Can I use Observium to diagnose a DDoS attack?
One of my VPSes was suspended due to a DDoS attack (they said it brought down the whole node). However, this VPS had no live site and I had fail2ban enabled. I can't find a reason why a random low-end VPS without a domain would get attacked (maybe a noob practicing?), so I was wondering which graph I should check in Observium to diagnose the issue and see how severe it was. I thought that since my VPS is gone, I could at least learn something from it!
Comments
Check the bandwidth graphs...?
I would check all the graphs. If it was a real DDoS attack you probably don't have any stats to look at though.
Bandwidth is the expected one: 50GB inbound in the past 24h, which seems to be expected as I was downloading roughly that amount.
Observium has lots of graph outputs that I have no clue about, so I was trying to narrow them down by suggestions. Surely there were no CPU, process, or RAM spikes, and apart from the bandwidth I have no idea what else is affected in a DDoS attack. I was trying to find something like requests per second but can't seem to find such an option, and the netstat graphs don't show anything suspicious.
What type of software were you running? If this was something that uses peer-to-peer (BitTorrent), this might look like a small DDoS attack.
Select the device, i.e. server1.domain.com, and then select Ports. You should see your ports, i.e. Eth0 or Venet0 (for OpenVZ). Select the correct interface and scroll down; these are the Port graphs, and you should see a spike in traffic and PPS (packets per second). Here's a graph for an almost idle box:
If you were under a DDoS attack you'll see a very large spike in PPS and traffic.
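Observium's port graphs are drawn from periodic interface counters. As an added example (not from the thread, Observium, or any poster), the script below derives PPS and average packet size from such counters, using constructed samples, and separates a spike of near-MTU packets (a bulk download) from a spike of tiny packets (flood-like); the spike factor and packet-size threshold are assumed values.

```python
from dataclasses import dataclass


@dataclass
class Sample:
    """One poll of cumulative RX counters (as in /proc/net/dev or SNMP ifHCInOctets)."""
    t: int         # seconds since epoch
    rx_bytes: int  # cumulative bytes received
    rx_pkts: int   # cumulative packets received


def rates(samples):
    """Return (t, pps, bps, avg_pkt_bytes) per interval between consecutive polls."""
    out = []
    for a, b in zip(samples, samples[1:]):
        dt, dp, db = b.t - a.t, b.rx_pkts - a.rx_pkts, b.rx_bytes - a.rx_bytes
        if dt <= 0 or dp < 0 or db < 0:  # counter wrap or reset: skip interval
            continue
        pps = dp / dt
        bps = db * 8 / dt
        avg = db / dp if dp else 0.0
        out.append((b.t, pps, bps, avg))
    return out


def classify(pps, avg_pkt, baseline_pps, spike_factor=10, small_pkt=200):
    """Label an interval. Many tiny packets at high PPS look like a flood;
    high PPS of near-MTU packets is consistent with a bulk transfer."""
    if pps < spike_factor * max(baseline_pps, 1.0):
        return "normal"
    return "flood-like" if avg_pkt < small_pkt else "bulk-transfer"


def analyse(samples):
    """Use the first interval as the idle baseline and label every interval."""
    r = rates(samples)
    baseline = r[0][1] if r else 0.0
    return [classify(pps, avg, baseline) for _, pps, _, avg in r]


# Constructed 5-minute polls: idle (50 pps, ~1400 B), torrent burst
# (2000 pps, ~1200 B), then a flood of tiny packets (50000 pps, ~60 B).
CONSTRUCTED = [
    Sample(0, 0, 0),
    Sample(300, 21_000_000, 15_000),
    Sample(600, 741_000_000, 615_000),
    Sample(900, 1_641_000_000, 15_615_000),
]

if __name__ == "__main__":
    for (t, pps, bps, avg), label in zip(rates(CONSTRUCTED), analyse(CONSTRUCTED)):
        print(f"t={t:4d} pps={pps:8.0f} bps={bps:12.0f} avg_pkt={avg:6.0f} {label}")
```

On a real box, feed it successive snapshots of the interface counters at the polling interval you use, and compare the labels with what the Observium port graph shows for the same period.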
If you want actually useful diagnostic results, install inmon's sflowd.
It'll at least tell you what IP got hit, and with how much of what from where. Observium simply tells you you're being hit (assuming your deduction skills are good).
Yes, I was using a CLI-based client. If the node went down because I downloaded a few torrents from a private tracker, the node sucks!! Unless there was another issue with the node and I'm the scapegoat...
Thanks for the info! I was looking for something like the unicast packet graph! It shows a spike, but only because I was downloading a few torrents, and the rest of the time the VPS was idle. I compared the graph with my primary seedbox VPS graph and there are more packets there. So I came to the conclusion that there was no DDoS attack; the provider just wanted to pin that on me! Of course I might be mistaken, but from the graphs I can't find enough data flow to justify crashing the whole node!
Thanks for the sflowd tool. Although it's too late for this VPS (it got suspended), it's a nice tool for the rest.
I doubt the node went down; your container was probably disabled. When torrenting, make sure to reduce the number of incoming connections allowed. Depending on who you are leeching from, for example a lot of home users (not servers), the torrent client may attempt hundreds of connections a second (which may be considered a small DDoS attack).
Which host do you use? Is your server located in NY?
One of mine went down for around an hour yesterday (SolusVM showed the VPS was online, but I couldn't connect to it over the network), and the host said that if it was down for an hour, it was probably null-routed because of a DDoS attack. But this doesn't make sense to me either, since there's no reason anyone should DDoS my VPS, which isn't used for anything.
Thanks for the tip! I thought that since it was an unpopular private tracker without too many users, I didn't have to limit the connections. But you're right, one peer is not a single connection, so I should always limit the number of connections in the client.
My VPS was on the west coast. I will send you a message about the provider, because I don't want to publicly give the host a bad name until I am certain that it wasn't my fault.