP/6005           PlusServer/Germany
91.121.142.227     249  DoS to TCP/6016           ovh.com/France
206.217.195.242    219  DoS to TCP/6005           Hosting Services/Utah
109.200.1.59       134  DoS to TCP/6001           Redstation/England
188.165.201.13     119  DoS to TCP/6005           ovh.com/France
92.81.10.184       119  DoS to TCP/0              ARtelecom/Romania


2010-08-24 Tuesday, IP Addresses sourcing backscatter to port 3072:

IP Address        Hits  Attack                    Owner/location
---------------   ----  ------------------------  ------------------------------
83.142.229.115    2242  DoS to TCP/80             RapidSwitch/England
88.191.109.110    1745  DoS to TCP/8220           Dedibox SAS/France
207.218.201.122    693  DoS to TCP/6010           ThePlanet/Houston
85.13.137.190      445  DoS to TCP/80             Neue Medien Muennich/Germany
92.51.187.150      177  DoS to TCP/19505          Host Europe/Germany
91.121.142.227     176  DoS to TCP/6016           ovh.com/France
178.77.127.75      136  DoS to TCP/19505          Host Europe/Germany
173.1.78.154       107  DoS to TCP/6000           GoGrid/San Francisco

This particular form of attack is winding down. As you can see, these guys have been very busy. They made many friends.

Finally, today USU is observing the largest amount of backscatter so far. It started at about 11:30 (GMT-6). It is still going at 16:30. It looks like:


11:29:25.351440 IP 72.52.4.107.80 > 129.123.182.100.10419: tcp 0
11:29:25.407800 IP 72.52.4.107.80 > 129.123.15.252.50190: tcp 0
11:29:25.428517 IP 72.52.4.107.80 > 129.123.70.86.59460: tcp 0
11:29:25.441297 IP 72.52.4.107.80 > 129.123.188.119.4281: tcp 0
11:29:25.452979 IP 72.52.4.107.80 > 129.123.136.254.57477: tcp 0
11:29:25.463312 IP 72.52.4.107.80 > 129.123.42.180.22569: tcp 0
11:29:25.463914 IP 72.52.4.107.80 > 129.123.186.194.6327: tcp 0
11:29:25.475343 IP 72.52.4.107.80 > 129.123.143.170.50316: tcp 0
11:29:25.501002 IP 72.52.4.107.80 > 129.123.78.92.51276: tcp 0
11:29:25.553318 IP 72.52.4.107.80 > 129.123.74.68.55368: tcp 0
11:29:25.557961 IP 72.52.4.107.80 > 129.123.133.242.60546: tcp 0
11:29:25.564151 IP 72.52.4.107.80 > 129.123.228.218.28896: tcp 0
11:29:25.614323 IP 72.52.4.107.80 > 129.123.171.140.21672: tcp 0
11:29:25.660949 IP 72.52.4.107.80 > 129.123.74.129.55368: tcp 0
11:29:25.676523 IP 72.52.4.107.80 > 129.123.165.11.27810: tcp 0
11:29:25.720354 IP 72.52.4.107.80 > 129.123.164.196.28833: tcp 0
11:29:25.733484 IP 72.52.4.107.80 > 129.123.131.130.62592: tcp 0
11:29:25.751105 IP 72.52.4.107.80 > 129.123.70.124.59460: tcp 0
11:29:25.778561 IP 72.52.4.107.80 > 129.123.182.90.10419: tcp 0

12:31:00.931039 IP 72.52.4.107.80 > 129.123.162.123.30879: S 968344514:968344514(0) ack 1477005901 win 65535
0x0000: 4500 0028 d64d 0000 6506 0eed 4834 046b E..(.M..e...H4.k
0x0010: 817b a27b 0050 789f 39b7 c3c2 5809 524d .{.{.Px.9...X.RM
0x0020: 5012 ffff 1e7d 0000 0000 0000 0000 P....}........
12:31:00.949410 IP 72.52.4.107.80 > 129.123.143.183.50316: S 1087575375:1087575375(0) ack 3565772356 win 65535
0x0000: 4500 0028 b544 0000 5d06 4aba 4834 046b E..(.D..].J.H4.k
0x0010: 817b 8fb7 0050 c48c 40d3 154f d489 5e44 .{...P..@..O..^D
0x0020: 5012 ffff 0432 0000 0000 0000 0000 P....2........
12:31:00.981559 IP 72.52.4.107.80 > 129.123.42.231.22569: S 1519808016:1519808016(0) ack 3094006036 win 65535
0x0000: 4500 0028 2e14 0000 4a06 49bb 4834 046b E..(....J.I.H4.k
0x0010: 817b 2ae7 0050 5829 5a96 6e10 b86a c914 .{*..PX)Z.n..j..
0x0020: 5012 ffff 1430 0000 0000 0000 0000 P....0........

USU's IP address space is a /16, and our darknet is about a /18, that is 2^18 of the 2^32 IPv4 addresses. So, if the attackers are spoofing randomly across the whole address space, each SYN/ACK that lands on our darknet stands for roughly 2^32/2^18 = 16,384 replies the victim sent; the 19 packets in the 0.43-second sample above (about 44 per second) would then mean the poor victim is somehow replying to on the order of 700,000 attack packets per second. Neat trick. The actual number of attack packets is probably much larger, since a flooded server answers only a fraction of what it receives. Or the attacker is preferentially spoofing USU IP addresses.

I checked the current routing for 72.52.4.107 at the Cymru IP to ASN lookup tool: http://asn.cymru.com/

According to them, 72.52.4.0/24 is currently being handled by AS 32787 (PROLEXIC Prolexic Technologies, Inc.). Prolexic specializes in helping companies deal with DoS attacks. So, this attack has probably been going on for a while. It probably initially overwhelmed the victim. Then they called in the big guns at Prolexic. In the process, Prolexic, now answering the SYNs on the victim's behalf, generated enough backscatter to draw our attention.

I sent Prolexic an email and asked about this attack. I was wondering if USU's IP addresses were being preferentially used by the attackers. They promptly responded. One tech said they just discard the junk; they don't waste a lot of time analyzing it. A more senior engineer said that this attack originates from China, and the attackers don't seem to be spoofing USU any more than anybody else. He also had the impression that these kinds of attacks were on the increase. I am very impressed with Prolexic's professionalism.

I am left with a faint feeling that the world is out to get me, but again bereft of substantial proof.

Miles
