mizban97
March 8th, 2017, 12:50
سلام خدمت دوستان روز بخیر.
امروز برای یکی از سرور های هتزنر ابیوز زیر اومد و آیپی روتر مسدود کردند.
فکر کنم مربوط میشه dns ddos چطور میشه تو میکروتیک جلوش گرفت؟
آیا باید پورت 53 کاملا بسته بشه یا راه دیگری دارد؟
ممنون میشم راهنمایی کنید.
با تشکر
We have received information regarding spam and/or abuse from reports@reports.cert-bund.de.
Please would you take all necessary measures to avoid this in the future.
We also request that you send a short response within 24 hours to us and to the person who filed the complaint. This response should contain information about how this could have happened and what you intend to do about it.
Information:
Dear Sir or Madam,
CERT-Bund received complaints concerning systems hosted on your
network which *actively* participated in DDoS attacks against
third parties.
The DDoS reflection attacks were performed by abusing UDP-based
services openly accessible from the Internet (DNS open-resolvers,
NTP servers with the 'monlist' feature enabled, openly accessible
SNMP servers, etc.).
Please find below a list of systems on your network which actively
participated in the DDoS attacks. The timestamp (timezone UTC)
indicates when the first attack packet was sent by the respective
system. Additionally, each records includes the source port and
type of service abused.
Many of the services abused for the attacks have already been
reported to you by CERT-Bund on a regular basis for a longer time
and we kept asking you to close the services to prevent them
from being abused for DDoS attacks.
We would now like to ask you to check this issue and *immediately*
take appropriate action to prevent further abuse of the services
for DDoS attacks against third parties.
Additional information on this notification and advice on how to
secure the open services (HOWTOs) available at:
<https://reports.cert-bund.de/en/>
This message is digitally signed using PGP. Information on the
signature key is available at the aforementioned URL.
Please note:
This is an automatically generated message.
Replying to the sender address is not possible.
In case of questions, please contact
keeping the ticket number of this message in the subject line.
!! Please make sure to read our HOWTOs and FAQ available at
!! <https://reports.cert-bund.de/en/> first.
Kind regards
Team CERT-Bund
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Federal Office for Information Security
Referat CK22 - CERT-Bund
Godesberger Allee 185-189, D-53175 Bonn, Germany
================================================== ====================
Affected systems on your network:
Format: ASN | IP address | Timestamp (UTC) | Source port | Service
24940 | IP | 2017-03-03 03:03:01 | 53 | dns
24940 | IP | 2017-03-03 02:46:03 | 53 | dns
24940 | IP | 2017-03-03 02:46:03 | 53 | dns
24940 | IP | 2017-03-03 02:30:01 | 53 | dns
امروز برای یکی از سرور های هتزنر ابیوز زیر اومد و آیپی روتر مسدود کردند.
فکر کنم مربوط میشه dns ddos چطور میشه تو میکروتیک جلوش گرفت؟
آیا باید پورت 53 کاملا بسته بشه یا راه دیگری دارد؟
ممنون میشم راهنمایی کنید.
با تشکر
We have received information regarding spam and/or abuse from reports@reports.cert-bund.de.
Please would you take all necessary measures to avoid this in the future.
We also request that you send a short response within 24 hours to us and to the person who filed the complaint. This response should contain information about how this could have happened and what you intend to do about it.
Information:
Dear Sir or Madam,
CERT-Bund received complaints concerning systems hosted on your
network which *actively* participated in DDoS attacks against
third parties.
The DDoS reflection attacks were performed by abusing UDP-based
services openly accessible from the Internet (DNS open-resolvers,
NTP servers with the 'monlist' feature enabled, openly accessible
SNMP servers, etc.).
Please find below a list of systems on your network which actively
participated in the DDoS attacks. The timestamp (timezone UTC)
indicates when the first attack packet was sent by the respective
system. Additionally, each records includes the source port and
type of service abused.
Many of the services abused for the attacks have already been
reported to you by CERT-Bund on a regular basis for a longer time
and we kept asking you to close the services to prevent them
from being abused for DDoS attacks.
We would now like to ask you to check this issue and *immediately*
take appropriate action to prevent further abuse of the services
for DDoS attacks against third parties.
Additional information on this notification and advice on how to
secure the open services (HOWTOs) available at:
<https://reports.cert-bund.de/en/>
This message is digitally signed using PGP. Information on the
signature key is available at the aforementioned URL.
Please note:
This is an automatically generated message.
Replying to the sender address is not possible.
In case of questions, please contact
keeping the ticket number of this message in the subject line.
!! Please make sure to read our HOWTOs and FAQ available at
!! <https://reports.cert-bund.de/en/> first.
Kind regards
Team CERT-Bund
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Federal Office for Information Security
Referat CK22 - CERT-Bund
Godesberger Allee 185-189, D-53175 Bonn, Germany
================================================== ====================
Affected systems on your network:
Format: ASN | IP address | Timestamp (UTC) | Source port | Service
24940 | IP | 2017-03-03 03:03:01 | 53 | dns
24940 | IP | 2017-03-03 02:46:03 | 53 | dns
24940 | IP | 2017-03-03 02:46:03 | 53 | dns
24940 | IP | 2017-03-03 02:30:01 | 53 | dns