Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Quick Links


Categories

In this Discussion

wget emulating a DOS attack?
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

wget emulating a DOS attack?

zhuanyizhuanyi Member
in Help

I was trying to download a 30GB archive from one of my VPS to another when my VPS was suspended. When I emailed my VPS provider they came back with a log saying that I was auto-suspended for sending over 40k PPS.

I was using plain wget and was told the only way to get by it is to rate-limit the downloading speed to 100mbit, even though the provider advertised for 1Gbit port.

My question is:

  1. Is it possible to get by this without rate-limit the download?

  2. Why would downloading a file causing a PPS flood? This has never happened to me before with other providers.

The log is shown below:

Mon, 10 Mar 2014 13:59:07 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 52420 pps during 15 second interval
Mon, 10 Mar 2014 13:59:24 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 53876 pps during 5 second interval
Mon, 10 Mar 2014 13:59:24 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 70201 pps during 15 second interval
Mon, 10 Mar 2014 13:59:41 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 44315 pps during 5 second interval
Mon, 10 Mar 2014 13:59:41 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 82086 pps during 15 second interval
Mon, 10 Mar 2014 13:59:58 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 39528 pps during 15 second interval
Mon, 10 Mar 2014 14:00:17 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 55489 pps during 5 second interval
Mon, 10 Mar 2014 14:00:17 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 40065 pps during 15 second interval
Mon, 10 Mar 2014 14:01:16 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 34419 pps during 60 second interval
Mon, 10 Mar 2014 14:01:29 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 37290 pps during 60 second interval
Mon, 10 Mar 2014 14:01:41 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 39786 pps during 5 second interval
Mon, 10 Mar 2014 14:01:41 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 40561 pps during 60 second interval
Mon, 10 Mar 2014 14:02:00 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 41240 pps during 60 second interval
Mon, 10 Mar 2014 14:02:21 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 56017 pps during 5 second interval
Mon, 10 Mar 2014 14:02:21 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 37538 pps during 15 second interval
Mon, 10 Mar 2014 14:02:21 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 33570 pps during 60 second interval
Mon, 10 Mar 2014 14:02:35 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 65578 pps during 5 second interval
Mon, 10 Mar 2014 14:02:35 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 46135 pps during 15 second interval
Mon, 10 Mar 2014 14:02:35 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 34545 pps during 60 second interval
Mon, 10 Mar 2014 14:02:48 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 45954 pps during 5 second interval
Mon, 10 Mar 2014 14:02:48 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 55850 pps during 15 second interval
Mon, 10 Mar 2014 14:02:48 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 34681 pps during 60 second interval
Mon, 10 Mar 2014 14:03:02 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 42783 pps during 5 second interval
Mon, 10 Mar 2014 14:03:02 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 51438 pps during 15 second interval
Mon, 10 Mar 2014 14:03:02 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 36547 pps during 60 second interval
Mon, 10 Mar 2014 14:03:15 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 46587 pps during 5 second interval
Mon, 10 Mar 2014 14:03:15 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 45108 pps during 15 second interval
Mon, 10 Mar 2014 14:03:15 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 35805 pps during 60 second interval
Mon, 10 Mar 2014 14:03:27 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 38369 pps during 15 second interval
Mon, 10 Mar 2014 14:03:27 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 35964 pps during 60 second interval
Mon, 10 Mar 2014 14:03:42 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 40739 pps during 5 second interval
Mon, 10 Mar 2014 14:03:42 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 37687 pps during 15 second interval
Mon, 10 Mar 2014 14:03:42 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 38862 pps during 60 second interval
Mon, 10 Mar 2014 14:04:01 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 38242 pps during 60 second interval
Mon, 10 Mar 2014 14:04:18 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 65334 pps during 5 second interval
Mon, 10 Mar 2014 14:04:18 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 44378 pps during 15 second interval
Mon, 10 Mar 2014 14:04:18 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 42238 pps during 60 second interval
Mon, 10 Mar 2014 14:04:33 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 45595 pps during 5 second interval
Mon, 10 Mar 2014 14:04:33 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 45997 pps during 15 second interval
Mon, 10 Mar 2014 14:04:33 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 43165 pps during 60 second interval
Mon, 10 Mar 2014 14:04:48 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 44097 pps during 15 second interval
Mon, 10 Mar 2014 14:04:48 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 41630 pps during 60 second interval
Mon, 10 Mar 2014 14:05:04 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 40364 pps during 5 second interval
Mon, 10 Mar 2014 14:05:04 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 35774 pps during 15 second interval
Mon, 10 Mar 2014 14:05:04 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 43593 pps during 60 second interval
Mon, 10 Mar 2014 14:05:23 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 44457 pps during 5 second interval
Mon, 10 Mar 2014 14:05:23 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 35395 pps during 15 second interval
Mon, 10 Mar 2014 14:05:23 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 42629 pps during 60 second interval
Mon, 10 Mar 2014 14:05:39 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 39931 pps during 15 second interval
Mon, 10 Mar 2014 14:05:39 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 40079 pps during 60 second interval
Mon, 10 Mar 2014 14:05:53 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 37486 pps during 60 second interval
Mon, 10 Mar 2014 14:06:10 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 76173 pps during 5 second interval
Mon, 10 Mar 2014 14:06:10 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 41996 pps during 15 second interval
Mon, 10 Mar 2014 14:06:10 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 40269 pps during 60 second interval
Mon, 10 Mar 2014 14:06:10 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 33552 pps during 180 second interval
Mon, 10 Mar 2014 14:06:25 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 81335 pps during 5 second interval
Mon, 10 Mar 2014 14:06:25 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 57451 pps during 15 second interval
Mon, 10 Mar 2014 14:06:25 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 43164 pps during 60 second interval
Mon, 10 Mar 2014 14:06:25 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 35531 pps during 180 second interval
Mon, 10 Mar 2014 14:06:42 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 52360 pps during 5 second interval
Mon, 10 Mar 2014 14:06:42 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 69956 pps during 15 second interval
Mon, 10 Mar 2014 14:06:42 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 45383 pps during 60 second interval
Mon, 10 Mar 2014 14:06:42 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 36985 pps during 180 second interval
Mon, 10 Mar 2014 14:06:54 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 63642 pps during 5 second interval
Mon, 10 Mar 2014 14:06:54 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 65779 pps during 15 second interval
Mon, 10 Mar 2014 14:06:54 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 47292 pps during 60 second interval
Mon, 10 Mar 2014 14:06:54 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 38750 pps during 180 second interval
Mon, 10 Mar 2014 14:07:08 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 42728 pps during 5 second interval
Mon, 10 Mar 2014 14:07:08 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 52910 pps during 15 second interval
Mon, 10 Mar 2014 14:07:08 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 48597 pps during 60 second interval
Mon, 10 Mar 2014 14:07:08 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 39937 pps during 180 second interval
Mon, 10 Mar 2014 14:07:26 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 45705 pps during 5 second interval
Mon, 10 Mar 2014 14:07:26 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 50692 pps during 15 second interval
Mon, 10 Mar 2014 14:07:26 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 46961 pps during 60 second interval
Mon, 10 Mar 2014 14:07:26 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 41206 pps during 180 second interval
Mon, 10 Mar 2014 14:07:41 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 98623 pps during 5 second interval
Mon, 10 Mar 2014 14:07:41 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 62352 pps during 15 second interval
Mon, 10 Mar 2014 14:07:41 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 51380 pps during 60 second interval
Mon, 10 Mar 2014 14:07:41 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 43945 pps during 180 second interval
Mon, 10 Mar 2014 14:08:00 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 83242 pps during 5 second interval
Mon, 10 Mar 2014 14:08:00 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 75856 pps during 15 second interval
Mon, 10 Mar 2014 14:08:00 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 56537 pps during 60 second interval
Mon, 10 Mar 2014 14:08:00 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 46243 pps during 180 second interval
Mon, 10 Mar 2014 14:08:15 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 91286 pps during 5 second interval
Mon, 10 Mar 2014 14:08:15 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 91050 pps during 15 second interval
Mon, 10 Mar 2014 14:08:15 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 60781 pps during 60 second interval
Mon, 10 Mar 2014 14:08:15 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 48538 pps during 180 second interval
Mon, 10 Mar 2014 14:08:34 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 80239 pps during 5 second interval
Mon, 10 Mar 2014 14:08:34 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 84922 pps during 15 second interval
Mon, 10 Mar 2014 14:08:34 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 63762 pps during 60 second interval
Mon, 10 Mar 2014 14:08:34 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 46654 pps during 180 second interval
Mon, 10 Mar 2014 14:08:47 -0500 node1ssd. NODEWATCH: VPS xxx (xxx.xxx.xxx.xxx) (172125 pps during 5 second interval). Probably false-positive unless repeats.
Mon, 10 Mar 2014 14:08:47 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 114550 pps during 15 second interval
Mon, 10 Mar 2014 14:08:47 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 75192 pps during 60 second interval
Mon, 10 Mar 2014 14:08:47 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 49938 pps during 180 second interval
Mon, 10 Mar 2014 14:09:05 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 93801 pps during 15 second interval
Mon, 10 Mar 2014 14:09:05 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 76375 pps during 60 second interval
Mon, 10 Mar 2014 14:09:05 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 49514 pps during 180 second interval
Mon, 10 Mar 2014 14:09:23 -0500 SUSPENDING DoSing VPS xxx (xxx.xxx.xxx.xxx): 111636 pps during 5 second interval
Mon, 10 Mar 2014 14:09:28 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 104267 pps during 15 second interval
Mon, 10 Mar 2014 14:09:28 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 79330 pps during 60 second interval
Mon, 10 Mar 2014 14:09:28 -0500 Possible DoS VPS xxx (xxx.xxx.xxx.xxx): 52049 pps during 180 second interval

Comments

  • nerouxneroux Member

    It would be good to know if you have any guaranteed bandwidth. Now an auto-suspension for a possible attack (which isnt one as it turns out) is certainly not a good thing, however assuming it is a shared line you might have simply hogged it for other users.

    Thanked by 1zhuanyi
  • perennateperennate Member, Host Rep

    That sounds like reasonable pps for a 1gbit download (3000 bytes per packet or so).

    Thanked by 1zhuanyi
  • mikegmikeg Member

    40k pps is quite small to rate as a DoS attack. Are you downloading via FTP or HTTP? You could rate limit the source you are downloading from.

    Thanked by 1zhuanyi
  • zhuanyizhuanyi Member

    I am downloading using wget from HTTP. What I don't understand is why downloading stuff would be treated as a DOS? And it is not like I am downloading this for a million times, it was simply a one-off download.

    And is the only way to get by it rate-limit my wget?

  • rds100rds100 Member

    40k 1500 byte sized packets pet second is 60 Megabytes / second or 480Mbps. So yes, if you were downloading at 480Mbps this would result in 40k pps.
    Ask your provider how are you supposed to use 1Gbps (with what kind of packet size) so it wouldn't result in a DDoS warning.

    And you can use wget --limit-rate to download at a slower rate and not get hit by this.

  • nerouxneroux Member
    edited March 2014

    As I already said do you have a guaranteed bandwidth? Respectively at what speed were you downloading and for how long?

  • zhuanyizhuanyi Member

    rds100 said: Ask your provider how are you supposed to use 1Gbps (with what kind of packet size) so it wouldn't result in a DDoS warning.

    That is what I ended up doing. They told me I have to rate-limit my download to 100mbps.

    neroux said: As I already said do you have a guaranteed bandwidth? Respectively at what speed were you downloading and for how long?

    They only mentioned at the node level, this is what they have:

    4Gbps Uplink (4 x 1Gbps Load Balanced)

    So I would assume it is shared.

    I was downloading at around 30MB/s

  • mikegmikeg Member

    @zhuanyi said:

    >

    That seems like a bit of a raw deal if they are advertising it as 1Gbps port.

  • AlexanderMAlexanderM Member, Top Host, Host Rep

    Just say your downloading a file. It's just their NodeWatch tightly configured.

    Alexander

  • nerouxneroux Member

    zhuanyi said: 4Gbps Uplink (4 x 1Gbps Load Balanced)

    So I would assume it is shared.

    I was downloading at around 30MB/s

    Well, that would be ~17 minutes at 240 mbps. A 4 gbps line should be able to handle that. But it all depends on what they allocate for each customer.

  • serverianserverian Member

    It seems this is VPSDime. I looked up for the tickets including the keyword wget and found the ticket.

    Nodewatch is the software that suspends after it goes over 100k pps for 5 seconds.

    We never encountered this suspending a legitimate usage before.

    I've whitelisted your VPS from PPS alerting/suspending system.

    Sorry for the issue caused.

    Oktay

    Thanked by 3zhuanyi ErawanArifNugroho Pwner
  • Mark_RMark_R Member

    Lol. If they call that a DoS attack I would consider taking my business elsewhere.

  • zhuanyizhuanyi Member

    @serverian said:
    It seems this is VPSDime. I looked up for the tickets including the keyword wget and found the ticket.

    Nodewatch is the software that suspends after it goes over 100k pps for 5 seconds.

    We never encountered this suspending a legitimate usage before.

    I've whitelisted your VPS from PPS alerting/suspending system.

    Sorry for the issue caused.

    Oktay

    Thanks for being so pro-active, really appreciate it :)

    However just out of curiosity, is there any way for a provider to distinguish between a legitimate file download versus a DOS attack with the existing technology? Obviously a packet inspection could do the job but I guess no provider will want to do that (and we as customers probably won't want that too)

Sign In or Register to comment.