(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog



DDoS involving forged packets from 23.225.141.70

Posted September 25, 2018 by shaun

As noted in a tweet from @AlecMuffett, there's a large DDoS attack taking place involving forged packets whose source address is set to 23.225.141.70.

I have servers on a variety of networks, and tcpdump shows traffic "from" 23.225.141.70 to destination port 80 at all of them. My points of observation are widespread, so this attack is likely spraying much of the IPv4 space. The volume I'm seeing at any given host is only ~25 packets per second, but summed across every host that answers those spoofed packets, the traffic reflected back at the victim could be millions of times that number.

CeraNetworks/CloudRadium, the owner of 23.224.0.0/15, is responding to abuse reports with a statement that 23.225.141.70 is the target and not the source of the DDoS.

Dropping traffic to and from 23.225.141.70 can prevent your system from contributing to the reflection:

    [root@host ~]# iptables -I OUTPUT -d 23.225.141.70 -j DROP
    [root@host ~]# iptables -I INPUT -s 23.225.141.70 -j DROP

...or the equivalent for your OS, until the DDoS gets filtered by transit providers.
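An added detection example (not from the original post) that applies the observation above to a tcpdump capture: it parses tcpdump's default TCP line format and flags any source address that sends a sustained stream of bare SYNs to a service port with no follow-up ACK, the pattern of a spoofed-source flood that would make this host reflect SYN-ACKs at the victim. The capture lines, host addresses and the ~25 packets/second rate are constructed for the example.

```python
import re
from collections import defaultdict

# Matches tcpdump's default IPv4/TCP output, e.g.
# "10:01:02.000100 IP 23.225.141.70.41234 > 203.0.113.5.80: Flags [S], seq 1, win 512, length 0"
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse(lines):
    """Yield (second, src, dport, flags) for each TCP line tcpdump printed."""
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("src"), int(m.group("dport")), m.group("flags")

def suspect_spoofed_sources(lines, min_pps=10, min_seconds=2):
    """Return {src: peak_syn_per_second} for sources that send at least
    min_pps bare SYNs per second during at least min_seconds distinct seconds.
    A real client sends one SYN then ACKs; a spoofed flood is SYNs only."""
    per_second = defaultdict(lambda: defaultdict(int))  # src -> second -> SYN count
    for ts, src, dport, flags in parse(lines):
        if flags == "S":                      # SYN only, no ACK bit
            per_second[src][ts] += 1
    flagged = {}
    for src, buckets in per_second.items():
        hot = [n for n in buckets.values() if n >= min_pps]
        if len(hot) >= min_seconds:
            flagged[src] = max(hot)
    return flagged

def constructed_capture():
    """Constructed sample: three seconds of ~25 SYN/s with a forged source,
    plus one legitimate client that completes its handshake and sends data."""
    lines = []
    for sec in range(3):
        for i in range(25):
            lines.append(f"10:01:0{sec}.{i:06d} IP 23.225.141.70.{40000 + i} > "
                         f"203.0.113.5.80: Flags [S], seq 0, win 512, length 0")
    lines += [
        "10:01:01.500000 IP 198.51.100.7.51000 > 203.0.113.5.80: Flags [S], seq 10, win 65535, length 0",
        "10:01:01.500800 IP 198.51.100.7.51000 > 203.0.113.5.80: Flags [.], ack 1, win 65535, length 0",
        "10:01:01.501000 IP 198.51.100.7.51000 > 203.0.113.5.80: Flags [P.], seq 11:100, ack 1, win 65535, length 89",
    ]
    return lines

if __name__ == "__main__":
    for src, pps in suspect_spoofed_sources(constructed_capture()).items():
        print(f"{src}: {pps} bare SYN/s sustained; candidate for the DROP rules above")
```

Run it against a real capture with `tcpdump -nn -l 'tcp[tcpflags] & tcp-syn != 0' | python3 script.py` after swapping `constructed_capture()` for `sys.stdin`; the flagged address is the one to put in the INPUT/OUTPUT drop rules.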

If you operate an AS, please implement BCP38 and prevent spoofed traffic from egressing your network.

If you're an end user, consider installing and running CAIDA's Spoofer client to help identify networks that still allow this spoofed traffic to be sent.


Card image by Sagor Kumar, via Wikimedia Commons
