Level3.com DoS attack using TCP/UDP Chargen

jobeard

Posts: 13,959   +1,774
As shown below from my router log, Level3.com is engaged in in flooding TCP/UDP Chargen requests. My router has SPI support and thus caught these events

I'm showing just ONE, but the log has many:
[DoS Attack: TCP/UDP Chargen] from source: 4.79.142.206, port 43573, Friday, August 16, 2019 15:22:37
now take the IP and find out where it came from
$ whois -H 4.79.142.206

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# Copyright 1997-2019, American Registry for Internet Numbers, Ltd.
#


NetRange: 4.0.0.0 - 4.127.255.255
CIDR: 4.0.0.0/9
NetName: LVLT-ORG-4-8
NetHandle: NET-4-0-0-0-1
Parent: NET4 (NET-4-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Level 3 Parent, LLC (LPL-141)
RegDate: 1992-12-01
Updated: 2019-07-17
Ref: https://rdap.arin.net/registry/ip/4.0.0.0

OrgName: Level 3 Parent, LLC
OrgId: LPL-141
Address: 100 CenturyLink Drive
City: Monroe
StateProv: LA
PostalCode: 71203
Country: US
RegDate: 2018-02-06
Updated: 2018-02-22
Ref: https://rdap.arin.net/registry/entity/LPL-141

OrgAbuseHandle: IPADD5-ARIN
OrgAbuseName: ipaddressing
OrgAbusePhone: +1-877-453-8353
OrgAbuseEmail: ipaddressing@level3.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/IPADD5-ARIN


OrgTechHandle: IPADD5-ARIN
OrgTechName: ipaddressing
OrgTechPhone: +1-877-453-8353
OrgTechEmail: ipaddressing@level3.com
OrgTechRef: https://rdap.arin.net/registry/entity/IPADD5-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
 
  • Like
Reactions: Gabriel Pike

jobeard

Posts: 13,959   +1,774
  • Thread Starter Thread Starter
  • #3
SPI:- Stateful Packet Inspection.
eg: looking to see that the first packet was received when the current packet is number two. If not, then reject packet two and await number one.

NAT & SPI are common features of any modern router.
 

MattS

Posts: 666   +180
SPI:- Stateful Packet Inspection.
eg: looking to see that the first packet was received when the current packet is number two. If not, then reject packet two and await number one.



NAT & SPI are common features of any modern router.
Ahh, I've heard of stateless and stateful on firewalls but never on routers then again every router has its own firewall so makes sense.
 

Gabriel Pike

Posts: 237   +61
In Mikrotik land you can do this in the rules you write. SPI occurs in the connection tracking layer of the router. I regularly use this in conjunction with address lists to create ban lists of IP addresses.The list can be exported and shared to the entire network creating a dynamic ACL group shared between all routers. This can be done with accepted traffic and invalid/rejected traffic.
 

Gabriel Pike

Posts: 237   +61
It looks like that is a single IP address belonging to Level 3. It could be a leased IP address by some other organization or individual. I am curious do you get this from multiple IP addresses in that subnet range?
 

jobeard

Posts: 13,959   +1,774
  • Thread Starter Thread Starter
  • #7
While the attack is underway, it's a solo IP. Later, it arrives from other subnets, including ... Russia & China.