vps - dns only - 750gb traffic in under 30 days
I have a VPS with Ubuntu 24 and only AdGuard Home + Unbound installed. The provider suspended the server at the moment because traffic rose over 750GB. I tried to check everything on the server and can't find any suspicious behaviour, ...
nload, iptraf-ng, nethogs, netstat -tunap shows no spikes in used traffic.
Latest updates, password auth is deactivated, only SSH is allowed. No other user account, ...
Any ideas what to check and what could cause the traffic?
Comments
DNS Amplification attack
https://www.akamai.com/glossary/what-is-a-dns-amplification-attack
https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
Server has a rate limit for dns requests and plain dns requests are blocked.
Run a tcpdump to see what traffic there is.
Doesn't really matter... if you advertise 53 without some additional protection (say wireguard in docker was added into the mix, you don't advertise 53 on unbound/adguard, this is better but not perfect, you can allow only the wireguard ip or the traffic originating from the wg docker to send a request to your resolver), you're going to have a VERY bad time. This is exactly why most hosts don't allow you to do what you are doing in most cases.
Fix your security... or better yet... don't do this at all (what are we trying to achieve?)
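The suggestion above is to run tcpdump and look at what is actually hitting port 53. The following script, added here as an example and not code from anyone in the thread, parses the text output of `tcpdump -n -i eth0 udp port 53` and, per client address, counts queries, counts ANY queries, and compares response bytes sent to query bytes received. A high response/query byte ratio from a client sending many queries is the signature the linked DNS amplification articles describe. The resolver address, the capture lines and the thresholds are all constructed for the example.

```python
import re
import sys
from collections import defaultdict

# Hypothetical resolver address used by the constructed capture below.
RESOLVER_IP = "198.51.100.1"

# Constructed sample in the shape of `tcpdump -n udp port 53` output (not a real capture).
# Client 203.0.113.5 sends small ANY queries and gets large answers back;
# client 192.0.2.77 sends one ordinary A query.
SAMPLE_CAPTURE = """\
10:00:00.000100 IP 203.0.113.5.40001 > 198.51.100.1.53: 1001+ ANY? example.com. (28)
10:00:00.000300 IP 198.51.100.1.53 > 203.0.113.5.40001: 1001 20/0/0 A 192.0.2.1, TXT "x" (3200)
10:00:00.010100 IP 203.0.113.5.40002 > 198.51.100.1.53: 1002+ ANY? example.com. (28)
10:00:00.010300 IP 198.51.100.1.53 > 203.0.113.5.40002: 1002 20/0/0 A 192.0.2.1, TXT "x" (3200)
10:00:00.020100 IP 203.0.113.5.40003 > 198.51.100.1.53: 1003+ ANY? example.com. (28)
10:00:00.020300 IP 198.51.100.1.53 > 203.0.113.5.40003: 1003 20/0/0 A 192.0.2.1, TXT "x" (3200)
10:00:01.500000 IP 192.0.2.77.51000 > 198.51.100.1.53: 2001+ A? www.example.net. (33)
10:00:01.500200 IP 198.51.100.1.53 > 192.0.2.77.51000: 2001 1/0/0 A 192.0.2.10 (49)
"""

# One tcpdump line: timestamp, src.port > dst.port, free text, then "(payload length)".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)\((?P<length>\d+)\)\s*$"
)


def summarize(capture_text, resolver_ip=RESOLVER_IP):
    """Aggregate per-client query/response byte counts from tcpdump text output."""
    stats = defaultdict(lambda: {"queries": 0, "any_queries": 0,
                                 "query_bytes": 0, "response_bytes": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a DNS line we understand; skip it
        length = int(m["length"])
        if m["dst"] == resolver_ip and m["dport"] == "53":
            # Packet towards our resolver: a query from m["src"].
            s = stats[m["src"]]
            s["queries"] += 1
            s["query_bytes"] += length
            if " ANY? " in m["rest"]:
                s["any_queries"] += 1
        elif m["src"] == resolver_ip and m["sport"] == "53":
            # Packet from our resolver: a response to m["dst"].
            stats[m["dst"]]["response_bytes"] += length
    return dict(stats)


def suspicious_clients(stats, min_ratio=10.0, min_queries=3):
    """Return {client_ip: amplification_ratio} for clients that both send at least
    min_queries queries and receive at least min_ratio times more bytes than they sent."""
    flagged = {}
    for ip, s in stats.items():
        if s["queries"] < min_queries or s["query_bytes"] == 0:
            continue
        ratio = s["response_bytes"] / s["query_bytes"]
        if ratio >= min_ratio:
            flagged[ip] = round(ratio, 1)
    return flagged


if __name__ == "__main__":
    # Usage: sudo tcpdump -n -i eth0 udp port 53 > dns.txt ; python3 dns_amp_check.py dns.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    summary = summarize(text)
    for ip, ratio in suspicious_clients(summary).items():
        print(f"{ip}: {summary[ip]['queries']} queries, "
              f"{summary[ip]['any_queries']} ANY, amplification x{ratio}")
```

The per-client query count matters as much as the byte ratio: a client pulling large answers at a high rate is the one to block or rate limit, while sustained traffic with roughly symmetric inbound and outbound bytes (like the totals quoted later in the thread) points to sheer query volume rather than amplification. Either way the client list from a capture is what feeds AdGuard Home's allowed-clients list or a firewall rule restricting port 53 to the ranges you actually serve.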
aha. name the provider. 750gb is not that much...
any GRE ?
Right now the server is suspended because the monthly traffic is reached, but nload, iptraf-ng, nethogs and netstat -tunap showed nothing special. tcpdump was the only thing I could not run until the server was suspended.
But what's the exact security problem? It could also be miscounted traffic from the provider's side. The same setup is running on a second server with over 5 times the DNS requests but half the traffic.
Hosteroid, and yeah, 750GB is not much, but it was clearly stated when I purchased the VPS.
You should've posted your order number to get doubled
Did you add it to HetrixTools?
Can you see network there - was it constant at some level or jumped at day X?
Maybe just some idiot in the network with misconfigured shit (or provider?) and most of this traffic is local thing that "shouldn't" count?
But I can't find any strange behaviour in any logs, no higher DNS requests, ...
Your monitoring shows you've used over 1TiB of traffic in 30 days (Total Network Usage: 599.16GiB In and 544.26GiB Out), so it's unlikely to be misconfiguration by the provider.
July 17th looks like it was busy pushing a lot of data for most of the day, so if that wasn't you then I'd reinstall it from scratch because no legitimate telemetry is going to generate those patterns.
Already reinstalled it and changed all logins (SSH key, ...). I'm just curious to find out what caused these traffic spikes and how to prevent it. I've added more IP ranges to the blocked ones, lowered the rate limit and changed some settings.
You probably yabs'd it a bunch.
Nope.
@Hosteroid
What's your monthly DNS query for this instance?
My AdGuard Home instances on ClawCloud consume less than 1GB of bandwidth for DoT/DoH/DoQ requests. So I can't imagine how large your DNS volumes would be to use this much bandwidth.
With the spikes in traffic you shared, I'm assuming either you were working on system updates, or you have a VPN or proxy going on...
No proxy, no VPN. It's a minimal Ubuntu installation with regular OS updates. How many queries do you have per day or per month?
From different servers:
2M DoH queries ~ 3 GB monthly
11M mixed (primary plain DNS w/ some DoH) queries ~ 3.5GB monthly
All the above includes unattended package updates.
The traffic graph is basically flat unless I perform updates.
Your traffic shows sustained activity between July 16th and 18th, which is not normal for recursive DNS resolvers (can you imagine a small DNS resolver sustaining 20 Mbps of traffic for an entire day or more?)
2M queries per month?
I have more than that daily
Then it tracks with the usage and you used 750GB of traffic (-:
Real question is how the fuck you have 2M queries per day, TTL ignored, botting half of internet? :-D
Publicly available DNS resolver. Like written before, rate limited and plain DNS is disabled.
I use the "Allowed Clients" function of AdGuard Home to add my home ISP's IP ranges. Never had any issues with abuse.
https://github.com/Galang23/adguardhome-fail2ban-intelligent-blocking/
Try this tool I made earlier this month. I also suffered the same problem as you and created this.
You'll need to setup monitoring and notifications if traffic exceeds X GB a day so you can investigate when it's happening in the future.
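One way to get the daily-threshold alert the post above suggests, without any external monitoring service: sample the interface counters from /proc/net/dev on a cron schedule, keep the previous sample in a state file, and project the current rate to a daily figure. This is an added example, not anything from the thread or from HetrixTools; the two snapshots, the interface name, the state-file path and the 25 GB/day limit (750 GB spread over 30 days) are constructed assumptions. Counter resets after a reboot are handled by skipping that interval instead of raising a bogus alert.

```python
import json
import time
from pathlib import Path

# Constructed /proc/net/dev snapshots one hour apart (not from a real host).
# In the second one eth0 has moved 6 GB in and 6 GB out since the first.
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     100    0    0    0     0          0         0   123456     100    0    0    0     0       0          0
  eth0: 1000000000 500000    0    0    0     0          0         0 2000000000 600000    0    0    0     0       0          0
"""
SNAPSHOT_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     100    0    0    0     0          0         0   123456     100    0    0    0     0       0          0
  eth0: 7000000000 9500000    0    0    0     0          0         0 8000000000 9600000    0    0    0     0       0          0
"""

# Hypothetical location for the previous sample; any root-writable path works.
STATE_FILE = Path("/var/lib/traffic-check/state.json")
INTERFACE = "eth0"
DAILY_LIMIT_GB = 25.0  # 750 GB/month spread evenly over 30 days


def parse_proc_net_dev(text):
    """Return {interface: (rx_bytes, tx_bytes)} from /proc/net/dev text."""
    counters = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # the two header lines carry no colon
        name, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 9:
            continue
        # Field 0 is receive bytes; fields 1-7 are the rest of the receive
        # block; field 8 is the first transmit column, transmit bytes.
        counters[name.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def projected_daily_bytes(prev, cur, elapsed_seconds):
    """Scale the byte delta between two samples up to a 24-hour figure.
    Returns None when counters went backwards (reboot) or the interval is invalid."""
    rx = cur[0] - prev[0]
    tx = cur[1] - prev[1]
    if rx < 0 or tx < 0 or elapsed_seconds <= 0:
        return None
    return (rx + tx) * 86400 / elapsed_seconds


def check_interface(prev_text, cur_text, elapsed_seconds,
                    iface=INTERFACE, limit_gb=DAILY_LIMIT_GB):
    """Return (projected_gb_per_day, over_limit); projected_gb is None on a counter reset."""
    prev = parse_proc_net_dev(prev_text)[iface]
    cur = parse_proc_net_dev(cur_text)[iface]
    daily = projected_daily_bytes(prev, cur, elapsed_seconds)
    if daily is None:
        return None, False
    gb = daily / 1e9
    return round(gb, 2), gb > limit_gb


def main():
    """Intended to run from cron (e.g. hourly); prints an ALERT line when over the limit."""
    cur_text = Path("/proc/net/dev").read_text()
    now = time.time()
    if STATE_FILE.exists():
        state = json.loads(STATE_FILE.read_text())
        gb, over = check_interface(state["text"], cur_text, now - state["time"])
        if over:
            print(f"ALERT: {INTERFACE} projected {gb} GB/day, limit {DAILY_LIMIT_GB} GB/day")
        elif gb is not None:
            print(f"ok: {INTERFACE} projected {gb} GB/day")
    STATE_FILE.parent.mkdir(parents=True, exist_ok=True)
    STATE_FILE.write_text(json.dumps({"time": now, "text": cur_text}))


if __name__ == "__main__":
    main()
```

Hook the `print` into whatever notification you already use (mail, a webhook, a HetrixTools contact) and the sustained multi-day pattern described earlier in the thread gets caught on the first hour rather than on the provider's suspension notice.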
Thanks, will try it on my test VPS!