Open melicherm opened 1 week ago
Hi @melicherm is it possible to have a pcap / small portion of that attack (in case we will talk by email)?
@MatteoBiscosi - we have just this dump:
Frame 15: 1490 bytes on wire (11920 bits), 1490 bytes captured (11920 bits) on interface team0.295, id 0
    Section number: 1
    Interface id: 0 (team0.295)
        Interface name: team0.295
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep 16, 2024 15:30:33.079046360 CEST
    UTC Arrival Time: Sep 16, 2024 13:30:33.079046360 UTC
    Epoch Arrival Time: 1726493433.079046360
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.000002343 seconds]
    [Time delta from previous displayed frame: 0.000002343 seconds]
    [Time since reference or first frame: 0.000012911 seconds]
    Frame Number: 15
    Frame Length: 1490 bytes (11920 bits)
    Capture Length: 1490 bytes (11920 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:data]
Ethernet II, Src: HuaweiTechno_c3:55:fa (80:e1:bf:c3:55:fa), Dst: 52:54:00:dd:34:65 (52:54:00:dd:34:65)
    Destination: 52:54:00:dd:34:65 (52:54:00:dd:34:65)
        Address: 52:54:00:dd:34:65 (52:54:00:dd:34:65)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: HuaweiTechno_c3:55:fa (80:e1:bf:c3:55:fa)
        Address: HuaweiTechno_c3:55:fa (80:e1:bf:c3:55:fa)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: node-5o0.pool-1-0.dynamic.totinternet.net (1.0.156.176), Dst: AAA.BBB.CCC.DDD (AAA.BBB.CCC.DDD)
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 1476
    Identification: 0x9371 (37745)
Hope this helps. Will ask for .pcap if it's available.
DST IP is hidden.
@MatteoBiscosi - got the .pcap (around 1Mil packets available @1.2GB). I have extracted 200 packets. Would like to send it to you by email - 256 KB. Can you give me your address?
Thank you!
@melicherm Please send me the URL from which I can download the pcap. My email is deri@ntop.org
Using this setup
nprobe --zmq tcp://127.0.0.1:1234 -i ~/Downloads/attack_export.pcapng -b 2 --zmq-probe-mode
ntopng -i tcp://127.0.0.1:1234c
and the pcap you sent us, we see the traffic. Can you please check how your sFlow exporter behaves in case of fragmented traffic? Theoretically, it should not matter.
Hello dear community, based on our latest DDOS attack that we have encountered, we found out that around 20Gbit of traffic was not visible in ntopng.
It seems that nProbe / ntopng ignores UDP fragments. We think nProbe or ntopng checks for valid flows. Because a DDOS does not need to use valid flow packets -> e.g. the flow does not have a start packet and it's just random data in UDP fragments -> they are invisible using nProbe+ntopng.
Could someone check if my assumption is OK?
Environment:
How did you reproduce it?
UDP packets, random length, random data inside packets sent out over a router that has sFlow -> nProbe -> ntopng, and look in flows to find nothing.
Thank you community!
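One check a defender can run on a capture like the one exchanged above, to size the hypothesis in this thread (that non-first UDP fragments are invisible in the flow view) before reasoning about nProbe or the sFlow exporter: only the first fragment of an IPv4 datagram carries the UDP header, so any collector that keys flows on the 5-tuple cannot attribute a later fragment unless it also saw the first fragment with the same (src, dst, proto, id). The script below is an added example and is not code from this thread or from ntop's projects; it reads a libpcap file (not pcapng), classifies each IPv4 packet as unfragmented, first fragment or non-first fragment, and reports how many bytes carry no L4 header and how many non-first fragments are orphaned because their first fragment was never captured (the usual case with sampled sFlow). The embedded frames are constructed, modelled on the Total Length 1476 / Identification 0x9371 values in the dump above; the destination address is a placeholder.

```python
import struct

# Added example: estimate how much of a capture has no UDP header (no ports, so
# no 5-tuple flow key). Sample frames are constructed, not taken from the thread.

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def ipv4_frame(src, dst, proto, ident, more_fragments, frag_offset_units, payload):
    """Ethernet + IPv4 header + payload. frag_offset_units is in 8-byte units."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
        bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")),
    )
    eth_hdr = bytes.fromhex("525400dd3465") + bytes.fromhex("80e1bfc355fa") + b"\x08\x00"
    return eth_hdr + ip_hdr + payload


def udp_header(sport, dport, udp_len):
    """UDP header with a zero checksum (allowed for IPv4)."""
    return struct.pack("!HHHH", sport, dport, udp_len, 0)


def write_pcap(frames):
    """Serialise frames into a little-endian libpcap file image, in memory."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for usec, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1726493433, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Yield captured frames from a libpcap image, honouring its byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        bo = "<"
    elif magic == 0xD4C3B2A1:
        bo = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(bo + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    pos = 24
    while pos + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from(bo + "IIII", data, pos)
        pos += 16
        yield data[pos:pos + caplen]
        pos += caplen


def parse_ipv4(frame):
    """Return the IPv4 fields needed for fragment classification, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    total_len, ident, flags_frag = struct.unpack_from("!HHH", ip, 2)
    return dict(src=ip[12:16], dst=ip[16:20], proto=ip[9], ident=ident,
                mf=bool(flags_frag & 0x2000), offset=flags_frag & 0x1FFF,
                total_len=total_len, ihl=(ip[0] & 0x0F) * 4)


def fragment_report(pcap_bytes):
    pkts = [p for p in (parse_ipv4(f) for f in read_pcap(pcap_bytes)) if p]
    # Datagram keys whose first fragment (offset 0, MF set) was actually captured.
    seen_first = {(p["src"], p["dst"], p["proto"], p["ident"])
                  for p in pkts if p["offset"] == 0 and p["mf"]}
    rep = dict(unfragmented=0, first_fragment=0, non_first_fragment=0,
               non_first_attributable=0, non_first_orphaned=0,
               total_bytes=0, bytes_without_l4_header=0)
    for p in pkts:
        rep["total_bytes"] += p["total_len"]
        if p["offset"] == 0 and not p["mf"]:
            rep["unfragmented"] += 1
        elif p["offset"] == 0:
            rep["first_fragment"] += 1          # carries the UDP header
        else:
            rep["non_first_fragment"] += 1      # no ports at all in this packet
            rep["bytes_without_l4_header"] += p["total_len"] - p["ihl"]
            key = (p["src"], p["dst"], p["proto"], p["ident"])
            rep["non_first_attributable" if key in seen_first else "non_first_orphaned"] += 1
    return rep


# Constructed sample: one plain UDP packet, one datagram fragmented into three
# pieces, and one stray non-first fragment whose first fragment was never sampled.
SRC, DST, UDP = "1.0.156.176", "192.0.2.10", 17     # DST is a placeholder
SAMPLE_FRAMES = [
    ipv4_frame(SRC, DST, UDP, 0x1000, False, 0, udp_header(40000, 53, 108) + bytes(100)),
    ipv4_frame(SRC, DST, UDP, 0x9371, True, 0, udp_header(40000, 53, 3012) + bytes(1448)),
    ipv4_frame(SRC, DST, UDP, 0x9371, True, 182, bytes(1456)),
    ipv4_frame(SRC, DST, UDP, 0x9371, False, 364, bytes(100)),
    ipv4_frame(SRC, DST, UDP, 0x9372, True, 182, bytes(1456)),
]
SAMPLE_PCAP = write_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    r = fragment_report(SAMPLE_PCAP)
    share = 100.0 * r["bytes_without_l4_header"] / r["total_bytes"]
    print(r)
    print(f"{share:.1f}% of IP payload bytes carry no L4 header")
```

Run it on a real file by replacing SAMPLE_PCAP with the file contents (`open(path, "rb").read()`); a large bytes_without_l4_header share, or a high orphaned count, means the fragment volume can only appear in a flow view if the collector keys on the datagram identification as well as the 5-tuple, which is the behaviour the question to the sFlow exporter above is really about.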