How to find real IP/domU with ip_conntrack?

Hello

I've a Xen VPS node server with high ip_conntrack, and I need to find out which client is causing this. Below is 1% of the ip_conntrack result. It's easy to see that there is a client using his VPS to attack 49.124.141.5, but how do I find the real IP/domU behind it? Thanks for any advice!

cat /proc/net/ip_conntrack;

tcp 6 431428 ESTABLISHED src=221.105.137.74 dst=49.124.141.5 sport=13415 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=221.105.137.74 sport=80 dport=13415 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431428 ESTABLISHED src=36.40.254.29 dst=49.124.141.5 sport=20623 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=36.40.254.29 sport=80 dport=20623 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=143.35.24.47 dst=49.124.141.5 sport=7582 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=143.35.24.47 sport=80 dport=7582 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=75.196.150.5 dst=49.124.141.5 sport=42994 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=75.196.150.5 sport=80 dport=42994 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=125.174.195.93 dst=49.124.141.5 sport=23926 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=125.174.195.93 sport=80 dport=23926 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=106.160.55.94 dst=49.124.141.5 sport=53334 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=106.160.55.94 sport=80 dport=53334 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=158.42.72.60 dst=49.124.141.5 sport=30871 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=158.42.72.60 sport=80 dport=30871 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=28.33.100.22 dst=49.124.141.5 sport=42076 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=28.33.100.22 sport=80 dport=42076 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431428 ESTABLISHED src=190.110.92.3 dst=49.124.141.5 sport=38085 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=190.110.92.3 sport=80 dport=38085 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431428 ESTABLISHED src=115.61.187.115 dst=49.124.141.5 sport=10521 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=115.61.187.115 sport=80 dport=10521 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=131.150.242.58 dst=49.124.141.5 sport=13791 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=131.150.242.58 sport=80 dport=13791 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431428 ESTABLISHED src=134.1.212.102 dst=49.124.141.5 sport=26224 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=134.1.212.102 sport=80 dport=26224 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=174.163.179.73 dst=49.124.141.5 sport=1803 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=174.163.179.73 sport=80 dport=1803 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=125.138.165.114 dst=49.124.141.5 sport=32631 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=125.138.165.114 sport=80 dport=32631 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=158.56.243.60 dst=49.124.141.5 sport=56856 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=158.56.243.60 sport=80 dport=56856 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=73.95.74.30 dst=49.124.141.5 sport=16440 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=73.95.74.30 sport=80 dport=16440 packets=0 bytes=0 mark=0 secmark=0 use=1
=============
40+ different locations VPS Hosting Comparison. VPS price starts from $1/month. Hosting Providers are welcome to add your VPS plan, it's FREE.
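To make the pattern in that dump mechanical rather than eyeballed, here is an added Python example (not from the thread or any of its posters) that parses conntrack lines into their original-direction tuple and reports destinations that collect single-packet, never-answered flows from many distinct sources. The sample lines are constructed in the same shape as the dump; on a real node feed it the output of `cat /proc/net/ip_conntrack`. It only tells you the target and that the sources are spoofed, which is exactly the limit the question runs into: conntrack records the src= the guest wrote into the packet, not which domU wrote it.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of /proc/net/ip_conntrack: three flood entries like the
# dump above plus one healthy SSH flow. It is not the poster's full table.
SAMPLE = """\
tcp 6 431428 ESTABLISHED src=221.105.137.74 dst=49.124.141.5 sport=13415 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=221.105.137.74 sport=80 dport=13415 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431428 ESTABLISHED src=36.40.254.29 dst=49.124.141.5 sport=20623 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=36.40.254.29 sport=80 dport=20623 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=143.35.24.47 dst=49.124.141.5 sport=7582 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=143.35.24.47 sport=80 dport=7582 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 299 ESTABLISHED src=198.51.100.10 dst=198.51.100.99 sport=51000 dport=22 packets=120 bytes=9000 src=198.51.100.99 dst=198.51.100.10 sport=22 dport=51000 packets=110 bytes=20000 [ASSURED] mark=0 secmark=0 use=1
"""

# The original-direction tuple comes first on each line; the reply tuple repeats the same keys
# afterwards, so a single search() picks up the direction the guest initiated.
TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+) packets=(\d+) bytes=(\d+)")

def parse_conntrack(text):
    """Parse each line into its original-direction tuple plus the UNREPLIED flag."""
    entries = []
    for line in text.splitlines():
        m = TUPLE.search(line)
        if not m:
            continue
        src, dst, sport, dport, packets, nbytes = m.groups()
        entries.append({"src": src, "dst": dst, "dport": int(dport),
                        "packets": int(packets), "bytes": int(nbytes),
                        "unreplied": "[UNREPLIED]" in line})
    return entries

def suspicious_destinations(entries, min_sources=50):
    """Destinations receiving unanswered single-packet flows from many distinct sources.
    packets=1 bytes=40 is a bare SYN (20-byte IP + 20-byte TCP header) the target never
    answered; hundreds of those towards one dst from unrelated sources is the spoofed-SYN
    pattern. Returns (dst, distinct_sources, half_open_flows), most sources first."""
    half_open = defaultdict(list)
    for e in entries:
        if e["unreplied"] and e["packets"] == 1:
            half_open[e["dst"]].append(e["src"])
    report = [(dst, len(set(srcs)), len(srcs)) for dst, srcs in half_open.items()
              if len(set(srcs)) >= min_sources]
    return sorted(report, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for dst, distinct, flows in suspicious_destinations(parse_conntrack(SAMPLE), min_sources=3):
        print(f"{dst}: {flows} half-open flows from {distinct} distinct sources")
```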

Comments

  • Use iptraf instead to give yourself a clue first.

    I am no longer active here, find me at https://talk.lowendspirit.com (Just like LET without the scams)

  • drserver Member, Host Rep

    Block the source port for every IP for a few seconds; if the attack is constant you will get your abuser silenced... then you will find out which IP is your attacker.

    Unmetered servers starting from $12.00 USD p/m. Xeon® E-2134 for $50.00 p/m ||| Xeon® Silver 4110 for $80.00 p/m
    Live server stock ||| Feel free to contact me for custom deal.

  • @drserver he is likely running on a SW bridge if using Xen.


  • drserver Member, Host Rep

    @AnthonySmith
    Yes you are right...


  • @AnthonySmith said:
    Use iptraf instead to give yourself a clue first.

    Thanks, I've tried iptraf and iftop but no luck; I can't find anything about this issue.

  • AnthonySmith Top Provider
    edited November 2013

    Well, if your conntrack is full it is usually because of someone doing p2p or flooding or brute forcing or port scanning.

    This should be fairly easy to spot with iptraf; if not, then perhaps you have your max conntracks set too low or you're not using dynamic window sizes on packets, which is causing way more packets than is needed.

    Last resort would be to have a quick look at the console output from each vps and see if any of these are showing a conntrack full stream of messages.


  • So this is outgoing traffic with spoofed IP addresses, right? First of all you could look for the source MAC address with tcpdump and then look into the ARP table for the real IP.
    You should block spoofing with iptables/ebtables!
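The MAC-first idea in this answer, as an added Python example that is not from the thread: it reads `tcpdump -e -n` output taken on the bridge, groups the IP source addresses seen per Ethernet source MAC, and checks each MAC against a table of which vif it belongs to and which IP that guest was assigned, so the spoofed src= values collapse onto one vif. The tcpdump lines and the vif table are constructed (a real table comes from `xl network-list <domU>` for each guest plus your own IP allocation records; one IPv4 address per vif is assumed), and `antispoof_rules` emits the ebtables anti-spoofing rules the answer recommends, one set per vif.

```python
import re
from collections import defaultdict

# Constructed `tcpdump -e -n -i xenbr0 dst host 49.124.141.5` output (not a capture from the
# poster's node): three spoofed SYNs from one guest's MAC and one honest SYN from another guest.
TCPDUMP = """\
10:00:01.000001 00:16:3e:00:00:03 > 52:54:00:aa:bb:cc, ethertype IPv4 (0x0800), length 54: 221.105.137.74.13415 > 49.124.141.5.80: Flags [S], seq 1, win 512, length 0
10:00:01.000002 00:16:3e:00:00:03 > 52:54:00:aa:bb:cc, ethertype IPv4 (0x0800), length 54: 36.40.254.29.20623 > 49.124.141.5.80: Flags [S], seq 1, win 512, length 0
10:00:01.000003 00:16:3e:00:00:03 > 52:54:00:aa:bb:cc, ethertype IPv4 (0x0800), length 54: 143.35.24.47.7582 > 49.124.141.5.80: Flags [S], seq 1, win 512, length 0
10:00:01.000004 00:16:3e:00:00:01 > 52:54:00:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 198.51.100.10.40000 > 49.124.141.5.80: Flags [S], seq 7, win 29200, options [mss 1460], length 0
"""

# Constructed MAC -> (vif, assigned IP) table. On a real node build it from `xl network-list <domU>`
# for every guest plus your own IP allocation records (assumption: one IPv4 address per vif).
VIF_TABLE = {
    "00:16:3e:00:00:01": ("vif1.0", "198.51.100.10"),
    "00:16:3e:00:00:03": ("vif3.0", "198.51.100.30"),
}

FRAME = re.compile(r"^\S+ ([0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype IPv4 \(0x0800\), length \d+: "
                   r"(\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.\d+:")

def sources_by_mac(text):
    """Group the IP source addresses seen on the bridge by the Ethernet MAC that sent them."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = FRAME.match(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return seen

def find_spoofers(text, table):
    """Return {vif: sorted IPs} for every sender whose IP source differs from the IP its vif owns.
    A MAC missing from the table is reported as 'unknown-<mac>' so a forged MAC still shows up."""
    result = {}
    for mac, ips in sources_by_mac(text).items():
        vif, assigned = table.get(mac, ("unknown-" + mac, None))
        bad = sorted(ip for ip in ips if ip != assigned)
        if bad:
            result[vif] = bad
    return result

def antispoof_rules(table):
    """ebtables FORWARD rules pinning each vif (bridge port) to its MAC and IP; -i matches the port."""
    rules = []
    for mac, (vif, ip) in sorted(table.items()):
        rules.append(f"ebtables -A FORWARD -i {vif} -s ! {mac} -j DROP")
        rules.append(f"ebtables -A FORWARD -i {vif} -p IPv4 --ip-src ! {ip} -j DROP")
        rules.append(f"ebtables -A FORWARD -i {vif} -p ARP --arp-ip-src ! {ip} -j DROP")
    return rules
```

Because the first rule keys on the bridge port rather than the MAC, a guest that forges its MAC as well as its IP is still dropped at its own vif.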

  • William Member, Provider

    Yes, ebtables are important if you have bridged networking.
