
My company recently received an email from Amazon which notified us of malicious activities occurring on our running EC2 Instance.

The email states: We observed machines under your control participating in a DDoS attack targeting Google IPs.

The attack was a UDP amplification attack. In this attack, a UDP-based service is abused to attack others, wasting your bandwidth and computing resources.

I am fairly new to all of this stuff in addition to AWS and have no idea as to where to start. What should be the first steps for me to take to mitigate this?

After running the commands from @ximaera:

Davids-MacBook-Pro:~ davidpham$ ntpdc -nc monlist *ip*
*ip*: timed out, nothing received
***Request timed out
Davids-MacBook-Pro:~ davidpham$ dig @ip +edns=0 +ignore com ANY

<<>> DiG 9.10.6 <<>> @ip +edns=0 +ignore com ANY
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Davids-MacBook-Pro:~ davidpham$ 

This was the output I received. Am I missing something?

1 Answer

Generally, there's a long list of servers and protocols vulnerable to UDP amplification. A few command line calls to determine the presence of some of the most prominent amplification vectors might be found here. All the commands are better invoked remotely. E.g. if your server is 192.0.2.1, then, to check for an NTP amplifier, you do

ntpdc -nc monlist 192.0.2.1

from your laptop or an adjacent datacenter machine.

I'd recommend checking NTP and DNS first, and if there's no match, then diving into details.

tcpdump -ni any udp on the server itself will definitely help you to dive in. If you're able to spot any traffic you don't expect to see in the dump, you can then track down the vulnerable application listening on the port seen in the dump by looking at (or grepping) the output of ss -lpn.


EDIT. So now, as you've provided the IP address of your server, I've been able to check it myself, and it turns out you have a PORTMAP amplifier active:

$ rpcinfo -T udp $ip | wc -l
      17
$

So you basically needed to go through the rest of the checks past DNS and NTP ones.

The fix is obviously to disable the port mapper (here's how you do it on Debian/Ubuntu) or at least block access to port 111/UDP via a firewall.
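The "look at ss -lpn" step above, as an added example that is not part of ximaera's answer: a small POSIX shell function that reads the output of `ss -lunp` (listening UDP sockets with their owning processes; run it as root over SSH on the EC2 instance itself, not on your Mac) and flags ports belonging to services commonly abused as UDP amplifiers. The port table, the function names and the two `ss` samples are my own assumptions for illustration; the samples are constructed and were not captured from the asker's instance.

```shell
#!/bin/sh
# Added example, not from the original answer. Pipe `ss -lunp` (as root, on the
# instance) into audit_udp_listeners; it prints "port process reason" for every
# listener on a port that is a well-known UDP amplification vector.
# Exit status: 0 when nothing suspicious is listening, 1 when at least one
# suspect listener was printed, so the function works as a check in a script.
#
# Real use on the instance:   ss -lunp | audit_udp_listeners

audit_udp_listeners() {
    awk '
    BEGIN {
        # port -> why it matters (assumed table of common amplification vectors)
        known[19]    = "chargen"
        known[53]    = "dns (open resolver, ANY queries)"
        known[111]   = "portmap/rpcbind (rpcinfo dump)"
        known[123]   = "ntp (monlist)"
        known[161]   = "snmp (GetBulk)"
        known[1900]  = "ssdp (M-SEARCH)"
        known[11211] = "memcached"
        found = 0
    }
    $1 == "UNCONN" {
        # $4 is Local Address:Port; the port is whatever follows the last colon,
        # which also copes with the IPv6 forms [::]:111 and *:111
        n = split($4, parts, ":")
        port = parts[n]
        if (port in known) {
            proc = "unknown"
            # Process column looks like users:(("rpcbind",pid=452,fd=5),...);
            # without root ss omits it, hence the "unknown" fallback
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            printf "%s %s %s\n", port, proc, known[port]
            found++
        }
    }
    END { exit (found > 0) }
    '
}

# Constructed sample of `ss -lunp` output (not captured from any real host).
# rpcbind on 111 (IPv4 and IPv6) and ntpd on 123 should be flagged; the DHCP
# client on 68 and the loopback-only high port should not.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
UNCONN  0       0              0.0.0.0:68          0.0.0.0:*      users:(("dhclient",pid=401,fd=6))
UNCONN  0       0              0.0.0.0:111         0.0.0.0:*      users:(("rpcbind",pid=452,fd=5),("systemd",pid=1,fd=31))
UNCONN  0       0                 [::]:111            [::]:*      users:(("rpcbind",pid=452,fd=7),("systemd",pid=1,fd=33))
UNCONN  0       0              0.0.0.0:123         0.0.0.0:*      users:(("ntpd",pid=510,fd=16))
UNCONN  0       0            127.0.0.1:40123       0.0.0.0:*      users:(("someapp",pid=777,fd=3))
EOF
}

# Constructed sample of a host with no amplification-prone UDP listeners.
sample_clean_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
UNCONN  0       0              0.0.0.0:68          0.0.0.0:*      users:(("dhclient",pid=401,fd=6))
EOF
}

# Stand-alone run: audit the constructed sample and show what gets flagged.
if sample_ss_output | audit_udp_listeners; then
    echo "no amplification-prone UDP listeners found"
fi
```

A hit on 111 owned by rpcbind is exactly the portmap amplifier found above; on Debian/Ubuntu, `systemctl disable --now rpcbind.socket rpcbind.service` stops it, and on EC2 the inbound rule for UDP 111 can be removed from the instance's security group in the AWS console or CLI without involving Amazon support. The table is deliberately a list of ports, not process names, because the same port can be served by different daemons; confirm each hit with the remote checks in the answer (rpcinfo, ntpdc, dig) before and after the fix.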

  • Thank you for replying. Would I run these commands as normal queries in the terminal through to the server? Please note that I am completely brand new to this stuff.
    – David Pham
    Commented Oct 8, 2018 at 21:30
  • Basically the command you gave me: tcpdump -ni any udp works on the terminal on my mac. How would i run that command for the amazon instance/server in which the problem exists?
    – David Pham
    Commented Oct 8, 2018 at 22:48
  • As for 17, it is the number of lines of data you get in return for a short data request, which actually goes for the amplifying "feature".
    – ximaera
    Commented Oct 10, 2018 at 22:43
  • After running rpcinfo -T udp without the "| wc -l" it gives me a list. Can you explain to me what this list is? Are they all portmappers?
    – David Pham
    Commented Oct 10, 2018 at 22:47
  • Another question is: The server is an instance of Amazon's EC2/AWS service. If you know anything about it, is there a way for me to disable this port or would I have to contact Amazon?
    – David Pham
    Commented Oct 10, 2018 at 22:58