
Level3.com DoS attack using TCP/UDP Chargen

By jobeard · 8 replies
Aug 17, 2019
  1. As shown below from my router log, Level3.com is engaged in flooding TCP/UDP Chargen requests. My router has SPI support and thus caught these events.

    I'm showing just ONE, but the log has many:
    now take the IP and find out where it came from
     
  2. MattS

    MattS TS Evangelist Posts: 589   +152

    What's SPI support, if you don't mind me asking @jobeard?
     
  3. jobeard

    jobeard TS Ambassador Topic Starter Posts: 13,112   +1,593

    SPI: Stateful Packet Inspection.
    e.g. looking to see that the first packet was received when the current packet is number two. If not, then reject packet two and await number one.

    NAT & SPI are common features of any modern router.
     
  4. MattS

    MattS TS Evangelist Posts: 589   +152

    Ahh, I've heard of stateless and stateful on firewalls but never on routers; then again, every router has its own firewall, so it makes sense.
     
  5. Gabriel Pike

    Gabriel Pike TS Booster Posts: 167   +41

    In Mikrotik land you can do this in the rules you write. SPI occurs in the connection tracking layer of the router. I regularly use this in conjunction with address lists to create ban lists of IP addresses. The list can be exported and shared to the entire network, creating a dynamic ACL group shared between all routers. This can be done with accepted traffic and invalid/rejected traffic.
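The stateful filtering jobeard describes in reply 3 and the connection-tracking plus address-list ban pattern Gabriel Pike describes in this reply can be modelled in a few dozen lines. The Python below is an added illustration, not code from either poster or from MikroTik: it simulates a router that accepts WAN packets only when they belong to a connection a LAN host opened, counts unsolicited hits such as chargen (TCP/UDP port 19, per RFC 864) requests per source, moves repeat offenders onto a timed ban list, and exports that list so other routers could import it. All addresses and packets are constructed; the `ban_after` and `ban_timeout` thresholds are arbitrary choices.

```python
"""Minimal model of a stateful (SPI) packet filter with a dynamic ban list.

Constructed example: packets and the 'router' live in memory only;
nothing here touches a real network interface.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

CHARGEN_PORT = 19  # TCP/UDP chargen service (RFC 864)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str        # post-NAT view: the LAN host, not the router's public IP
    dport: int
    inbound: bool   # True = arrived on the WAN side


# (proto, client, client port, server, server port) as seen from the LAN side
FlowKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Connection tracking + address-list ban (assumed thresholds, not vendor defaults)."""

    def __init__(self, lan_hosts: Set[str], ban_after: int = 3, ban_timeout: int = 86400):
        self.lan_hosts = lan_hosts
        self.flows: Set[FlowKey] = set()       # connections the LAN initiated
        self.strikes: Dict[str, int] = {}      # unsolicited hits per WAN source
        self.ban_list: Dict[str, int] = {}     # src -> expiry time (seconds)
        self.ban_after = ban_after
        self.ban_timeout = ban_timeout
        self.log: List[str] = []

    def _key(self, p: Packet) -> FlowKey:
        # Normalise so an inbound reply is looked up under the outbound key.
        if p.inbound:
            return (p.proto, p.dst, p.dport, p.src, p.sport)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def handle(self, p: Packet, now: int = 0) -> str:
        """Return 'accept' or 'drop' for one packet and update tracking state."""
        # Expire stale bans first (an address-list timeout behaves this way).
        for src, expiry in list(self.ban_list.items()):
            if expiry <= now:
                del self.ban_list[src]

        if p.inbound and p.src in self.ban_list:
            return "drop"                      # already on the ban list

        if not p.inbound and p.src in self.lan_hosts:
            self.flows.add(self._key(p))       # outbound traffic creates state
            return "accept"

        if p.inbound and self._key(p) in self.flows:
            return "accept"                    # established/related reply

        # Anything else from the WAN is unsolicited: no state exists for it.
        self.strikes[p.src] = self.strikes.get(p.src, 0) + 1
        self.log.append(f"SPI drop {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        if self.strikes[p.src] >= self.ban_after:
            self.ban_list[p.src] = now + self.ban_timeout
            self.log.append(f"ban {p.src} for {self.ban_timeout}s")
        return "drop"

    def export_ban_list(self) -> List[str]:
        """Ban list in a form another router could import (shared dynamic ACL)."""
        return sorted(self.ban_list)


def demo() -> StatefulFilter:
    """Constructed trace: one legitimate DNS exchange, then a chargen flood."""
    f = StatefulFilter(lan_hosts={"192.168.1.10"})
    # LAN host queries a resolver; the reply matches state and is accepted.
    f.handle(Packet("udp", "192.168.1.10", 40000, "198.51.100.53", 53, inbound=False), now=0)
    f.handle(Packet("udp", "198.51.100.53", 53, "192.168.1.10", 40000, inbound=True), now=1)
    # Unsolicited chargen requests from one WAN source (documentation address).
    for t in range(4):
        f.handle(Packet("tcp", "203.0.113.7", 50000 + t, "192.168.1.10",
                        CHARGEN_PORT, inbound=True), now=2 + t)
    return f


if __name__ == "__main__":
    router = demo()
    print("\n".join(router.log))
    print("ban list:", router.export_ban_list())
```

In the `demo()` trace the DNS reply passes because state exists for it, the first three chargen requests are logged as SPI drops, the third strike puts the source on the ban list, and the fourth request is dropped without further logging. On RouterOS the same behaviour is expressed with firewall filter rules keyed on `connection-state` (drop `invalid`, accept `established,related`) and an `action=add-src-to-address-list` rule with an `address-list-timeout`, which is the address-list mechanism Gabriel Pike refers to.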
     
  6. Gabriel Pike

    Gabriel Pike TS Booster Posts: 167   +41

    It looks like that is a single IP address belonging to Level 3. It could be an IP address leased by some other organization or individual. I am curious: do you get this from multiple IP addresses in that subnet range?
     
  7. jobeard

    jobeard TS Ambassador Topic Starter Posts: 13,112   +1,593

    While the attack is underway, it's a solo IP. Later, it arrives from other subnets, including ... Russia & China.
     
  8. Gabriel Pike

    Gabriel Pike TS Booster Posts: 167   +41

    You can report your findings to Level 3. There may be a pivot point on their network somewhere.
     
  9. jobeard

    jobeard TS Ambassador Topic Starter Posts: 13,112   +1,593

    First thing I did :)
     
