How to find real IP/domU with ip_conntrack?

Hello

I've a Xen VPS node server with high ip_conntrack, and I need to find out which client causes this. Below is 1% of the ip_conntrack result. It's easy to see that a client is using his VPS to attack 49.124.141.5, but how do I find the real IP/domU behind it? Thanks for any advice!

cat /proc/net/ip_conntrack;

tcp 6 431428 ESTABLISHED src=221.105.137.74 dst=49.124.141.5 sport=13415 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=221.105.137.74 sport=80 dport=13415 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431428 ESTABLISHED src=36.40.254.29 dst=49.124.141.5 sport=20623 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=36.40.254.29 sport=80 dport=20623 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=143.35.24.47 dst=49.124.141.5 sport=7582 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=143.35.24.47 sport=80 dport=7582 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=75.196.150.5 dst=49.124.141.5 sport=42994 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=75.196.150.5 sport=80 dport=42994 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=125.174.195.93 dst=49.124.141.5 sport=23926 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=125.174.195.93 sport=80 dport=23926 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=106.160.55.94 dst=49.124.141.5 sport=53334 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=106.160.55.94 sport=80 dport=53334 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=158.42.72.60 dst=49.124.141.5 sport=30871 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=158.42.72.60 sport=80 dport=30871 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=28.33.100.22 dst=49.124.141.5 sport=42076 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=28.33.100.22 sport=80 dport=42076 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431428 ESTABLISHED src=190.110.92.3 dst=49.124.141.5 sport=38085 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=190.110.92.3 sport=80 dport=38085 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431428 ESTABLISHED src=115.61.187.115 dst=49.124.141.5 sport=10521 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=115.61.187.115 sport=80 dport=10521 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=131.150.242.58 dst=49.124.141.5 sport=13791 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=131.150.242.58 sport=80 dport=13791 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431428 ESTABLISHED src=134.1.212.102 dst=49.124.141.5 sport=26224 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=134.1.212.102 sport=80 dport=26224 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=174.163.179.73 dst=49.124.141.5 sport=1803 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=174.163.179.73 sport=80 dport=1803 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=125.138.165.114 dst=49.124.141.5 sport=32631 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=125.138.165.114 sport=80 dport=32631 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=158.56.243.60 dst=49.124.141.5 sport=56856 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=158.56.243.60 sport=80 dport=56856 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431429 ESTABLISHED src=73.95.74.30 dst=49.124.141.5 sport=16440 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=73.95.74.30 sport=80 dport=16440 packets=0 bytes=0 mark=0 secmark=0 use=1

Comments

  • AnthonySmith Member, Patron Provider

    Use iptraf instead to give yourself a clue first.

  • drserver Member, Host Rep

    Block the source port for every IP for a few seconds; if the attack is constant you will get your abuser silenced... then you will find out which IP is your attacker.

  • AnthonySmith Member, Patron Provider

    @drserver he is likely running on a SW bridge if using Xen.

  • drserver Member, Host Rep

    @AnthonySmith
    Yes you are right...

  • @AnthonySmith said:
    Use iptraf instead to give yourself a clue first.

    Thanks, I've tried iptraf and iftop but no luck; I can't find anything about this issue.

  • AnthonySmith Member, Patron Provider
    edited November 2013

    Well, if your conntrack is full it is usually because of someone doing p2p, flooding, brute forcing or port scanning.

    This should be fairly easy to spot with iptraf; if not, then perhaps you have your max conntracks set too low, or you're not using dynamic window sizes on packets, which causes way more packets than needed.

    Last resort would be to have a quick look at the console output from each VPS and see if any of them is showing a stream of "conntrack full" messages.

  • So this is outgoing traffic with spoofed IP addresses, right? First of all you could look for the source MAC address with tcpdump and then look into the ARP table for the real IP.
    You should block spoofing with iptables/ebtables!

  • Yes, ebtables are important if you have bridged networking.
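    The two replies above as one runnable procedure, added here and not from the thread: rank the conntrack entries to confirm the target, pull the Ethernet source MAC from tcpdump, map it to an address via the dom0 neighbour table, and emit ebtables anti-spoof rules for the bridge. It assumes the usual /proc/net/ip_conntrack, "tcpdump -e -n" and "ip neigh" line formats; the MAC 00:16:3e:aa:bb:01 and the address 10.0.0.5 are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Each function reads saved command output
# on stdin so it runs offline; on a live dom0 pipe the real command into it.

# 1. Rank destinations by half-open entries. UNREPLIED with packets=1 bytes=40 is
#    a bare SYN that never got an answer; one dst with many distinct src, as in
#    the dump above, is the target of a spoofed SYN flood leaving the node.
flood_targets() {                     # stdin: /proc/net/ip_conntrack
    awk '$1 == "tcp" && /UNREPLIED/ && /packets=1 bytes=40/ {
            src = $5; dst = $6; sub("src=", "", src); sub("dst=", "", dst)
            if (!((dst, src) in seen)) { seen[dst, src] = 1; n[dst]++ }
         }
         END { for (d in n) print n[d], d }' | sort -rn
}

# 2. The spoofed source IP changes per packet, but the Ethernet source MAC of
#    the frames does not: count MACs sending to the target.
mac_for_dst() {                       # $1 = target IP; stdin: tcpdump -e -n -i <bridge>
    awk -v dst="$1" '$3 == ">" && index($12, dst ".") == 1 { m[$2]++ }
         END { for (k in m) print m[k], k }' | sort -rn
}

# 3. The real address behind that MAC from the dom0 neighbour table; with Xen
#    you can also grep the MAC in /etc/xen/*.cfg or xenstore to get the domU.
real_ip_for_mac() {                   # $1 = MAC; stdin: ip neigh
    awk -v mac="$1" '$0 ~ "lladdr " mac " " { print $1; exit }'
}

# 4. Bridge-level anti-spoof rules: drop IPv4 and ARP from that MAC unless the
#    source address is the one assigned to it. Printed for review, not applied.
#    Matching the vif (-i vifN.0) instead of -s MAC is stronger, because a
#    guest can change its own MAC.
antispoof_rules() {                   # $1 = MAC  $2 = assigned IP
    printf 'ebtables -A FORWARD -s %s -p IPv4 --ip-src ! %s -j DROP\n' "$1" "$2"
    printf 'ebtables -A FORWARD -s %s -p ARP --arp-ip-src ! %s -j DROP\n' "$1" "$2"
}

# Constructed samples: two conntrack lines taken from the dump above, two tcpdump
# lines and one neighbour entry; the MAC and 10.0.0.5 are made up.
CT='tcp 6 431428 ESTABLISHED src=221.105.137.74 dst=49.124.141.5 sport=13415 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=221.105.137.74 sport=80 dport=13415 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431428 ESTABLISHED src=36.40.254.29 dst=49.124.141.5 sport=20623 dport=80 packets=1 bytes=40 [UNREPLIED] src=49.124.141.5 dst=36.40.254.29 sport=80 dport=20623 packets=0 bytes=0 mark=0 secmark=0 use=1'
TD='12:00:00.000001 00:16:3e:aa:bb:01 > 00:16:3e:cc:dd:02, ethertype IPv4 (0x0800), length 54: 221.105.137.74.13415 > 49.124.141.5.80: Flags [S], seq 0, win 512, length 0
12:00:00.000002 00:16:3e:aa:bb:01 > 00:16:3e:cc:dd:02, ethertype IPv4 (0x0800), length 54: 36.40.254.29.20623 > 49.124.141.5.80: Flags [S], seq 0, win 512, length 0'
NEIGH='10.0.0.5 dev xenbr0 lladdr 00:16:3e:aa:bb:01 REACHABLE'

printf '%s\n' "$CT" | flood_targets                          # 2 49.124.141.5
printf '%s\n' "$TD" | mac_for_dst 49.124.141.5               # 2 00:16:3e:aa:bb:01
printf '%s\n' "$NEIGH" | real_ip_for_mac 00:16:3e:aa:bb:01   # 10.0.0.5
antispoof_rules 00:16:3e:aa:bb:01 10.0.0.5
```

    On a live node, run tcpdump on the bridge the vifs attach to (xenbr0 or similar), not on the physical uplink, otherwise the source MAC is already rewritten.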
