Compromised host used for an attack: 80.76.43.34 [~57.1 Mbps]

An IP address (80.76.43.34) under your control appears to have attacked one of our customers as part of a coordinated DDoS botnet. We manually reviewed the captures from this attack and do not believe that your IP address was spoofed, based on the limited number of distinct hosts attacking us, the fact that many of the attacking IP addresses are identical to ones we've seen in the past, and the non-random distribution of IP addresses.
  
It is possible that this host is one of the following, from the responses that others have sent us:

- A compromised router, such as a D-Link that is running with WAN access enabled; a China Telecom which still allows a default admin username and password; a Netis, with a built-in internet-accessible backdoor (http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/); or one running an old AirOS version with a vulnerable and exposed administrative interface
- An IPTV device that is vulnerable to compromise (such as HTV), either directly through the default firmware or through a trojanized downloaded app
- A compromised webhost, such as one running a vulnerable version of Drupal (for instance, using the vulnerability discussed at https://groups.drupal.org/security/faq-2018-002), WordPress, phpMyAdmin, or zPanel
- A compromised DVR, such as a "Hikvision" brand device (ref: https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/security-notification-command-injection-vulnerability-in-some-hikvision-products/)
- A compromised IPMI device, such as one made by Supermicro (possibly because it uses the default username/password of ADMIN/ADMIN or because its password was found through an exploit described at http://arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/)
- A compromised Xerox-branded device
- Some other compromised standalone device
- A server with an insecure password that was brute-forced, such as through SSH or RDP
- A server running an improperly secured Hadoop installation
- A server running a pre-13.10.3 GitLab instance that is vulnerable to CVE-2021-22205
- A compromised Microsoft DNS server (through the July 2020 critical vulnerability)

The overall botnet attack was Nx10Gbps in size (with traffic from your host as well as some others) and caused significant packet loss for our clients due to external link saturation. It required an emergency null-route operation on our side to mitigate.

Attacks like this are usually made very short, intentionally, so that they are not as noticeable and slip past certain automatic mitigation systems. From your side, you would be able to observe the attack as a burst of traffic that likely saturated the network adapter of the source device for perhaps 30 seconds. Since the source device is a member of a botnet that is being used for many attacks, you will see many other mysterious bursts of outbound traffic, as well.

This is example traffic from the IP address, as interpreted by the "tcpdump" utility and captured by our router during the attack. Source and destination IP addresses, protocols, and ports are included.

Date/timestamps (at the very left) are UTC.

2023-07-22 17:18:19.923194 IP (tos 0x0, ttl 51, id 17119, offset 0, flags [DF], proto UDP (17), length 1428)
    80.76.43.34.47900 > 216.52.148.x.53: 3115 zoneRef% [b2&3=0x7afc] [43781a] [8440q] [23624n] [12438au][|domain]
	0x0000:  4500 0594 42df 4000 3311 17cd 504c 2b22  E...B.@.3...PL+"
	0x0010:  d834 940a bb1c 0035 0580 73b9 0c2b 7afc  .4.....5..s..+z.
	0x0020:  20f8 ab05 5c48 3096 75dc b1ce e4ac bee3  ....\H0.u.......
	0x0030:  4b22 8eb9 8eef e8ad 32dc faed e594 35fb  K"......2.....5.
	0x0040:  b26d 6133 cf60 1fd9 922c 3fe2 8c1e fab5  .ma3.`...,?.....
	0x0050:  7cf9                                     |.
2023-07-22 17:18:20.081576 IP (tos 0x0, ttl 51, id 52954, offset 0, flags [DF], proto UDP (17), length 1428)
    80.76.43.34.47900 > 216.52.148.x.53: 17650 updateDA NotAuth|$ [34584q],[|domain]
	0x0000:  4500 0594 ceda 4000 3311 8bd1 504c 2b22  E.....@.3...PL+"
	0x0010:  d834 940a bb1c 0035 0580 a45c 44f2 daa9  .4.....5...\D...
	0x0020:  8718 6d71 ee87 c247 cde2 3dc9 7c61 0bb7  ..mq...G..=.|a..
	0x0030:  3afe bbae f4e1 15fd 115f 18db 8fc5 f437  :........_.....7
	0x0040:  65a7 cf46 09f4 8714 5fc1 7e0d c2a5 379c  e..F...._.~...7.
	0x0050:  aecd                                     ..
2023-07-22 17:18:20.085481 IP (tos 0x0, ttl 51, id 53924, offset 0, flags [DF], proto UDP (17), length 1428)
    80.76.43.34.47900 > 216.52.148.x.53: 48246 zoneInit% [b2&3=0x747f] [41350a] [32163q] [30176n] [25748au][|domain]
	0x0000:  4500 0594 d2a4 4000 3311 8807 504c 2b22  E.....@.3...PL+"
	0x0010:  d834 940a bb1c 0035 0580 19cc bc76 747f  .4.....5.....vt.
	0x0020:  7da3 a186 75e0 6494 3932 c2fb 6b7a df27  }...u.d.92..kz.'
	0x0030:  a68f eeac 06b5 3a1f 221f 83f5 db2f 5329  ......:."..../S)
	0x0040:  e806 18f1 480f 403b 0d7d d7d6 fbbd 4a66  ....H.@;.}....Jf
	0x0050:  9cd8                                     ..
2023-07-22 17:18:20.111483 IP (tos 0x0, ttl 51, id 60321, offset 0, flags [DF], proto UDP (17), length 1428)
    80.76.43.34.47900 > 216.52.148.x.53: 50434 op7 YXDomain-|$ [31653q][|domain]
	0x0000:  4500 0594 eba1 4000 3311 6f0a 504c 2b22  E.....@.3.o.PL+"
	0x0010:  d834 940a bb1c 0035 0580 4113 c502 ba36  .4.....5..A....6
	0x0020:  7ba5 5c5b e195 bc28 b303 c6ba 0492 8c5c  {.\[...(.......\
	0x0030:  9393 45e2 a701 9a2e 5c44 cba4 73fe ef9c  ..E.....\D..s...
	0x0040:  763f f852 b79b 91ac ddc3 8652 98b3 79b1  v?.R.......R..y.
	0x0050:  4e29                                     N)
2023-07-22 17:18:20.223120 IP (tos 0x0, ttl 51, id 21411, offset 0, flags [DF], proto UDP (17), length 1428)
    80.76.43.34.47900 > 216.52.148.x.53: 45915% [b2&3=0x214] [57795a] [7982q] [44500n] [19503au][|domain]
	0x0000:  4500 0594 53a3 4000 3311 0709 504c 2b22  E...S.@.3...PL+"
	0x0010:  d834 940a bb1c 0035 0580 a9f4 b35b 0214  .4.....5.....[..
	0x0020:  1f2e e1c3 add4 4c2f 95be 847a b5ad 5d7c  ......L/...z..]|
	0x0030:  f7e5 06b6 26a6 a6ff 51df 89a0 f0fe 2831  ....&...Q.....(1
	0x0040:  7f8c 80b0 df9b dd7a 82b0 4094 8403 e9e2  .......z..@.....
	0x0050:  d288                                     ..

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "10".)

Based on the size, number of samples, and timestamps of received packets from your host in our capture, we estimate that your host was sending 57.1 Mbps of attack traffic at the peak of this coordinated attack. The peak of the attack may have lasted only a few seconds. (Most traffic graphing systems show numbers that are averaged over 30s or 5m, so the attack may appear smaller in such a system; our estimate is generally accurate as a minimum bound.)
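As an added illustration (not part of this notice or NFOservers' tooling), the following parser reads tcpdump header lines of the form shown above, groups packets by source, counts oversized UDP packets to port 53 (the pattern in this capture) and reports the rate observed over the sampled span. The sample lines are constructed from the capture above with the hex-dump lines dropped; the rate it yields from five sampled packets is only a lower bound and is far below the 57.1 Mbps peak estimated from the full capture.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the five header pairs from the notice (hex-dump lines dropped).
SAMPLE = """\
2023-07-22 17:18:19.923194 IP (tos 0x0, ttl 51, id 17119, offset 0, flags [DF], proto UDP (17), length 1428)
    80.76.43.34.47900 > 216.52.148.x.53: 3115 zoneRef% [|domain]
2023-07-22 17:18:20.081576 IP (tos 0x0, ttl 51, id 52954, offset 0, flags [DF], proto UDP (17), length 1428)
    80.76.43.34.47900 > 216.52.148.x.53: 17650 updateDA NotAuth|$ [|domain]
2023-07-22 17:18:20.085481 IP (tos 0x0, ttl 51, id 53924, offset 0, flags [DF], proto UDP (17), length 1428)
    80.76.43.34.47900 > 216.52.148.x.53: 48246 zoneInit% [|domain]
2023-07-22 17:18:20.111483 IP (tos 0x0, ttl 51, id 60321, offset 0, flags [DF], proto UDP (17), length 1428)
    80.76.43.34.47900 > 216.52.148.x.53: 50434 op7 YXDomain-|$ [|domain]
2023-07-22 17:18:20.223120 IP (tos 0x0, ttl 51, id 21411, offset 0, flags [DF], proto UDP (17), length 1428)
    80.76.43.34.47900 > 216.52.148.x.53: 45915% [|domain]
"""

HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP \(.*proto (\w+) \(\d+\), length (\d+)\)$")
FLOW = re.compile(r"^\s+(\S+)\.(\d+) > (\S+)\.(\d+):")  # a masked octet such as 148.x still matches

def parse_tcpdump(text):
    """Return (ts, proto, ip_len, src, sport, dst, dport) per packet; hex-dump lines are skipped."""
    pkts, pending = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2), int(m.group(3)))
            continue
        f = FLOW.match(line)
        if f and pending:
            ts, proto, length = pending
            pkts.append((ts, proto, length, f.group(1), int(f.group(2)), f.group(3), int(f.group(4))))
            pending = None
    return pkts

def summarise(pkts, dport=53, min_len=512):
    """Per source: packet/byte counts, oversized UDP-to-dport count, and Mbps over the sampled span (a lower bound)."""
    by_src = defaultdict(list)
    for p in pkts:
        by_src[p[3]].append(p)
    out = {}
    for src, ps in by_src.items():
        span = (max(p[0] for p in ps) - min(p[0] for p in ps)).total_seconds()
        nbytes = sum(p[2] for p in ps)
        big = sum(1 for p in ps if p[1] == "UDP" and p[6] == dport and p[2] > min_len)
        out[src] = {"packets": len(ps), "bytes": nbytes, "oversized_udp_to_port": big,
                    "mbps": round(nbytes * 8 / span / 1e6, 3) if span > 0 else None}
    return out
```

Run it over your own capture of the same window (for example the text output of `tcpdump -v -n` filtered to the suspected host) with `summarise(parse_tcpdump(text))`; a source whose packets are almost all oversized UDP to port 53 with unparseable DNS payloads is the signature this notice describes.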

-John
President
NFOservers.com

(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)