
On Tuesday 28 June 2016 at 10:14 -0400, Dave Neary wrote:
FYI.

----- Forwarded Message -----
From: Hervé Leclerc <herve.leclerc@alterway.fr>
To: Dave Neary <dneary@redhat.com>, Infra@ovirt.org
Cc: Arnaud CAZIN <arnaud.cazin@alterway.fr>, Stéphane Vincent <stephane.vincent@alterway.fr>
Sent: Mon, 27 Jun 2016 13:06:17 -0400 (EDT)
Subject: Re: [oVirt-Infra] : New Gateway

Hello,

Did you make the changes asked for? Can you please give us a status on your actions.
I stopped rpcbind, which should solve the problem. But I wonder why we didn't get the mail the first time; it didn't appear on the list, nor in moderation.
Regards

Hervé Leclerc
CTO Alter Way
227 Bureaux de la colline
1 rue Royale - Bât. D
92210 Saint-Cloud France
*+33 141168336* +33 6 83979598

`like a halo in reverse`

On Sun, Jun 26, 2016 at 3:54 PM, Hervé Leclerc <herve.leclerc@alterway.fr> wrote:
Hello
Your VM alterway02.ovirt.org is participating in a DDoS attack. Could you please correct the problem rapidly! e.g. iptables -A INPUT -p udp --dport 111 -j DROP
Regards
Original message:

A public-facing device on your network, running on IP address 89.31.150.216, operates an RPC port mapping service responding on UDP port 111 and participated in a large-scale attack against a customer of ours, generating responses to spoofed requests that claimed to be from the attack target.
Please consider reconfiguring this server in one or more of these ways:
1. Adding a firewall rule to block all access to this host's UDP port 111 at your network edge (it would continue to be available on TCP port 111 in this case).
2. Adding firewall rules to allow connections to this service (on UDP port 111) from authorized endpoints but block connections from all other hosts.
3. Disabling the port mapping service entirely (if it is not needed).
More information on this attack vector can be found at this third-party website (we did not create this content): http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/
Example responses from the host during this attack are given below. Date/timestamps (far left) are UTC.
(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "36".)
-John
President
Nuclearfallout, Enterprises, Inc. (NFOservers.com)
(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)
Hervé Leclerc
CTO Alter Way
227 Bureaux de la colline
1 rue Royale - Bât. D
92210 Saint-Cloud France
*+33 141168336* +33 6 83979598
`like a halo in reverse`
On Wed, Feb 19, 2014 at 10:46 AM, Hervé Leclerc <herve.leclerc@alterway.fr> wrote:
Hello,
Our Internet gateway is changing. Could you please change your current gateway (*89.31.150.249*) on your machines (89.31.150.215 and 216) and VMs to *89.31.150.253*. Thanks
Let us know when this modification is done.
Cheers
Hervé Leclerc
CTO Alter Way
1, rue royale 9ème étage
92210 St Cloud
*+33 1 41 16 83 36* +33 6 83979598
--
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
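The abuse notice in this thread shows the attack as a burst of 628-byte UDP replies from port 111 to a destination that never asked for them. As an added example (not code from the notice, from oVirt or from Alter Way), this Python detector runs over constructed tcpdump-style summary lines in the notice's format, flags destinations receiving bursts of portmapper replies, and estimates the amplification factor; the 40-byte minimal DUMP request size and the RFC 5737 sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample (not from the notice) in the same tcpdump summary format:
# UTC timestamp, src.port > dst.port, UDP payload length; RFC 5737 addresses.
SAMPLE_LINES = [
    "2016-06-25 22:46:44.588895 IP 198.51.100.10.111 > 203.0.113.36.80: UDP, length 628",
    "2016-06-25 22:46:44.588939 IP 198.51.100.10.111 > 203.0.113.36.80: UDP, length 628",
    "2016-06-25 22:46:45.048914 IP 198.51.100.10.111 > 203.0.113.36.80: UDP, length 628",
    "2016-06-25 22:46:45.048963 IP 198.51.100.10.111 > 203.0.113.36.80: UDP, length 628",
    "2016-06-25 22:46:50.100000 IP 198.51.100.10.111 > 192.0.2.7.40123: UDP, length 628",
    "2016-06-25 22:46:51.200000 IP 198.51.100.10.53 > 192.0.2.9.51000: UDP, length 80",
]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)$")
# Assumption: a minimal portmap DUMP call with AUTH_NULL is 40 bytes of RPC payload.
DUMP_REQUEST_LEN = 40

def parse_line(line):
    """Parse one UDP summary line into a dict; return None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
            "dport": int(m["dport"]), "length": int(m["length"])}

def find_reflection_victims(lines, min_replies=3, window_s=5.0):
    """Report destinations hit by >= min_replies portmap (port 111) UDP replies
    within window_s seconds: a spoofed victim gets many replies it never asked for."""
    by_dst = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["sport"] == 111:          # only portmapper replies
            by_dst[pkt["dst"]].append(pkt)
    victims = {}
    for dst, pkts in by_dst.items():
        pkts.sort(key=lambda p: p["ts"])
        burst = 0                                 # max replies in any window
        for i, p in enumerate(pkts):
            n = sum(1 for q in pkts[i:] if (q["ts"] - p["ts"]).total_seconds() <= window_s)
            burst = max(burst, n)
        if burst >= min_replies:
            total = sum(p["length"] for p in pkts)
            victims[dst] = {"replies": len(pkts), "bytes": total,
                            "amplification": total / (len(pkts) * DUMP_REQUEST_LEN)}
    return victims
```

The same logic applies to any other UDP reflector by changing the source port filter; the burst threshold, not the port, is what separates a real client from a spoofed victim.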