How to prevent TCP network flood triggered by KVM VPS clients?
How to protect nodes / detect and block KVM VPS clients that TCP flood the network?
Maybe something like setting a PPS value of 15k packets per second, and running a script under cron which checks every VPS's packets per second; if it matches or exceeds that value it shuts off the VPS and emails me with the date/time, vpsid and packet count. Does anyone have a similar script?
Comments
Outbound or inbound floods?
From what I heard, Nodewatch protects OpenVZ nodes really well as far as outbound DDoS attacks are concerned.
He flooded the DC network.
Forgot to mention KVM node.
You could have a script to monitor packets transmitted (either via ifconfig or check the values in /sys), if it exceeds some threshold then capture the packets (e.g. you could go the easy way by parsing tcpdump output, or implement something on top of libpcap) and identify the abuser.
Great, it's similar to what I said in this thread, but does anyone have that?
If you go the tcpdump way it's pretty easy to do, something like this (unfortunately in PHP): https://gist.github.com/uakfdotb/ff3abac9bf663d84ca3b
You just need to fill in the settings at the top, and the function to e-mail / shutdown VM.
That's just awesome, tested and working!
Does anyone know of an easy way to search for the IP and get information on the VM that said IP is assigned to using the CLI? What I gather is that the script returns the IP that has the high pps, then again I'm tired and may have missed something.
The script does not tell you the VM that is assigned the IP address. We use OpenStack as our backend and it stores the assigned IP address of a virtual machine in the database, which we are able to reference. So depending on the backend you are using, you may be able to do the same.
I'm using Solus right now, basically what I'm trying to do instead of email me I want it to shutdown the VPS and then create an Abuse ticket for the associated account in whmcs. I have the whmcs portion worked out I'm just at a loss on how to convert the IP to usable information on the hypervisor.
I am not able to show the code as to how it can be done for whmcs and solus setup as we use neither of these two platforms.
But, if whmcs stores virtual machine information in the database, then find the table responsible and see if the IP addresses are stored, then you will be able to reference that way.
Otherwise, I found this in the SolusVM API documentation; you can use this to find the vserverid and the clientid using the IP address captured, then use these as a reference to find the corresponding whmcs user entry and get the user email address to send the notification to.
https://documentation.solusvm.com/display/DOCS/List+Virtual+Servers
Note: I was not able to find an API call that finds the vserver using an IP address, so you will more than likely need to list all virtual servers and loop through them to find the right one. (Even so, I am not entirely sure if it's reliable if the vserver has more than 1 IP assigned and the IP captured is not the main IP, since it appears the Solus API will only give you the main IP of the vserver.)
Alternatively, without using the SolusVM API, look at the SolusVM database and find the table responsible for storing the IPs, then find the vserver/clientid of the IP captured and use that to reference your whmcs database and get the user email that way.
I feel stupid now... It completely slipped my mind to use the Solus API... I was sitting here trying to figure out a way with virsh...
Hello,
I have set a very low limit for testing and I got an error on line 137:
~]# /usr/bin/php /home/flood.php
[protect] initializing tx packet counter to 48918869232
[protect] got 451 packets per second! running tcpdump
[protect] tcpdump started as 26520, taking five
[protect] killing tcpdump
[protect] captured 4429 packets over 0.00000 sec
PHP Warning: Division by zero in /home/flood.php on line 137
[protect] found packets per second from
[protect] got 1015.2 packets per second! running tcpdump
[protect] tcpdump started as 27134, taking five
[protect] killing tcpdump
[protect] captured 3109 packets over 0.00000 sec
PHP Warning: Division by zero in /home/flood.php on line 137
@anthony1 post a few lines of the tcpdump output, to see why it would be 0 sec.
tcpdump
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:39:28.307034 IP 85.0.232.72.hypernia.com.http > 199.101.185.152.50853: Flags [.], ack 125786281, win 136, length 0
15:39:28.307596 IP 85.0.232.72.hypernia.com.http > 199.101.185.152.50854: Flags [S.E], seq 2871057942, ack 1440313646, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:39:28.308082 IP 185.49.145.70.http > 104.171.126.219.56916: Flags [P.], seq 1104051629:1104052213, ack 1102759358, win 83, length 584
15:39:28.309198 IP 199.101.185.152.50854 > 85.0.232.72.hypernia.com.http: Flags [.], ack 1, win 513, length 0
15:39:28.311292 IP host-212-72-155-53.customer.co.ge.http > 199.101.185.152.50768: Flags [P.], seq 1449476269:1449477649, ack 4275600066, win 15544, length 1380
^Z
[3]+ Stopped tcpdump
from my point of view, it's best to clear up data asap and avoid congestion instead of removing 'em
@anthony1 do some debugging, e.g. add some echo statements to see what the values of minTime, maxTime, and duration are
Edit: or maybe all the packets are being ignored because they fall outside of blockableRanges
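One way to do the per-source count that the tcpdump approach relies on, as an added example in Python rather than the gist's PHP or any poster's code: the capture window is taken from the packet timestamps, and when that span is zero (a single packet, or packets sharing one timestamp, which is exactly the division-by-zero case above) it falls back to the known capture length. The sample lines are constructed to mirror the format quoted above; the addresses are placeholders.

```python
import re
from collections import Counter

# One tcpdump packet line: timestamp and "src > dst" (format as quoted above; run
# tcpdump with -n so the source is an address, not a name like x.hypernia.com.http).
PACKET_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+) > \S+:")

def parse_packet(line):
    """Return (seconds since midnight, source host) or None for non-packet lines."""
    m = PACKET_RE.match(line)
    if m is None:
        return None
    h, mi, s, us = (int(g) for g in m.groups()[:4])
    src = m.group(5).rsplit(".", 1)[0]  # drop the trailing port / service name
    return h * 3600 + mi * 60 + s + us / 1e6, src

def pps_per_source(lines, fallback_window=5.0):
    """Per-source packets/second over a capture -> (window_seconds, {src: pps}).
    The window is maxTime - minTime of the parsed packets; one packet, or packets
    that all share a timestamp, give a span of 0 (the "Division by zero" above),
    so the known capture length (the script's five seconds) is used instead.
    """
    counts, times = Counter(), []
    for line in lines:
        parsed = parse_packet(line)
        if parsed is None:
            continue  # banner / warning lines printed by tcpdump itself
        t, src = parsed
        times.append(t)
        counts[src] += 1
    if not times:
        return 0.0, {}
    window = max(times) - min(times)
    if window <= 0:
        window = fallback_window
    return window, {src: n / window for src, n in counts.items()}

def offenders(lines, limit_pps, fallback_window=5.0):
    """Source addresses whose observed rate reaches limit_pps (the cron threshold)."""
    _, rates = pps_per_source(lines, fallback_window)
    return sorted(src for src, pps in rates.items() if pps >= limit_pps)

# Constructed sample in the quoted format (addresses are documentation/private ranges).
SAMPLE = """\
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:39:28.307034 IP 10.0.0.5.http > 198.51.100.7.50853: Flags [.], ack 1, win 136, length 0
15:39:28.307596 IP 10.0.0.5.http > 198.51.100.7.50854: Flags [S.], seq 1, ack 1, win 14600, length 0
15:39:28.308082 IP 10.0.0.9.http > 203.0.113.4.56916: Flags [P.], seq 1:585, ack 1, win 83, length 584
15:39:29.307034 IP 10.0.0.5.http > 198.51.100.7.50855: Flags [.], ack 1, win 136, length 0
""".splitlines()
```

The source returned is still only an address; mapping it to a vserver/client is the SolusVM lookup discussed earlier in the thread.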
Hello again,
Any expert user around who can actually make/test the script I need? This is bugging me more and more with network packet flooders (UDP/TCP). I'd rather pay some $ to someone to make one 100% working script and solve the problem.
I doubt you want to spend enough for that work. We talk about easily 500EUR+ here, and that on the very low side.
I don't think so, I nearly made it myself using this thread's messages. If it's too complicated to shut down the machine, then at least to get a notification about the packet flooder; maybe someone already has it and wants to share it / sell it at a decent price.
If you are using SolusVM create a ticket about this and specifically ask for Phill quoting this thread.
Please check Ticket #VVF-724730.
yay, a little kvm abuse management?
https://github.com/pavel-odintsov/fastnetmon
Phill, unfortunately since October you didn't even try to help me. More than this, you have closed the ticket.
There isn't going to be a lot he can help you with short of you paying admin time for him to code a monitor for you. He likely thought you may have had an issue with the ip locks not applying properly, but he would have to code a pretty extensive monitor.
Your best bet would be to just apply a rate limit on the node side for each source IP.
Francisco