Hello @red51
Hello everyone,
I received an abuse report from my provider today and unfortunately I can't make much sense of it:
(It is definitely NOT spam!)
Good day Patrick Bronke,
we have received the following abuse report for your product v22018096903173322 - RS 4000 SSD G8 a1 and need a statement from you within the next 48 hours. Please note that, as a precaution, we must follow up on every abuse report. If you do not send us a statement, or if further abuse reports arrive, the affected hosting product will have to be suspended to prevent further damage.
Abuse report:
A public-facing device on your network, running on IP address 193.31.25.214, appears to operate a LDAP service responding on port 389 that participated in a large-scale attack against a customer of ours, generating UDP responses to spoofed requests that claimed to be from the attack target.
Please consider reconfiguring this server in one or more of these ways:
1. Adding a firewall rule to block all access to this host's UDP port 389 at your network edge. (LDAP also uses TCP port 389 by default, and that can be left open without allowing the host to be used for reflection attacks; but, for security reasons, it is usually best to block both 389/TCP and 389/UDP at the network edge.)
2. Adding firewall rules to allow connections to this service (on UDP port 389) from authorized endpoints but block connections from all other hosts.
3. Disabling LDAP/Active Directory functionality on your system. This would only be appropriate if this is not a service that you make use of.
More information on this type of attack can be found at these links:
https://www.akamai.com/kr/ko/m…state-of-the-internet/cld[..]
https://www.scmagazine.com/zer…ctor-leverages-ldap-to-am[..]
https://www.us-cert.gov/ncas/alerts/TA14-017A
http://blog.netlab.360.com/cld…flection-amplified-ddos-a[..]
Example responses from the host during this attack are given below.
Date/timestamps (far left) are UTC.
2018-12-06 21:27:19.018664 IP 193.31.25.214.389 > 192.223.25.x.35347: UDP, length 2987
0x0000:  4500 05dc 6e8b 2000 7611 fac7 c11f 19d6  E...n...v.......
0x0010:  c0df 19e9 0185 8a13 0bb3 63c5 3084 0000  ..........c.0...
0x0020:  0b8f 0201 0764 8400 000b 8604 0030 8400  .....d.......0..
0x0030:  000b 7e30 8400 0000 2604 0b63 7572 7265  ..~0....&..curre
0x0040:  6e74 5469 6d65 3184 0000 0013 0411 3230  ntTime1.......20
0x0050:  3138 18
2018-12-06 21:27:19.413833 IP 193.31.25.214.389 > 192.223.25.x.35347: UDP, length 2987
0x0000:  4500 05dc 6e95 2000 7611 fabd c11f 19d6  E...n...v.......
0x0010:  c0df 19e9 0185 8a13 0bb3 63c5 3084 0000  ..........c.0...
0x0020:  0b8f 0201 0764 8400 000b 8604 0030 8400  .....d.......0..
0x0030:  000b 7e30 8400 0000 2604 0b63 7572 7265  ..~0....&..curre
0x0040:  6e74 5469 6d65 3184 0000 0013 0411 3230  ntTime1.......20
0x0050:  3138 18
2018-12-06 21:27:19.863459 IP 193.31.25.214.389 > 192.223.25.x.35347: UDP, length 2987
0x0000:  4500 05dc 6ea1 2000 7611 fab1 c11f 19d6  E...n...v.......
0x0010:  c0df 19e9 0185 8a13 0bb3 63c4 3084 0000  ..........c.0...
0x0020:  0b8f 0201 0764 8400 000b 8604 0030 8400  .....d.......0..
0x0030:  000b 7e30 8400 0000 2604 0b63 7572 7265  ..~0....&..curre
0x0040:  6e74 5469 6d65 3184 0000 0013 0411 3230  ntTime1.......20
0x0050:  3138 18
(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "233".)
-John
President
Nuclearfallout, Enterprises, Inc. (NFOservers.com)
(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)
Kind regards / best regards
(MY PROVIDER)
What should I do?
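The first thing to do with a notice like this is to check its evidence against the packet bytes it quotes, so you can confirm for yourself that the host really answered LDAP queries over UDP port 389 before you pick one of the three fixes. The script below is an added example for this thread, not code from the provider or from the abuse team: it parses the tcpdump -X hex dump as it appears in the notice (even with the broken spacing), decodes the IPv4 and UDP headers, and walks the outer BER layers of the LDAP payload. The only input is the first dumped packet, copied from the notice above; the packet layout it decodes follows RFC 791, RFC 768 and RFC 4511, and nothing else about the server is assumed.

```python
"""Decode the tcpdump -X evidence quoted in an LDAP reflection abuse notice:
IPv4 and UDP headers, then the outer BER layers of the LDAP payload."""
import ipaddress
import re
import struct

# Constructed input: the first packet quoted in the notice, kept with the
# broken spacing it has on the page (only the hex groups are parsed).
SAMPLE_NOTICE = """\
2018-12-06 21:27:19.018664 IP 193.31.25.214.389 > 192.223.25.x.35347: UDP, length 2987
0x0000:4500 05dc6e8b 2000 7611 fac7 c11f 19d6E...n...v.......
0x0010:c0df 19e90185 8a13 0bb3 63c5 3084 0000..........c.0...
0x0020:0b8f 02010764 8400 000b 8604 0030 8400.....d.......0..
0x0030:000b 7e308400 0000 2604 0b63 7572 7265..~0....&..curre
0x0040:6e74 54696d65 3184 0000 0013 0411 3230ntTime1.......20
0x0050:313818
"""

HEADER_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
# Offset, up to eight 4-digit hex groups (16 bytes) plus an optional odd pair;
# the trailing ASCII column is deliberately not consumed.
HEX_LINE = re.compile(r"^0x([0-9a-f]{4}):\s*((?:[0-9a-f]{4}\s*){0,8}(?:[0-9a-f]{2})?)")


def split_packets(text):
    """Yield the bytes of each dumped packet; a timestamp line starts a new one."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        if HEADER_LINE.match(line):
            if current:
                yield bytes(current)
            current = bytearray()
            continue
        m = HEX_LINE.match(line)
        if m and current is not None:
            if int(m.group(1), 16) != len(current):
                raise ValueError("hex dump offsets are not contiguous")
            current += bytes.fromhex(re.sub(r"\s", "", m.group(2)))
    if current:
        yield bytes(current)


def ber_tlv(buf, pos):
    """Return (tag, length, value_offset) for a single-byte-tag BER element."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: n length bytes follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def decode_search_result(payload):
    """Walk the outer layers of an LDAPMessage carrying a SearchResultEntry."""
    tag, msg_len, p = ber_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("UDP payload is not an LDAPMessage SEQUENCE")
    _, n, p = ber_tlv(payload, p)                       # messageID INTEGER
    info = {"message_len": msg_len,
            "message_id": int.from_bytes(payload[p:p + n], "big")}
    p += n
    op, _, p = ber_tlv(payload, p)                      # protocolOp CHOICE
    info["op"] = "searchResEntry" if op == 0x64 else f"tag 0x{op:02x}"
    if op != 0x64:
        return info
    _, n, p = ber_tlv(payload, p)                       # objectName LDAPDN
    info["object_name"] = payload[p:p + n].decode("utf-8", "replace")
    p += n
    _, _, p = ber_tlv(payload, p)                       # attributes SEQUENCE OF
    _, _, p = ber_tlv(payload, p)                       # first PartialAttribute
    _, n, p = ber_tlv(payload, p)                       # its type
    info["first_attribute"] = payload[p:p + n].decode("ascii", "replace")
    p += n
    _, _, p = ber_tlv(payload, p)                       # vals SET OF
    _, n, p = ber_tlv(payload, p)                       # first AttributeValue
    info["value_truncated"] = len(payload) - p < n      # the dump stops early
    return info


def triage_packet(pkt):
    """Decode IPv4 and UDP headers, then the LDAP payload, of one packet."""
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    ldap = decode_search_result(pkt[ihl + 8:])
    return {
        "src": f"{ipaddress.IPv4Address(src)}:{sport}",
        "dst": f"{ipaddress.IPv4Address(dst)}:{dport}",   # unmasked in the hex
        "ip_total_len": total_len,
        "fragmented": bool(flags_frag & 0x3FFF),          # MF flag or offset set
        "udp_payload_len": ulen - 8,                      # bytes the target got
        "ldap": ldap,
        # A 389/UDP source answering a search for the rootDSE (empty
        # objectName) is the CLDAP reflection pattern the notice describes.
        "reflection_pattern": sport == 389 and ldap.get("object_name") == "",
    }


def triage_notice(text):
    """Triage every packet in a notice; returns one summary dict per packet."""
    return [triage_packet(p) for p in split_packets(text)]
```

Running `triage_notice(SAMPLE_NOTICE)` on the quoted packet shows a 1500-byte IPv4 fragment from 193.31.25.214:389 to 192.223.25.233:35347 (the hex carries the octet the notice masks in its text), a UDP payload of 2987 bytes, and an LDAP SearchResultEntry for message ID 7 with an empty objectName, i.e. the server's rootDSE, whose first attribute is currentTime. That is exactly the pattern described in the notice: a rootDSE query over UDP is only a few dozen bytes, and the server answered it with nearly 3 KB sent to whatever source address the request claimed. Once that is confirmed, option 1 or 2 from the notice (block 389/UDP at the edge, or allow it only from the endpoints that need it) is the fix to apply and to describe in the statement back to the provider.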