
I am using 85 Amazon EC2 instances. The day before yesterday I got emails from Amazon about EC2 abuse. They report DoS attacks on a remote host.

Amazon mail content attached for your reference.

Denial of Service attacks against remote hosts on the Internet; check the information provided below by the abuse reporter.

Log Extract:

2012-02-23 00:31:38.218128 IP (tos 0x0, ttl 64, id 5911, offset 0, flags [DF], proto: UDP (17), length: 78) IP_addres.33840 > 89.36.27.40.0: UDP, length 50
2012-02-23 00:31:38.218146 IP (tos 0x0, ttl 64, id 5912, offset 0, flags [DF], proto: UDP (17), length: 78) IP_address.33840 > 89.36.27.40.0: UDP, length 50

My client told me to block port 17 in iptables. We blocked it using this iptables command:

sudo iptables -A OUTPUT -p udp --dport 17 -j DROP

After UDP port 17 was blocked, the DoS attacks still continued.

Finally, we captured the DoS attack log with this command:

sudo tcpdump -nnvv -i any 'udp[tcp-syn]  & (tcp-syn)' != 0 and not port 22

I need to clarify whether "proto: UDP (17)" in the Amazon log means UDP port 17. If so, we have blocked that outbound port, so how does the attack continue?

Otherwise, we need to take additional measures or run tests.

Could anyone kindly provide a solution to stop these DoS attacks?

EEAA
Mohan Shanmugam

1 Answer


How does the attack continue?

You didn't fix the source issue. You should thoroughly review your logs to see how someone else is causing your server to generate this traffic. Try using tcpdump to see if there are other connections into or outbound from your instance that are unusual. You may have a service open to the public (unintentionally) that is being abused to cause this. Check what ports are open into your instance to find out what is exposed to the internet.

Nathan V
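An added example, not part of the question or the answer: a Python parser for the two tcpdump lines in the abuse report that separates the IP protocol number from the source and destination ports, then checks each packet against a simplified model of the iptables rule from the question. In tcpdump output `proto: UDP (17)` is the IP protocol number and the port is the last dotted field of each address; the function names and the rule model are assumptions made for illustration.

```python
import re
from collections import Counter

# Log lines copied verbatim from the abuse report quoted in the question.
REPORT = """\
2012-02-23 00:31:38.218128 IP (tos 0x0, ttl 64, id 5911, offset 0, flags [DF], proto: UDP (17), length: 78) IP_addres.33840 > 89.36.27.40.0: UDP, length 50
2012-02-23 00:31:38.218146 IP (tos 0x0, ttl 64, id 5912, offset 0, flags [DF], proto: UDP (17), length: 78) IP_address.33840 > 89.36.27.40.0: UDP, length 50
"""

# "proto: NAME (NUM)" is the IP header protocol field; ports follow the last dot
# of the source and destination addresses.
LINE = re.compile(
    r"proto:? (?P<name>\w+) \((?P<num>\d+)\), length:? \d+\)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):"
)

def parse(line):
    """Return protocol and port fields of one tcpdump -v line, or None."""
    m = LINE.search(line)
    if not m:
        return None
    return {"proto_name": m["name"], "proto_num": int(m["num"]),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}

def rule_matches(pkt, proto_num, dport=None):
    """Simplified model of an OUTPUT rule `-p <proto> [--dport <port>]`."""
    if pkt["proto_num"] != proto_num:
        return False
    return dport is None or pkt["dport"] == dport

def analyze(report, proto_num, dport):
    """Parse the report; return (packets, flow counts, packets the rule misses)."""
    pkts = [p for p in map(parse, report.splitlines()) if p]
    flows = Counter((p["proto_name"], p["sport"], p["dst"], p["dport"]) for p in pkts)
    missed = [p for p in pkts if not rule_matches(p, proto_num, dport)]
    return pkts, flows, missed

if __name__ == "__main__":
    # Rule from the question: -p udp (protocol 17) --dport 17 -j DROP
    pkts, flows, missed = analyze(REPORT, proto_num=17, dport=17)
    for (name, sport, dst, dport), n in flows.items():
        print(f"{n} pkt(s): {name} source port {sport} -> {dst} destination port {dport}")
    print(f"{len(missed)} of {len(pkts)} reported packets are not matched by the rule")
```

The reported packets are UDP (protocol 17) from source port 33840 to destination port 0, so a rule keyed on destination port 17 never matches them; the source port is a starting point for finding the process that generates the traffic.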