DelimiterVPS suspended my server and client area is offline - Page 2

  • MarkTurner Member
    edited April 2014

    Probably best all round, we don't need this type of traffic on our network.

    Example of your DDOS traffic - this is four minutes of it:

    Part 1: http://pastebin.com/Whcm3DNn

    Part 2: http://pastebin.com/aUBy04L6

    Part 3: http://pastebin.com/WcQvKF35

    Part 4: http://pastebin.com/2GNhwpct

    Part 5: http://pastebin.com/ADH3CxwA

    5000 lines per paste

  • @MarkTurner you may want to censor part of your IPs too. Given current predicament.

  • @Spirit - there is only one IP mentioned which is the OP's one. That will have to be quarantined anyway once his service is gone. It's probably blacklisted all over the place, we will blackhole for 3 months. I set the pastes to self destruct, not ideal but neither is copy/pasting 25,000 lines of garbage.

    But thanks for obfuscating the posting he made.

  • Spirit said: But you don't mind to cause them to others?

    I don't exactly see what the problem is... It's not my fault that my server got selected randomly

  • You had an open resolver and by the look of the port 123 traffic on some of the other incidents an open NTP server as well. These are basic attack vectors that should be set up properly.

    What is interesting with this, is all this PPS was done by a $5 Atom server. That's not bad performance for such a little box.

  • wych Member

    @joodle said:
    I don't exactly see what the problem is... It's not my fault that my server got selected randomly

    Anything left open?

    I've got hit by a few DDoS's in my time and they are either really crap at targeting me (moved into a host for a few days then suddenly got nulled due to inbound attacks) or they were 'randomly selected'.

  • $10, paying monthly

    MarkTurner said: You had an open resolver and by the look of the port 123 traffic on some of the other incidents an open NTP server as well. These are basic attack vectors that should be set up properly.

    Then why haven't I had this before on other servers? Or is it just bad luck this time?

  • DNS and NTP reflection happened because you didn't secure the server. That should be the second thing you do after changing the password.

  • That's why you have to take the proactive step to secure them.

  • Bruce Member

    and the reason why managed servers cost more.

    there's a market for a service to check security on your server. but that just encourages people to be lazy

  • @amarc said:
    In my experience there is no modern, up to date distro that packages vuln NTP (and I tested this against latest CentOS and Debian)

    I was using their Ubuntu 13.04 64-bit template, updated it to 13.10 using distro-upgrade.
    Any idea if that one has a vuln?

  • ztec Member

    I'm disappointed nobody noticed my pun. :(

  • Put it another way - before loading bind and ntpd did you configure them to ensure that the obvious attack vectors were covered?

  • MarkTurner said: before loading bind and ntpd

    Ahum, I didn't install either of the above, just used the template that was provided, installed gcc and that's about it!

  • So when you installed the default Ubuntu OS, you of course changed the password, changed SSH port, removed any unnecessary daemons, locked down the server so that only the ports you wanted open were open.

    So if you didn't want port 53 or port 123 open then they would have been closed.

    The problem here is that you took an unmanaged server, you didn't bother securing it and then were party to a DDOS. You need to get a managed server where someone who understands these things will set up the box for you with the basic security settings in place, then you can use the box without these headaches.

  • @ztec said:
    I'm disappointed nobody noticed my pun. :(

    Attention seeker.

  • @MarkTurner said:
    So when you installed the default Ubuntu OS, you of course changed the password, changed SSH port, removed any unnecessary daemons, locked down the server so that only the ports you wanted open were open.

    So if you didn't want port 53 or port 123 open then they would have been closed.

    The problem here is that you took an unmanaged server, you didn't bother securing it and then were party to a DDOS. You need to get a managed server where someone who understands these things will set up the box for you with the basic security settings in place, then you can use the box without these headaches.

    Yeah of course go blame it all on me! I have never ever had any problems with any of my servers over the last 4-5 years

  • ztec Member

    @Linkking said:

    Thanks!

  • No-one else has access to that server but you, so yes you have to take responsibility to secure your machine.

  • BlazeMuis Member
    edited April 2014

    @MarkTurner said:
    No-one else has access to that server but you, so yes you have to take responsibility to secure your machine.

    So, when something is wrong you just blame your customers?

  • how can I confirm if my server is exploitable with ntp/dns? I'm using Debian, is this OS exploitable like that by default? if yes then I really have to know!
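
For the question above, a first local check is to list UDP listeners on the two ports named in this thread (53 and 123) that are bound to anything other than loopback. This is an added example, not part of any post here: it parses `ss -H -uln` output, and the sample lines, addresses and function names are constructed for illustration. A flagged socket is only a candidate; whether it answers outsiders still depends on the daemon's configuration and any firewall in front of it.

```python
import ipaddress
import subprocess

# Ports named in the thread: DNS (53) and NTP (123).
WATCHED = {53: "dns", 123: "ntp"}

# Constructed sample of `ss -H -uln` output (not taken from the thread).
SAMPLE = """\
UNCONN 0 0 0.0.0.0:123 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 192.0.2.10:53 0.0.0.0:*
UNCONN 0 0 [::1]:123 [::]:*
UNCONN 0 0 [::]:53 [::]:*
UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
"""

def split_local(field):
    """Split ss's Local Address:Port field into (address, port or None)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%")[0]    # drop IPv6 brackets and %iface scope
    return addr, (int(port) if port.isdigit() else None)

def is_loopback(addr):
    if addr == "*":                          # ss wildcard: every local address
        return False
    return ipaddress.ip_address(addr).is_loopback

def exposed_udp_listeners(ss_output):
    """Return (service, address, port) for DNS/NTP sockets not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if fields and fields[0] == "udp":    # Netid column, present in some invocations
            fields = fields[1:]
        if len(fields) < 5:
            continue
        addr, port = split_local(fields[3])  # 4th column is Local Address:Port
        if port in WATCHED and not is_loopback(addr):
            findings.append((WATCHED[port], addr, port))
    return findings

if __name__ == "__main__":
    out = subprocess.run(["ss", "-H", "-uln"], capture_output=True,
                         text=True, check=True).stdout
    for service, addr, port in exposed_udp_listeners(out):
        print(f"{service}: UDP {addr}:{port} is bound beyond loopback")
```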

  • @joodle said:
    So, when something is wrong you just blame your customers?

    It's true though. It's your server, it's your responsibility to secure it.

    Thanked by 1 Nekki
  • netomx Moderator, Veteran

    @joodle why didn't you remove all the unnecessary software before using it? That's what I do in all my servers

  • @netomx said:
    joodle why didn't you remove all the unnecessary software before using it? That's what I do in all my servers

    It didn't come with bind, apache2, etc. installed

    And yes, I always remove bind/named and apache from a new server because I simply do not use that

  • Bruce Member

    would be good to have VPS templates that are easy to use. don't include DOS magnets. secure by default. enforce decent password. and so on

  • Jack said: It's a dedicated server

    Yup..

    Anyway.. Still wondering when my server will be back online

  • Btw @MarkTurner I found my own IP several times in that log (probably when I was logged into SSH), could you please remove those? Thanks

  • ztec said: I'm disappointed nobody noticed my pun. :(

    You're a punny guy.

  • BlazeMuis Member
    edited April 2014

    Finally got a reply from them when I asked when my server would be back online

    This is just total bullshit!

    Do you have any data on this server that you wish to keep? We will provide you with SSH only access to copy off your data.
    
    bw
    Paul

    What a scam company damn, never gonna do business with them again

    Thanked by 1 TarZZ92
  • Bruce Member

    if this is a one-off incident, it seems harsh. but if the user doesn't understand why it all went wrong in the first place, then it will likely happen again.
