
New type of UPnP DDoS, bypassing filters?


martijnk
05-08-2014, 00:09
Hi,

I've been a happy OVH customer for a decent amount of time now. I run several game servers, and DDoS attacks always bothered me, so I moved to OVH and they became a thing of the past. I had been hit with DNS and/or NTP amplification attacks for years and my community barely survived; it was thanks to OVH's anti-DDoS that it did.

However, after months and months of silence, my servers got attacked again today, and successfully. I have been down for the better part of the day, both my BHS and RBX servers. The attacker found a new method which seems to bypass the OVH DDoS filters. Usually the filter kicks in after a few seconds, but not this time: my servers are going down for 10 minutes or more until the attacker stops the attack, which he usually does once the servers are empty.

Here's a tcpdump log; it seems like he's using some kind of port 1900 / UPnP (SSDP) reflection attack which is not being picked up by OVH (my real IP isn't in here, of course; tell me if you need it).

23:46:30.085196 IP 75.133.61.55.1900 > 1.1.1.1.27021: UDP, length 291
23:46:30.085211 IP 174.126.217.131.1900 > 1.1.1.1.27021: UDP, length 310
23:46:30.085226 IP 69.112.170.198.1900 > 1.1.1.1.27021: UDP, length 238
23:46:30.085268 IP 120.194.137.111.1900 > 1.1.1.1.27021: UDP, length 322
23:46:30.085271 IP 123.64.24.129.1900 > 1.1.1.1.27021: UDP, length 268
23:46:30.085273 IP 183.104.44.185.1900 > 1.1.1.1.27021: UDP, length 269
23:46:30.085275 IP 123.65.164.106.1900 > 1.1.1.1.27021: UDP, length 314
23:46:30.085285 IP 5.103.64.242.1900 > 1.1.1.1.27021: UDP, length 318
23:46:30.085301 IP 75.128.139.55.1900 > 1.1.1.1.27021: UDP, length 291
23:46:30.085318 IP 69.115.127.76.1900 > 1.1.1.1.27021: UDP, length 302
23:46:30.085331 IP 123.194.250.21.1900 > 1.1.1.1.27021: UDP, length 247
23:46:30.085346 IP 64.234.90.125.1900 > 1.1.1.1.27021: UDP, length 292
23:46:30.085362 IP 77.53.32.152.1900 > 1.1.1.1.27021: UDP, length 290
23:46:30.085376 IP 97.80.250.170.1900 > 1.1.1.1.27021: UDP, length 302
23:46:30.085393 IP 67.193.101.6.1900 > 1.1.1.1.27021: UDP, length 307
23:46:30.085409 IP 122.246.192.79.1900 > 1.1.1.1.27021: UDP, length 290
23:46:30.085424 IP 218.79.73.40.1900 > 1.1.1.1.27021: UDP, length 288
23:46:30.085469 IP 123.247.5.126.1900 > 1.1.1.1.27021: UDP, length 322
23:46:30.085472 IP 69.23.96.195.1900 > 1.1.1.1.27021: UDP, length 323
23:46:30.085474 IP 123.187.243.194.1900 > 1.1.1.1.27021: UDP, length 314
23:46:30.085476 IP 65.190.63.39.1900 > 1.1.1.1.27021: UDP, length 247
23:46:30.085485 IP 24.226.66.109.1900 > 1.1.1.1.27021: UDP, length 300

Unfortunately I don't have DDoS Pro with SoYouStart, and I can't afford OVH dedicated servers.

Any idea how to battle this?

Thanks!
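As an added example (not part of the post above, and not OVH's or SoYouStart's own filtering logic), here is a small Python detector that parses tcpdump lines of the shape shown in the post and flags the SSDP reflection pattern: many distinct source addresses, all sending from UDP source port 1900, with response-sized payloads converging on one destination IP and port. The sample dump is constructed for this example (the first ten lines copy the shape of the post's own capture, the last two are benign-looking game traffic so the detector has something to leave alone); the thresholds and the iptables rule it prints are assumptions about what a server operator would want, not something the post recommends.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same format as `tcpdump -n` output for UDP.
# Ten lines are SSDP (sport 1900) replies reflected at one game port,
# two are ordinary client packets (random high source ports).
SAMPLE_DUMP = """\
23:46:30.085196 IP 75.133.61.55.1900 > 1.1.1.1.27021: UDP, length 291
23:46:30.085211 IP 174.126.217.131.1900 > 1.1.1.1.27021: UDP, length 310
23:46:30.085226 IP 69.112.170.198.1900 > 1.1.1.1.27021: UDP, length 238
23:46:30.085268 IP 120.194.137.111.1900 > 1.1.1.1.27021: UDP, length 322
23:46:30.085271 IP 123.64.24.129.1900 > 1.1.1.1.27021: UDP, length 268
23:46:30.085273 IP 183.104.44.185.1900 > 1.1.1.1.27021: UDP, length 269
23:46:30.085275 IP 123.65.164.106.1900 > 1.1.1.1.27021: UDP, length 314
23:46:30.085285 IP 5.103.64.242.1900 > 1.1.1.1.27021: UDP, length 318
23:46:30.085301 IP 75.128.139.55.1900 > 1.1.1.1.27021: UDP, length 291
23:46:30.085318 IP 69.115.127.76.1900 > 1.1.1.1.27021: UDP, length 302
23:46:30.085400 IP 198.51.100.7.54012 > 1.1.1.1.27021: UDP, length 60
23:46:30.085500 IP 203.0.113.9.61234 > 1.1.1.1.27015: UDP, length 48
"""

SSDP_PORT = 1900  # UPnP discovery (SSDP) listens here; replies come from it

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)


def parse_line(line):
    """Parse one tcpdump UDP line into a dict, or None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
    secs = ts.hour * 3600 + ts.minute * 60 + ts.second + ts.microsecond / 1e6
    return {
        "ts": secs,
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "length": int(m["length"]),
    }


def find_ssdp_reflection(dump_text, min_sources=8, min_share=0.8):
    """Group packets by (dst, dport); report targets where sport-1900 traffic
    dominates and comes from at least `min_sources` distinct reflectors.
    Thresholds are assumed values, tune them for the real link."""
    per_target = defaultdict(lambda: {
        "total": 0, "ssdp": 0, "sources": set(), "bytes": 0,
        "first": None, "last": None,
    })
    for line in dump_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        t = per_target[(pkt["dst"], pkt["dport"])]
        t["total"] += 1
        if pkt["sport"] != SSDP_PORT:
            continue
        t["ssdp"] += 1
        t["sources"].add(pkt["src"])
        t["bytes"] += pkt["length"]
        t["first"] = pkt["ts"] if t["first"] is None else min(t["first"], pkt["ts"])
        t["last"] = pkt["ts"] if t["last"] is None else max(t["last"], pkt["ts"])

    findings = {}
    for target, t in per_target.items():
        if t["ssdp"] == 0:
            continue
        share = t["ssdp"] / t["total"]
        if len(t["sources"]) >= min_sources and share >= min_share:
            findings[target] = {
                "packets": t["ssdp"],
                "distinct_sources": len(t["sources"]),
                "bytes": t["bytes"],
                "share": share,
                "window_s": t["last"] - t["first"],
            }
    return findings


def iptables_rule(dport):
    """Host-side stop-gap: drop UDP from sport 1900 aimed at the game port.
    Legitimate players never send from 1900, so this has no false positives."""
    return f"iptables -A INPUT -p udp --sport {SSDP_PORT} --dport {dport} -j DROP"


if __name__ == "__main__":
    for (dst, dport), f in find_ssdp_reflection(SAMPLE_DUMP).items():
        print(f"SSDP reflection at {dst}:{dport}: {f['packets']} pkts from "
              f"{f['distinct_sources']} reflectors, {f['bytes']} bytes, "
              f"{f['share']:.0%} of traffic to that port")
        print("  stop-gap:", iptables_rule(dport))
```

Two caveats a practitioner would add. The addresses on port 1900 are not the attacker; they are misconfigured UPnP devices answering M-SEARCH requests whose source was spoofed to the victim's IP, so blocking them one by one is pointless and the only stable host-side match is the source port. And a rule like the one printed only stops the server process from seeing the junk; it does nothing for an uplink that is already saturated, which is why the filtering has to happen upstream at the provider's edge for the attack to actually stop.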