LINUX.ORG.RU

What kind of DDoS is this...


Hi!

From time to time httpd on the server suddenly spikes, netstat shows nothing suspicious, and traffic starts flying at an insane speed..

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n stays at about 70 connections.

I captured traffic with tcpdump and got:


No.     Time        Source                Destination           Protocol Length Info
      1 0.000000    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]

Frame 1: 1375 bytes on wire (11000 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Micro-St_be:ce:89 (40:61:86:be:ce:89), Dst: JuniperN_75:d9:10 (00:26:88:75:d9:10)
Internet Protocol Version 4, Src: 222.22.22.222 (222.22.22.222), Dst: 204.160.124.126 (204.160.124.126)
User Datagram Protocol, Src Port: 44987 (44987), Dst Port: domain (53)
Domain Name System (query)
[Packet size limited during capture: DNS truncated]

No.     Time        Source                Destination           Protocol Length Info
      2 0.000112    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]

Frame 2: 1375 bytes on wire (11000 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Micro-St_be:ce:89 (40:61:86:be:ce:89), Dst: JuniperN_75:d9:10 (00:26:88:75:d9:10)
Internet Protocol Version 4, Src: 222.22.22.222 (222.22.22.222), Dst: 204.160.124.126 (204.160.124.126)
User Datagram Protocol, Src Port: 47568 (47568), Dst Port: domain (53)
Domain Name System (query)
[Packet size limited during capture: DNS truncated]

No.     Time        Source                Destination           Protocol Length Info
      3 0.000224    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]

Frame 3: 1375 bytes on wire (11000 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Micro-St_be:ce:89 (40:61:86:be:ce:89), Dst: JuniperN_75:d9:10 (00:26:88:75:d9:10)
Internet Protocol Version 4, Src: 222.22.22.222 (222.22.22.222), Dst: 204.160.124.126 (204.160.124.126)
User Datagram Protocol, Src Port: 54137 (54137), Dst Port: domain (53)
Domain Name System (query)
[Packet size limited during capture: DNS truncated]

No.     Time        Source                Destination           Protocol Length Info
      4 0.000336    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]

Frame 4: 1375 bytes on wire (11000 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Micro-St_be:ce:89 (40:61:86:be:ce:89), Dst: JuniperN_75:d9:10 (00:26:88:75:d9:10)
Internet Protocol Version 4, Src: 222.22.22.222 (222.22.22.222), Dst: 204.160.124.126 (204.160.124.126)
User Datagram Protocol, Src Port: 35424 (35424), Dst Port: domain (53)
Domain Name System (query)
[Packet size limited during capture: DNS truncated]

No.     Time        Source                Destination           Protocol Length Info
      5 0.000448    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]

Frame 5: 1375 bytes on wire (11000 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Micro-St_be:ce:89 (40:61:86:be:ce:89), Dst: JuniperN_75:d9:10 (00:26:88:75:d9:10)
Internet Protocol Version 4, Src: 222.22.22.222 (222.22.22.222), Dst: 204.160.124.126 (204.160.124.126)
User Datagram Protocol, Src Port: 34895 (34895), Dst Port: domain (53)
Domain Name System (query)
[Packet size limited during capture: DNS truncated]

No.     Time        Source                Destination           Protocol Length Info
      6 0.000560    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]

Frame 6: 1375 bytes on wire (11000 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Micro-St_be:ce:89 (40:61:86:be:ce:89), Dst: JuniperN_75:d9:10 (00:26:88:75:d9:10)
Internet Protocol Version 4, Src: 222.22.22.222 (222.22.22.222), Dst: 204.160.124.126 (204.160.124.126)
User Datagram Protocol, Src Port: 55490 (55490), Dst Port: domain (53)
Domain Name System (query)
[Packet size limited during capture: DNS truncated]

No.     Time        Source                Destination           Protocol Length Info
      7 0.000739    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]

Frame 7: 1375 bytes on wire (11000 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Micro-St_be:ce:89 (40:61:86:be:ce:89), Dst: JuniperN_75:d9:10 (00:26:88:75:d9:10)
Internet Protocol Version 4, Src: 222.22.22.222 (222.22.22.222), Dst: 204.160.124.126 (204.160.124.126)
User Datagram Protocol, Src Port: 57118 (57118), Dst Port: domain (53)
Domain Name System (query)
[Packet size limited during capture: DNS truncated]

No.     Time        Source                Destination           Protocol Length Info
      8 0.000803    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]

Frame 8: 1375 bytes on wire (11000 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Micro-St_be:ce:89 (40:61:86:be:ce:89), Dst: JuniperN_75:d9:10 (00:26:88:75:d9:10)
Internet Protocol Version 4, Src: 222.22.22.222 (222.22.22.222), Dst: 204.160.124.126 (204.160.124.126)
User Datagram Protocol, Src Port: 56666 (56666), Dst Port: domain (53)
Domain Name System (query)
[Packet size limited during capture: DNS truncated]

No.     Time        Source                Destination           Protocol Length Info
      9 0.000927    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]

Frame 9: 1375 bytes on wire (11000 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Micro-St_be:ce:89 (40:61:86:be:ce:89), Dst: JuniperN_75:d9:10 (00:26:88:75:d9:10)
Internet Protocol Version 4, Src: 222.22.22.222 (222.22.22.222), Dst: 204.160.124.126 (204.160.124.126)
User Datagram Protocol, Src Port: 53741 (53741), Dst Port: domain (53)
Domain Name System (query)
[Packet size limited during capture: DNS truncated]

No.     Time        Source                Destination           Protocol Length Info
     10 0.001007    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]

Frame 10: 1375 bytes on wire (11000 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Micro-St_be:ce:89 (40:61:86:be:ce:89), Dst: JuniperN_75:d9:10 (00:26:88:75:d9:10)
Internet Protocol Version 4, Src: 222.22.22.222 (222.22.22.222), Dst: 204.160.124.126 (204.160.124.126)
User Datagram Protocol, Src Port: 38839 (38839), Dst Port: domain (53)
Domain Name System (query)
[Packet size limited during capture: DNS truncated]

No.     Time        Source                Destination           Protocol Length Info
     11 0.001119    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]

Frame 11: 1375 bytes on wire (11000 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Micro-St_be:ce:89 (40:61:86:be:ce:89), Dst: JuniperN_75:d9:10 (00:26:88:75:d9:10)
Internet Protocol Version 4, Src: 222.22.22.222 (222.22.22.222), Dst: 204.160.124.126 (204.160.124.126)
User Datagram Protocol, Src Port: 54674 (54674), Dst Port: domain (53)
Domain Name System (query)
[Packet size limited during capture: DNS truncated]

No.     Time        Source                Destination           Protocol Length Info
     12 0.001231    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]

Frame 12: 1375 bytes on wire (11000 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Micro-St_be:ce:89 (40:61:86:be:ce:89), Dst: JuniperN_75:d9:10 (00:26:88:75:d9:10)
Internet Protocol Version 4, Src: 222.22.22.222 (222.22.22.222), Dst: 204.160.124.126 (204.160.124.126)
User Datagram Protocol, Src Port: 33308 (33308), Dst Port: domain (53)
Domain Name System (query)
[Packet size limited during capture: DNS truncated]

No.     Time        Source                Destination           Protocol Length Info
     13 0.001374    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]

Frame 13: 1375 bytes on wire (11000 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Micro-St_be:ce:89 (40:61:86:be:ce:89), Dst: JuniperN_75:d9:10 (00:26:88:75:d9:10)
Internet Protocol Version 4, Src: 222.22.22.222 (222.22.22.222), Dst: 204.160.124.126 (204.160.124.126)
User Datagram Protocol, Src Port: 46015 (46015), Dst Port: domain (53)
Domain Name System (query)
[Packet size limited during capture: DNS truncated]

No.     Time        Source                Destination           Protocol Length Info
     14 0.001455    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]

Frame 14: 1375 bytes on wire (11000 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Micro-St_be:ce:89 (40:61:86:be:ce:89), Dst: JuniperN_75:d9:10 (00:26:88:75:d9:10)
Internet Protocol Version 4, Src: 222.22.22.222 (222.22.22.222), Dst: 204.160.124.126 (204.160.124.126)
User Datagram Protocol, Src Port: 59414 (59414), Dst Port: domain (53)
Domain Name System (query)
[Packet size limited during capture: DNS truncated]

Do I understand correctly that it is my DNS that is being attacked? Then why is httpd overloading the system...



Last edited by: Acid_joY (total edits: 1)

nttpd

nnttppd

anonymous

From time to time httpd on the server suddenly spikes

Set up Apache server-status and look at it at those moments; you'll see who is attacking and what they are attacking.

Komintern ★★★★★

Tell your tcpdump to grab bigger fragments, because «Packet size limited during capture: DNS truncated» is kind of not enough; it's very interesting what exactly got truncated there.

In general, in cases like this tcpdump is run with a veeery large packet size limit, -s 2048 (the notorious capture size; if there are jumbo frames, even more than that), and everything is written wholesale to a file (i.e. -w file) so that you can study at leisure what was flying through the interface :)

P.S. And why do you have 53/udp open to the outside network?

MKuznetsov ★★★★★
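As an added example (not from the thread, not anyone's posted code), here is a small Python checker over summary lines in the same "No. Time Source Destination Protocol Length Info" format as the capture in the first post. It groups DNS packets per source/destination pair and flags the four things the thread touches on: a packet rate in the thousands per second, an undefined opcode ("Unknown operation (8)"; DNS defines opcodes 0 QUERY, 1 IQUERY, 2 STATUS, 4 NOTIFY and 5 UPDATE), UDP payloads beyond the classic 512-byte limit, and frames truncated by a too-small snaplen, which is exactly what MKuznetsov's -s advice fixes. The sample lines are constructed; the 10.0.0.5 query is an invented benign control, and the direction of the flagged flow (which address is the source) is what tells a defender whether the host is the target or the sender.

```python
import re
from collections import defaultdict

# Constructed sample in the tshark-style summary layout used in the thread.
SAMPLE = """\
      1 0.000000    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]
      2 0.000112    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]
      3 0.000224    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]
      4 0.000336    222.22.22.222           204.160.124.126       DNS      1375   Unknown operation (8)[Packet size limited during capture]
      5 0.000500    10.0.0.5                222.22.22.222         DNS        74   Standard query 0x1a2b A example.com
"""

LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
OPCODE = re.compile(r"Unknown operation \((\d+)\)")

def parse(text):
    """Turn summary lines into dicts; header and non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            _no, t, src, dst, proto, length, info = m.groups()
            rows.append({"t": float(t), "src": src, "dst": dst, "proto": proto,
                         "len": int(length), "info": info})
    return rows

def dns_flood_report(rows, min_pps=1000):
    """Score each (src, dst) DNS flow. A flow whose src is this host's own
    address means the host is sending the flood, not receiving it."""
    flows = defaultdict(list)
    for r in rows:
        if r["proto"] == "DNS":
            flows[(r["src"], r["dst"])].append(r)
    report = {}
    for key, pkts in flows.items():
        span = pkts[-1]["t"] - pkts[0]["t"]
        pps = len(pkts) / span if len(pkts) > 1 and span > 0 else 0.0
        reasons = []
        if pps >= min_pps:
            reasons.append("rate")
        if any(OPCODE.search(p["info"]) for p in pkts):
            reasons.append("bad_opcode")       # opcode not defined by DNS
        if any(p["len"] > 512 for p in pkts):
            reasons.append("oversized")        # heuristic: plain DNS/UDP without EDNS
        if any("limited during capture" in p["info"] for p in pkts):
            reasons.append("truncated_capture")  # raise snaplen (-s) and recapture
        report[key] = {"packets": len(pkts), "pps": pps, "reasons": reasons}
    return report
```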