
09/08/2014 [SPAM] Nuclearfallout, Enterprises, Inc. @ U.S. Texas 7 (161)

Original report:

You appear to be running an open SNMP server at IP address 173.255.138.89 that
participated in an attack against a customer of ours today, generating large UDP
responses to spoofed queries, with those responses becoming fragmented because
of their size.

Please consider reconfiguring your SNMP system in one or more of these ways:

- Block queries made by unauthorized addresses. This can be done with an ACL or
other firewall rule.
- Use a different query string than "public", one which cannot be easily
guessed by a 3rd party.
- Disable SNMP entirely.

If you are an ISP, please also look at your network configuration and make sure
that you do not allow spoofed traffic (that pretends to be from external IP
addresses) to leave the network. Hosts that allow spoofed traffic make this type
of attack possible.

Example SNMP responses sent to us by your device during the attack are given
below.
Timestamps (far left) are PDT (UTC-7), and the date is 2014-08-01.

20:52:21.522195 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17),
length 1218) 173.255.138.89.161 > 74.91.113.x.3659: UDP, length 1190
0x0000: 4500 04c2 0000 4000 3811 49f7 adff 8a59 E.....@.8.I....Y
0x0010: 4a5b 7180 00a1 0e4b 04ae f0fb 3082 04a2 J[q....K....0...
0x0020: 0201 0104 0670 7562 6c69 63a2 8204 9302 .....public.....
0x0030: 024e 4702 0100 0201 0030 8204 8530 6806 .NG......0...0h.
0x0040: 082b 0601 0201 0101 0004 5c4c 696e 7578 .+........\\Linux
0x0050: 2063 .c
20:52:21.694213 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17),
length 1218) 173.255.138.89.161 > 74.91.113.x.3659: UDP, length 1190
0x0000: 4500 04c2 0000 4000 3811 49f7 adff 8a59 E.....@.8.I....Y
0x0010: 4a5b 7180 00a1 0e4b 04ae cdfb 3082 04a2 J[q....K....0...
0x0020: 0201 0104 0670 7562 6c69 63a2 8204 9302 .....public.....
0x0030: 024e 4702 0100 0201 0030 8204 8530 6806 .NG......0...0h.
0x0040: 082b 0601 0201 0101 0004 5c4c 696e 7578 .+........\\Linux
0x0050: 2063 .c

(The final octet of our customer's IP address is masked in the above output
because some automatic parsers become confused when multiple IP addresses are
included. The value of that octet is "128".)

-John
President
Nuclearfallout, Enterprises, Inc. (NFOservers.com)

(We're sending out so many of these notices, and seeing so many auto-responses,
that we can't go through this email inbox effectively. If you have follow-up
questions, please contact us at noc@nfoe.net.)

---------------------------------------------------------------------------
Regolithmedia | All In One Business Solution
One Stop Solutions For Your IT needs
http://www.regolithmedia.com
Facebook : http://www.facebook.com/Regolithmedia
Twitter : http://twitter.com/regolithmedia

Action that has been taken from Proxy.sh: Because the server is located in a jurisdiction with precise intellectual property laws, we have reset the accounts that forwarded port 161 (nothing could identify a single account), and we have blocked port 161 in the firewall.
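The hex dumps in the report are enough to verify the diagnosis without trusting the prose: the IP total length, the UDP length and the BER length prefixes can be cross-checked against each other, and the community string, PDU type and first OID can be read straight out of the bytes. The following decoder is an added example, not code from NFOservers, Proxy.sh or the relaying party. Its input is the first packet of the report transcribed byte for byte, with the masked destination octet restored to 128 as the report states; tcpdump captured only the first 82 bytes of the 1218-byte datagram, so the parser deliberately tolerates a truncated final value. The "open reflector" heuristics at the end are my own, and the 1000-byte threshold is an assumption, since the report does not show the spoofed query whose size an amplification ratio would need.

```python
"""Decode the SNMP reflection response quoted in the abuse report above.

Added example; the bytes are transcribed from the report's first tcpdump
hex block (constructed input for this example, not a live capture).
"""
import ipaddress
import struct

# First 82 bytes of the 1218-byte datagram, as printed by tcpdump -X in the report.
CAPTURE_HEX = (
    "4500 04c2 0000 4000 3811 49f7 adff 8a59"
    "4a5b 7180 00a1 0e4b 04ae f0fb 3082 04a2"
    "0201 0104 0670 7562 6c69 63a2 8204 9302"
    "024e 4702 0100 0201 0030 8204 8530 6806"
    "082b 0601 0201 0101 0004 5c4c 696e 7578"
    "2063"
)
CAPTURE = bytes.fromhex(CAPTURE_HEX.replace(" ", ""))

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
SNMP_VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def read_tlv(buf, pos):
    """Return (tag, length, value_offset) for the BER TLV header at pos.
    Handles the long-form lengths (0x82 xx xx) that large responses use."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7F
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def read_int(buf, pos):
    """Parse a BER INTEGER at pos, returning (value, next_pos)."""
    tag, length, start = read_tlv(buf, pos)
    if tag != 0x02:
        raise ValueError(f"expected INTEGER at {pos}, got tag 0x{tag:02x}")
    return int.from_bytes(buf[start:start + length], "big", signed=True), start + length


def decode_oid(raw):
    """Expand BER OID sub-identifiers (base-128, high bit = continuation)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    cur = 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def decode_packet(pkt):
    """Decode IPv4 + UDP + the SNMP header and first varbind of a datagram.
    Works on a truncated capture: the first varbind's value may be cut off."""
    ver_ihl, _tos, total_len, _id, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, udp_len, _udp_csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    info = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "sport": sport, "dport": dport, "ttl": ttl,
        "df": bool(flags_frag & 0x4000),       # Don't Fragment bit
        "ip_total_len": total_len,
        "udp_payload_len": udp_len - 8,
        "captured_len": len(pkt),
    }
    if proto != 17:
        return info
    pos = ihl + 8
    _tag, msg_len, pos = read_tlv(pkt, pos)            # Message ::= SEQUENCE
    info["snmp_msg_len"] = msg_len + (pos - ihl - 8)   # TLV header + content
    version, pos = read_int(pkt, pos)
    info["version"] = SNMP_VERSIONS.get(version, f"unknown({version})")
    _tag, clen, start = read_tlv(pkt, pos)             # community OCTET STRING
    info["community"] = pkt[start:start + clen].decode("ascii", "replace")
    pdu_tag, _pdu_len, pos = read_tlv(pkt, start + clen)
    info["pdu"] = PDU_NAMES.get(pdu_tag, f"0x{pdu_tag:02x}")
    info["request_id"], pos = read_int(pkt, pos)
    info["error_status"], pos = read_int(pkt, pos)
    info["error_index"], pos = read_int(pkt, pos)
    _tag, _vbl_len, pos = read_tlv(pkt, pos)           # VarBindList SEQUENCE
    _tag, _vb_len, pos = read_tlv(pkt, pos)            # first VarBind SEQUENCE
    _tag, olen, start = read_tlv(pkt, pos)             # OBJECT IDENTIFIER
    info["oid"] = decode_oid(pkt[start:start + olen])
    _tag, vlen, start = read_tlv(pkt, start + olen)    # value (here OCTET STRING)
    value = pkt[start:start + vlen]
    info["value_len"] = vlen
    info["value_prefix"] = value.decode("ascii", "replace")
    info["value_truncated"] = len(value) < vlen        # capture ended early
    return info


def reflector_indicators(info):
    """Heuristics (mine, not the report's) that support the 'open SNMP
    reflector' diagnosis. Size threshold is an assumption; the query size
    needed for a true amplification ratio is not shown on the page."""
    hits = []
    if info.get("sport") == 161 and info.get("pdu") == "GetResponse":
        hits.append("GetResponse leaving port 161 toward an ephemeral port")
    if info.get("community") == "public":
        hits.append("answered the default community 'public'")
    if info.get("error_status") == 0 and info.get("oid", "").startswith("1.3.6.1.2.1.1."):
        hits.append("returned system-group data (sysDescr) without error")
    if info.get("ip_total_len", 0) > 1000:
        hits.append(f"{info['ip_total_len']}-byte datagram: large reflected payload")
    return hits


if __name__ == "__main__":
    decoded = decode_packet(CAPTURE)
    for key, val in decoded.items():
        print(f"{key:>16}: {val}")
    for hit in reflector_indicators(decoded):
        print("  -", hit)
```

Running it shows the three length fields agree (IP total 1218 = 20 + 8 + 1190; the SNMP SEQUENCE header plus its 1186-byte body is also 1190), that the message is an SNMPv2c GetResponse to community "public" with request-id 20039, and that the first varbind is sysDescr.0 (1.3.6.1.2.1.1.1.0) carrying a 92-byte string of which only "Linux c" survived the capture. To reproduce the check on your own hosts, feed the script the output of `tcpdump -nn -X udp port 161` instead of the embedded bytes.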
