So that list of IP (Internet Protocol) addresses I listed yesterday [1] … it turns out they weren't the attackers, but the victims! And I was unwittingly helping to facilitate a DDoS (Distributed Denial of Service) amplification attack.
Sigh.
When we left off yesterday, I had modified my QOTD (Quote of the Day) server to log the IP address, port number, and the incoming UDP (User Datagram Protocol) packet to help figure out what the heck was going on. So pretty much off the bat, I'm seeing this (which goes on for nearly 4,000 entries):
38.21.240.153:6951 "\001"
38.21.240.153:7333 "\001"
38.21.240.153:37152 "\001"
38.21.240.153:6951 "\001"
38.21.240.153:7333 "\001"
38.21.240.153:37152 "\001"
38.21.240.153:6951 "\001"
38.21.240.153:7333 "\001"
38.21.240.153:37152 "\001"
What had me puzzled are the ports—I wasn't familiar with them. It may be that port 6951 deals with online transaction processing [2], port 7333 seems to have something to do with the Swiss Exchange [3], and nothing at all about port 37152. It's not exactly looking good, but the ports being attacked are rather all over the place (I'm only going to list two of the attacked IP addresses—there are more though):
Table: Ports being attacked

host address     port number  requests
--------------------------------------
38.21.240.153    10947        1508
38.21.240.153    11860        1425
38.21.240.153    14485        1420
38.21.240.153    65033        1418
38.21.240.153    4625         1409
38.21.240.153    4808         1401
38.21.240.153    37152        1400
38.21.240.153    65277        1394
38.21.240.153    27683        1389
38.21.240.153    17615        1389
38.21.240.153    48235        1388
38.21.240.153    27227        1386
38.21.240.153    14503        1386
38.21.240.153    43174        1385
38.21.240.153    43069        1377
38.21.240.153    47040        1372
38.21.240.153    6991         1370
38.21.240.153    18235        1369
38.21.240.153    57696        1360
38.21.240.153    7333         1233
38.21.240.153    6951         1204
38.21.240.153    36965        1171
38.21.240.153    16306        1139
47.99.152.166    47673        145
47.99.152.166    39606        144
47.96.172.52     48309        142
47.96.172.52     46769        142
47.107.64.105    59669        142
47.107.64.105    35763        142
47.107.64.105    22100        141
47.99.152.166    4302         140
47.107.64.105    53336        140
47.99.152.166    35758        138
47.96.172.52     44529        138
47.96.172.52     26878        138
47.107.64.105    52337        138
--------------------------------------
host address     port number  requests
A lot of the ports are high values, which tend not to have defined services and are typically used for outbound requests to a service, like making a request to a QOTD service.
The data being sent is just a single byte, which is all that's really needed for the QOTD protocol [4] to return a quote via UDP. So this looks like legitimate traffic, except for the volume.
But as I kept searching for “QOTD attacks” I kept coming across UDP amplification attacks [5] (more of the same [6]). It appears that the vast majority of traffic is forged (it's easy enough to forge UDP packets), and because QOTD sends more data than it receives, it's a rather cheap method to attack a target with a ton of traffic regardless of what the attacked machine is being used for (and my UDP-based server probably isn't the only one unwittingly facilitating this attack).
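As an added illustration (not code from the original post), here is a small Python script that parses the log format shown above, separates source addresses that look like spoofed reflection targets (one address appearing on many different ephemeral ports) from the low-volume probes, and computes how much a QOTD reflector amplifies a one-byte request for a quote of a given length. The sample log lines and the probe address 203.0.113.9 are constructed; the thresholds are assumptions to tune against real logs.

```python
import re
from collections import defaultdict

# Constructed sample in the post's log format: "source IP:port" followed by
# the received payload, quoted with octal escapes (\001 is one byte).
SAMPLE_LOG = r'''
38.21.240.153:6951 "\001"
38.21.240.153:7333 "\001"
38.21.240.153:37152 "\001"
38.21.240.153:6951 "\001"
38.21.240.153:7333 "\001"
203.0.113.9:40001 "\001"
'''

LINE_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s+"(.*)"$')
ESCAPE_RE = re.compile(r'\\[0-9]{1,3}|\\.|.')  # one match per payload byte

def parse_log(text):
    """Return a (source_ip, source_port, payload_bytes) tuple per log line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, port, payload = m.groups()
            records.append((ip, int(port), len(ESCAPE_RE.findall(payload))))
    return records

def amplification_factor(request_payload, response_payload, headers=28):
    """Bytes the reflector emits per byte it receives. headers=0 compares
    payloads only; 28 adds the IPv4 (20) + UDP (8) headers of each datagram."""
    return (headers + response_payload) / (headers + request_payload)

def suspected_victims(records, min_requests=3, min_ports=2):
    """Sources that 'sent' many requests from many different ports. A real
    client reuses one socket; spoofed packets carry the target's address, so
    the reflected quotes land there. Returns {ip: (requests, distinct_ports)}."""
    by_ip = defaultdict(list)
    for ip, port, _ in records:
        by_ip[ip].append(port)
    return {ip: (len(ports), len(set(ports))) for ip, ports in by_ip.items()
            if len(ports) >= min_requests and len(set(ports)) >= min_ports}

def probe_sources(records, max_requests=4):
    """Sources with only a handful of requests: the reflector-scanning pattern
    the post describes (one to four requests per host, then silence)."""
    counts = defaultdict(int)
    for ip, _, _ in records:
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n <= max_requests)
```

Run against the full log, the victim function reproduces the "Ports being attacked" table (one address, dozens of ports, thousands of requests), while the probe function picks out the one-to-four-request hosts from the second table.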
A bit more research revealed a few servers that made a request (or a very small number of requests):
Table: Requests to the UDP QOTD server

host address     requests  first request
----------------------------------------
74.82.47.61      2         May 03
185.94.111.1     4         May 04
74.82.47.37      1         May 04
74.82.47.17      1         May 05
71.6.233.171     1         May 06
74.82.47.29      1         May 06
104.152.52.39    1         May 07
74.82.47.57      2         May 07
74.82.47.33      1         May 08
206.189.86.188   1         May 10
74.82.47.49      1         May 10
----------------------------------------
host address     requests  first request
I'm guessing these machines made the query to see if my machine could be used for a UDP DDoS amplification attack, and would periodically check back to see if such attacks could continue from my server, which would explain the periodic nature of the deluge of traffic I saw (they weren't continuous but would happen in very random bursts). I also suspect there may be two different groups doing an attack, given the volume of traffic to certain targets.
It was also amusing to see 104.152.52.39 attempt to spam me with email, and attempt to log in via ssh on the 7th as well.
I've since disabled the UDP protocol on my QOTD server. Sigh. This is why we can't have nice things on the Intarwebs.
[2] https://en.wikipedia.org/wiki/Online_transaction_processing
[3] https://www.speedguide.net/port.php?port=7333
[4] https://www.ietf.org/rfc/rfc865.txt
[5] https://christian-rossow.de/articles/Amplification_DDoS.php