Untitled

a guest
Dec 19th, 2018
An IP address (162.251.165.166) under your control appears to have attacked one of our customers as part of a coordinated DDoS botnet. We manually reviewed the captures from this attack and do not believe that your IP address was spoofed, based on the limited number of distinct hosts attacking us, the identicality of many attacking IP addresses to ones we've seen in the past, and the non-random distribution of IP addresses.

It is possible that this host is one of the following, from the responses that others have sent us:

- A compromised webhost, such as one running a vulnerable version of Drupal (for instance, using the vulnerability discussed at https://groups.drupal.org/security/faq-2018-002), WordPress, phpMyAdmin, or zPanel
- A compromised DVR, such as a "Hikvision" brand device (ref: http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities)
- A compromised IPMI device, such as one made by Supermicro (possibly because it uses the default username/password of ADMIN/ADMIN or because its password was found through an exploit described at http://arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/)
- A compromised router, such as one made by China Telecom which still allows a default admin username and password; one by Netis, with its built-in internet-accessible backdoor (http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/); or one running an old AirOS version with its exposed administrative interface
- A compromised Xerox-branded device
- Some other compromised standalone device
- A compromised client, such as one running a vulnerable web browser susceptible to a Java exploit
- A server with an insecure password that was brute-forced, such as through SSH or RDP

From your side, you would be able to observe this attack as a burst of traffic that likely saturated the network adapter of the source device for approximately one to five minutes.

This is example traffic from the IP address, as interpreted by the "tcpdump" utility and captured by our router during the attack. Source and destination IP addresses, protocols, and ports are included.

Date/timestamps (at the very left) are UTC.

2018-12-19 06:27:58.489821 IP (tos 0x0, ttl 114, id 16289, offset 0, flags [none], proto UDP (17), length 1028)
162.251.165.166.50099 > 95.172.92.x.111: UDP, length 1000
0x0000: 4500 0404 3fa1 0000 7211 00a2 a2fb a5a6 E...?...r.......
0x0010: 5fac 5c58 c3b3 006f 03f0 2df8 8c5c e3e2 _.\X...o..-..\..
0x0020: 1cd4 baf9 78f1 08f2 d78c c665 f2fc 6c69 ....x......e..li
0x0030: 001a f197 ba3e cd06 573e f94e 9075 ed88 .....>..W>.N.u..
0x0040: 9cb9 a04c 3462 8ab1 8f49 a450 65c5 6640 ...L4b...I.Pe.f@
0x0050: f0af ..
2018-12-19 06:27:58.498632 IP (tos 0x0, ttl 114, id 16365, offset 0, flags [none], proto UDP (17), length 1028)
162.251.165.166.50099 > 95.172.92.x.111: UDP, length 1000
0x0000: 4500 0404 3fed 0000 7211 0056 a2fb a5a6 E...?...r..V....
0x0010: 5fac 5c58 c3b3 006f 03f0 2df8 8c5c e3e2 _.\X...o..-..\..
0x0020: 1cd4 baf9 78f1 08f2 d78c c665 f2fc 6c69 ....x......e..li
0x0030: 001a f197 ba3e cd06 573e f94e 9075 ed88 .....>..W>.N.u..
0x0040: 9cb9 a04c 3462 8ab1 8f49 a450 65c5 6640 ...L4b...I.Pe.f@
0x0050: f0af ..
2018-12-19 06:27:58.501543 IP (tos 0x0, ttl 114, id 16418, offset 0, flags [none], proto UDP (17), length 1028)
162.251.165.166.50099 > 95.172.92.x.111: UDP, length 1000
0x0000: 4500 0404 4022 0000 7211 0021 a2fb a5a6 E...@"..r..!....
0x0010: 5fac 5c58 c3b3 006f 03f0 2df8 8c5c e3e2 _.\X...o..-..\..
0x0020: 1cd4 baf9 78f1 08f2 d78c c665 f2fc 6c69 ....x......e..li
0x0030: 001a f197 ba3e cd06 573e f94e 9075 ed88 .....>..W>.N.u..
0x0040: 9cb9 a04c 3462 8ab1 8f49 a450 65c5 6640 ...L4b...I.Pe.f@
0x0050: f0af ..
2018-12-19 06:27:58.515680 IP (tos 0x0, ttl 114, id 16491, offset 0, flags [none], proto UDP (17), length 1028)
162.251.165.166.50099 > 95.172.92.x.111: UDP, length 1000
0x0000: 4500 0404 406b 0000 7211 ffd7 a2fb a5a6 E...@k..r.......
0x0010: 5fac 5c58 c3b3 006f 03f0 2df8 8c5c e3e2 _.\X...o..-..\..
0x0020: 1cd4 baf9 78f1 08f2 d78c c665 f2fc 6c69 ....x......e..li
0x0030: 001a f197 ba3e cd06 573e f94e 9075 ed88 .....>..W>.N.u..
0x0040: 9cb9 a04c 3462 8ab1 8f49 a450 65c5 6640 ...L4b...I.Pe.f@
0x0050: f0af ..
2018-12-19 06:27:58.532679 IP (tos 0x0, ttl 114, id 16566, offset 0, flags [none], proto UDP (17), length 1028)
162.251.165.166.50099 > 95.172.92.x.111: UDP, length 1000
0x0000: 4500 0404 40b6 0000 7211 ff8c a2fb a5a6 E...@...r.......
0x0010: 5fac 5c58 c3b3 006f 03f0 2df8 8c5c e3e2 _.\X...o..-..\..
0x0020: 1cd4 baf9 78f1 08f2 d78c c665 f2fc 6c69 ....x......e..li
0x0030: 001a f197 ba3e cd06 573e f94e 9075 ed88 .....>..W>.N.u..
0x0040: 9cb9 a04c 3462 8ab1 8f49 a450 65c5 6640 ...L4b...I.Pe.f@
0x0050: f0af ..

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "88".)

Based on the size, number of samples, and timestamps of arrived packets from your host in our capture, we estimate that your host was sending at least 123 Mbps of attack traffic at the peak of this coordinated attack. The peak of the attack may have lasted only a few seconds.

-John
President
NFOservers.com

(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)
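The capture and the rate estimate in the notice can be checked mechanically. The following Python is an added example, not part of the notice or of NFOservers' tooling: it parses tcpdump -x style lines, decodes the IPv4 and UDP headers from the hex bytes, verifies the IPv4 header checksum, cross-checks the decoded fields against tcpdump's summary line, and computes the average bit rate across the sampled timestamps; the two embedded packets are copied from the capture above.

```python
# Added example, not part of the notice: parse tcpdump -x style output like the
# capture above, decode the IPv4/UDP headers from the hex bytes, cross-check them
# against tcpdump's summary line, and estimate the bit rate from the timestamps.
import re
import struct
from datetime import datetime

# Two packets copied from the capture above; payload lines are omitted because the
# IPv4 (20-byte) and UDP (8-byte) headers are contained in the first two hex lines.
SAMPLE = r"""2018-12-19 06:27:58.489821 IP (tos 0x0, ttl 114, id 16289, offset 0, flags [none], proto UDP (17), length 1028)
162.251.165.166.50099 > 95.172.92.x.111: UDP, length 1000
0x0000: 4500 0404 3fa1 0000 7211 00a2 a2fb a5a6 E...?...r.......
0x0010: 5fac 5c58 c3b3 006f 03f0 2df8 8c5c e3e2 _.\X...o..-..\..
2018-12-19 06:27:58.498632 IP (tos 0x0, ttl 114, id 16365, offset 0, flags [none], proto UDP (17), length 1028)
162.251.165.166.50099 > 95.172.92.x.111: UDP, length 1000
0x0000: 4500 0404 3fed 0000 7211 0056 a2fb a5a6 E...?...r..V....
0x0010: 5fac 5c58 c3b3 006f 03f0 2df8 8c5c e3e2 _.\X...o..-..\..
"""
SUMMARY = re.compile(r"^(\S+ \S+) IP \(.*ttl (\d+), .*length (\d+)\)$")
HEXLINE = re.compile(r"^0x[0-9a-f]{4}:\s+(.*)$")

def parse_capture(text):
    """Return one (timestamp, summary_ttl, summary_len, raw_bytes) tuple per packet."""
    pkts = []
    for line in text.splitlines():
        if m := SUMMARY.match(line):
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            pkts.append([ts, int(m.group(2)), int(m.group(3)), bytearray()])
        elif (m := HEXLINE.match(line)) and pkts:
            toks = m.group(1).split()[:8]  # at most eight 16-bit groups precede the ASCII column
            pkts[-1][3] += bytes.fromhex("".join(t for t in toks if re.fullmatch(r"[0-9a-f]{2,4}", t)))
    return [tuple(p) for p in pkts]

def decode(raw):
    """Decode IPv4 + UDP header fields and verify the IPv4 header checksum (RFC 791)."""
    ihl = (raw[0] & 0x0F) * 4
    _, _, tlen, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    s = sum(struct.unpack("!%dH" % (ihl // 2), raw[:ihl]))
    s = (s & 0xFFFF) + (s >> 16); s = (s & 0xFFFF) + (s >> 16)  # fold carries; a valid header sums to 0xFFFF
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl, "proto": proto,
            "len": tlen, "id": ident, "sport": sport, "dport": dport, "checksum_ok": s == 0xFFFF}

def rate_bps(pkts):
    """Bits/s of IP-layer traffic across the sampled timestamps (a lower bound on the peak)."""
    span = (pkts[-1][0] - pkts[0][0]).total_seconds()
    return 8 * sum(p[2] for p in pkts) / span if span > 0 else float("inf")
```

The rate over two sampled packets is only a lower bound on the burst; the notice's 123 Mbps figure needs the sizes and timestamps of the whole capture.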