How would you find the Proxmox VPS that is getting DDoS attacked?

Mor H.

New Member
Jun 3, 2019
Hi there,

We have a Proxmox cluster that seems to be getting DDoS attacked.

How would you find the VPS that is getting attacked?

Any and all help will be appreciated!

Thank you.
 
I would try `tcpdump` on the physical interface where the traffic for the guests comes in.
`tcpdump -envi eno1` (if eno1 is your interface) and see where most packets are sent to

hope this helps!
 
How would you summarize that dump to something useable?

We're seeing this in the /var/log/syslog:
```
kernel: [ 8355.928291] nf_conntrack: table full, dropping packet
pmxcfs[3283]: [status] notice: received log
```

We believe that a VPS is getting attacked. Please advise.
 
> How would you summarize that dump to something useable?
The verbose output of tcpdump shows you the source and destination of each packet; if one VPS is being DDoSed, its IP address will be the one that shows up most often in the destination column.
You can also record a pcap file with tcpdump and open it in Wireshark, which has a nicer interface:
`tcpdump -s 0 -w ddos.pcap -nvi eno1`
After a while, press Ctrl+C and you'll have a file `ddos.pcap`, which you can download and analyze in Wireshark.

> kernel: [ 8355.928291] nf_conntrack: table full, dropping packet
It seems you need to adapt a few sysctl settings in order to keep the firewall's connection tracking functioning; see (for example):
* https://security.stackexchange.com/questions/43205/nf-conntrack-table-full-dropping-packet
* https://morganwu277.github.io/2018/...e-of-nf-conntrack-table-full-dropping-packet/
* https://miteshshah.github.io/linux/centos/how-to-fix-nf_conntrack-table-full-dropping-packet/
* https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt (the reference documentation for the sysctl)

hope this helps
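The answer above says to look for the address that appears most often in the destination column. The following script is an added example (not from the thread or from Proxmox) that does that tallying on the text output of `tcpdump -n`: it counts packets per destination IP and, for each, how many distinct sources hit it, which helps tell a single-source flood from a distributed one. The sample lines embedded in it are constructed, using documentation address ranges.

```python
#!/usr/bin/env python3
"""Tally tcpdump text output by destination IP, e.g.
    tcpdump -nni eno1 | python3 top_dst.py
Only the 'src[.port] > dst[.port]:' part of each line is matched, so the
extra decoration printed by -v or -e does not matter. IPv4 only."""
import re
import sys
from collections import Counter, defaultdict

# IPv4 address with an optional trailing .port (ICMP lines carry no port)
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})(?:\.\d{1,5})?"
FLOW_RE = re.compile(IPV4 + r" > " + IPV4 + r"[:,]")


def parse_flow(line):
    """Return (src_ip, dst_ip) for one tcpdump line, or None if it has no IPv4 flow."""
    m = FLOW_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def summarize(lines, top=5):
    """Return [(dst_ip, packets, distinct_sources, (top_src, its_count)), ...]
    for the `top` most-hit destinations, busiest first."""
    per_dst = Counter()
    srcs_per_dst = defaultdict(Counter)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # IPv6, ARP, tcpdump's own banner lines, etc.
        src, dst = flow
        per_dst[dst] += 1
        srcs_per_dst[dst][src] += 1
    return [(dst, n, len(srcs_per_dst[dst]), srcs_per_dst[dst].most_common(1)[0])
            for dst, n in per_dst.most_common(top)]


# Constructed sample: a small SYN flood towards 203.0.113.10 plus normal traffic.
SAMPLE = """\
12:00:00.000001 IP 198.51.100.7.40000 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 198.51.100.8.40001 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000003 IP 198.51.100.9.40002 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000004 IP 198.51.100.7.40003 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000005 IP 192.0.2.5.51000 > 203.0.113.11.443: Flags [P.], seq 1:2, ack 1, win 500, length 1
12:00:00.000006 IP 203.0.113.11.443 > 192.0.2.5.51000: Flags [.], ack 2, win 500, length 0
12:00:00.000007 IP 192.0.2.6 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64
12:00:00.000008 IP6 2001:db8::1.443 > 2001:db8::2.5000: Flags [S], seq 0, length 0
"""

if __name__ == "__main__":
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for dst, n, nsrc, (top_src, top_n) in summarize(source):
        print(f"{dst:<16} {n:>8} pkts  {nsrc:>6} sources  top src {top_src} ({top_n})")
```

Pipe live `tcpdump -nni eno1` output into it (or a saved text dump) on the Proxmox host; the busiest destination in the first row is the guest to look at.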