#1

    Strange attack, many costs, please help!

    Hello,

My tech support said that the attack is inbound. Well... I turned off the machine and the attack still made high traffic to the server, and because of the attack I had a big overusage of bandwidth, which costs 1 EURO / 1 GB. The DC does not offer a hardware firewall, so they can't block this attack in a hardware firewall. So if the attack makes high traffic, should I pay for this overusage? I can't stop the bandwidth growing, I'm not GOD! Please tell me what you think about this money per overusage! Sorry for my English, but I'm so confused. Thank you in advance!

#2 (New York USA)

Have you any idea what kind of attack it is? There are also software-based firewalls that can be put into place to help you fend off some of the most common attacks. If you are not sure what kind of attacks these are, you can install an IDS such as Snort. Snort works great to detect common attempts to gain access or other bad things. The community is great, as many write custom filters for almost all attacks.

#3 (Internet)

"I turned off machine and attack still made high traffic to server"

Can you please explain the above sentence?

#4

Sorry...

The box had been shut down and pings didn't reply, and the box was making 4 Mbps of traffic while the machine was OFF.

#5 (Australia)

The last post would lead me to think that the box didn't actually shut down and hung on the shutdown sequence (probably waiting for a user to quit). I doubt wake-on-LAN would be activated on a server board... It isn't great that the DC doesn't have a firewall (at least one on the router) that can help you block the attack, but they have the right to say that you have to pay for the usage.

I'd suggest keeping the box offline and getting the DC technicians to take a look at why there is so much traffic going into the box (possible backdoor, exim spammer, etc.).

#6 (Auckland, New Zealand)

Who shut down the box? Did you use halt? Because if the DC turned the box off for you, then the traffic should not be coming from your server. Get them to null route the IP address, so that they cannot count traffic against you. Also, sometimes the monitoring is wrong at the port level because of misconfigured VLANs. Make sure to check the MRTG on your system against what is at the router level, to make sure that you are actually using the same amount of traffic.
    BLUETRIDENT.NET - Reliable Shared, Reseller and Dedicated Hosting Solutions Provider
    Managed Hosting with Personal Service
    Highspeed Content Servers, Lighttpd, Ruby on Rails, Cluster Servers & Rich Web Application Hosting

#7

Thanks for the replies.

ImZan - I shut down the box to stop the traffic, but the pings stopped and the traffic never stopped.

For 6 days the UTP traffic has been 30 GB daily; without the attack it was always 100 MB daily.... So if I know it's UTP traffic, is that helpful or not?

Thank you,
Rafal

#8 (Auckland, New Zealand)

By the nature of UDP traffic, there doesn't need to be a handshake like the TCP one. Your datacenter should not be counting traffic against your system if your hardware is off. If it's directed at a specific IP address, your datacenter can get this IP address null routed at their edge routers; however, a lot of DCs will get their upstream providers to do the null routing so it never even hits the DC. Getting a new IP range is much more sensible.

If the box is up, bring it back up and install MRTG on the system. See if the traffic pattern is the same as the one provided by the provider, to rule out misconfiguration on their end. If all things fail, move to one of the datacenters that will not charge you for DoS protection.

#9

UDP * (not UTP)

#10 (Auckland, New Zealand)

BTW - did you make sure to check if it's not a DNS DoS amplification type of attack?
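The check suggested in the post above, written up as an added example that is not code from the thread or from any poster: it reads inbound packet lines in the style of `tcpdump -nn` output, totals bytes per protocol for the victim address, and flags the DNS-amplification signature (UDP replies from source port 53, large, arriving from many distinct resolvers). The capture lines, the victim address 192.0.2.10, the 80% share and 3-source thresholds, and the decimal-GB projection are all assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed victim address (TEST-NET-1 documentation range), not from the thread.
VICTIM = "192.0.2.10"

# Constructed sample in tcpdump -nn style; not a real capture. Five DNS replies
# (UDP src port 53, 3072 bytes each) from different resolvers, one TCP SYN/SYN-ACK
# pair, and one plain UDP datagram for contrast.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 198.51.100.7.53 > 192.0.2.10.41230: 4321 2/0/0 ANY A 203.0.113.5 (3072)
12:00:01.000400 IP 198.51.100.8.53 > 192.0.2.10.41230: 4321 2/0/0 ANY A 203.0.113.5 (3072)
12:00:01.000700 IP 198.51.100.9.53 > 192.0.2.10.41230: 4321 2/0/0 ANY A 203.0.113.5 (3072)
12:00:01.001000 IP 198.51.100.10.53 > 192.0.2.10.41230: 4321 2/0/0 ANY A 203.0.113.5 (3072)
12:00:01.001300 IP 203.0.113.44.5000 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.001600 IP 192.0.2.10.22 > 203.0.113.44.5000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.001900 IP 198.51.100.11.53 > 192.0.2.10.41230: 4321 2/0/0 ANY A 203.0.113.5 (3072)
12:00:01.002200 IP 198.51.100.12.40000 > 192.0.2.10.80: UDP, length 1400
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>" for IPv4 lines.
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$"
)
# tcpdump prints "length N" for TCP/UDP and "(N)" at the end of a DNS line.
LEN_RE = re.compile(r"(?:length (\d+)|\((\d+)\))\s*$")


def parse_line(line):
    """Return a packet dict for one tcpdump-style line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, rest = m.groups()
    lm = LEN_RE.search(rest)
    length = int(lm.group(1) or lm.group(2)) if lm else 0
    proto = "TCP" if "Flags [" in rest else "UDP"
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": length}


def summarize(capture_text, victim=VICTIM, dns_share_threshold=0.8, min_sources=3):
    """Total inbound bytes per protocol and decide whether DNS replies dominate the UDP volume.

    The thresholds are assumptions: at least 80% of inbound UDP bytes coming from
    UDP source port 53, spread over at least 3 distinct resolvers.
    """
    inbound = [p for p in (parse_line(l) for l in capture_text.splitlines())
               if p and p["dst"] == victim]
    bytes_by_proto = Counter()
    dns_sources = set()
    dns_bytes = 0
    for p in inbound:
        bytes_by_proto[p["proto"]] += p["bytes"]
        if p["proto"] == "UDP" and p["sport"] == 53:
            dns_sources.add(p["src"])
            dns_bytes += p["bytes"]
    udp_bytes = bytes_by_proto["UDP"]
    dns_share = dns_bytes / udp_bytes if udp_bytes else 0.0
    return {
        "inbound_packets": len(inbound),
        "udp_bytes": udp_bytes,
        "tcp_bytes": bytes_by_proto["TCP"],
        "dns_reply_bytes": dns_bytes,
        "dns_reply_sources": len(dns_sources),
        "dns_share_of_udp": round(dns_share, 3),
        "likely_dns_amplification": dns_share >= dns_share_threshold
                                    and len(dns_sources) >= min_sources,
    }


def projected_daily_gb(rate_mbps):
    """Decimal GB per day for a sustained rate, to compare with the DC's per-GB billing."""
    return rate_mbps * 1_000_000 / 8 * 86_400 / 1_000_000_000


if __name__ == "__main__":
    report = summarize(SAMPLE_CAPTURE)
    for key, value in report.items():
        print(f"{key}: {value}")
    print(f"4 Mbps sustained for a day: {projected_daily_gb(4.0):.1f} GB")
```

On the real box the input would be the live output of `tcpdump -nn -i <iface> -l dst host <your ip>` rather than the embedded sample, and the per-protocol byte totals are the numbers to hold against the provider's router-level MRTG graph mentioned earlier in the thread. A result where almost all inbound UDP is port-53 replies from many resolvers is the amplification pattern; a null route at the DC edge is then the only thing that stops the bytes from being delivered to the port.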
