I have a debian server (kernel: 2.6.32-5-amd64).
I normally run a jetty server on it, but lately it started getting tons of connections to it. It shouldn't get all this traffic, since it's a pretty unknown server.
Running:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Outputs hundreds of IPs. I tried adding them all to the iptables drop list, but new IPs keep showing up.
I then went ahead and stopped Jetty, and all connections were gone. To make sure this was not a bug/security hole in Jetty, I fired up apache2, and all the connections started right away.
It looks like people are using it as a proxy server; using urlsnarf it's showing tons of outgoing requests to forums, ad sites, and you name it. It's doing so many requests that the CPU is jumping up and down, and eventually the server ends up crashing.
Does anyone know how they can do this? It seems like whatever server is listening on port 80, this immediately begins.
Is this a DDOS attack? How are people using my server as a proxy, only with software listening on port 80?
I have hostsdeny installed and deflate (http://deflate.medialayer.com/), but still the problem persists.
If you suspect or have any idea how to secure and fix this problem, I would be very thankful.
If I need to provide more data, let me know.
Thanks in advance
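An added example, not from the question or the comments, that extends the asker's netstat pipeline: instead of counting every connection per remote IP, it splits the count by TCP state, so hosts that only leave half-open SYN_RECV entries can be told apart from clients that complete the handshake, which is the separation the comments later ask about. It assumes the Linux `netstat -ntu` output format and IPv4 addresses; the sample output below is constructed, not captured from the asker's server.

```shell
#!/bin/sh
# Summarise `netstat -ntu` output per remote IP and per TCP state.
# A browser or proxy client completes the handshake (ESTABLISHED); a SYN flood
# or scan leaves only half-open SYN_RECV entries behind.

# Constructed sample output (RFC 5737 test addresses), not real traffic.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51202      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51203      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51204      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.44:40011      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.44:40012      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:55000       ESTABLISHED
udp        0      0 192.0.2.10:123          203.0.113.200:123       '

# summarize: reads netstat output on stdin and prints one line per remote IP:
#   "<ip> <SYN_RECV count> <ESTABLISHED count>", most half-open first.
# Only TCP lines are counted; the ':' split is IPv4-only, as in the question.
summarize() {
    awk '$1 == "tcp" {
        split($5, a, ":"); ip = a[1]
        if ($6 == "SYN_RECV") syn[ip]++
        else if ($6 == "ESTABLISHED") est[ip]++
        seen[ip] = 1
    }
    END {
        for (ip in seen) printf "%s %d %d\n", ip, syn[ip] + 0, est[ip] + 0
    }' | sort -k2,2nr -k1,1
}

# suspects: remote IPs with at least $1 half-open connections and none established,
# i.e. the pattern worth rate-limiting rather than every busy client.
suspects() {
    summarize | awk -v min="$1" '$2 >= min && $3 == 0 { print $1 }'
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | summarize
    printf '%s\n' "$SAMPLE" | suspects 3
fi
```

On a live box, replace the sample with `netstat -ntu | summarize`; a high SYN_RECV count with zero ESTABLISHED is what a SYN flood looks like, whereas proxy abuse shows up as completed connections.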
Thanks harrymc - actually I did try reinstalling the server, with the latest Ubuntu (it's a virtual machine, so I created a new server and allocated the static IP to it). I then started the Jetty server on port 80 again (only with its default server html page) - and the requests started flooding again. I also tried removing Jetty and installing apache instead, but as soon as I start the apache2 service (again only with the default "it works!" page), the requests start hammering in again. – Bolli – 2013-06-23T14:29:12.573
Is this VM directly connected to the Internet with a fixed IP? Are the requests from the Internet or internal? – harrymc – 2013-06-23T14:30:59.037
It's directly connected with a static/fixed IP. The requests are from all around the world, I guess from other compromised servers. As said in my other comment, Wireshark shows that all these requests are SYN requests, so I'm wondering if I am getting SYN flooded. I have applied these steps to prevent it: http://pierre.linux.edu/2010/04/how-to-secure-your-webserver-against-syn-flooding-and-dos-attack/
But still I don't understand how they can do GET requests to external servers, with my server only listening on port 80?
And adding these steps to avoid SYN flooding has not helped. The only thing that works is to manually block the IPs in iptables, but new IPs keep showing up. I was planning on running this as a production server in the near future, so I can't simply auto-block them all. Unless there is a way to separate these requests from good-minded/normal requests? – Bolli – 2013-06-23T14:39:28.720
Funny that anybody would attack your server, unless you are just collateral damage. You could in iptables block-all except specific IPs to specific ports. See also this article.
– harrymc – 2013-06-23T15:18:56.190
Thanks - like I said, I would like to use the server/IP for production in the near future, so blocking all except specific IPs would not work for me. It is very funny that anyone would want to attack this server, since only 3 people know about it. I suspect that the IP I bought has been used before or somehow ended up on a botnet list or something. I don't know, I'm just very curious how to fix this and how they are doing it. I have applied some of the iptables rules from your link - still not blocking all the requests :/ – Bolli – 2013-06-23T15:34:12.633
Syn attacks are very hard to avoid if done well, and possibly even your IP segment is hit with SYN scanning. You could try getting another IP or a cloud front-end in another IP segment. Or try to find a common factor between the SYN requests (such as port number) that will help set up a blocking rule. Some advanced commercial firewalls can protect the server against SYN attacks but are quite costly, and so are professional routers.
– harrymc – 2013-06-23T16:23:13.160
The possibilities I see are that the previous owner of this IP (1) was running a proxy service, (2) was heavily into P2P, (3) or part of a network such as TOR, (4) or was infected by a botnet and served as a messenger node, (5) or that this IP segment is over-scanned by a botnet. It is quite possible that this previous owner also asked to have his IP changed, or had it revoked for illegal activities, and that's how you got it ... – harrymc – 2013-08-06T06:09:14.260