Re: Fwd: Re: [oVirt-Infra] : New Gateway

On Tuesday, 28 June 2016 at 10:14 -0400, Dave Neary wrote:
FYI.

----- Forwarded Message -----
From: Hervé Leclerc <herve.leclerc@alterway.fr>
To: Dave Neary <dneary@redhat.com>, Infra@ovirt.org
Cc: Arnaud CAZIN <arnaud.cazin@alterway.fr>, Stéphane Vincent <stephane.vincent@alterway.fr>
Sent: Mon, 27 Jun 2016 13:06:17 -0400 (EDT)
Subject: Re: [oVirt-Infra] : New Gateway

Hello,

Did you make the changes asked? Can you please give us a status on your actions.
I stopped rpcbind, which should solve the problem. But I wonder why we didn't get the mail the first time; it didn't appear on the list, nor in moderation.
Regards

Hervé Leclerc
CTO Alter Way
227 Bureaux de la colline
1 rue Royale - Bât. D
92210 Saint-Cloud France
*+33 141168336* +33 6 83979598

`like a halo in reverse`

On Sun, Jun 26, 2016 at 3:54 PM, Hervé Leclerc <herve.leclerc@alterway.fr> wrote:
Hello
Your VM alterway02.ovirt.org is participating in a DDoS attack. Could you please correct the problem rapidly! e.g. iptables -A INPUT -p udp --dport 111 -j DROP
Regards
Original message

A public-facing device on your network, running on IP address 89.31.150.216, operates an RPC port mapping service responding on UDP port 111 and participated in a large-scale attack against a customer of ours, generating responses to spoofed requests that claimed to be from the attack target.
Please consider reconfiguring this server in one or more of these ways:
1. Adding a firewall rule to block all access to this host's UDP port 111 at your network edge (it would continue to be available on TCP port 111 in this case).
2. Adding firewall rules to allow connections to this service (on UDP port 111) from authorized endpoints but block connections from all other hosts.
3. Disabling the port mapping service entirely (if it is not needed).
More information on this attack vector can be found at this third-party website (we did not create this content): http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/
Example responses from the host during this attack are given below. Date/timestamps (far left) are UTC.
(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "36".)
-John
President
Nuclearfallout, Enterprises, Inc. (NFOservers.com)
(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)
Hervé Leclerc
CTO Alter Way
227 Bureaux de la colline
1 rue Royale - Bât. D
92210 Saint-Cloud France
*+33 141168336* +33 6 83979598
`like a halo in reverse`
On Wed, Feb 19, 2014 at 10:46 AM, Hervé Leclerc <herve.leclerc@alterway.fr> wrote:
Hello,
Our Internet gateway is changing. Could you please change your actual gateway (*89.31.150.249*) on your machines (89.31.150.215 and 216) and vms to *89.31.150.253*

Thanks
Let us know when this modification is done.
Cheers
Hervé Leclerc
CTO Alter Way
1, rue royale 9 ème étage
92210 St Cloud
*+33 1 41 16 83 36* +33 6 83979598
--
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
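As an added illustration that is not part of the thread, the Python below parses tcpdump summary lines in the format the NFO notice quotes and tallies UDP/111 replies per (reflector, target) pair, estimating amplification against a 40-byte portmap DUMP request (an assumption: RPC call header with AUTH_NULL credentials). The sample lines are constructed; the first four mirror the notice, the last two are made up so that non-flagged traffic is visible.

```python
import re
from collections import defaultdict

# tcpdump summary format quoted in the notice:
#   <date> <time> IP <src>.<sport> > <dst>.<dport>: UDP, length <payload bytes>
LINE_RE = re.compile(r"^(\S+ \S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)$")

# Assumed UDP payload of a portmap v2 DUMP call with AUTH_NULL credentials (ten
# 32-bit words of RPC call header); used to estimate each reply's amplification.
PMAP_DUMP_REQUEST_BYTES = 40

# Constructed sample: the first four lines follow the notice (target octet masked
# as "x" there); the last two are made up to show traffic that is not flagged.
SAMPLE_LINES = """\
2016-06-25 22:46:44.588895 IP 89.31.150.216.111 > 74.201.57.x.80: UDP, length 628
2016-06-25 22:46:44.588939 IP 89.31.150.216.111 > 74.201.57.x.80: UDP, length 628
2016-06-25 22:46:45.048914 IP 89.31.150.216.111 > 74.201.57.x.80: UDP, length 628
2016-06-25 22:46:45.048963 IP 89.31.150.216.111 > 74.201.57.x.80: UDP, length 628
2016-06-25 22:46:45.100000 IP 89.31.150.216.111 > 10.0.0.5.48211: UDP, length 628
2016-06-25 22:46:45.200000 IP 89.31.150.216.22 > 10.0.0.5.48212: UDP, length 60
"""


def summarize_portmap_reflection(lines, min_responses=3):
    """Tally UDP replies sent from port 111 per (reflector, target) pair."""
    stats = defaultdict(lambda: {"responses": 0, "bytes": 0, "dports": set()})
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a UDP summary line
        _ts, src, sport, dst, dport, length = m.groups()
        if int(sport) != 111:
            continue  # only portmapper replies are of interest here
        entry = stats[(src, dst)]
        entry["responses"] += 1
        entry["bytes"] += int(length)
        entry["dports"].add(int(dport))
    flagged = {}
    for key, entry in stats.items():
        if entry["responses"] < min_responses:
            continue  # too few replies to call it reflection
        request_bytes = entry["responses"] * PMAP_DUMP_REQUEST_BYTES
        flagged[key] = {
            "responses": entry["responses"],
            "bytes": entry["bytes"],
            "dports": sorted(entry["dports"]),
            "amplification": round(entry["bytes"] / request_bytes, 1),
        }
    return flagged
```

Replies landing on a port the target never queried from (port 80 here) are the tell-tale of spoofed requests; the per-pair byte totals are what an operator needs when deciding between the three remediations in the notice.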

Quack,
Subject: Re: [oVirt-Infra] : New Gateway
This is not a subject I can see in the whole 2016 archive. So wonder where this comes from.

\_o<

On Wed, Jun 29, 2016 at 01:38:16AM +0900, Marc Dequènes (Duck) wrote:
Subject: Re: [oVirt-Infra] : New Gateway
This is not a subject I can see in the whole 2016 archive. So wonder where this comes from.
http://lists.ovirt.org/pipermail/infra/2014-February/005468.html is the mail you're looking for.

Is the ovirt-infra list set to reject email from non-members? That would result in the behaviour you describe (and would be an error that would need to be fixed).

Thanks,
Dave.

On 06/28/2016 10:24 AM, Michael Scherer wrote:
--
Dave Neary - NFV/SDN Community Strategy
Open Source and Standards, Red Hat - http://community.redhat.com
Ph: +1-978-399-2182 / Cell: +1-978-799-3338
participants (4)
- Dave Neary
- Ewoud Kohl van Wijngaarden
- Marc Dequènes (Duck)
- Michael Scherer