Server Used In DOS Attack On UDP Port 0


Hi,

One of our AWS machines was used in a DOS attack last night and I am looking for possible attack vectors. AWS tells me it was sending UDP port 0 traffic to a Cloudflare address.

This instance had an incorrectly configured AWS security group exposing all ports.

The server in question is a CentOS 7 based FreeIPA server, OpenVPN concentrator and DNS server.

In a brief inspection before the instance was stopped, no evidence of intrusion could be found in the obvious places, and the machine is protected by standard SELinux policies.

On this machine, firewalld is currently configured with a single zone with masquerade enabled.

firewalld config:
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp openvpn ssh
ports: 81/tcp
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:

Thanks,

Andrew


  • Did you run basic checks like rkhunter and so on?

    Is password login enabled, or only public key, on the SSH service?

    Weak passwords on SSH are usually the primary reason for system compromise.

    Eero
    On 4.11.2015 at 12:23 PM, “Andrew Holway” wrote:
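Eero's question (password login or key-only?) is easy to get wrong by reading sshd_config by eye, because sshd keeps the first value it sees for a keyword and later duplicates are ignored. The script below is an added example, not code from the thread or from either poster: it reports the settings that decide whether a password can be used over SSH, read from a config file given as an argument. It assumes the plain "Keyword value" syntax (the "Keyword=value" form is not handled) and ignores everything after the first Match block, which is a simplification; on a live host, `sshd -T` prints the effective configuration and is the authoritative check. The sample config at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original thread: report the SSH
# authentication settings behind Eero's question, read from an sshd_config
# file. Assumptions: sshd keeps the FIRST value it sees for a keyword (so the
# first match wins here too); "Keyword value" syntax only; anything after a
# "Match" block header is ignored (conditional settings are out of scope).
# On a live host, `sshd -T` prints the effective configuration.

# sshd_option FILE KEYWORD -> prints the first value set for KEYWORD, or
# "unset" if the keyword does not appear before the first Match block.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                         # skip comments
        tolower($1) == "match" { exit }                   # stop at Match blocks
        tolower($1) == key { print $2; found = 1; exit }  # first match wins
        END { if (!found) print "unset" }
    ' "$1"
}

# ssh_auth_audit FILE -> prints the three settings, one WARN line per weak
# setting, and returns 1 if any password-based login path is open.
ssh_auth_audit() {
    pw=$(sshd_option "$1" PasswordAuthentication)
    cr=$(sshd_option "$1" ChallengeResponseAuthentication)
    root=$(sshd_option "$1" PermitRootLogin)
    echo "PasswordAuthentication=$pw ChallengeResponseAuthentication=$cr PermitRootLogin=$root"
    status=0
    # unset means "yes" for both of these in OpenSSH, so only an explicit "no" passes
    [ "$pw" = no ] || { echo "WARN: password logins are possible"; status=1; }
    [ "$cr" = no ] || { echo "WARN: keyboard-interactive (PAM password) logins are possible"; status=1; }
    # unset defaulted to "yes" before OpenSSH 7.0; treat anything but these values as weak
    case "$root" in
        no|without-password|prohibit-password) ;;
        *) echo "WARN: PermitRootLogin=$root does not restrict root logins"; status=1 ;;
    esac
    return $status
}

# Constructed sample config: the commented-out default, an explicit "no" that
# wins, a later "yes" that sshd ignores, and a Match block that is skipped.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
ssh_auth_audit "$sample" || echo "audit result: weak settings found"
rm -f "$sample"
```

Run it as `sh audit.sh` to see the sample, or call `ssh_auth_audit /etc/ssh/sshd_config` from a shell that has sourced the file; a non-zero exit means a password can still be used to log in somewhere, which is the case Eero is pointing at.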

  • Is it AWS as in Amazon Web Services?

    Ironic: Cloudflare is known for the fact that you cannot go after whoever abuses you from behind them (therefore some people just block all traffic to/from them), and now they are becoming the victims of the same. I would recommend blocking traffic to Cloudflare address blocks at the level of routing tables (google that); it may help you in the future.

    As far as I know (someone correct me), a regular user can send UDP packets (a regular user cannot do a UDP port scan, but that is purely because root access is necessary to _read_ a raw socket, i.e. read the response; sending is doable). That is why, for this particular incident, I wouldn't suspect root compromise right away. Check which users were connected (or rather, which processes were running) at the time in question, and check the activity. psacct (if enabled) is your friend.

    Hm, I personally am a bit sceptical about SELinux. Its protection (of a vulnerable system) IMHO is grossly overestimated. It helps some, but I'd rather have a kernel without SELinux (not possible any more, of course; the tons of SELinux code _are_ already in the kernel, with all their potential bugs...)

    Somebody already suggested a nice tool (rootkit hunter). I would mention http://www.chkrootkit.org/. I would also add to the forensics (especially if you haven't rebooted yet) a comparison of what you get internally (like open ports, and the whole tree of files on the machine with file checksums) and externally (like an external port scan after you turn off the machine's firewall), with the list of files after you mount the machine's drive(s) on a sane box.

    Good luck on forensics!

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev
    Sr System Administrator
    Department of Astronomy and Astrophysics
    Kavli Institute for Cosmological Physics
    University of Chicago
    Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++
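Valeri's internal-versus-external comparison is the part of the forensics that catches a listener hidden from the host's own tools (a kernel or userland rootkit filtering `ss`/`netstat`), and it also lists which of the FreeIPA/VPN services were actually facing the Internet through the open security group. The script below is an added example, not from the thread or from either poster: it takes saved `ss -tuln` output and nmap's grepable output (`-oG`) as two files and prints the three sets a responder wants (seen outside but not bound locally, bound locally but not seen outside, and exposed). It assumes the iproute2 column layout shipped with CentOS 7 (Netid in column 1, Local Address:Port in column 5; extra columns from `-p` are ignored) and counts UDP ports nmap reports as `open|filtered` as open, since the scanner cannot tell the two apart. The sample `ss` and nmap output at the bottom is constructed, with a made-up address.

```shell
#!/bin/sh
# Added example, not part of the original thread: compare the sockets the host
# reports (`ss -tuln` output) with what an external scan sees (nmap -oG output)
# to spot listeners hidden from the host and services that should never have
# faced the Internet. Assumptions: ss prints "Netid" in column 1 and
# "Local Address:Port" in column 5 (iproute2 on CentOS 7; columns added by -p
# are ignored); UDP ports nmap reports as "open|filtered" count as open.
export LC_ALL=C   # comm needs both lists sorted under the same collation

# internal_ports SSFILE -> sorted "proto/port" lines for every bound socket
internal_ports() {
    awk '$1 == "tcp" || $1 == "udp" { n = split($5, a, ":"); print $1 "/" a[n] }' "$1" | sort -u
}

# external_ports GNMAPFILE -> sorted "proto/port" lines for ports the scanner saw open.
# Each -oG entry looks like "53/open/udp//domain///"; field 1 is coerced with +0 to drop
# the leading space that follows the comma separator.
external_ports() {
    sed -n 's/.*Ports: //p' "$1" | tr ',' '\n' |
        awk -F/ '$2 == "open" || $2 == "open|filtered" { print $3 "/" ($1 + 0) }' | sort -u
}

# ports_compare COMMFLAG SSFILE GNMAPFILE -> the comm(1) view selected by COMMFLAG
ports_compare() {
    a=$(mktemp); b=$(mktemp)
    internal_ports "$2" > "$a"; external_ports "$3" > "$b"
    comm "$1" "$a" "$b"
    rm -f "$a" "$b"
}
hidden_ports()   { ports_compare -13 "$1" "$2"; }  # outside sees it, ss does not: hidden listener or another host answering
filtered_ports() { ports_compare -23 "$1" "$2"; }  # bound locally, unreachable: firewalled or loopback-only
exposed_ports()  { ports_compare -12 "$1" "$2"; }  # bound and reachable: attack surface to justify one by one

# Constructed sample data modelled on the server in the thread (address is made up).
ss_out=$(mktemp); nmap_out=$(mktemp)
cat > "$ss_out" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      *:53               *:*
udp   UNCONN 0      0      *:123              *:*
udp   UNCONN 0      0      *:1194             *:*
tcp   LISTEN 0      128    *:22               *:*
tcp   LISTEN 0      128    *:389              *:*
tcp   LISTEN 0      128    127.0.0.1:81       *:*
EOF
cat > "$nmap_out" <<'EOF'
# Nmap 6.40 scan initiated as: nmap -sS -sU -p T:22,81,389,4444,U:53,123,1194 -oG scan.gnmap 203.0.113.10
Host: 203.0.113.10 () Status: Up
Host: 203.0.113.10 () Ports: 22/open/tcp//ssh///, 53/open/udp//domain///, 123/open/udp//ntp///, 389/open/tcp//ldap///, 1194/open|filtered/udp//openvpn///, 4444/open/tcp//krb524/// Ignored State: closed (1)
EOF
echo "== hidden (outside sees it, ss does not) =="; hidden_ports "$ss_out" "$nmap_out"
echo "== filtered or loopback-only =="; filtered_ports "$ss_out" "$nmap_out"
echo "== exposed to the Internet =="; exposed_ports "$ss_out" "$nmap_out"
rm -f "$ss_out" "$nmap_out"
```

On the sample the "hidden" section shows tcp/4444, which the host's own `ss` does not list, and the "exposed" section shows DNS, NTP, LDAP, OpenVPN and SSH reachable from outside. A real run needs the `ss` capture taken on the suspect host before reboot and the nmap scan run from a separate machine with the host firewall temporarily off, as Valeri describes; anything in the "hidden" set is the signal to move on to the offline disk comparison rather than trust the running system.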