I'm having some form of brute force attack being done to my server, and I have a screenshot of what's happening below. Remote Address 121.14.154.206 is somehow abusing all of my ports and burning through my bandwidth at an incredible rate.

Does anyone know how to directly combat this problem even if I were to not know the IP address as I do now?

I tried blocking the address via iptables like:

iptables -A OUTPUT -s 121.14.154.206 -j DROP

but it still continues. Maybe I'm missing something, but I'm pretty desperate because I can't afford to pay the bandwidth overage charges at this rate.

[Image: Server Attack]

[Image: Bandwidth Burnage]

EDIT: Blocked all output destination port 53 traffic with iptables -I INPUT 0 --dport 53 -j DROP, as I use Cloudflare and don't need to resolve my own DNS. I'm still seeing some weird things in iptraf.

[Image: Multiple Attackers]

The amount of traffic has drastically reduced, but I'm still getting a solid amount and there are source/destination IP addresses still coming in that are not my IP address. I'm completely baffled as to why they're even showing up because none of them are 173.234.60.106.

[Image: Reduced Traffic]

Maruf
  • You are being used to denial-of-service someone. https://www.us-cert.gov/ncas/alerts/TA13-088A – ceejayoz Jun 30 '14 at 20:19
  • See "What can I do?" at http://openresolverproject.org/ – ceejayoz Jun 30 '14 at 20:20
  • Your server is the _attacker_, not the victim here. This indicates that you have been pretty thoroughly compromised. Time to nuke it from orbit. – Michael Hampton Jun 30 '14 at 20:37
  • @MichaelHampton A DNS amplification attack requires no compromise, just an open resolver. – ceejayoz Jun 30 '14 at 20:37
  • @ceejayoz True, but there doesn't seem to _be_ a resolver on his IP address (or if there is, it's since been firewalled or disabled). – Michael Hampton Jun 30 '14 at 20:39
  • I've done iptables -I OUTPUT --dport 53 -j DROP but I'm still getting some other attacks on other ports. Do I need to download a program or something or do I resolve this with iptables? – Maruf Jun 30 '14 at 20:48
  • @MariusMiliunas You need to stop running an open DNS resolver. – ceejayoz Jun 30 '14 at 20:52
