Hello friends.
My network attack with DDOS on UDP protocol . How can I block it .
My Scenario :
[INTERNET] ---> CCR1036 ---> USERS/NETWORK
I read all wiki pages too , Please specify a way with below Torch windows :



Thanks
Disable the DNS service that allows access from outside your network.
You can block DNS requests from the internet. Ensure they are above any UDP or TCP allow rules.
/ip firewall filter
add chain=input action=drop dst-port=53 protocol=udp in-interface=ether1
add chain=input action=drop dst-port=53 protocol=tcp in-interface=ether1
If ether1 is not your WAN interface, change that.
Thanks, but it is not always from DNS (53). If you check the second image, the attack came from ports 16464, 16465, 16470 on the UDP protocol, and it can change to other port numbers at any time.
I block the attackers' IP range manually, but this is not a good idea. I am trying to find an automatic rule to detect and block it.
Thanks.
ZeroAccess (Sirefef, Vobfus, 0access), is a rather prolific piece of malware.
On Sophos’ research blog, James Wyke summarizes the ongoing tracking of the ZeroAccess rootkit and its botnet:
http://nakedsecurity.sophos.com/2012/09/19/zeroaccess-botnet-uncovered/
Over 9 million computers compromised with this rootkit! I suggest reading through this and following all the links to previous ZeroAccess articles. One of the more important ones is the Sophos ZeroAccess Botnet technical paper you can download at http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx.
If somehow reading “9 million computers compromised” wasn’t enough, Sean at F-Secure’s blog posted a visual representation using Google Earth:
http://www.f-secure.com/weblog/archives/00002430.html
So what does ZeroAccess actually do? It mines bitcoins and runs click fraud. If you aren’t that familiar with bitcoin currency, you may want to read up on it quick: http://en.wikipedia.org/wiki/Bitcoin#Mining_and_node_operation
The botnet operates on different ports depending on which version of the rootkit is installed.
Version 1 uses a P2P protocol over UDP 21810, 22292, 34354, 34355. Version 2 uses a P2P protocol over UDP 16464, 16465, 16470, and 16471. In my observation port 16464 seems to be the most popular. Each P2P node keeps a list of 256 other IP addresses. Here is a hint for network administrators - if you notice a large count of outbound UDP/16464 traffic going to a repeating list of IP addresses registered to many different countries, then you are likely looking at a ZeroAccess infection.
During the install of the rootkit, there is some other suspicious activity that happens. One request is masked as a hit against a counter:
http://[counter_site]/[unique_id]/counter.img?theme=[number]&digits=10&siteId=[number]
The counter site is hosted on 213.108.252.185. The Sophos paper notes bigfatcounters.com, legitfreecounters.com, and forever-counters.com being used. There are other counter sites hosted here as well.
Then an encrypted copy of information is also sent via DNS.
Next a site is resolved via Google’s 8.8.8.8, and a geo lookup is performed. The Sophos paper notes promos.fling.com/geo/txt/city.php, but I have seen it hit other sites with geo scripts as well. These are legitimate sites that are being abused for this lookup.
Here is another technical analysis of ZeroAccess (Version 1) by Kindsight:
http://www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-ZeroAcess-Botnet-final.pdf
Except for a few key details, it reads like a completely different malware. It notes that ports 22292, 21810, and 34354 are TCP, not UDP.
With this variant, it periodically sends a request to counter.yadro.ru. It also sends a request with the url /new/links.php?w=40&n=1 (in the example the host was rfwufnai.cn), that returns a list of links to perform click fraud against.
Here is another analysis by Kindsight:
This one includes some of the newer details that match the Sophos analysis. It additionally mentions at some point malformed DNS requests were sent to 66.85.130.234. That is likely one of the checkins with the encrypted payload on port 53.
Other interesting articles related to the evolution of ZeroAccess:
ZeroAccess Rootkit Launched by Signed Installers:
http://blogs.mcafee.com/mcafee-labs/zeroaccess-rootkit-launched-by-signed-installers
An Advanced Kernel Mode Rootkit:
http://pxnow.prevx.com/content/blog/zeroaccess_analysis.pdf
ZeroAccess Code Injection Chronicles:
http://blog.eset.com/2012/06/25/zeroaccess-code-injection-chronicles
ZeroAccess Botnet Cashing in on Click Fraud and Bitcoin Mining:
http://threatpost.com/en_us/blogs/zeroaccess-botnet-cashing-click-fraud-and-bitcoin-mining-103012
Read the full article at ZeroAccess Rootkit and Botnet
What will the experts say about this? A lot of traffic is coming to a local port, and it's bringing down my MT again and again every 2 hours!

Hello;
My WordPress site has been under botnet attack for a period of time and I cannot do anything about it. With MikroTik NAT or Layer7, is there a possibility of blocking the site by referrer?
For example: direct visitors entering domain.com/index.php to domain.com/secure.php to verify whether you are really there; the robot follows a path, and how should I keep going?
BOTNET ATTACK TO REFERER:
88.227.162.31 - - [12/Apr/2014:20:10:13 +0300] "GET /TpIGVJUB HTTP/1.1" 404 7863 "http://www.birdirbir.com/?utm_source=taskbar&utm_campaign=igen" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
78.190.70.170 - - [12/Apr/2014:20:10:21 +0300] "GET /20ohQryr HTTP/1.1" 404 7895 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
46.19.140.138 - - [12/Apr/2014:20:10:12 +0300] "GET /V9TJheVg HTTP/1.1" 404 7897 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"
189.148.60.201 - - [12/Apr/2014:20:09:57 +0300] "GET /hqagiJ9A HTTP/1.1" 200 1605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36"
88.230.210.116 - - [12/Apr/2014:20:09:57 +0300] "GET /zxlEjxuo HTTP/1.1" 200 7865 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
82.222.68.96 - - [12/Apr/2014:20:10:20 +0300] "GET /2PZM5Huc HTTP/1.1" 404 7863 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
88.235.95.10 - - [12/Apr/2014:20:10:20 +0300] "GET /UfUc47vR HTTP/1.1" 404 7865 "https://www.google.com.tr/" "Mozil
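The log lines in the post above all share one pattern: GET requests for eight-character random paths, arriving from many different source addresses within the same minute, some carrying the same campaign referrer. Before deciding on a Layer7 or referrer-based block, it helps to measure that pattern in the web server log. The following is an added example, not code from the post or from MikroTik; it parses combined-format lines like those quoted and flags a burst of random-path requests. The `SAMPLE_LOG` lines are constructed (documentation addresses and a placeholder referrer, modelled on the quoted format), and the window size and threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format, as in the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The bot requests paths of exactly eight random letters and digits.
RANDOM_PATH_RE = re.compile(r"^/[A-Za-z0-9]{8}$")

UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
REF = "http://promo.invalid/?utm_source=taskbar&utm_campaign=igen"  # placeholder

# Constructed sample log: six bot hits in one minute, two legitimate requests,
# one lone random-path request later, and one truncated line.
SAMPLE_LOG = f"""
198.51.100.11 - - [12/Apr/2014:20:10:13 +0300] "GET /TqXw8kLa HTTP/1.1" 404 7863 "{REF}" "{UA}"
198.51.100.12 - - [12/Apr/2014:20:10:21 +0300] "GET /p0Z9mQrt HTTP/1.1" 404 7895 "-" "{UA}"
198.51.100.13 - - [12/Apr/2014:20:10:12 +0300] "GET /Vh3Jke7G HTTP/1.1" 404 7897 "-" "{UA}"
198.51.100.14 - - [12/Apr/2014:20:10:02 +0300] "GET /hQag1J9A HTTP/1.1" 200 1605 "-" "{UA}"
198.51.100.15 - - [12/Apr/2014:20:10:33 +0300] "GET /zX1EjXuo HTTP/1.1" 200 7865 "-" "{UA}"
198.51.100.16 - - [12/Apr/2014:20:10:40 +0300] "GET /2PzM5HuC HTTP/1.1" 404 7863 "{REF}" "{UA}"
198.51.100.200 - - [12/Apr/2014:20:10:30 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "{UA}"
198.51.100.201 - - [12/Apr/2014:20:10:45 +0300] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 2048 "https://www.example.com/" "{UA}"
198.51.100.250 - - [12/Apr/2014:20:12:01 +0300] "GET /AbCdEfGh HTTP/1.1" 404 7863 "-" "{UA}"
198.51.100.17 - - [12/Apr/2014:20:10:50 +0300] "GET /UfUc47vR HTTP/1.1" 404 7865 "https://www.google.com.tr/" "Mozil
"""


def parse_log(text):
    """Parse combined-format lines; malformed or truncated lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(d)
    return entries


def detect_random_path_flood(entries, window_seconds=60, min_distinct_ips=5):
    """Bucket random-path GETs into time windows; a window with at least
    min_distinct_ips different sources is a flood. Returns the sorted list of
    flagged source IPs and a Counter of referrers seen on those requests."""
    buckets = defaultdict(set)
    referers = Counter()
    for e in entries:
        if e["method"] != "GET" or not RANDOM_PATH_RE.match(e["path"]):
            continue
        bucket = int(e["ts"].timestamp()) // window_seconds
        buckets[bucket].add(e["ip"])
        if e["referer"] != "-":
            referers[e["referer"]] += 1
    flagged = set()
    for ips in buckets.values():
        if len(ips) >= min_distinct_ips:
            flagged |= ips
    return sorted(flagged), referers


if __name__ == "__main__":
    ips, refs = detect_random_path_flood(parse_log(SAMPLE_LOG))
    print("flagged sources:", ips)
    print("referrers on flagged requests:", dict(refs))
```

The flagged source list is what would feed an address list on the router, and the referrer counter shows whether a referrer-based Layer7 match would even catch the traffic: in the sample only two of the six bot requests carry the referrer, so blocking on it alone would miss most of the flood.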
Blocking this kind of attack is easy. The rules are below.
Rules for Botnet.
/ip firewall filter
add action=drop chain=forward comment="Botnet Sirefef/ZeroAccess" dst-port=21810,22292,34354,34355 protocol=tcp
add action=drop chain=forward comment="Botnet Sirefef/ZeroAccess" dst-port=21810,22292,34354,34355 protocol=udp
add action=drop chain=forward comment="Botnet Sirefef/ZeroAccess" dst-port=16460-16480 protocol=tcp
add action=drop chain=forward comment="Botnet Sirefef/ZeroAccess" dst-port=16460-16480 protocol=udp
I hope this helped.
Use google for translate.
Thx
Did it solve it?