Can someone explain this? [ Probably DDoS ] [HELP!]

Sherlock Member
edited July 2014 in Help

Hi,

I need help. I have a server with @VMbox (their top plan) and it's been down for 20 hours. I try to boot it, but it stays offline. I tried to use the Serial Console, but as soon as I enter the password, the console window is closed. I use the server for hosting my websites, and currently I have directed them away from the concerned server. For the last 7-8 hours I have been messaging @VMbox regarding it, but he has not provided me any help. He hasn't even told me the reason why the server isn't booting/suspended. He just sent me the below log, no explanation of what's going on or what I can do to solve it, and now it seems he is trying to avoid the issue/not willing to help. Here is the log; can anyone please explain to me what it means and how I can solve it? Thanks in advance.

PS: Like any other newbie, I think it's DDoS, and I have told @VMbox to change my server's IP (the plan has only 1 IP though) to get rid of the DDoS.

Fri, 18 Jul 2014 18:54:27 -0400 VPS 2105 (xx.xx.xx.xx) has 30021 conntrack sessions
Fri, 18 Jul 2014 18:54:47 -0400 VPS 2105 (xx.xx.xx.xx) has 30082 conntrack sessions
Fri, 18 Jul 2014 18:54:57 -0400 VPS 2105 (xx.xx.xx.xx) has 30006 conntrack sessions
Fri, 18 Jul 2014 18:55:04 -0400 VPS 2105 (xx.xx.xx.xx) has 30058 conntrack sessions
Fri, 18 Jul 2014 18:55:15 -0400 VPS 2105 (xx.xx.xx.xx) has 30054 conntrack sessions
Fri, 18 Jul 2014 19:26:36 -0400 VPS 2105 (xx.xx.xx.xx) has 46433 conntrack sessions
Fri, 18 Jul 2014 19:26:52 -0400 VPS 2105 (xx.xx.xx.xx) has 61441 conntrack sessions
Fri, 18 Jul 2014 19:27:04 -0400 SUSPENDING VPS 2105 (xx.xx.xx.xx); it has 61441 conntrack sessions
Fri, 18 Jul 2014 19:27:13 -0400 VPS 2105 (xx.xx.xx.xx) has 49318 conntrack sessions

ipv4 2 tcp 6 296707 ESTABLISHED src=198.143.139.251 dst=180.169.70.230 sport=44300 dport=34872 [UNREPLIED] src=180.169.70.230 dst=198.143.139.251 sport=34872 dport=21145 mark=0 secmark=0 use=2
ipv4 2 tcp 6 391347 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=51391 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=51391 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 389194 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=34934 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=34934 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 391436 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=54424 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=54424 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 389151 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=60789 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=60789 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 311115 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=35868 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=35868 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 320577 ESTABLISHED src=198.143.139.251 dst=198.143.139.251 sport=35028 dport=80 [UNREPLIED] src=198.143.139.251 dst=198.143.139.251 sport=80 dport=35028 mark=0 secmark=0 use=2
ipv4 2 tcp 6 266393 ESTABLISHED src=198.143.139.251 dst=198.143.139.251 sport=60071 dport=443 [UNREPLIED] src=198.143.139.251 dst=198.143.139.251 sport=443 dport=60071 mark=0 secmark=0 use=2
ipv4 2 tcp 6 391291 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=48471 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=48471 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 390778 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=54076 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=54076 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 390779 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=54132 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=54132 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 390931 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=60591 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=60591 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 268701 ESTABLISHED src=198.143.139.251 dst=198.143.139.251 sport=39277 dport=80 [UNREPLIED] src=198.143.139.251 dst=198.143.139.251 sport=80 dport=39277 mark=0 secmark=0 use=2
ipv4 2 tcp 6 408476 ESTABLISHED src=198.143.139.251 dst=198.143.139.251 sport=50990 dport=443 [UNREPLIED] src=198.143.139.251 dst=198.143.139.251 sport=443 dport=50990 mark=0 secmark=0 use=2
ipv4 2 tcp 6 217845 ESTABLISHED src=198.143.139.251 dst=198.143.139.251 sport=53391 dport=443 [UNREPLIED] src=198.143.139.251 dst=198.143.139.251 sport=443 dport=53391 mark=0 secmark=0 use=2
ipv4 2 tcp 6 391264 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=46984 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=46984 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 321004 ESTABLISHED src=198.143.139.251 dst=198.143.139.251 sport=49381 dport=80 [UNREPLIED] src=198.143.139.251 dst=198.143.139.251 sport=80 dport=49381 mark=0 secmark=0 use=2
ipv4 2 tcp 6 409073 ESTABLISHED src=198.143.139.251 dst=198.143.139.251 sport=43547 dport=80 [UNREPLIED] src=198.143.139.251 dst=198.143.139.251 sport=80 dport=43547 mark=0 secmark=0 use=2
ipv4 2 tcp 6 391468 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=56153 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=56153 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 400868 ESTABLISHED src=198.143.139.251 dst=198.143.139.251 sport=50077 dport=443 [UNREPLIED] src=198.143.139.251 dst=198.143.139.251 sport=443 dport=50077 mark=0 secmark=0 use=2
ipv4 2 tcp 6 251097 ESTABLISHED src=198.143.139.251 dst=198.143.139.251 sport=57569 dport=443 [UNREPLIED] src=198.143.139.251 dst=198.143.139.251 sport=443 dport=57569 mark=0 secmark=0 use=2
ipv4 2 tcp 6 389193 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=34878 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=34878 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 305855 ESTABLISHED src=198.143.139.251 dst=198.143.139.251 sport=48745 dport=80 [UNREPLIED] src=198.143.139.251 dst=198.143.139.251 sport=80 dport=48745 mark=0 secmark=0 use=2
ipv4 2 tcp 6 430353 ESTABLISHED src=198.143.139.251 dst=198.143.139.251 sport=34229 dport=80 [UNREPLIED] src=198.143.139.251 dst=198.143.139.251 sport=80 dport=34229 mark=0 secmark=0 use=2
ipv4 2 tcp 6 421979 ESTABLISHED src=198.143.139.251 dst=198.143.139.251 sport=38909 dport=443 [UNREPLIED] src=198.143.139.251 dst=198.143.139.251 sport=443 dport=38909 mark=0 secmark=0 use=2
ipv4 2 tcp 6 399217 ESTABLISHED src=198.143.139.251 dst=198.143.139.251 sport=51719 dport=80 [UNREPLIED] src=198.143.139.251 dst=198.143.139.251 sport=80 dport=51719 mark=0 secmark=0 use=2
ipv4 2 tcp 6 390607 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=46117 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=46117 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 300284 ESTABLISHED src=198.143.139.251 dst=198.143.139.251 sport=36975 dport=80 [UNREPLIED] src=198.143.139.251 dst=198.143.139.251 sport=80 dport=36975 mark=0 secmark=0 use=2
ipv4 2 tcp 6 391291 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=48473 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=48473 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 391308 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=49383 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=49383 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 391119 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=39813 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=39813 dport=8000 mark=0 secmark=0 use=2


Comments

  • TheRedFox Member
    edited July 2014

    @Sherlock said: PS: Like any other newbie, I think it's DDoS, and I have told @VMbox to change my server's IP (the plan has only 1 IP though) to get rid of the DDoS.

    Your provider will nullroute you, but not give you a new IP for obvious reasons.

  • @TheRedFox said:
    Your provider will nullroute you, but not give you a new IP for obvious reasons.

    What's nullrouting? Can you please tell what the above log means? Is it a DDOS?

  • Bella Member

    @Sherlock said:
    What's nullrouting? Can you please tell what the above log means? Is it a DDOS?

    Null routing is when your provider takes down your IP so it does not point anywhere.

    They do that so that the DDoS attack stops having any impact on the node.

  • Bella Member

    Here's a Google definition.

    In computer networking, a null route (blackhole route) is a network route (routing table entry) that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.

  • GreenHostBox Member
    edited July 2014

    @Sherlock said:
    What's nullrouting? Can you please tell what the above log means? Is it a DDOS?

    Null routing is when your IP is routed to nothing so your IP is inaccessible. You get null routed when you receive DDoS attacks so the attack doesn't affect the network and such. You will need to wait until VMBox's datacenter lifts your null route so your IP is working again.

  • @Bella said:

    That does seem like a very good idea. When the IP is nullrouted, is there any way for me to access Virtualmin to do some backups?

  • I would suggest moving to a VPS provider that has DDoS protection (i.e. BuyVM, RamNode, etc.).

  • @Sherlock No, you're done.

  • @GreenHostBox said:
    Null routing is when the IP is routed to nothing so your IP is inaccessible. You get null routed when you receive DDoS attacks so the attack doesn't affect the network and such. You will need to wait until VMBox's datacenter lifts your null route so your IP is working again.

    Okay. How about this: I tell them to null route my current IP, then access Virtualmin and install the necessary plug-ins/security measures to fight DDoS, and then buy a new IP from VMBox for the concerned server, then hide it using Cloudflare (without any FTP, m, MX or TXT record) to enjoy their protection against DDoS?

    Is this a good idea?

  • Bella Member

    @Sherlock said:

    You can still access your VPS from the serial console, but you can't really do anything like transfer backups since your IP is pretty much dead.

  • @MorningIris said:
    Sherlock No, you're done.

    Please read my above reply, will that work?

  • GreenHostBox Member
    edited July 2014

    @Sherlock said:
    Is this a good idea?

    You mean you want them to lift the null route, because if your IP is null routed, your IP is completely inaccessible. If you get a new IP, you will just get DDoSed on your new IP (if you are getting DDoSed and the attacker has your new IP). Remember that CloudFlare doesn't help if the attacker has your new IP.

  • AnthonySmith Member, Patron Provider

    It might; not likely your provider will just give you another IP though. You should wait it out and use CF anyway.

  • @Bella said:
    You can still access your VPS from the serial console, but you can't really do anything like transfer backups since your IP is pretty much dead.

    How about null routing with iptables: http://www.cyberciti.biz/tips/how-do-i-drop-or-block-attackers-ip-with-null-routes.html ?

    That way the main IP would remain up?

    @GreenHostBox said:
    You mean you want them to lift the null route, because if your IP is null routed, your IP is completely inaccessible. If you get a new IP, you will just get DDoSed on your new IP (if you are getting DDoSed and the attacker has your new IP). Remember that CloudFlare doesn't help if the attacker has your new IP.

    I can temporarily hide the new IP behind Cloudflare (will create only xxx.com and www.xxx.com records with Cloudflare acceleration enabled), then create backups and move to a DDoS protected server?

  • GreenHostBox Member
    edited July 2014

    @Sherlock said:
    I can temporarily hide the new IP behind Cloudflare (will create only xxx.com and www.xxx.com records with Cloudflare acceleration enabled), then create backups and move to a DDoS protected server?

    Sure, you can do that if VMBox gives you a new IP.

  • Bella Member

    @Sherlock said:

    In most cases using iptables is not enough, because all the DDoS traffic fills up the shared port, causing other customers to slow down and experience packet loss.

    The DDoS attack may even take the whole server offline.

  • Thanks everyone! Especially @Bella and @GreenHostBox. The info shared is so helpful for me.

  • Interestingly, in that dump you sent a lot of the traffic is coming to/from 127.0.0.1 (localhost). Can you post it properly so it doesn't lose formatting?

  • @MarkTurner said:
    Interestingly, in that dump you sent a lot of the traffic is coming to/from 127.0.0.1 (localhost). Can you post it properly so it doesn't lose formatting?

    Here:

    That's all I have. VMBox's owner isn't providing me any support or access to the server; that's why I am unable to provide any more logs. Before making this thread he didn't even tell me that it is a DDoS.

  • Might be a different story since your VPS is suspended. VMBox live chat is online now. You might as well ask them right now.

  • Here is the full log: http://pastebin.com/iWURnCkh

  • @GreenHostBox said:
    Might be a different story since your VPS is suspended. VMBox live chat is online now. You might as well ask them right now.

    Still the guy isn't replying, either to my ticket or on the chat. -_-

  • FrankZ Veteran

    Do you have a Squid proxy set up on that VPS?

  • @FrankZ said:
    Do you have a Squid proxy set up on that VPS?

    No, Virtualmin + php-fpm + nginx

  • Assuming your IP is 198.143.139.241, then it looks like this traffic is all local to your machine, not a DDoS or DoS.

  • TACServers Member
    edited July 2014

    Bleh. If I had access, I'd look to see what was running on port 8000 and trying to connect to random ports on the same host. This is an odd one, as looking at your logs shows a lot of traffic from localhost and from the local IP to the local IP. I am not seeing anything that is coming in from outside, or your machine connecting to the outside.

    Edit: If you get access back, try running netstat -lnp and start looking for what (edit: process) is on port 8000 checking out all those random ports. There is also substantial traffic on 443, i.e. HTTPS.

  • @MarkTurner said:
    Assuming your IP is 198.143.139.241, then it looks like this traffic is all local to your machine, not a DDoS or DoS.

    Actually that isn't my IP, though it's in the same range, 198.143.139.xxx. I asked VMBox why this IP is mentioned in the logs and, as usual, he didn't reply to it.

  • MarkTurner Member
    edited July 2014

    I meant 198.143.139.251

    As you have serial access - can you send the output of:

    ps -auxf

    and as @cncking2000 said netstat -lnp

  • @cncking2000 said:
    Bleh. If I had access, I'd look to see what was running on port 8000 and trying to connect to random ports on the same host. This is an odd one, as looking at your logs shows a lot of traffic from localhost and from the local IP to the local IP. I am not seeing anything that is coming in from outside, or your machine connecting to the outside.

    Edit: If you get access back, try running netstat -lnp and start looking for what (edit: process) is on port 8000 checking out all those random ports.

    Nginx I guess? With php-fpm...

  • TACServers Member
    edited July 2014

    Is 198.143.139.251 possibly the node IP? I can see why the provider suspended you if your machine is going after the node itself. I am getting server.cssglobal.net from this end, as being associated to that IP.
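The reading MarkTurner and TACServers give the dump (traffic to/from 127.0.0.1, something on port 8000 reaching random local ports, no outside peers) can be checked mechanically rather than by eye. The parser below is an added example, not anything posted in this thread; it takes five entries copied from the dump above as constructed sample input and assumes, as the later posts do, that 198.143.139.251 is the host's own address. Each /proc/net/nf_conntrack line carries the original tuple followed by the reply tuple conntrack expects, so the summary splits flows into loopback, host-to-host and external, counts [UNREPLIED] entries, lists outside peers, and converts the remaining timeouts (over three days for every entry here) into days, which is why such entries keep accumulating toward the node's session cap.

```python
from collections import Counter

# Constructed sample: five entries copied verbatim from the dump in this thread
# (the first is the only one that involves an address outside the host).
SAMPLE = """\
ipv4 2 tcp 6 296707 ESTABLISHED src=198.143.139.251 dst=180.169.70.230 sport=44300 dport=34872 [UNREPLIED] src=180.169.70.230 dst=198.143.139.251 sport=34872 dport=21145 mark=0 secmark=0 use=2
ipv4 2 tcp 6 391347 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=51391 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=51391 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 389194 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=8000 dport=34934 [UNREPLIED] src=127.0.0.1 dst=198.143.139.251 sport=34934 dport=8000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 320577 ESTABLISHED src=198.143.139.251 dst=198.143.139.251 sport=35028 dport=80 [UNREPLIED] src=198.143.139.251 dst=198.143.139.251 sport=80 dport=35028 mark=0 secmark=0 use=2
ipv4 2 tcp 6 266393 ESTABLISHED src=198.143.139.251 dst=198.143.139.251 sport=60071 dport=443 [UNREPLIED] src=198.143.139.251 dst=198.143.139.251 sport=443 dport=60071 mark=0 secmark=0 use=2
"""
HOST_IP = "198.143.139.251"  # assumed host address, as the later posts suggest

def parse_entry(line):
    """One /proc/net/nf_conntrack line -> dict. The first src/dst/sport/dport group
    is the original direction, the second is the reply conntrack expects (post-NAT)."""
    tok = line.split()
    tuples, cur = [], {}
    for t in tok:
        k, _, v = t.partition("=")
        if k == "src" and cur:            # a second src= starts the reply tuple
            tuples.append(cur)
            cur = {}
        if v and k in ("src", "dst", "sport", "dport"):
            cur[k] = v
    tuples.append(cur)
    return {"timeout": int(tok[4]), "state": tok[5] if "=" not in tok[5] else None,
            "unreplied": "[UNREPLIED]" in tok, "orig": tuples[0], "reply": tuples[1]}

def classify(entry, host_ip):
    """loopback: both ends 127.0.0.1; self: both ends on this host; else external."""
    o = entry["orig"]
    if o["src"] == o["dst"] == "127.0.0.1":
        return "loopback"
    return "self" if {o["src"], o["dst"]} <= {"127.0.0.1", host_ip} else "external"

def triage(dump, host_ip):
    """Summarise a dump the way you would when deciding 'attack or local fault'."""
    entries = [parse_entry(l) for l in dump.splitlines() if l.strip()]
    kinds = [classify(e, host_ip) for e in entries]
    ports = Counter(p for e in entries for p in (e["orig"]["sport"], e["orig"]["dport"]))
    peers = sorted({a for e, k in zip(entries, kinds) if k == "external"
                    for a in (e["orig"]["src"], e["orig"]["dst"])} - {"127.0.0.1", host_ip})
    days = [round(e["timeout"] / 86400, 1) for e in entries]
    return {"total": len(entries), "origin": dict(Counter(kinds)),
            "unreplied": sum(e["unreplied"] for e in entries),
            "top_port": ports.most_common(1)[0], "external_peers": peers,
            "timeout_days": (min(days), max(days))}
```

Run `triage()` over a saved copy of /proc/net/nf_conntrack from the affected VPS; an "origin" count dominated by loopback and self entries, with an empty peer list, points at a local process rather than inbound attack traffic, and the top port tells you which listener to look up with netstat -lnp.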
