03-10-2012, 03:26 PM #1 Web Hosting Master
detection of outgoing floods on VPS nodes?
I work at a VPS provider and we get a few abusers on a daily basis, but there is no way to tell they are an abuser by seeing the order of course. Once they start an outgoing flood, it affects other clients on the same node too.
So I wanted to ask the users here, is there any automated way of detecting if a person is running these types of scripts, or doing outgoing DoS/DDoS attacks? If it is detected, we can just get an email of it and a cron of the script can run every few minutes or so. We normally check these nodes manually often and are able to filter out these types of users, but that still takes a few hours per day worth of staff time, so that won't work in the long term.
I believe most of you have seen the system OVH uses: on a port scan or attack, you get an email - so something like that.
Please suggest what can be possible to filter out these users automatically, thanks!
Last edited by HostHatch_AR; 03-10-2012 at 03:30 PM.
-
03-10-2012, 03:52 PM #2 Junior Guru Wannabe
What kind of flood? You can detect certain kinds of attacks by monitoring the number of established connections via netstat -an.
A possible solution would be a script to monitor for a single IP address with more than a certain threshold of ESTABLISHED connections. When detected, a rule could be added to the firewall to automatically block the IP until an admin could investigate further.
Last edited by hostingxchange; 03-10-2012 at 03:57 PM.
-
03-10-2012, 04:03 PM #3 Web Hosting Master
Usually it's an outgoing UDP flood. Yes, well as I said, we can do it manually, but that doesn't work in the long term.
A script like that might not work, as it can be legit connections too and it can affect legit users.
-
03-10-2012, 04:10 PM #4 Junior Guru Wannabe
Not very often will you see a huge number of established connections to a single IP address unless something is wrong. Take a look for yourself. The vast majority of what you find will be TIME_WAIT, a smaller percentage will be ESTABLISHED and the rest will be a mixture of all the rest. A flood typically takes thousands of connection requests. If all of a sudden you go from an average of a few hundred to a few thousand established connections, then it's a pretty safe bet you have a flood going on.
-
03-10-2012, 04:14 PM #5 Web Hosting Evangelist
Something like this will log it:
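Code:
# "-m limit" matches packets below the rate; hashlimit-above matches only a source exceeding 1000 pkt/s (LOG itself capped at 1/s)
iptables -A OUTPUT -p udp -m hashlimit --hashlimit-above 1000/sec --hashlimit-mode srcip --hashlimit-name udpflood -m limit --limit 1/sec -j LOG --log-prefix "UDPFLOOD: "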
-
03-11-2012, 03:00 AM #6 Junior Guru Wannabe
Hi,
Set a limit in iptables on the hostnode. That might be the only way to block outgoing UDP floods and limit them.
Or, you can get a hardware firewall of some sort and use it to filter connections.
If you want to check manually and be more accurate, you might want to install iptraf and monitor connections, but it is slow.
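One way to automate the cron-driven check asked for in this thread, as an added example that is not part of any post: compare two `iptables-save -c` snapshots and flag guest IPs whose average outgoing UDP rate exceeds a packets-per-second threshold. The `UDPACCT` chain name, the per-guest counting rules, the sample snapshots and the assumption that guest traffic traverses the host node's FORWARD chain are all hypothetical.

```python
import re

# Constructed sample: two `iptables-save -c` snapshots of a hypothetical UDPACCT
# chain on the host node, taken 300 s apart. Each guest IP has one target-less
# counting rule, e.g.  iptables -A UDPACCT -s 192.0.2.10 -p udp
SNAP_T0 = """\
:UDPACCT - [0:0]
[52000:4100000] -A FORWARD -p udp -j UDPACCT
[1500:120000] -A UDPACCT -s 192.0.2.10/32 -p udp
[900:70000] -A UDPACCT -s 192.0.2.11/32 -p udp
[48000:3900000] -A UDPACCT -s 192.0.2.12/32 -p udp
COMMIT
"""
SNAP_T1 = """\
:UDPACCT - [0:0]
[1256000:1270000000] -A FORWARD -p udp -j UDPACCT
[4500:360000] -A UDPACCT -s 192.0.2.10/32 -p udp
[1200900:1260000000] -A UDPACCT -s 192.0.2.11/32 -p udp
[200:16000] -A UDPACCT -s 192.0.2.12/32 -p udp
COMMIT
"""

RULE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) -s (\d+\.\d+\.\d+\.\d+)(?:/32)? ")

def parse_counters(save_text, chain="UDPACCT"):
    """Return {guest_ip: packet_count} for the counting rules in one chain."""
    counts = {}
    for line in save_text.splitlines():
        m = RULE.match(line)
        if m and m.group(3) == chain:
            counts[m.group(4)] = counts.get(m.group(4), 0) + int(m.group(1))
    return counts

def flooders(prev, curr, seconds, pps_limit=1000):
    """Return [(ip, pps)] for guests whose average rate exceeded pps_limit."""
    hits = []
    for ip, now in curr.items():
        before = prev.get(ip, 0)
        # A counter lower than last time means the rule was reloaded or zeroed.
        delta = now - before if now >= before else now
        pps = delta / seconds
        if pps > pps_limit:
            hits.append((ip, round(pps)))
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for ip, pps in flooders(parse_counters(SNAP_T0), parse_counters(SNAP_T1), 300):
        print(f"possible outgoing UDP flood: {ip} averaged {pps} pkt/s")
```

Run from cron, the previous snapshot would be kept in a state file and any printed lines mailed to staff; because it counts packets per guest rather than connections, it also catches UDP floods that `netstat` connection states do not show.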