I am noticing a bunch of UDP traffic hitting a server on a shared IP. Is there any way to tell which site they may be trying to hit?
- possible duplicate of [My server's been hacked EMERGENCY](http://serverfault.com/questions/218005/my-servers-been-hacked-emergency) – Lucas Kauffman Sep 17 '12 at 20:26
- @LucasKauffman How about let's wait until he _is_ hacked first. :) – Michael Hampton Sep 17 '12 at 20:30
- You won't know until you try. Look at the UDP traffic and see what you can figure out. What port is it to? – David Schwartz Sep 17 '12 at 21:02
- The ports are random ones that don't have services. – Jake Mach Sep 17 '12 at 21:06
- What makes you think the attempts are against a site? All indications are that the target is the server itself. – John Gardeniers Sep 17 '12 at 21:54
- It's hitting a shared IP that a bunch of sites are on, so it's targeting a site. – Jake Mach Sep 17 '12 at 22:54
- @Jake, that doesn't mean the target is one of the sites. Remember, the server itself is also at the same IP address. The very fact that random ports are being hit indicates that the server itself is being probed. – John Gardeniers Sep 17 '12 at 23:41
2 Answers
Not unless the body of the packet contains this information. Sniff it using tcpdump or wireshark, and look.
Once you resolve a DNS name into an IP, it's not possible to reverse it back (DNS -> IP is many-to-one).
Jay
- Is there a better flag option than other flag options to use to sniff the packets? – Jake Mach Sep 17 '12 at 21:07
- I just need to know how to figure out what domain being hosted is being targeted by the attack. – Jake Mach Sep 17 '12 at 22:55
The challenge here is that UDP traffic is trivial to forge.
Your ISP might be able to help you filter out the traffic if it is significant, but without the cooperation of all ISPs, there is no way to trace UDP traffic with a high level of certainty.
If the person sending the packets has provided false/invalid source IP/port information, there really is nothing you can do to trace them.