Incoming traffic [Help required]

belyakov

Guest
Incoming traffic [attack?]

Recently a huge amount of incoming traffic is going to our server.
We can't figure out where it is coming from nor where it is going to, since the IP that receives all the traffic has no domains assigned - just an empty IP on eth0. (Addition: one client has this IP assigned to him, and one domain with no hosting configured.)

Disabling Apache or BIND Service helps.

Any help or suggestions would be greatly appreciated.
Thank you.
 
DNS vulnerability?

Might this be because of the recently announced DNS vulnerability?

We have a lot of log messages like this in /var/log/warn:

Aug 7 08.50.19 myhost named[6328]: client 72.248.90.50#28549: error sending response: not enough free resources

about 10-15 per second!
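
One way to quantify the `named` messages quoted above, as an added example that is not part of the original post: it counts "error sending response" lines per client IP and per second, so the busiest sources and the peak rate can be read off directly. The function names are hypothetical, and all sample lines except the first (taken from the thread) are constructed.

```python
import re
from collections import Counter

# Matches BIND "named" syslog lines in the form quoted in the thread; the
# time separator may be ':' or '.' (the thread's sample uses dots).
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}[:.]\d{2}[:.]\d{2})\s+"
    r"\S+\s+named\[\d+\]:\s+client\s+(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+):\s+"
    r"(?P<msg>.*)$"
)

def summarize(lines, needle="error sending response"):
    """Count matching lines per client IP and per second; also count skipped lines."""
    per_client, per_second, skipped = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or needle not in m["msg"]:
            skipped += 1  # other daemons, other named messages, malformed lines
            continue
        per_client[m["ip"]] += 1
        per_second[(m["mon"], m["day"], m["time"].replace(".", ":"))] += 1
    return per_client, per_second, skipped

def report(lines, top=5):
    """Summarize volume, spread across clients, and the busiest second."""
    per_client, per_second, skipped = summarize(lines)
    total = sum(per_client.values())
    return {
        "total": total,
        "distinct_clients": len(per_client),
        "peak_per_second": max(per_second.values(), default=0),
        "top_clients": per_client.most_common(top),
        # Share of all errors attributed to the single busiest client.
        "top_share": per_client.most_common(1)[0][1] / total if total else 0.0,
        "skipped": skipped,
    }

# Sample input: the first line is the one quoted in the thread, the rest are constructed.
SAMPLE = """\
Aug 7 08.50.19 myhost named[6328]: client 72.248.90.50#28549: error sending response: not enough free resources
Aug 7 08.50.19 myhost named[6328]: client 72.248.90.50#28550: error sending response: not enough free resources
Aug 7 08.50.19 myhost named[6328]: client 192.0.2.10#5353: error sending response: not enough free resources
Aug 7 08.50.20 myhost named[6328]: client 72.248.90.50#28551: error sending response: not enough free resources
Aug 7 08.50.20 myhost sshd[911]: Accepted publickey for admin
""".splitlines()

if __name__ == "__main__":
    for key, value in report(SAMPLE).items():
        print(f"{key}: {value}")
```

To run it against the real log, pass an open file handle for /var/log/warn to `report()` instead of `SAMPLE`.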
 
Bump

The problem still exists no matter what we do.
As soon as we remove the attacked IP from eth0 the attack immediately moves to another IP from our range.

Any help or suggestions are most welcome, as I don't even know if such activity is logged somewhere.
 
Hello, run some traffic monitoring tool on localhost, even old-school iptraf will do. Check IPs, port numbers and connection type (TCP/UDP).
 
Well, I did localize the problem to one client who was generating incoming traffic. What was my surprise when I discovered that he used software for retranslating video that used the default server IP when receiving things. How is that possible? If I restrict a client to one dedicated IP, why is he able to use other addresses on the same box that are not in his client's IP pool?
 
Install a firewall like CSF (free)
and set it to log everything. You can track down the IPs and deny them.
 