
Comments
Hi, dear @kv1108
First of all, how dramatically you represent the issue; in the ticket it was specified that this was a DoS attempt, not DDoS, you better know the difference
Your VPS is not installed with Windows
There were 10-12 req/second with higher peaks; no Windows 10 will determine whether the computer is connected to the Internet in such a manner.
a small snippet
Windows 10 or later versions:
NCSI sends a DNS request to resolve the address of the www.msftconnecttest.com FQDN.
If NCSI receives a valid response from a DNS server, NCSI sends a plain HTTP GET request to http://www.msftconnecttest.com/connecttest.txt.
nslookup for www.msftconnecttest.com on your VPS returns completely different addresses but not 176.xxx.x.xxx, and it will never return this address
https://i.imgur.com/o9ZBIFt.png
Also the monthly service was suspended, it wasn't VPS Nano. Also you are an "old" customer. You didn't use any BF Promotion.
Kind Regards,
Ava.Hosting
He said he uses it as a VPN. What makes you think that there aren't any Windows machines connected to this VPN?
You concluded that this is a dos attack based on 10-12 requests in a second.
Microsoft.com really sent a DoS abuse report for 10 req per second to that URL?
tid=459106
I guess you are looking at my ticket, not kv1108's.
I can't decide what is worse: Microsoft sending abuse reports for this, or you suspending multiple customers based on such reports.
www.msftconnecttest.com is GeoDNSed so resolved IP addresses will be different by region.
BTW
Let me guess, the cost of the problem is ten dollars - thankfully it wasn't thousands. Put them on your own blacklist. Thanks for sharing. I have a Nano and will not renew for sure.
BTW
(so probably the client just thinks it is now in the ava.hosting domain and automatically appends that to DNS queries, and then the web server there responds with a redirect and the client just follows that redirect a few times)
Wildcard DNS records rock!
I just cannot believe Microsoft actually sent out an abuse report.
What about my institute that has like thousands of Windows PCs?
@ILLKX @kv1108
TL;DR: We have reactivated the services.
Hi,
@TheOnlyDK
"He said he uses it as a VPN. What makes you think that there aren't any Windows machines connected to this VPN?"
-You're right, well, even though this isn't a normal request rate, which may suggest that the requests are artificial
"You concluded that this is a dos attack based on 10-12 requests in a second."
It was said to be a DoS attempt; there are cases when a few requests per second against an application vulnerability are enough to overload a server, and in this case we can assume that it is searching for such one. Even more, the resolver will not return 176.123.0.130 for www.msftconnecttest.com; until the customer has a plausible explanation of such actions we reserve the right to suspend it.
for @ILLKX
"Do you mind to share the abuse report from Microsoft?"
-It was a misunderstanding, the reply was intended for another ticket.
"I don't think a DoS attempt would be less than 20 requests a second for just a static file."
explained above about this
"I'm using 1.1.1.1 DNS. Do you mean that my VPS sent thousands of "GET /connecttest.txt" requests to your mail host (176.xxx.xxx.xxx) instead of Microsoft or Akamai CDN edge server?"
-As we have shown earlier, your VPS is set to Google DNS; nonetheless, on your local machine it can be Cloudflare or any other, it doesn't matter, if you explicitly set the name www.msftconnecttest.com to 176.123.0.130 in the hosts file
"If so, is it possible that you are hijacking all your customers' UDP53 DNS request and wrongly configured your DNS server that it returned your mail host IP (176.xxx.xxx.xxx)? After all, you have some kind of DPI firewall, which makes it possible to hijack UDP53 traffic and you are logging your customers' plain HTTP requests."
We have to assure you all that the issue is not in bandwidth, and after all, despite the unusual requests from these two hosts, we will reactivate it, and will monitor the situation further.
If /etc/resolv.conf is as follows:
doing
host www.msftconnecttest.com
would resolve www.msftconnecttest.com.ava.hosting and could get 176.123.0.130 because of the wildcard A record.
Now the wildcard A record seems to be fixed.
Until I see valid proof (like email headers) of the dos/ddos report -- I am inclined to think this report about the connect test being hammered is bull.
If the customer installed from template and the template contains a resolvconf like this, it's entirely the provider's fault, for having such a template along with the wildcard DNS.
Provider should unsuspend the server and grant SLA credits equivalent to a downtime.
If the customer installed from ISO and accepted this search domain (discovered through RDNS) during installation, it's the customer's mistake, not an intentional abuse.
Customer should be spanked but then given an opportunity to correct this mistake by deleting the search domain.
@AvaHosting can we please view the Microsoft report that was sent because of one of the accounts suspended?
Customer has ava.hosting in resolv.conf, ava.hosting has wildcard dns for this domain.
Customer installed VPN and their computers try to ping Microsoft, but couldn't get to Microsoft due to incompetence of the network person from the hosting provider.
Hosting provider sees lots of requests for "http://www.msftconnecttest.com/connecttest.txt" but due to their incompetence all of these requests hit their own server instead. They assume it's a DoS attack and suspend their customer.
Host claims Microsoft sent the abuse report but so far has not provided proof, suggesting to me they have made up the fact about this abuse report and trying to blame their customers.
Host realizes their mistake, addresses the mistake, but not admitting mistake.
/s
This is embarrassing.
So the wildcard DNS is indeed gone now
Step 1:
Heeeeey, Microsoft send us abuse report because you spamming the network check for Windows.
Step 2:
Oh btw. you never reached Microsoft servers, you spamming our mail host.
Profit:
????
Plot twist, OP and ava.hosting are the same person. LET was used as free tech support.
/jk
LMAO
reguards
and entertaining!
totally embarrassing LOL
hello sir this is kind of emberrassing but what are we expecting of lowendproviders anyway, competence?
Dm me to get 99.9% sale off lol
Anyway thanks guys, I have 350 days left, maybe the drama continues
Why?
The ticket said reactivation was not negotiable.
But I think my favourite part of this drama is Microsoft sending abuse reports about abuse not directed at their IPs..
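
The search-domain and wildcard-record interaction discussed in this thread, as an added example that is not part of any post: it models glibc-style search-list expansion against a constructed zone and includes a check for search domains that answer for any label. The `search ava.hosting` entry follows what posters describe; the `ndots` values, the placeholder address 203.0.113.10 and the probe label are assumptions.

```python
# Added example: glibc-style search-list expansion against a constructed zone.
WILDCARD_IP = "176.123.0.130"   # address quoted in the thread
ZONE = {                         # constructed sample data, not real DNS answers
    "www.msftconnecttest.com": "203.0.113.10",  # placeholder (documentation range)
    "*.ava.hosting": WILDCARD_IP,               # the wildcard A record
}

def lookup(fqdn, zone=ZONE):
    """Exact match first, then the nearest enclosing wildcard (simplified)."""
    fqdn = fqdn.rstrip(".").lower()
    if fqdn in zone:
        return zone[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        hit = zone.get("*." + ".".join(labels[i:]))
        if hit:
            return hit
    return None  # stands in for NXDOMAIN or any failed lookup

def candidates(name, search, ndots=1):
    """Order in which a stub resolver tries names for one query."""
    if name.endswith("."):                 # trailing dot: absolute name only
        return [name.rstrip(".")]
    expanded = [f"{name}.{d}" for d in search]
    if name.count(".") >= ndots:           # enough dots: try the name as-is first
        return [name] + expanded
    return expanded + [name]               # otherwise the search list goes first

def resolve(name, search, ndots=1, zone=ZONE):
    """Return (name that answered, address) or (None, None)."""
    for fqdn in candidates(name, search, ndots):
        ip = lookup(fqdn, zone)
        if ip:
            return fqdn, ip
    return None, None

def wildcard_search_domains(search, zone=ZONE):
    """Audit: flag search domains that answer for a label nobody would register."""
    probe = "no-such-host-7f3a9c"          # constructed probe label
    return [d for d in search if lookup(f"{probe}.{d}", zone)]

if __name__ == "__main__":
    for n in (1, 3):
        print(n, resolve("www.msftconnecttest.com", ["ava.hosting"], ndots=n))
    print(wildcard_search_domains(["ava.hosting", "example.net"]))
```

With the default `ndots:1` the name is tried as-is first, so the suffixed lookup only wins when that first attempt fails or `ndots` is raised above the name's dot count; removing the search domain or writing the name with a trailing dot avoids it in both cases.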