
Incoming traffic [Help required]

Discussion in 'Plesk for Linux - 8.x and Older' started by belyakov, Aug 7, 2008.

  1. belyakov

    belyakov Guest

    0
     
    Incoming traffic [attack?]

    Recently a huge amount of incoming traffic is going to our server.
    We can't figure out where it is coming from nor where it is going, since the IP that receives all the traffic has no domains assigned - just an empty IP on eth0. (Addition: one client has this IP assigned to him, and one domain with no hosting configured.)

    Disabling Apache or BIND Service helps.

    Any help or suggestions would be greatly appreciated.
    Thank you.
     
  2. belyakov

    belyakov Guest

    0
     
    DNS vulnerability?

    Could this be because of the recently announced DNS vulnerability?

    We have a lot of log messages like this in /var/log/warn:

    Aug 7 08.50.19 myhost named[6328]: client 72.248.90.50#28549: error sending response: not enough free resources

    about 10-15 per second!
     
  3. belyakov

    belyakov Guest

    0
     
    Bump

    The problem still exists no matter what we do.
    As soon as we remove the attacked IP from eth0 the attack immediately moves to another IP from our range.

    Any help or suggestions would be most welcome, as I don't even know if such activity is logged somewhere.
     
  4. intosh

    intosh Guest

    0
     
    Hello, run some traffic monitoring tool on localhost; even old-school iptraf will do. Check IPs, port numbers and connection type (TCP/UDP).
     
  5. belyakov

    belyakov Guest

    0
     
    Well, I did localize the problem to one client who was generating the incoming traffic. Imagine my surprise when I discovered that he used software for retranslating video that used the default server IP when receiving things. How is that possible? If I restrict a client to one dedicated IP, why is he able to use other addresses on the same box that are not in his client's IP pool?
     
  6. padani

    padani Guest

    0
     
    Install a firewall like CSF (free)
    and set it to log everything. You can track down the IPs and deny them.
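
An added example, not part of the original thread: a small Python triage script that counts the named "error sending response" warnings quoted earlier per client IP and reports the peak per-second rate, which is the first thing to check before denying addresses in a firewall. The function name `summarize` is hypothetical, and every sample line except the one quoted in the thread is constructed.

```python
import re
from collections import Counter, defaultdict

# Matches the named warning quoted in the thread. The thread's timestamp uses
# dots (08.50.19); standard syslog uses colons, so both are accepted.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}[.:]\d{2}[.:]\d{2})\s+\S+\s+named\[\d+\]:\s+"
    r"client\s+(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+):\s+"
    r"error sending response:\s+(?P<reason>.+)$"
)

def summarize(lines):
    """Return (events per client IP, peak events in one second,
    number of distinct source ports seen per client IP)."""
    per_client = Counter()
    per_second = Counter()
    ports = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog line, ignore
        per_client[m["ip"]] += 1
        # Normalise the timestamp so both separator styles bucket together.
        per_second[(m["mon"], m["day"], m["time"].replace(".", ":"))] += 1
        ports[m["ip"]].add(int(m["port"]))
    peak = max(per_second.values(), default=0)
    return per_client, peak, {ip: len(p) for ip, p in ports.items()}

# First line is the one quoted in the thread; the rest are constructed.
SAMPLE = [
    "Aug 7 08.50.19 myhost named[6328]: client 72.248.90.50#28549: error sending response: not enough free resources",
    "Aug 7 08.50.19 myhost named[6328]: client 72.248.90.50#28550: error sending response: not enough free resources",
    "Aug 7 08.50.19 myhost named[6328]: client 192.0.2.10#40000: error sending response: not enough free resources",
    "Aug 7 08:50:20 myhost named[6328]: client 72.248.90.50#28549: error sending response: not enough free resources",
    "Aug 7 08.50.20 myhost kernel: eth0: link up",
]

if __name__ == "__main__":
    clients, peak, port_counts = summarize(SAMPLE)
    print(f"peak events in one second: {peak}")
    for ip, count in clients.most_common(5):
        print(f"{ip:>15}  events={count}  distinct source ports={port_counts[ip]}")
```

To run it against a real log, pass the open file object for /var/log/warn to `summarize` in place of `SAMPLE`.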
     