  1. #1
    Join Date
    Mar 2003
    Posts
    345

    nocster UDP flood ?

    Is there any nocster customer here ?

    Do you receive unnecessary UDP traffic coming into your eth0 ?

    I run a network sniffer, and found this kind of traffic :

    _ UDP (46 bytes) from 64.191.105.19:1029 to 224.2.243.20:36546 on eth0 _
    _ UDP (46 bytes) from 64.191.105.19:1029 to 224.2.243.20:36546 on eth0 _
    _ UDP (46 bytes) from 64.191.105.19:1029 to 224.2.243.20:36546 on eth0 _
    _ UDP (46 bytes) from 64.191.105.19:1029 to 224.2.243.20:36546 on eth0 _

    every second !

    I noticed this first from mrtg, about 2 MBytes incoming traffic every 5 minutes.

    Just wondering if you also got this.

    I asked in this forum because I got no answer in their forum (maybe only me got this?, but why?).

    Thanks for any info.

  2. #2
    Join Date
    Jul 2003
    Location
    Nothing but, net
    Posts
    2,062
    Looks like you may be the victim of a DoS attack.

  3. #3
    Join Date
    Mar 2003
    Posts
    345
    Hmm ... strange, I have not published this server yet because it's still under development ... and I got a DoS attack ?

    Anyone can trace IP 64.191.105.19 ?

    But still, they are attacking a multicast address

  4. #4
    Join Date
    Jun 2002
    Posts
    362
    They are probably spoofing the address, so tracing it won't do you much good. Can you log in to SSH? If you can, lag will be bad, but you can manually block the IPs attacking you with iptables.

  5. #5
    Join Date
    Mar 2003
    Posts
    345
    I figured out that this IP : 64.191.105.19 belongs to nocster (HOSTNOC).

    One of their support said that "this is normal Windows broadcast". There is another IP also broadcasting to port 137 and 138 EVERY SECOND !

    Is this statement true ? that this is normal ... ?

    If I check using "ifconfig eth0", and watch the RX count (incoming traffic), I found it's increased a lot (about 2 MBytes per 5 minutes).

    Heymish suggested that I block this IP ... If I block this IP, will my eth0 still be receiving their broadcast?

    I don't get this, why in the first place do these servers broadcast every second!

    If this is NOT affecting my server network load, why does mrtg catch it as incoming traffic (via snmp) ?

    Grrr ...
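
Added example (not part of the original thread): a short Python script that parses sniffer lines in the format quoted in the first post, labels each destination as multicast, broadcast or unicast, and totals packets and bytes per flow so the result can be compared with the interface counters. The local subnet 192.0.2.0/24 and the last two sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format quoted in the first post. The first two
# lines reuse the addresses from the thread; the NetBIOS broadcast and the
# unicast line use made-up documentation addresses.
SAMPLE = """\
UDP (46 bytes) from 64.191.105.19:1029 to 224.2.243.20:36546 on eth0
UDP (46 bytes) from 64.191.105.19:1029 to 224.2.243.20:36546 on eth0
UDP (78 bytes) from 192.0.2.7:137 to 192.0.2.255:137 on eth0
UDP (512 bytes) from 198.51.100.9:4000 to 192.0.2.10:53 on eth0
"""

LINE = re.compile(r"UDP \((\d+) bytes\) from ([\d.]+):(\d+) to ([\d.]+):(\d+) on (\S+)")

def classify(dst, local_net):
    """Say whether dst is multicast, broadcast or unicast for subnet local_net."""
    ip = ipaddress.ip_address(dst)
    net = ipaddress.ip_network(local_net)  # assumed subnet of the capturing host
    if ip.is_multicast:                    # 224.0.0.0/4
        return "multicast"
    if ip == net.broadcast_address or dst == "255.255.255.255":
        return "broadcast"
    return "unicast"

def summarize(text, local_net):
    """Return {(src, dst, dport, kind): (packets, bytes)} for every parsed line."""
    flows = defaultdict(lambda: [0, 0])
    for m in LINE.finditer(text):
        size, src, _sport, dst, dport, _iface = m.groups()
        key = (src, dst, int(dport), classify(dst, local_net))
        flows[key][0] += 1
        flows[key][1] += int(size)
    return {k: tuple(v) for k, v in flows.items()}

def projected_bytes(size, per_second, window_s=300):
    """Bytes one flow adds over a polling window (300 s = 5 minutes),
    using the packet size as the sniffer reports it."""
    return size * per_second * window_s

if __name__ == "__main__":
    for (src, dst, dport, kind), (pkts, nbytes) in summarize(SAMPLE, "192.0.2.0/24").items():
        print(f"{kind:9} {src} -> {dst}:{dport} packets={pkts} bytes={nbytes}")
    print("46-byte packet once per second over 5 min:", projected_bytes(46, 1), "bytes")
```

Multicast and subnet-broadcast frames still reach the NIC and are counted in RX even when a host firewall drops them, so the per-flow totals are what to compare against the interface counter.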

  6. #6
    Join Date
    May 2004
    Location
    chicago
    Posts
    173
    How to find out which ip is sending packets via please describe.

    thanks
    CEO - Alakmalak Technologies www.Alakmalak.com
    Web Application Development : Website Development Web Designing
    Support Toll Free +1-800-789-9620 Skype : rushik Operating Since 2003 || Team size of 35+ Web development center at INDIA

  7. #7
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    this is a very old post. thanks for digging it up
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
