Can I use Observium to diagnose a ddos attack?

charos Member
edited May 2014 in Help

One of my vps was suspended due to a ddos attack (they said it brought down the whole node). However this vps had no live site and I had fail2ban enabled. I can't find a reason why a random lowend vps without a domain would get an attack (maybe a noob practicing?) so I was wondering what graph I should check in Observium to diagnose the issue and see how severe it was. I thought since my vps is gone, at least I could learn something about it!

Comments

  • black Member

    Check the bandwidth graphs...?

  • I would check all the graphs. If it was a real DDoS attack you probably don't have any stats to look at though.

  • charos Member
    edited May 2014

    @black said:
    Check the bandwidth graphs...?

    Bandwidth is the expected one: 50GB inbound in the past 24h, which seems to be expected as I was downloading roughly that amount.

    @Silvenga said:
    I would check all the graphs. If it was a real DDoS attack you probably don't have any stats to look at though.

    Observium has lots of graph outputs that I have no clue about, so I was trying to narrow those down by suggestions. Surely there were no cpu, processes or ram spikes, and apart from the bandwidth I have no idea what else is affected in a ddos attack. I was trying to find something like requests per second but can't seem to find such an option, and the netstat graphs don't show anything suspicious.

  • charos said: 50GB inbound

    What type of software were you running? If this was something that uses peer to peer (BitTorrent) this might look like a small DDoS attack.

  • nunim Member
    edited May 2014

    Select the device, i.e. server1.domain.com and then select Ports. You should see your Ports, i.e. Eth0 or Venet0 (for OpenVZ). Select the correct interface and scroll down; these are the Port graphs, you should see a spike in traffic and PPS (packets per second). Here's a graph for an almost idle box:

    If you were under a DDOS attack you'll see a very large spike in PPS and traffic.

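The check nunim describes (a PPS spike far above the box's own idle baseline, which charos later does by eye against a second VPS) can be done on the raw counters Observium polls. This is an added example, not code from the thread or from Observium: it assumes 5-minute SNMP polls of ifInUcastPkts/ifInOctets, constructed sample values, and also handles the 32-bit counter wrap that otherwise produces a bogus negative rate.

```python
# Added example (not from the thread): turn per-port SNMP counters that
# Observium polls (ifInUcastPkts / ifInOctets) into PPS and bps per interval,
# then flag intervals whose PPS is far above the port's own median baseline.
from statistics import median

COUNTER_MAX = 2 ** 32       # 32-bit SNMP counters wrap; handle that explicitly

# Constructed samples (assumed 300 s poll interval): (unix_time, ifInUcastPkts, ifInOctets)
SAMPLES = [
    (0,     1_000_000,   700_000_000),
    (300,   1_030_000,   721_000_000),   # ~100 pps: idle box
    (600,   1_060_000,   742_000_000),
    (900,   1_090_000,   763_000_000),
    (1200,  4_000_000, 1_000_000_000),   # ~9700 pps: torrent burst or an attack
    (1500,  4_030_000,   200_000_000),   # octet counter wrapped past 2^32
    (1800,  4_060_000,   221_000_000),
]

def delta(prev, cur):
    """Counter difference, corrected for a single 32-bit wrap."""
    d = cur - prev
    return d if d >= 0 else d + COUNTER_MAX

def rates(samples):
    """Return [(t, pps, bps)] for each interval between consecutive polls."""
    out = []
    for (t0, p0, o0), (t1, p1, o1) in zip(samples, samples[1:]):
        dt = t1 - t0
        out.append((t1, delta(p0, p1) / dt, delta(o0, o1) * 8 / dt))
    return out

def spikes(samples, factor=10.0):
    """Intervals whose PPS exceeds `factor` times the median PPS of the series.

    The median is the baseline: a short burst barely moves it, so the burst
    stands out, while a box that is always busy is not flagged for being busy.
    """
    r = rates(samples)
    baseline = median(pps for _, pps, _ in r)
    return [(t, round(pps)) for t, pps, _ in r if pps > factor * baseline]

if __name__ == "__main__":
    for t, pps, bps in rates(SAMPLES):
        print(f"t={t:5d}  {pps:9.1f} pps  {bps/1e6:8.2f} Mbps")
    print("spikes:", spikes(SAMPLES))
```

Whether the flagged interval is an attack or your own torrent client is then a question of what the box was doing at that time, which is exactly where the thread lands.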
  • If you want actually useful diagnostic results, install inmon's sflowd.

    It'll at least tell you what IP got hit, and with how much of what from where. Observium simply tells you you're being hit (Assuming your deduction skills are good.)

  • charos Member

    @Silvenga said:
    What type of software were you running? If this was something that uses peer to peer (BitTorrent) this might look like a small DDoS attack.

    Yes, I was using a cli based client. If the node went down because I downloaded a few torrents from a private tracker, the node sucks!! Unless there was another issue with the node and I'm the scapegoat...

    @nunim said:
    Select the device, i.e. server1.domain.com and then select Ports. You should see your Ports, i.e. Eth0 or Venet0 (for OpenVZ). Select the correct interface and scroll down; these are the Port graphs, you should see a spike in traffic and PPS (packets per second). Here's a graph for an almost idle box:

    If you were under a DDOS attack you'll see a very large spike in PPS and traffic.

    Thanks for the info! I was looking for something like the unicast packet graph! It shows a spike, but only because I was downloading a few torrents, and the rest of the time the vps was idle. I compared the graph with my primary seedbox vps graph and there are more packets there. So I come to the conclusion that there was no ddos attack, just the provider wanted to pin that on me! Of course I might be mistaken, but from the graphs I can't find enough data flow to justify crashing the whole node!

    @Wintereise said:
    If you want actually useful diagnostic results, install inmon's sflowd.

    It'll at least tell you what IP got hit, and with how much of what from where. Observium simply tells you you're being hit (Assuming your deduction skills are good.)

    Thanks for the sflowd tool. Although it's too late for this vps (got suspended), it's a nice tool for the rest.

  • charos said: Yes, I was using a cli based client. If the node went down because I downloaded a few torrents from a private tracker, the node sucks!! Unless there was another issue with the node and I'm the scapegoat...

    I doubt the node went down - your container was probably disabled. When torrenting make sure to reduce the amount of incoming connections allowed. Depending on who you are leeching from, for example a lot of home users (not servers), the torrent client may attempt hundreds of connections a second (may be considered a small DDoS attack).

  • Which host do you use? Is your server located in NY?

    One of mine went down for around an hour yesterday (SolusVM showed the VPS was online, but I couldn't connect to it over the network) and the host said if it was down for an hour, it was probably null routed because of a DDoS attack, but this doesn't make sense to me either since there's no reason anyone should DDoS my VPS which isn't used for anything.

  • charos Member

    @Silvenga said:
    I doubt the node went down - your container was probably disabled. When torrenting make sure to reduce the amount of incoming connections allowed. Depending on who you are leeching from, for example a lot of home users (not servers), the torrent client may attempt hundreds of connections a second (may be considered a small DDoS attack).

    Thanks for the tip! I thought that since it was a non popular private tracker without too many users, I didn't have to limit the connections. But you're right, one peer is not a single connection, so I should always limit the number of connections in the client.

    @hostnoob said:
    Which host do you use? Is your server located in NY?

    One of mine went down for around an hour yesterday (SolusVM showed the VPS was online, but I couldn't connect to it over the network) and the host said if it was down for an hour, it was probably null routed because of a DDoS attack, but this doesn't make sense to me either since there's no reason anyone should DDoS my VPS which isn't used for anything.

    My vps was on the west coast. I will send you a message about the provider, because I don't want to publicly give the host a bad name until I am certain that it wasn't my fault.
