DDoS inquiries.

Hello,

I noticed that all the websites hosted on my OVH dedicated server are constantly not working properly. After checking the control panel, I was shocked to see that the "Anti-DDoS" protection had actually "blocked" my IPs, and I have no idea why.

I just have 2 CentOS Web Panel installations. The first one uses Apache with Varnish, and the second one uses Varnish, nginx and Apache.

Anyway, for reference, here are the logs of OVH regarding the DDoS attacks.

Attack detail : 113Kpps/100Mbps

dateTime                  srcIp:srcPort      dstIp:dstPort    protocol  flags  bytes  reason
2015.08.08 18:45:24 CEST  167.X.X.69:19343   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:52574   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:60099   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:32168   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:40814   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:3550    61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:3519    61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:24980   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:51592   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:30214   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:49539   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:45648   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:2619    61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:24919   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:53093   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:37711   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:16872   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:19043   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:33666   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST  167.X.X.69:7683    61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN

Attack detail : 101Kpps/91Mbps

dateTime                  srcIp:srcPort      dstIp:dstPort    protocol  flags  bytes  reason
2015.08.08 18:48:43 CEST  198.X.X.47:26756   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:56316   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:35233   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:56013   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:43843   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:65193   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:33684   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:5957    61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:55075   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:54670   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:55055   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:63289   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:27728   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:58513   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:30378   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:48607   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:46149   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:45119   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:20494   61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST  198.X.X.47:7498    61.174.49.99:80  TCP       SYN    936    ATTACK:TCP_SYN

Thanks.

Comments

  • Do you have SYN cookies turned on, or something that "checks"? Try blocking 61.174.49.99 outbound in iptables or the OVH firewall.
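
An added example (editor's code, not from the thread or from OVH) of what "block it outbound" looks like in practice. The OVH rows above list the server's own address as srcIp, so the server is the one sending the SYN flood, and the blocking rule belongs in the iptables OUTPUT chain; SYN cookies (net.ipv4.tcp_syncookies) only help a host that is receiving a flood. The script reads rows in the post's format, one per line, summarises source/target pairs, and prints the rules rather than applying them. The sample rows are constructed: the target is the one from the post, the source addresses are RFC 5737 documentation addresses standing in for the masked 167.X.X.69 and 198.X.X.47.

```shell
#!/bin/sh
# Added example (editor's, not from the thread). Parses OVH "Attack detail"
# rows, one per line, with the fields shown in the post:
#   date time tz src:port dst:port proto flags bytes reason
# Nothing is applied: the rules are printed for review.

# Constructed sample: RFC 5737 addresses stand in for the masked source IPs.
SAMPLE_LOG='2015.08.08 18:45:24 CEST 198.51.100.69:19343 61.174.49.99:80 TCP SYN 936 ATTACK:TCP_SYN
2015.08.08 18:45:24 CEST 198.51.100.69:52574 61.174.49.99:80 TCP SYN 936 ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST 198.51.100.47:26756 61.174.49.99:80 TCP SYN 936 ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST 198.51.100.47:56316 61.174.49.99:80 TCP SYN 936 ATTACK:TCP_SYN
2015.08.08 18:48:43 CEST 198.51.100.47:35233 61.174.49.99:80 TCP SYN 936 ATTACK:TCP_SYN'

# attack_summary: stdin = log rows; stdout = "srcIp dstIp dstPort proto rows",
# one line per (source, target, port, protocol), sorted.
attack_summary() {
    awk '$9 ~ /^ATTACK:/ {
        split($4, src, ":"); split($5, dst, ":")
        key = src[1] " " dst[1] " " dst[2] " " $6
        rows[key]++
    }
    END { for (k in rows) print k, rows[k] }' | sort
}

# block_rules: stdin = log rows; stdout = one iptables rule per target.
# srcIp in these rows is the server itself, so the rule goes in OUTPUT, not INPUT.
block_rules() {
    attack_summary | awk '{
        printf "iptables -I OUTPUT -p %s -d %s --dport %s -j DROP\n", tolower($4), $2, $3
    }' | sort -u
}

# syncookies_state: prints net.ipv4.tcp_syncookies (1 = on) or "unknown" off
# Linux. SYN cookies defend a host *receiving* a SYN flood; they do nothing
# about a host that is sending one.
syncookies_state() {
    if [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then
        cat /proc/sys/net/ipv4/tcp_syncookies
    else
        echo unknown
    fi
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | attack_summary
printf '%s\n' "$SAMPLE_LOG" | block_rules
echo "tcp_syncookies: $(syncookies_state)"
```

On a real box, feed it the rows from the OVH mail (`attack_summary < attack.log`) and apply the printed OUTPUT rule only after confirming the destination is not something the server legitimately talks to; a DROP in OUTPUT stops the flood from leaving but does nothing about whatever is generating it.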

  • Your server's being used in a synchronized attack :)
    I'm surprised your websites still work at all; OVH normally blocks off your IP completely.

    • Ban account. You are lucky. Start checking your server for exploits. Stop internal DDoS attacks.
  • They did block my IP; I just unblocked it. Also, in the OVH firewall there is no way to block an outgoing IP, just the outgoing port.

    What are SYN cookies?

  • Sorry, please correct me if I'm wrong.

    1. You have a dedi at OVH
    2. You have many websites on this dedi
    3. You noticed weird performance for your websites
    4. You noticed a block from OVH on your IP
    5. You received logs with details of the attack

    What is your question? What should you do?

    In a few words: make a backup of your projects and reinstall your server; do not reuse old passwords from your old dedi, and start using keys.

    Your server is compromised, I think you understand that. If at some point you start attacking one Chinese IP, where is the guarantee that, even if you find with iftop the file which sends the attack to the target address, you will be safe?

    If you just block the connection to this IP address with iptables, how do you know that the attacker will not try to use your bot-dedi to attack another target? Where are the guarantees about extra exploits and other shit on your server besides this one?

    So, just make backups & reinstall.
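
Before the reinstall the post recommends, it is worth recording which process owns the half-open outbound connections, since that tells you what to look for on the rebuilt box (cron entries, web shells, dropped binaries, the panel account that was abused). The following is an added example by the editor, not code from the thread; it assumes iproute2's `ss` on Linux and parses its `-tanp` output. The sample output is constructed: an RFC 5737 address stands in for the OP's masked IP, and "floodd" is a made-up process name.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): attribute SYN-SENT sockets
# towards the flood target to the process that owns them, and print the
# evidence-collection commands to run before the host is wiped.

# Constructed `ss -tanp` output; columns: State Recv-Q Send-Q Local Peer Process.
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port    Peer Address:Port  Process
SYN-SENT  0      1      198.51.100.69:19343   61.174.49.99:80    users:(("floodd",pid=4242,fd=3))
SYN-SENT  0      1      198.51.100.69:52574   61.174.49.99:80    users:(("floodd",pid=4242,fd=4))
SYN-SENT  0      1      198.51.100.69:60099   61.174.49.99:80    users:(("floodd",pid=4242,fd=5))
ESTAB     0      0      198.51.100.69:22      203.0.113.7:51000  users:(("sshd",pid=1201,fd=5))'

# syn_sent_owners TARGET_IP: stdin = `ss -tanp` output;
# stdout = "pid comm count" for each process with SYN-SENT sockets to TARGET_IP.
syn_sent_owners() {
    awk -v target="$1" '
        $1 == "SYN-SENT" {
            split($5, peer, ":")
            if (peer[1] != target) next
            # Process column looks like users:(("name",pid=N,fd=M))
            if (match($0, /"[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART + 1, RLENGTH - 1)   # name",pid=N
                split(s, f, "\",pid=")
                count[f[2] " " f[1]]++
            }
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# evidence_commands PID: prints (does not run) the commands that capture the
# binary path, command line, working directory and parent of PID, so they can
# be reviewed and kept with the incident notes before the reinstall.
evidence_commands() {
    pid="$1"
    printf 'readlink /proc/%s/exe\n' "$pid"
    printf 'xargs -0 < /proc/%s/cmdline\n' "$pid"
    printf 'readlink /proc/%s/cwd\n' "$pid"
    printf 'ps -o ppid= -p %s\n' "$pid"
}

# Stand-alone run over the constructed sample. On a live host use:
#   ss -tanp | syn_sent_owners 61.174.49.99
printf '%s\n' "$SAMPLE_SS" | syn_sent_owners 61.174.49.99
evidence_commands 4242
```

A process that shows up here with a deleted or odd `exe` path (a binary under /tmp, /dev/shm or a web root) is the thing to preserve a copy of; the account it runs as usually points at the web application or panel user that was broken into, which is the real thing to fix on the rebuilt server.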

  • Same here, I always get reports about that; I just reinstall the VPS and it works again.

  • The dedi has proxmox inside it with a few KVM VPS. 2 of those VPS with their own IPs are the ones experiencing blocked IP stuff through OVH's Anti-DDoS protection.

    What I did to isolate it, is just to turn on the firewall of CentOS Web Panel since I don't know why it is turned off by default. Then I also installed and enabled ModSecurity. So far, I haven't received any DDoS attack messages from OVH.

    Actually, recently, the only way that I am notified about DDoS (when OVH blocks an IP) is when a specific website is not working properly. Before, I used to get emails from OVH.

    As for the servers, I just installed CentOS 6 and updated everything, then installed CentOS Web Panel. So at least I was able to identify that the firewalls of those two KVM VPS were just disabled. Plus, I ran a few tests from vBooter (I don't know if it really works), but hey, the website is still online up to now.

  • Just wondering, what do you need to do to get DDoSed? :)

  • desperand (Member, edited August 2015)

    @fitvpn said:
    Just wondering, what do you need to do to get DDoSed? :)

    start to host any popular MMORPG server, and start to feel pain.

  • SplitIce (Member, Host Rep)

    It looks like you only have two IPs attacking you? At 100K PPS you could just block them yourself using IPTables.

  • Those are my IPs in 2 separate KVM-VPS.

  • @fitvpn said:
    Just wondering, what do you need to do to get DDoSed? :)

    Post website on LET :D

  • Dillybob said:

    Just wondering, which folks do that? Kids, idiots, etc.? For which purposes, just for fun?
