  1. #1
    Join Date
    Jan 2011
    Location
    Everywhere
    Posts
    772

    detection of outgoing floods on VPS nodes?

    I work at a VPS provider and we get a few abusers on a daily basis, but there is no way to tell they are an abuser by seeing the order, of course. Once they start an outgoing flood, it affects other clients on the same node too.

    So I wanted to ask the users here, is there any automated way of detecting if a person is running these types of scripts, or doing outgoing DoS/DDoS attacks? If it is detected, we could just get an email about it, and a cron job could run the script every few minutes or so. We normally check these nodes manually often and are able to filter out these types of users, but that still takes a few hours per day worth of staff time, so that won't work in the long term.

    I believe most of you have seen the system OVH uses, on a port scan or attack, you get an email - so something like that.

    Please suggest what can be possible to filter out these users automatically, thanks!
    Last edited by HostHatch_AR; 03-10-2012 at 03:30 PM.

  2. #2
    Join Date
    Oct 2007
    Location
    Central Indiana
    Posts
    76
    What kind of flood? You can detect certain kinds of attacks by monitoring the number of established connections via netstat -an.

    A possible solution would be a script to monitor for a single IP address with more than a certain threshold of ESTABLISHED connections. When detected, a rule could be added to the firewall to automatically block the IP until an admin could investigate further.
    Last edited by hostingxchange; 03-10-2012 at 03:57 PM.

  3. #3
    Join Date
    Jan 2011
    Location
    Everywhere
    Posts
    772
    Usually it's an outgoing UDP flood. Yes, well, as I said, we can do it manually, but that doesn't work in the long term.

    A script like that might not work, as it can be legit connections too and it can affect legit users.

  4. #4
    Join Date
    Oct 2007
    Location
    Central Indiana
    Posts
    76
    Not very often will you see a huge number of established connections to a single IP address unless something is wrong. Take a look for yourself. The vast majority of what you find will be TIME_WAIT, a smaller percentage will be ESTABLISHED and the rest will be a mixture of all the rest. A flood typically takes thousands of connection requests. If all of a sudden you go from an average of a few hundred to a few thousand established connections, then it's a pretty safe bet you have a flood going on.

  5. #5
    Join Date
    Feb 2012
    Location
    Europe
    Posts
    453
    Something like this will log it:
    Code:
    # Log outgoing UDP packets from any single source IP that exceed 1000/s.
    # "-m limit --limit 1000/s" would match (and log) only the first 1000 packets
    # per second, i.e. the normal traffic rather than the flood, so use hashlimit
    # with --hashlimit-above, keyed per source IP, to log only the excess.
    iptables -A OUTPUT -p udp -m hashlimit --hashlimit-above 1000/sec --hashlimit-mode srcip --hashlimit-name udpflood -j LOG --log-prefix "UDPFLOOD: "
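An added example (my code, not the poster's) of the cron job the OP asked for, built on the logging approach in this post: it parses the syslog lines the iptables LOG target writes with the "UDPFLOOD: " prefix, counts logged packets per source IP (the VPS address on a host node), and reports sources at or above a threshold so the report can be emailed. The sample lines, the log path and the threshold are constructed assumptions.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines in the format the iptables LOG target writes to
# syslog/kern.log with the "UDPFLOOD: " prefix; not captured from a real node.
SAMPLE_LOG = """\
Mar 10 15:30:01 node1 kernel: UDPFLOOD: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.5 LEN=1052 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=47000 DPT=80 LEN=1032
Mar 10 15:30:01 node1 kernel: UDPFLOOD: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.6 LEN=1052 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=47001 DPT=80 LEN=1032
Mar 10 15:30:01 node1 kernel: UDPFLOOD: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=1052 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=47002 DPT=80 LEN=1032
Mar 10 15:30:02 node1 kernel: UDPFLOOD: IN= OUT=eth0 SRC=203.0.113.22 DST=198.51.100.53 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53210 DPT=53 LEN=56
Mar 10 15:30:02 node1 kernel: eth0: link is up
"""

# Only lines carrying our prefix; SRC is the VPS address on a host node.
LINE_RE = re.compile(r"UDPFLOOD: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=UDP")


def summarize(text):
    """Count logged UDP packets and distinct destinations per source IP."""
    packets = Counter()
    dests = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            packets[m["src"]] += 1
            dests[m["src"]].add(m["dst"])
    return packets, dests


def find_offenders(text, min_packets):
    """Return [(src, packets, distinct_dsts)] for sources at or above the
    threshold, busiest first, so the result can be pasted into an alert mail."""
    packets, dests = summarize(text)
    hits = [(src, n, len(dests[src])) for src, n in packets.items() if n >= min_packets]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def alert_body(offenders):
    """Plain-text report for the email the cron job sends (empty if nothing to report)."""
    return "".join(f"{src}: {n} logged UDP packets to {d} destinations\n"
                   for src, n, d in offenders)


if __name__ == "__main__":
    # Assumed log path and threshold; tune to the node's normal traffic.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/kern.log"
    try:
        with open(path) as f:
            text = f.read()
    except OSError:          # no log available: run against the constructed sample
        text = SAMPLE_LOG
    sys.stdout.write(alert_body(find_offenders(text, 1000)) or "no UDP flood logged\n")
```

Pipe the output into the mailer of your choice from cron; an empty report means no source crossed the threshold in that log window.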

  6. #6
    Join Date
    Nov 2011
    Location
    AUSTRALIA
    Posts
    39
    Hi,
    Set a limit in iptables on the host node. That might be the only way to block outgoing UDP floods and limit them.

    Or, you can get a hardware firewall of some sort and use it to filter connections.

    If you want to manually check and can be more accurate, you might want to install iptraf and monitor connections but it is slow.
