UDP DDoS Attack (DNS Amplified Attack/DDoS/Flood) FROM: [1au] ANY? anonsc.com
I ran tcpdump -n udp dst port 53 | grep ANY and got the output posted below. So how do I block it? Can't I just remove the whole UDP port? I don't need it. Also, after the output there was "0 packets dropped by kernel"?? Why, if I have iptables set to DROP all INPUT and OUTPUT on port 53?
18:06:18.690606 IP 72.214.44.133.42835 > SERVER_IP.x: 55911+ [1au] ANY? anonsc.com. (39)
18:06:18.691276 IP 72.214.44.133.31897 > SERVER_IP.x: 39943+ [1au] ANY? anonsc.com. (39)
18:06:18.691515 IP 72.214.44.133.5579 > SERVER_IP.x: 61945+ [1au] ANY? anonsc.com. (39)
18:06:18.692641 IP 177.82.153.96.49224 > SERVER_IP.x: 43269+ [1au] ANY? anonsc.com. (39)
18:06:18.694478 IP 72.214.44.133.46402 > SERVER_IP.x: 61141+ [1au] ANY? anonsc.com. (39)
18:06:18.697512 IP 177.82.153.96.42112 > SERVER_IP.x: 4708+ [1au] ANY? anonsc.com. (39)
18:06:18.701628 IP 177.82.153.96.64879 > SERVER_IP.x: 46083+ [1au] ANY? anonsc.com. (39)
18:06:18.707965 IP 85.25.152.40.39341 > SERVER_IP.x: 47749+ [1au] ANY? anonsc.com. (39)
18:06:18.841989 IP 72.214.44.133.15339 > SERVER_IP.x: 31561+ [1au] ANY? anonsc.com. (39)
18:06:18.842155 IP 85.25.152.40.24158 > SERVER_IP.x: 35510+ [1au] ANY? anonsc.com. (39)
18:06:18.842958 IP 85.25.152.40.18853 > SERVER_IP.x: 32101+ [1au] ANY? anonsc.com. (39)
18:06:18.843103 IP 85.25.152.40.29636 > SERVER_IP.x: 52758+ [1au] ANY? anonsc.com. (39)
18:06:18.843557 IP 72.214.44.133.16945 > SERVER_IP.x: 49535+ [1au] ANY? anonsc.com. (39)
18:06:18.844214 IP 72.214.44.133.45671 > SERVER_IP.x: 24565+ [1au] ANY? anonsc.com. (39)
18:06:19.111701 IP 72.214.44.133.12671 > SERVER_IP.x: 20966+ [1au] ANY? anonsc.com. (39)
18:06:19.112243 IP 72.214.44.133.6216 > SERVER_IP.x: 31259+ [1au] ANY? anonsc.com. (39)
18:06:19.114841 IP 72.214.44.133.45188 > SERVER_IP.x: 17390+ [1au] ANY? anonsc.com. (39)
18:06:19.202080 IP 177.82.153.96.52064 > SERVER_IP.x: 35037+ [1au] ANY? anonsc.com. (39)
18:06:19.202325 IP 177.82.153.96.10332 > SERVER_IP.x: 39291+ [1au] ANY? anonsc.com. (39)
18:06:19.203291 IP 72.214.44.133.40531 > SERVER_IP.x: 6745+ [1au] ANY? anonsc.com. (39)
18:06:19.211408 IP 85.25.152.40.17929 > SERVER_IP.x: 61456+ [1au] ANY? anonsc.com. (39)
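A small parser for tcpdump output in the shape shown above, added here as an example and not part of the original thread. It counts ANY queries per claimed source address and per queried name; the sample lines are constructed with documentation-range addresses, and the function names (parse_capture, reflection_summary, flagged_sources) are my own. The point it makes: in a reflection attack the "source" addresses are spoofed, so the tally names the hosts being hit through your server, and tcpdump will show these packets whether or not netfilter later drops them.

```python
import re
from collections import Counter

# Matches the tcpdump DNS query line shape from the capture above, e.g.
# "18:06:18.690606 IP 72.214.44.133.42835 > SERVER_IP.x: 55911+ [1au] ANY? anonsc.com. (39)"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.]+)\.(?P<dport>\w+): (?P<txid>\d+)\+ "
    r"(?:\[(?P<edns>[^\]]*)\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<length>\d+)\)$"
)

# Constructed sample capture (documentation-range addresses, not the IPs from the thread).
SAMPLE_CAPTURE = """\
18:06:18.690606 IP 198.51.100.7.42835 > SERVER_IP.x: 55911+ [1au] ANY? anonsc.com. (39)
18:06:18.691276 IP 198.51.100.7.31897 > SERVER_IP.x: 39943+ [1au] ANY? anonsc.com. (39)
18:06:18.692641 IP 203.0.113.9.49224 > SERVER_IP.x: 43269+ [1au] ANY? anonsc.com. (39)
18:06:18.694478 IP 198.51.100.7.46402 > SERVER_IP.x: 61141+ [1au] ANY? anonsc.com. (39)
18:06:18.700001 IP 192.0.2.44.53001 > SERVER_IP.x: 12345+ A? example.com. (29)
18:06:18.707965 IP 203.0.113.9.39341 > SERVER_IP.x: 47749+ [1au] ANY? anonsc.com. (39)
"""


def parse_capture(text):
    """Parse tcpdump lines into dicts; non-matching lines (e.g. the 'packets dropped
    by kernel' summary) are skipped rather than raising."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def reflection_summary(records, qtypes=("ANY",)):
    """Count amplification-prone queries (ANY by default) per claimed source and per name.
    The claimed sources are the spoofed victims of a reflection attack, not the attacker;
    the queried name is typically one chosen for a large answer."""
    per_src, per_name = Counter(), Counter()
    for r in records:
        if r["qtype"] in qtypes:
            per_src[r["src"]] += 1
            per_name[r["qname"]] += 1
    return per_src, per_name


def flagged_sources(per_src, threshold=2):
    """Claimed sources with at least `threshold` amplification queries, busiest first."""
    return [(src, n) for src, n in per_src.most_common() if n >= threshold]


if __name__ == "__main__":
    srcs, names = reflection_summary(parse_capture(SAMPLE_CAPTURE))
    print("victims reflected through this host:", flagged_sources(srcs))
    print("names queried:", names.most_common())
```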
Comments
It may be more than what you want, but I suggest Config Server Firewall.
APF? CSF? (D)DoS Deflate won't help. I also removed named (BIND), so nothing is listening on port 53; it's closed by iptables.
Also, when I do iftop -f udp I see this:
TX: cum: 0B peak: 0b rates: 0b 0b 0b
Does it mean it's not coming to my server, so iptables blocks it? Because I still see incoming UDP packets as RX...
TX is outgoing. You can't block UDP DDoS attacks, as they're meant to overload the infrastructure, not the software.
UDP can be tricky...
Do you need UDP? Ask your provider to ACL it for you if it is not needed.
So no matter if I reinstall the system, I can't do much? Why the hell can't the system just close the port, I mean really close it, not just block it...
So my iptables doesn't block incoming UDP traffic o.o??? Fked UDP protocol.
tcpdump captures all ethernet packets before iptables works on L3.
Pretty much everyone that I have worked with didn't have a problem with ACLing UDP. It should be something that every host can do.
Nope, I disabled all of it, removed all the named (BIND) stuff.
No port 53 when I look at listening ports, and it's also blocked via iptables.
But still incoming packets.
To be sure, I am going to reinstall a clean VPS OS and check if I still receive those packets; if yes, then I'll just revert to the backup. One can't be sure I'm not exploited by some script kiddie.
OK, for the future, anyone who has this type of problem, be aware!
It's DDoS to be sure, but you're DDoSing your own VPS with some exploit that sends traffic to other IPs with those UDP packets!
I reinstalled a clean OS and now no UDP packets incoming/outgoing!
I removed it, it didn't help. The only way is to get a new OS. Somehow it sends those packets, but now, after the reinstall, not.
After the reinstall it's here again, so I can confirm it's UDP DDoS.