I'm under DoS attack, please help me!

emanuelebruno

Renowned Member
May 1, 2012
Catania
emanuelebruno.it
I'm a ProxMox user with a ProxMox server with the following configuration: Intel i7, 24 GB, hard disk 2 TB, 1 primary IP address, and 4 IP fail-overs.

Somebody is attacking one of the IP fail-overs, saturating all the bandwidth of the server network interface. My provider says that it can't do anything without logs, and it advises me to use a firewall... I use the ZeroShell firewall on the attacked IP fail-over but I don't know how to log these attacks...

Unfortunately, although I have a firewall, it does not solve the problem because the saturation of bandwidth can't be solved by a firewall: my provider says that the only solution is to DISABLE THE IP DURING THE ATTACK, but it means that I have to turn off the mail server, the VoIP server, and the web server!!!

Is it possible to log all the traffic, MAC addresses, IP addresses, etc. of the attacked IP interface?

To enable the attacked ip interface, I use this command:

ip route add IP.FAIL.OVER dev vmbr1

To disable the attacked ip interface, I use this command:

ip route del IP.FAIL.OVER dev vmbr1

I hope that somebody can help me...

ddos.png
 
DoS attacks suck. Usually this issue is handled by your provider; they should be able to log all traffic to your IP addresses. Sorry, I'm not really knowledgeable about Proxmox, but I figured I'd throw a suggestion out since you need help ASAP.

Have you taken a look at your router's logs? Hopefully it's not a distributed attack.
 
First try to install fail2ban and configure it. You should also configure an iptables firewall on the Proxmox host. Then you can set limits and log everything. Or you could think about a real firewall like pfSense. Then you can also install Snort, an IDS. All these things help as long as you only have problems with DoS. Once you have DDoS attacks, you can only shut down the network interfaces. A very important thing is to use Nagios or something similar to monitor your server.
 
Hi to all and thanks for your reply. I have found an interesting answer in this post: http://serverfault.com/questions/388024/log-tcpdump-output

I did a copy-and-paste of the code:

****
#!/bin/bash
# Interface to watch and directory for the packet dumps
interface=eth0
dumpdir=/tmp

while /bin/true; do
    # RX packet counter of the interface, sampled one second apart
    pkt_old=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')
    sleep 1
    pkt_new=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')

    pkt=$(( pkt_new - pkt_old ))
    echo -ne "\r$pkt packets/s\033[0K"

    # Above the threshold: capture 2000 packets on that interface,
    # then back off for five minutes before checking again
    if [ "$pkt" -gt 5000 ]; then
        echo -e "\n$(date) Under attack, dumping packets."
        tcpdump -i "$interface" -n -s0 -c 2000 -w "$dumpdir/dump.$(date +"%Y%m%d-%H%M%S").cap"
        echo "$(date) Packets dumped, sleeping now."
        sleep 300
    fi
done
****

The author says that "...instead of logging all traffic, he would suggest the following: Monitor the number of packets sent to your server. If it exceeds a certain threshold, log a couple of 1000 packets, then wait for a longer time. That packet trace should contain plenty of information which can be used for analysis..."

If I want to use this script, do you think that it is a good idea to launch it from the Proxmox shell? Is there a way to log only the attacked IP fail-over? I ask because if I capture all the traffic from the primary IP address of the Proxmox server, I'll also capture the good traffic of the other IP fail-over addresses... I'd like to capture only the bad, under-attack IP fail-over interface...

Sincerely,
Emanuele Bruno.
 
Another piece of software that I have found is darkstat: http://unix4lyfe.org/darkstat/

What do you think about it? Is it compatible with ProxMox? I have just installed it using the "apt-get install darkstat" command... and I have launched it with the following syntax:
darkstat -i eth0

root@xxxxxx:~# apt-get install darksat
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package darksat
root@xxxxxx:~# apt-get install darkstat
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
darkstat
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 63.9 kB of archives.
After this operation, 172 kB of additional disk space will be used.
Get:1 http://debian.mirrors.ovh.net/debian/ squeeze/main darkstat amd64 3.0.713-2 [63.9 kB]
Fetched 63.9 kB in 0s (357 kB/s)
Preconfiguring packages ...
Selecting previously deselected package darkstat.
(Reading database ... 32396 files and directories currently installed.)
Unpacking darkstat (from .../darkstat_3.0.713-2_amd64.deb) ...
Processing triggers for man-db ...
Setting up darkstat (3.0.713-2) ...
insserv: warning: script 'K01ipfailover.sh' missing LSB tags and overrides
insserv: warning: script 'ipfailover.sh' missing LSB tags and overrides
please change the value of START_DARKSTAT in /etc/darkstat/init.cfg, in order to start darkstat ... (warning).
root@xxxxxx:~# darkstat -i eth0

For testing I have installed darkstat also on a private server... taking a look at the attached picture, you can see that there are many duplicated MAC addresses... I think that it is normal because this server is behind a Telecom Italia router... I have installed darkstat on this server only for testing and evaluation purposes...

darkstat.png
 
You can't do anything about (D)DoS. The data center should handle that. Good (expensive) ones do, Kimsufi doesn't.
 
> You can't do anything about (D)DoS. The data center should handle that. Good (expensive) ones do, Kimsufi doesn't.

5 days ago I opened a ticket about the DoS attack, and OVH said that they are able to block the DoS traffic if I give them a list of IP addresses to ban... So Don Daniello, I think that I have to collect these DoS attackers' IPs... I hope to do it with the help of the Proxmox community.
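The two things asked for above, capturing only the traffic aimed at the attacked fail-over address (rather than everything on the primary IP) and turning that capture into a list of source addresses for OVH, can be done with a small variation of the serverfault script. The following is an added example written for this thread, not the serverfault author's script and not Proxmox code. It assumes the fail-over IP is routed on vmbr1 as in the first post; the interface name, the IP.FAIL.OVER placeholder, the threshold and the dump directory are all assumptions to adjust. The capture itself needs root and tcpdump; the summary function works on plain tcpdump text output and is shown here on a constructed sample.

```shell
#!/bin/sh
# Added example for this thread (not the serverfault script, not Proxmox code).
# Assumptions: fail-over IP on vmbr1 as in the first post; every value below is ours.
IFACE="${IFACE:-vmbr1}"
TARGET_IP="${TARGET_IP:-IP.FAIL.OVER}"   # placeholder: set to the attacked fail-over address
DUMPDIR="${DUMPDIR:-/tmp}"
THRESHOLD="${THRESHOLD:-5000}"           # packets/s on the interface that triggers a dump

# Packets received so far on an interface, read from /proc/net/dev
# (after "iface:" the second field is the RX packet counter).
rx_packets() {
    sed -n "s/^ *$1: *//p" /proc/net/dev | awk '{ print $2 }'
}

# Reduce tcpdump text lines ("... IP src.port > dst.port: ...") to the source
# address and print the N most frequent ones as "count ip" (default N=10).
# An ICMP line has no port, so the last component is only stripped when the
# field has five dot-separated parts. IPv6 lines ("IP6") are ignored here.
top_sources() {
    awk '$2 == "IP" {
             n = split($3, a, ".")
             if (n == 5) ip = a[1] "." a[2] "." a[3] "." a[4]; else ip = $3
             count[ip]++
         }
         END { for (ip in count) print count[ip], ip }' |
        sort -k1,1nr -k2,2 | head -n "${1:-10}"
}

# Capture only packets addressed to the attacked IP and summarise the sources.
# The BPF filter "dst host" is what keeps the other fail-over IPs out of the file.
dump_attack() {
    f="$DUMPDIR/dump.$TARGET_IP.$(date +%Y%m%d-%H%M%S).cap"
    tcpdump -i "$IFACE" -n -s0 -c 2000 -w "$f" "dst host $TARGET_IP"
    tcpdump -nr "$f" 2>/dev/null | top_sources 20 > "$f.sources.txt"
    echo "$(date) source summary written to $f.sources.txt"
}

# Same loop as the serverfault script: sample the RX counter one second apart,
# dump when the rate exceeds THRESHOLD, then back off for five minutes.
monitor() {
    while :; do
        old=$(rx_packets "$IFACE"); sleep 1; new=$(rx_packets "$IFACE")
        pps=$((new - old))
        printf '\r%s packets/s    ' "$pps"
        if [ "$pps" -gt "$THRESHOLD" ]; then
            echo; echo "$(date) above threshold, dumping packets to $TARGET_IP"
            dump_attack
            sleep 300
        fi
    done
}

# Constructed sample of "tcpdump -n" output (documentation addresses), used to
# show top_sources without a live capture: three SYNs from one host, one ICMP
# echo, one DNS reply.
SAMPLE_LINES='12:00:00.000001 IP 203.0.113.5.40001 > 198.51.100.7.80: Flags [S], seq 1, win 512, length 0
12:00:00.000002 IP 203.0.113.5.40002 > 198.51.100.7.80: Flags [S], seq 1, win 512, length 0
12:00:00.000003 IP 203.0.113.9 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
12:00:00.000004 IP 203.0.113.5.40003 > 198.51.100.7.80: Flags [S], seq 1, win 512, length 0
12:00:00.000005 IP 192.0.2.44.53 > 198.51.100.7.53: 12345 1/0/0 A 192.0.2.1 (44)'

# Offline demonstration; "sh script.sh monitor" (as root) runs the live loop.
printf '%s\n' "$SAMPLE_LINES" | top_sources 2
if [ "${1:-}" = "monitor" ]; then monitor; fi
```

Run it as root with the `monitor` argument on the host; the `.sources.txt` file next to each dump is the list to attach to the OVH ticket. Two caveats worth keeping in mind: the RX counter is for the whole bridge, so the trigger fires on total load while the capture is limited to the attacked address, and source addresses in a flood are often spoofed, so the list is evidence for the provider to act on, not proof of who is behind it.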
 
> 5 days ago I opened a ticket about the DoS attack, and OVH said that they are able to block the DoS traffic if I give them a list of IP addresses to ban... So Don Daniello, I think that I have to collect these DoS attackers' IPs... I hope to do it with the help of the Proxmox community.

Well, the procedure they use is unacceptable. They should handle it on their own and much faster.
If you want to find out the IP addresses, here is the simplest method: run iftop. It will hang (the SSH connection) when you get attacked, but you will have the IP address(es).
 
Hi Don Daniello,
I have installed iftop in the following way:

root@xxxxxx:~# apt-get install iftop
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
iftop
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 35.0 kB of archives.
After this operation, 73.7 kB of additional disk space will be used.
Get:1 http://debian.mirrors.ovh.net/debian/ squeeze/main iftop amd64 0.17-16 [35.0 kB]
Fetched 35.0 kB in 0s (431 kB/s)
Selecting previously deselected package iftop.
(Reading database ... 32410 files and directories currently installed.)
Unpacking iftop (from .../iftop_0.17-16_amd64.deb) ...
Processing triggers for man-db ...
Setting up iftop (0.17-16) ...

It seems that it works, but I have noticed the following warning message: Unable to get IP address for interface: eth0 ; ioctl(SIOCGIFADDR): Cannot assign requested address

Do you think that it is important?
 
A true DDoS is pretty much impossible to stop without some rather expensive equipment. For example a RIOREY box!

The normal ISP response would be to null route the IP that is being targeted on their upstream routers. This protects all the other clients while the attack is in progress.
 
Fortunately, yesterday there wasn't any attack; in the meantime I'm trying to understand why "darkstat" seems not to work properly: taking a look at the attached picture, you can see that it doesn't collect any information; in the graphs I can't even see the min / avg / max data rate in the last 60 seconds / 60 minutes / 24 hours / last 31 days... Does anybody know why?
darkstat#002.png
 