What the hell is this? DDoS?

BuyAds Member

Hello guys.

The SYS system won't detect it as DDoS.

I am losing 20GB of bandwidth every 10 min.

I have checked netstat there are no ips connected.

What could it be?

Buy Site Ads - Advertising Platform

Comments

  • That's called a DeeDoos

  • Just shut down your server.

    https://martip07.me/ - Freelance Sysadmin.

  • Ishaq Member, Provider

    A DoS is not always big that it causes VAC to interfere, sometimes it is small and consumes a lot of bandwidth legitimately in an attempt to get you suspended for exceeding your bandwidth limit.

    Thanked by 1 KwiceroLTD
    [BudgetNode] DDoS Protected. 7 Locations (US/EU). Check out our latest offer!
  • UrDN Member
    edited May 2015

    @BuyAds said:
    I have checked netstat there are no ips connected.

    If it's a udp flood it's normal that you see nothing with netstat. Use tcpdump or tshark to analyze the traffic.

    www.urdn.com.ua - ISP in Ukraine.

  • Profforg Member
    edited May 2015

    # hiresysadmin

    Freelance System Administrator, available for hire. Primary tasks i do concentrated on: PHP, MySQL, Postgres, Nginx, DDoS-protection, application security, high-performance solutions, high-availability / clustering.

  • apt-get install vnstat?
    or
    apt-get install bwm-ng?

  • BuyAds Member

    Thanks to Francesco from BuyVM I now know that I am under an "NTP amplification attack".

    I don't have access to the DDoS firewall (I am on SYS) so I have to wait for it to end :(.

    Does someone have an idea how it can be stopped?

  • perennate Member, Provider
    edited May 2015

    BuyAds said: Does someone have an idea how it can be stopped?

    Since it's not large enough to activate the DDoS filtering, you could simply block incoming NTP traffic

    iptables -I INPUT -p udp --source-port 123 -j DROP

    I don't think you have a strict bandwidth limit?

    Thanked by 2BuyAds linuxthefish
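
Added example (not part of the original thread): the tcpdump analysis suggested earlier and the source-port DROP rule above fit together by first confirming which UDP source port carries the flood. The function names, the interface `eth0` and the documentation-range addresses are assumptions, and the capture lines are constructed.

```bash
#!/usr/bin/env bash
# Added example: summarise inbound UDP per source port from `tcpdump -nn -q` text output.
# Live use (interface name and address are assumptions):
#   tcpdump -nn -q -i eth0 -c 5000 udp | udp_by_src_port 198.51.100.10

# Constructed sample capture; 198.51.100.10 stands in for the attacked server.
sample_capture() {
  cat <<'EOF'
12:00:01.000101 IP 203.0.113.5.123 > 198.51.100.10.48211: UDP, length 440
12:00:01.000140 IP 203.0.113.77.123 > 198.51.100.10.48211: UDP, length 440
12:00:01.000188 IP 192.0.2.14.123 > 198.51.100.10.51002: UDP, length 468
12:00:01.000230 IP 192.0.2.200.53 > 198.51.100.10.39123: UDP, length 96
12:00:01.000301 IP 198.51.100.10.22 > 192.0.2.9.50514: tcp 36
12:00:01.000350 IP 203.0.113.5.123 > 198.51.100.10.48211: UDP, length 440
EOF
}

# Print "src_port packets bytes" for UDP sent to server $1, largest byte count first.
udp_by_src_port() {
  awk -v me="$1" '
    $2 == "IP" && $6 == "UDP," {
      dst = $5; sub(/:$/, "", dst); sub(/\.[0-9]+$/, "", dst)  # drop ":" and dst port
      if (dst != me) next                                      # keep inbound traffic only
      n = split($3, src, "."); port = src[n]                   # last dotted field = src port
      pkts[port]++; bytes[port] += $8
    }
    END { for (p in pkts) print p, pkts[p], bytes[p] }' | sort -k3,3nr
}

# Print the source port if one service port (<1024) carries at least $2 percent
# (default 80) of inbound UDP bytes; return non-zero otherwise.
dominant_reflection_port() {
  udp_by_src_port "$1" | awk -v pct="${2:-80}" '
    { total += $3; if (NR == 1) { port = $1; top = $3 } }
    END {
      if (total > 0 && port + 0 < 1024 && top * 100 >= pct * total) { print port; exit 0 }
      exit 1
    }'
}

# Demo on the constructed sample: show the table, then print (not run) the matching rule.
sample_capture | udp_by_src_port 198.51.100.10
if port=$(sample_capture | dominant_reflection_port 198.51.100.10); then
  echo "iptables -I INPUT -p udp --source-port $port -j DROP"
fi
```

A dominant source port of 123 with no local NTP client traffic to explain it matches the amplification pattern named in the thread; the script only prints the rule and leaves applying it to the operator.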
  • True just drop it.

    https://martip07.me/ - Freelance Sysadmin.

  • BuyAds Member

    @perennate said:
    I don't think you have a strict bandwidth limit?

    Thank you! No, there is no bandwidth limit but I am afraid if this goes on for days, one day they will suspend me.

  • What about just opening the tcp/udp that you need and closing all that you don't?

    https://martip07.me/ - Freelance Sysadmin.

  • perennate Member, Provider

    BuyAds said: Thank you! No, there is no bandwidth limit but I am afraid if this goes on for days, one day they will suspend me.

    The command I provided only blocks it from hitting your applications, so that it doesn't affect your services as long as iptables can keep up with it (which it should if it's less than 1gbps and not activating firewall). I don't think they'd suspend you for getting an attack though.

  • BuyAds Member

    Should I just execute that command only one time, without adding or changing anything?

  • Also try to get a couple of vps and work with a load balancer that works only with private ips for backend

    https://martip07.me/ - Freelance Sysadmin.

  • perennate Member, Provider

    martip07 said: Also try to get a couple of vps and work with a load balancer that works only with private ips for backend

    Hm, what does that have to do with anything?

    BuyAds said: Should I just execute that command only one time, without adding or changing anything?

    You need that to run every time the interface is reloaded. If you're on Ubuntu/Debian, see https://help.ubuntu.com/community/IptablesHowTo#Configuration_on_startup

    Thanked by 1martip07
  • lazyt Member

    Can't be DeeDoss she was a cute blonde. Dee Doss--n

    Have I mentioned how much I hate auto correct recently?

  • Simple if the loadbalancer got screwed you just have to redirect your domain to one of the backend ips.

    So at the time your balancer is okay just redirect the IP one more time.

    That is an option in my opinion :P

    https://martip07.me/ - Freelance Sysadmin.

  • BuyAds Member

    @perennate should I change the INPUT to eth0 or should I type the command as it is?

    P.S. I am on CentOS

    Thank you.

  • perennate Member, Provider

    The INPUT is a built-in chain in the iptables firewall. It will be used for packets destined for the server. So keep it as is.

    On CentOS I think you just need service iptables save

  • BuyAds Member

    perennate said: CentOS I think you just need service iptables save

    How can I do it? :)

  • Install csf on CentOS; it will be easier to manage the firewall

    https://martip07.me/ - Freelance Sysadmin.

  • BuyAds Member

    csf is installed but there is no effect from it :(

    Thanked by 1 martip07

  • @BuyAds said:
    csf is installed but there is no effect from it :(

    TESTING = "1"

    • Change the 1 for 0

    https://martip07.me/ - Freelance Sysadmin.

  • just check it one more time, just in case you forgot to change it.

    https://martip07.me/ - Freelance Sysadmin.

  • BuyAds Member
    edited May 2015

    Sure, it's 0. Also Syn flooding enabled.

  • Is your tcp/udp in/out config configured with all that you need?

    https://martip07.me/ - Freelance Sysadmin.

  • Can't you just drop UDP via OVH?

  • BuyAds Member

    I am at SoYouStart. No access to the firewall.

  • What about changing IP and hiding new IP behind Cloudflare?

  • BuyAds Member

    No chance to do it. I am hosting over 200 sites with private nameservers.

  • @MarkTurner said:
    What about changing IP and hiding new IP behind Cloudflare?

    Actually Cloudflare seems to be a good idea for a moment, but free plans don't offer real DDoS protection or similar.

    https://martip07.me/ - Freelance Sysadmin.

  • tomsfarm Member
    edited May 2015

    @Ishaq said:
    A DoS is not always big that it causes VAC to interfere, sometimes it is small and consumes a lot of bandwidth legitimately in an attempt to get you suspended for exceeding your bandwidth limit.

    Just a flood that is leaking through VAC.

    Thanked by 1martip07

    ClamHost - Affordable Anti-DDoS Hosting Solutions
