3 million packets per second . Good Summer Holidays!

Good Summer!

As I saw during the last week, I can say that booters do not go on vacation. A new botnet is moving around the network: I see its shadow, but I have not identified it yet.

Different customers, with different services and in different countries, have been hit by the same botnet, which makes me think it is a paid booter. This botnet is interesting because of its flexibility: the attacker switches within seconds from 40-byte TCP attacks to GRE traffic, can peak at about 3 Gbps (for a few minutes) or hold 1.5 Gbps for hours (maybe days?), the source ports are of course random, and the attacked ports/IPs can be customised.

As you can read, it is not the size of the attack that creates the problem, but the ability to switch 3 million PPS on the fly. Managed by expert hands, it can create some noise in dynamic filters, so we need to analyze the packets to find a valid solution.

First of all we cut off the peaks and look at the average rate:

rx: 1.54 Gbit/s
pps: 3331150 p/s
3.3 million PPS can kill any x86 machine and some low-end routers. So how do we protect against it?

If you are inside the SeFlow network, we patched the filters when we received the first attack, so you are safe. But this post was written so that every network can patch and make the botnet harmless. Here are some packets:

01:53:52.000365 IP (tos 0x0, ttl 238, id 30552, offset 0, flags [none], proto TCP (6), length 40)
54.207.192.237.64392 > 83.136.106.xx.http: Flags [S], cksum 0x5c4c (correct), seq 2725052416, win 0, length 0
0x0000: 4500 0028 7758 0000 ee06 a027 36cf c0ed E..(wX.....'6...
0x0010: 5388 6a0b fb88 0050 a26d 0000 0000 0000 S.j....P.m......
0x0020: 5002 0000 5c4c 0000 0000 0000 0000 P...\L........
01:53:52.000366 IP (tos 0x0, ttl 241, id 26544, offset 0, flags [none], proto TCP (6), length 40)
154.141.170.228.45837 > 83.136.106.xx.http: Flags [S], cksum 0x6e65 (correct), seq 2333736960, win 0, length 0
0x0000: 4500 0028 67b0 0000 ee06 621a 9a8d aae4 E..(g.....b.....
0x0010: 5388 6a0b b30d 0050 8b1a 0000 0000 0000 S.j....P........
0x0020: 5002 0000 6e65 0000 0000 0000 0000 P...ne........
01:53:52.000358 IP (tos 0x0, ttl 247, id 17287, offset 0, flags [none], proto TCP (6), length 40)
61.164.205.75.59140 > 83.136.106.xx.http: Flags [S], cksum 0x1a92 (correct), seq 3849846784, win 0, length 0
0x0000: 4500 0028 4387 0000 ee06 c0c5 3da4 cd4b E..(C.......=..K
0x0010: 5388 6a0b e704 0050 e578 0000 0000 0000 S.j....P.x......
0x0020: 5002 0000 1a92 0000 0000 0000 0000 P.............
01:53:52.000359 IP (tos 0x0, ttl 238, id 23280, offset 0, flags [none], proto TCP (6), length 40)
137.239.125.62.41284 > 83.136.106.xx.http: Flags [S], cksum 0x5298 (correct), seq 4143185920, win 0, length 0
0x0000: 4500 0028 5af0 0000 ee06 ad1e 89ef 7d3e E..(Z.........}>
0x0010: 5388 6a0b a144 0050 f6f4 0000 0000 0000 S.j..D.P........
0x0020: 5002 0000 5298 0000 0000 0000 0000 P...R.........
01:53:52.000369 IP (tos 0x0, ttl 238, id 33671, offset 0, flags [none], proto TCP (6), length 40)
97.124.97.240.39459 > 83.136.106.xx.http: Flags [S], cksum 0x4281 (correct), seq 1374552064, win 0, length 0
0x0000: 4500 0028 8387 0000 ee06 c848 617c 61f0 E..(.......Ha|a.
0x0010: 5388 6a0b 9a23 0050 51ee 0000 0000 0000 S.j..#.PQ.......
0x0020: 5002 0000 4281 0000 0000 0000 0000 P...B.........
01:53:52.000370 IP (tos 0x0, ttl 238, id 4837, offset 0, flags [none], proto TCP (6), length 40)
120.242.113.172.34206 > 83.136.106.xx.http: Flags [S], cksum 0x7374 (correct), seq 239992832, win 0, length 0
0x0000: 4500 0028 12e5 0000 ee06 11b9 78f2 71ac E..(........x.q.
0x0010: 5388 6a0b 859e 0050 0e4e 0000 0000 0000 S.j....P.N......
0x0020: 5002 0000 7374 0000 0000 0000 0000 P...st........

This example is a 40-byte SYN attack. After a few minutes we saw the attack switch to GRE and finally to generic empty TCP. Analyzing the packets, we see that the source port is random and the TTLs differ, and we cannot simply rate-limit SYNs. So how do we filter? We need to be creative!

Analyzing the full log, we see that 40% of the packets have TTL 237 or 238, so filtering out these TTLs drops the attack power to about 2 million PPS.

If you have a Cisco router (like us) you can apply a static ACL:

	deny ip any any ttl eq 237 238


On MikroTik, open WinBox and create raw rules (prerouting chain) that block these TTLs (please take my rules as an example and adjust accordingly):

	/ip firewall raw add chain=prerouting protocol=tcp ttl=equal:237 action=drop
	/ip firewall raw add chain=prerouting protocol=tcp ttl=equal:238 action=drop

If you run a Linux box, drop them in iptables:

	iptables -A FORWARD -m ttl --ttl-eq 237 -j DROP
	iptables -A FORWARD -m ttl --ttl-eq 238 -j DROP

OK, now we have mitigated part of them. To complete the mitigation we need to drop the payload. Analyzing the packets, we find the strings |5388 6a0b| and |5388 6a0a|, which are the same in every packet, so we can block on them. We use some Tilera servers to do advanced filtering; you can filter with string match in iptables. Here are some useful rules:

	iptables -A FORWARD -p tcp -m tcp -m length --length 40 -m string --hex-string "|53886a6a|" --algo bm -j DROP
	iptables -A FORWARD -p tcp -m tcp -m length --length 40 -m string --hex-string "|53886a0b|" --algo bm -j DROP
	iptables -A FORWARD -p gre -m string --hex-string "|53886a6a|" --algo bm -j DROP

Please remember that this botnet can switch from TCP to GRE packets within seconds, so it is important that you add GRE protocol filtering to your iptables rules.
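To check the two observations above on a capture (the TTL distribution from the "analyzing the full log" step, and what the |5388 6a0b| string rule actually matches), here is an added Python example; it is not SeFlow's tooling and not part of the original post. It parses tcpdump -nnvvX output (TTL, protocol and length from the summary line, the raw bytes from the hex dump), using four of the packets quoted above as a constructed sample with the anonymised last octet restored to .11 because the hex at 0x0010 reads 5388 6a0b, and mirrors the post's TTL and string rules to report which rule would drop each packet. One thing the byte offsets make visible: the iptables string match scans from the start of the IP header, and |5388 6a0b| is the destination address 83.136.106.11 at offset 16, so the TCP string rule is effectively "every 40-byte TCP packet to that host". The --length 40 match is what keeps it off normal traffic, but note that pure ACKs without TCP options are also 40 bytes, so watch for collateral damage on that host. Function and constant names (parse_capture, rule_hit, NEEDLES and so on) are my own.

```python
"""Triage a tcpdump -nnvvX capture of the 40-byte SYN flood described above.

Added example for this post, not SeFlow's tooling. SAMPLE is constructed from
four of the packets quoted above (anonymised target octet restored to .11, as
the hex at 0x0010 reads 5388 6a0b). The post's TTL and --hex-string rules are
mirrored so their effect on the sample can be measured."""
import re
from collections import Counter

SUMMARY = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP \(tos \S+, ttl (?P<ttl>\d+), .*?"
                     r"proto (?P<proto>\w+) \(\d+\), length (?P<len>\d+)\)")
TCPLINE = re.compile(r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.\w+: "
                     r"Flags \[(?P<flags>[^\]]*)\]")
TTL_DROP = {237, 238}                                              # the post's "ttl eq 237 238"
NEEDLES = [bytes.fromhex("53886a6a"), bytes.fromhex("53886a0b")]  # the post's --hex-string values

SAMPLE = r"""
01:53:52.000365 IP (tos 0x0, ttl 238, id 30552, offset 0, flags [none], proto TCP (6), length 40)
    54.207.192.237.64392 > 83.136.106.11.http: Flags [S], cksum 0x5c4c (correct), seq 2725052416, win 0, length 0
    0x0000: 4500 0028 7758 0000 ee06 a027 36cf c0ed E..(wX.....'6...
    0x0010: 5388 6a0b fb88 0050 a26d 0000 0000 0000 S.j....P.m......
    0x0020: 5002 0000 5c4c 0000 0000 0000 0000 P...\L........
01:53:52.000366 IP (tos 0x0, ttl 241, id 26544, offset 0, flags [none], proto TCP (6), length 40)
    154.141.170.228.45837 > 83.136.106.11.http: Flags [S], cksum 0x6e65 (correct), seq 2333736960, win 0, length 0
    0x0000: 4500 0028 67b0 0000 ee06 621a 9a8d aae4 E..(g.....b.....
    0x0010: 5388 6a0b b30d 0050 8b1a 0000 0000 0000 S.j....P........
    0x0020: 5002 0000 6e65 0000 0000 0000 0000 P...ne........
01:53:52.000358 IP (tos 0x0, ttl 247, id 17287, offset 0, flags [none], proto TCP (6), length 40)
    61.164.205.75.59140 > 83.136.106.11.http: Flags [S], cksum 0x1a92 (correct), seq 3849846784, win 0, length 0
    0x0000: 4500 0028 4387 0000 ee06 c0c5 3da4 cd4b E..(C.......=..K
    0x0010: 5388 6a0b e704 0050 e578 0000 0000 0000 S.j....P.x......
    0x0020: 5002 0000 1a92 0000 0000 0000 0000 P.............
01:53:52.000359 IP (tos 0x0, ttl 238, id 23280, offset 0, flags [none], proto TCP (6), length 40)
    137.239.125.62.41284 > 83.136.106.11.http: Flags [S], cksum 0x5298 (correct), seq 4143185920, win 0, length 0
    0x0000: 4500 0028 5af0 0000 ee06 ad1e 89ef 7d3e E..(Z.........}>
    0x0010: 5388 6a0b a144 0050 f6f4 0000 0000 0000 S.j..D.P........
    0x0020: 5002 0000 5298 0000 0000 0000 0000 P...R.........
"""


def parse_capture(text):
    """Group each tcpdump summary line with its detail line and hex dump (-X output)."""
    packets = []
    for line in map(str.strip, text.splitlines()):
        m = SUMMARY.match(line)
        if m:
            packets.append({"ttl": int(m["ttl"]), "proto": m["proto"],
                            "len": int(m["len"]), "raw": bytearray()})
            continue
        if not packets:
            continue
        t = TCPLINE.match(line)
        if t:
            packets[-1].update(src=t["src"], sport=int(t["sport"]), dst=t["dst"], flags=t["flags"])
        elif line.startswith("0x"):
            for tok in line.split()[1:]:
                if not re.fullmatch(r"[0-9a-f]{4}", tok):
                    break                     # first non-hex token starts the ASCII column
                packets[-1]["raw"] += bytes.fromhex(tok)
    for p in packets:                         # keep only the IP datagram: the dump also shows the
        p["raw"] = bytes(p["raw"][:p["len"]])  # Ethernet padding that brings 40 bytes up to 46
    return packets


def ttl_histogram(packets):
    """Share of packets per TTL, most common first; the TTL drop pays off when a few values dominate."""
    counts = Counter(p["ttl"] for p in packets)
    return {ttl: round(n / len(packets), 2) for ttl, n in counts.most_common()}


def source_port_reuse(packets):
    """Fraction of TCP packets whose source port is shared with another one; near 0 means random ports."""
    ports = Counter(p["sport"] for p in packets if "sport" in p)
    return sum(n for n in ports.values() if n > 1) / max(sum(ports.values()), 1)


def locate(raw, needle):
    """Where a --hex-string needle sits: the string match scans from the IP header, not the payload."""
    off = raw.find(needle)
    if off < 0:
        return None
    if 16 <= off < 20:
        return off, "IPv4 destination address"
    return off, ("IPv4 header" if off < 20 else "after the IPv4 header")


def rule_hit(p):
    """First of the post's rules that drops the packet, or None (TTL rules sit before the string rules)."""
    if p["ttl"] in TTL_DROP:
        return "ttl"
    if any(n in p["raw"] for n in NEEDLES):
        if p["proto"] == "TCP" and p["len"] == 40:
            return "tcp-len40-string"
        if p["proto"] == "GRE":
            return "gre-string"
    return None


def filter_report(packets):
    """Packets per dropping rule; 'pass' counts what would still reach the host."""
    return dict(Counter(rule_hit(p) or "pass" for p in packets))


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    print("ttl share:", ttl_histogram(pkts))
    print("source-port reuse:", source_port_reuse(pkts))
    print("|5388 6a0b| found at:", locate(pkts[0]["raw"], NEEDLES[1]))
    print("drops by rule:", filter_report(pkts))
```

Run it against your own `tcpdump -nnvvX -r flood.pcap` output instead of SAMPLE and compare the "pass" count before and after adding a TTL value to TTL_DROP; that is the same arithmetic as the post's "40% of packets, down to about 2 million PPS" estimate, done on the capture rather than by eye.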

If you use x86 servers as a firewall, to absorb this attack you need at least two of them with good Intel 10 GbE NICs. In this case it is VERY IMPORTANT that you disable irqbalance in your OS and tune the IRQ affinity by hand. If your NIC has ntuple capabilities, we suggest enabling them and starting to do the filtering in hardware.