OK, so here's some info: Fedora23 running in VirtualBox on a Windows 7 Host.
Public-facing router has no DMZ, but port forwarding from 2325 (external) to 1194 (internal) and the internal static IP.
Running iftop, I'm getting a huge amount of incoming/outgoing traffic (50-70 Mbps):
revolve-mainframe => 104.23.119.177 54.6Mb 35.4Mb 8.84Mb
<= 0b 0b 0b
revolve-mainframe => v.pr.h.cpvps.us 0b 643b 210b
This bogs down our office's internet, needless to say.
Running the following commands to block the IPs fixes the issue:
[root@revolve-mainframe sysconfig]# sudo route add -host 104.23.118.177 reject
[root@revolve-mainframe sysconfig]# sudo route add -host 104.23.119.177 reject
[root@revolve-mainframe sysconfig]# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default gateway 0.0.0.0 UG 0 0 0 enp0s8
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
104.23.118.177 - 255.255.255.255 !H - - - -
104.23.119.177 - 255.255.255.255 !H - - - -
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 enp0s8
192.168.56.0 0.0.0.0 255.255.255.0 U 0 0 0 enp0s3
Now the question is, is this a result of a DDoS attack? If I unblock those two IPs, I get a flood of incoming packets from all kinds of different IP addresses.
But it is only two specific IP addresses that I have to block to stop the flood.
Or is it that my server has been compromised and being used as a DDoS source?
Or...?
You are not being DDOSed. There are not enough connections being made. You cannot be DDOSed from a single ip address. – Ramhound – 2016-07-19T23:58:41.987
That's correct @Ramhound, but you can be DoSed (without the second D) from a single IP address if the attack bandwidth exceeds the bandwidth available to your uplink. In OP's case however, the server is not receiving an attack. It is actively generating traffic towards the IP addresses indicated in iftop. Try to find out which process causes the traffic on your machine. Maybe it's just a faulty or a long forgotten cron job. – markusju – 2016-07-20T08:35:29.417
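One way to act on the advice above (find the process behind the outbound flood rather than just null-routing peers) is to summarise `ss -tnp` output per process and external peer; this is an added example, not code from the post, and the `ss` sample it parses is constructed here, with IPv4 peers and private LAN/VPN ranges assumed.

```shell
#!/bin/sh
# Constructed sample of `ss -tnp` output (not from the original post).
# Live use, as root so process names are visible:  ss -tnp | top_talkers
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.10:40212 104.23.119.177:80 users:(("suspect",pid=1234,fd=5))
ESTAB 0 0 192.168.1.10:40213 104.23.119.177:80 users:(("suspect",pid=1234,fd=6))
ESTAB 0 0 192.168.1.10:40214 104.23.118.177:443 users:(("suspect",pid=1234,fd=7))
ESTAB 0 0 192.168.1.10:22 192.168.1.50:51000 users:(("sshd",pid=900,fd=3))'

# Reads ss -tnp output on stdin; prints "<count> <process>(pid=N) -> <peer ip>",
# most connections first, ignoring peers in private (LAN/VPN/loopback) ranges.
top_talkers() {
  awk '
    NR > 1 && $1 == "ESTAB" {
      peer = $5
      sub(/:[0-9]+$/, "", peer)                       # strip the peer port (IPv4 only)
      if (peer ~ /^(10\.|192\.168\.|127\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) next
      proc = "unknown"                                 # no process column: not root, or no -p
      if (match($6, /\("[^"]+",pid=[0-9]+/)) {
        proc = substr($6, RSTART + 2, RLENGTH - 2)     # name",pid=N
        sub(/",pid=/, "(pid=", proc)
        proc = proc ")"
      }
      count[proc " -> " peer]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Stand-alone run over the constructed sample: the two external peers from the
# thread show up under one PID, the LAN sshd session is filtered out.
printf '%s\n' "$SAMPLE_SS" | top_talkers
```

The PID reported is what you then inspect (`ls -l /proc/<pid>/exe`, `ps -o user,lstart,cmd -p <pid>`) before deciding whether a cron job misbehaved or the host needs rebuilding.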
Right but the author thinks he is being DDOSed not DOSed. I know the difference, didn't make mention or explain the difference, on purpose – Ramhound – 2016-07-20T11:10:28.543
OK I discovered a bit more information, data is indeed being sent to and from a multitude of IP addresses. As soon as I block a pair of IPs, another set pop up in the iftop list.
Furthermore, if I look at the Windows network activity (I've a Windows 7 host with a Fedora 23 guest in a VirtualBox VM using a bridged adapter for accessing the internet), I've sent WAY more than received. Approx. 632 GB have been sent over the past day, while only 300 MB has been received.
So now, it seems my server may have been compromised and is in fact being used as a DoS source. – heisian – 2016-07-21T05:04:29.007
I've disabled the network service via systemctl on the Fedora VM for now. I think what I will do to be sure is to just re-build the stack in the cloud.. EC2. That way, fresh install, and ability to get fresh IPs on a whim. – heisian – 2016-07-21T05:07:37.023