
Incoming traffic [Help required]

belyakov

Guest
Incoming traffic [attack?]

Recently a huge amount of incoming traffic is going to our server.
We can't figure out where it is coming from or where it is going, since the IP that receives all the traffic has no domains assigned - just an empty IP on eth0. (Addition: one client has this IP assigned to him, and one domain with no hosting configured.)

Disabling Apache or BIND Service helps.

Any help or suggestions would be greatly appreciated.
Thank you.
 
DNS vulnerability?

Could this be because of the recently announced DNS vulnerability?

We have a lot of log messages like this in /var/log/warn:

Aug 7 08.50.19 myhost named[6328]: client 72.248.90.50#28549: error sending response: not enough free resources

about 10-15 per second!
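
An added example, not part of the original posts: a small Python tally of the named messages quoted above, grouped by client IP and by second, to show which sources account for the volume. The sample lines are constructed in the quoted format; the function name `summarize` and the address 198.51.100.7 are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the post; only the first
# client address comes from the post, the rest is made up for the example.
SAMPLE = """\
Aug 7 08.50.19 myhost named[6328]: client 72.248.90.50#28549: error sending response: not enough free resources
Aug 7 08.50.19 myhost named[6328]: client 72.248.90.50#28550: error sending response: not enough free resources
Aug 7 08.50.19 myhost named[6328]: client 198.51.100.7#4431: error sending response: not enough free resources
Aug 7 08.50.20 myhost named[6328]: client 72.248.90.50#28551: error sending response: not enough free resources
Aug 7 08.50.20 myhost sshd[911]: Accepted publickey for admin
"""

# timestamp, host, named[pid], then "client <ip>#<port>: <message>"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d[.:]\d\d[.:]\d\d)\s+\S+\s+named\[\d+\]:\s+"
    r"client\s+(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+):\s+(?P<msg>.*)$"
)

def summarize(lines, needle="error sending response"):
    """Count matching named messages per client IP and per second,
    and collect the source ports seen for each client."""
    per_client, per_second, ports = Counter(), Counter(), {}
    for line in lines:
        m = LINE.match(line)
        if not m or needle not in m["msg"]:
            continue  # not a named client line, or a different message
        per_client[m["ip"]] += 1
        per_second[m["ts"]] += 1
        ports.setdefault(m["ip"], set()).add(int(m["port"]))
    return per_client, per_second, ports

if __name__ == "__main__":
    # For the real log, pass open("/var/log/warn") instead of the sample.
    per_client, per_second, ports = summarize(SAMPLE.splitlines())
    print("peak messages in one second:", max(per_second.values()))
    for ip, n in per_client.most_common(10):
        print(f"{ip:>15}  {n} messages, {len(ports[ip])} source ports")
```
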
 
Bump

The problem still exists no matter what we do.
As soon as we remove the attacked IP from eth0 the attack immediately moves to another IP from our range.

Any help or suggestions are most welcome, as I don't even know if such activity is logged somewhere.
 
Hello, run some traffic monitoring tool on localhost; even old-school iptraf will do. Check IPs, port numbers and connection type (TCP/UDP).
 
Well, I did localize the problem to one client who was generating incoming traffic. Imagine my surprise when I discovered that he used software for retranslating video that used the default server IP when receiving things. How is that possible? If I restrict a client to one dedicated IP, why is he able to use other addresses on the same box that are not in his client's IP pool?
 
Install a firewall like CSF (free).
And set it to log everything. You can track down the IPs and deny them.
 