Rashid Posted January 30, 2014
Assalamu alaikum! Today at around five in the evening a DDoS attack hit my computer from 19888 addresses; the computer nearly hung (Kaspersky loaded the CPU) and I had to yank the cable)). Has anyone had this happen?
Shady24 Posted January 30, 2014
Rashid, what were you DDoSed for?)
Rashid Posted January 30, 2014
"Rashid, what were you DDoSed for?)"
If only I knew)) In theory they can't DDoS me specifically, because like many others I sit behind NAT via an IP address, so more likely I just got caught in the crossfire))) Maybe traffic is going through some hidden VPN client, but that's unlikely.
Rektor12 Posted January 30, 2014
Rashid, what IP do you have?
Rate Limit Posted January 31, 2014
Probably the admins were messing around
marcelo12 Posted January 31, 2014
"like many others I sit behind NAT via an IP address"
Subnet also uses NAT, under which you get a random address on every new session and translation is done port to port (depending on which server you connect through). So they could well have DoSed you from the internet.
marcelo12 Posted June 5, 2014
Letters of this kind have already come to us several times:

---------- Forwarded message ----------
From: NFOservers.com DDoS notifier <ddos-response@nfoservers.com>
Date: 2014-05-29 3:08 GMT+04:00
Subject: Open recursive resolver used for an attack: 176.120.ХХХ.ХХХ
To:

You appear to be running an open recursive resolver at IP address 176.120.ХХХ.ХХХ that participated in an attack against a customer of ours today, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size.

Please consider reconfiguring your resolver in one or more of these ways:

- To only serve your customers and not respond to outside IP addresses (in BIND, this is done by defining a limited set of hosts in "allow-query"; with a Windows DNS server, you would need to use firewall rules to block external access to UDP port 53)
- To only serve domains that it is authoritative for (in BIND, this is done by defining a limited set of hosts in "allow-query" for the server overall but setting "allow-query" to "any" for each zone)
- To rate-limit responses to individual source IP addresses (DNS Response Rate Limiting, or DNS RRL)

More information on this type of attack and what each party can do to mitigate it can be found here: http://www.us-cert.gov/ncas/alerts/TA13-088A

If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.

If you already have your resolver configured to rate-limit, please accept our apologies for bothering you. These attackers use any server that will respond, and they (and we) can't easily tell that the traffic is being rate-limited. If you rate limit and contact us at noc@nfoe.net, we can whitelist your IP address in our database so that you don't receive more of these notifications for it.

Example DNS responses from your resolver during this attack are given below. Timestamps (far left) are PST (UTC-8), and the date is 2014-05-28.

15:58:44.877753 IP (tos 0x0, ttl 51, id 27986, offset 0, flags [+], proto UDP (17), length 1396) 176.120.ХХХ.ХХХ.53 > 66.150.188.x.15897: 2201| 253/0/0 magas.bslrpg.com. A 2.2.2.160, magas.bslrpg.com.[|domain]
0x0000: 4500 0574 6d52 2000 3311 7c21 b078 c9ad E..tmR..3.|!.x..
0x0010: 4296 bc49 0035 3e19 0ffa 581d 0899 8380 B..I.5>...X.....
0x0020: 0001 00fd 0000 0000 056d 6167 6173 0662 .........magas.b
0x0030: 736c 7270 6703 636f 6d00 00ff 0001 c00c slrpg.com.......
0x0040: 0001 0001 0000 1a9a 0004 0202 02a0 c00c ................
0x0050: 0001 ..
15:58:44.901065 IP (tos 0x0, ttl 51, id 27987, offset 0, flags [+], proto UDP (17), length 1396) 176.120.ХХХ.ХХХ.53 > 66.150.188.x.15897: 2201| 253/0/0 magas.bslrpg.com. A 2.2.2.161, magas.bslrpg.com.[|domain]
0x0000: 4500 0574 6d53 2000 3311 7c20 b078 c9ad E..tmS..3.|..x..
0x0010: 4296 bc49 0035 3e19 0ffa 5a20 0899 8380 B..I.5>...Z.....
0x0020: 0001 00fd 0000 0000 056d 6167 6173 0662 .........magas.b
0x0030: 736c 7270 6703 636f 6d00 00ff 0001 c00c slrpg.com.......
0x0040: 0001 0001 0000 1a9a 0004 0202 02a1 c00c ................
0x0050: 0001 ..
15:58:44.923798 IP (tos 0x0, ttl 51, id 27988, offset 0, flags [+], proto UDP (17), length 1396) 176.120.ХХХ.ХХХ.53 > 66.150.188.x.15897: 2201| 253/0/0 magas.bslrpg.com. A 2.2.2.162, magas.bslrpg.com.[|domain]
0x0000: 4500 0574 6d54 2000 3311 7c1f b078 c9ad E..tmT..3.|..x..
0x0010: 4296 bc49 0035 3e19 0ffa 5c23 0899 8380 B..I.5>...\#....
0x0020: 0001 00fd 0000 0000 056d 6167 6173 0662 .........magas.b
0x0030: 736c 7270 6703 636f 6d00 00ff 0001 c00c slrpg.com.......
0x0040: 0001 0001 0000 1a9a 0004 0202 02a2 c00c ................
0x0050: 0001 ..

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "73".)

-John
President
Nuclearfallout Enterprises, Inc. (NFOservers.com)

(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)

At this IP address there is a MikroTik router with an external address. Scanning the address showed:

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
53/tcp   open  domain
80/tcp   open  http
2000/tcp open  cisco-sccp
8291/tcp open  unknown

Most likely, because there are open ports there, it was used to attack some host, as in Rashid's case. By the way, such cases have been registered with us twice. When a host in our network ended up as the target, the attack was carried out using NTP servers. The principle is this: some attacker sends a request (for the last 600 clients that asked for the time) to thousands of NTP servers. As his own address he substitutes the victim's address. The servers then reply to the real address and thereby generate a huge amount of traffic that the victim is unable to digest. The conclusion: close your ports )))
marcelo12 Posted June 8, 2014
Everyone who has NTP servers (time servers), read this article and take it seriously: http://habrahabr.ru/post/209438/
marcelo12 Posted June 9, 2014
Yesterday this letter came to us and to one more Makhachkala provider (or maybe more than one)) ). They just won't leave them alone.

A public NTP server on your network, running on IP address 176.120.XXX.XXX and UDP port 123, participated in a very large-scale attack against a customer of ours, generating UDP responses to spoofed "monlist" requests that claimed to be from the attack target.

Please consider reconfiguring this NTP server in one or more of these ways:

1. If you run ntpd, upgrading to the latest version, which removes the "monlist" command that is used for these attacks; alternately, disabling the monitoring function by adding "disable monitor" to your /etc/ntp.conf file.
2. Setting the NTP installation to act as a client only. With ntpd, that can be done with "restrict default ignore" in /etc/ntp.conf; other daemons should have a similar configuration option. More information on configuring different devices can be found here: https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html.
3. Adjusting your firewall or NTP server configuration so that it only serves your users and does not respond to outside IP addresses.

If you don't mean to run a public NTP server, we recommend #1 and #2. If you do mean to run a public NTP server, we recommend #1, and also that you rate-limit responses to individual source IP addresses -- silently discarding those that exceed a low number, such as one request per IP address per second. Rate-limit functionality is built into many recently-released NTP daemons, including ntpd, but needs to be enabled; it would help with different types of attacks than this one.

Fixing open NTP servers is important; with the 1000x+ amplification factor of NTP DRDoS attacks -- one 40-byte-long request can generate up to 46800 bytes worth of response traffic -- it only takes one machine on an unfiltered 100 Mbps link to create a 100+ Gbps attack!

If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.

Further reading:
https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
https://isc.sans.org/forums/diary/NTP+reflection+attack/17300
http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613&smlogin=true

You can find more vulnerable servers on a network through this site: http://openntpproject.org/

Example NTP responses from the host during this attack are given below. Timestamps (far left) are PDT (UTC-7), and the date is 2014-06-06.

14:56:00.582232 IP 176.120.XXX.XXX.123 > 66.150.155.x.27015: NTPv2, Reserved, length 440
0x0000: 4500 01d4 e456 4000 3211 f6a8 b078 de04 E....V@.2....x..
0x0010: 4296 9b06 007b 6987 01c0 67de d700 032a B....{i...g....*
0x0020: 0006 0048 0000 0000 0000 0000 0000 0000 ...H............
0x0030: 0000 002d 4296 9b06 b078 de04 0100 0000 ...-B....x......
0x0040: 6987 0702 0000 0000 0000 0000 0000 0000 i...............
0x0050: 0000 ..
14:56:00.582469 IP 176.120.XXX.XXX.123 > 66.150.155.x.27015: NTPv2, Reserved, length 440
0x0000: 4500 01d4 e457 4000 3211 f6a7 b078 de04 E....W@.2....x..
0x0010: 4296 9b06 007b 6987 01c0 30b2 d701 032a B....{i...0....*
0x0020: 0006 0048 0000 0000 0000 00ac 0000 0000 ...H............
0x0030: 0000 0001 2eae 3056 b078 de04 0100 0000 ......0V.x......
0x0040: 6987 0702 0000 0000 0000 0000 0000 0000 i...............
0x0050: 0000 ..
14:56:00.582659 IP 176.120.XXX.XXX.123 > 66.150.155.x.27015: NTPv2, Reserved, length 440
0x0000: 4500 01d4 e458 4000 3211 f6a6 b078 de04 E....X@.2....x..
0x0010: 4296 9b06 007b 6987 01c0 f340 d702 032a B....{i....@...*
0x0020: 0006 0048 0000 000d 0000 01a2 0000 0000 ...H............
0x0030: 0000 0004 4657 f03b b078 de04 0100 0000 ....FW.;.x......
0x0040: 007b 0702 0000 0000 0000 0000 0000 0000 .{..............
0x0050: 0000 ..
14:56:00.582824 IP 176.120.XXX.XXX.123 > 66.150.155.x.27015: NTPv2, Reserved, length 440
0x0000: 4500 01d4 e459 4000 3211 f6a5 b078 de04 E....Y@.2....x..
0x0010: 4296 9b06 007b 6987 01c0 2ebe d703 032a B....{i........*
0x0020: 0006 0048 0000 0036 0000 05e5 0000 0000 ...H...6........
0x0030: 0000 0004 184a 29ea b078 de04 0100 0000 .....J)..x......
0x0040: 0050 0702 0000 0000 0000 0000 0000 0000 .P..............
0x0050: 0000 ..
14:56:00.583035 IP 176.120.XXX.XXX.123 > 66.150.155.x.27015: NTPv2, Reserved, length 440
0x0000: 4500 01d4 e45a 4000 3211 f6a4 b078 de04 E....Z@.2....x..
0x0010: 4296 9b06 007b 6987 01c0 10a6 d704 032a B....{i........*
0x0020: 0006 0048 0000 0170 0000 0c80 0000 0000 ...H...p........
0x0030: 0000 0003 6c4a 9c76 b078 de04 0100 0000 ....lJ.v.x......
0x0040: 0050 0702 0000 0000 0000 0000 0000 0000 .P..............
0x0050: 0000 ..
14:56:00.583215 IP 176.120.XXX.XXX.123 > 66.150.155.x.27015: NTPv2, Reserved, length 440
0x0000: 4500 01d4 e45b 4000 3211 f6a3 b078 de04 E....[@.2....x..
0x0010: 4296 9b06 007b 6987 01c0 efcf d705 032a B....{i........*
0x0020: 0006 0048 0000 0003 0000 1819 0000 0000 ...H............
0x0030: 0000 04ea 4256 f40d b078 de04 0100 0000 ....BV...x......
0x0040: 0050 0702 0000 0000 0000 0000 0000 0000 .P..............
0x0050: 0000 ..

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "6".)

-John
President
Nuclearfallout Enterprises, Inc. (NFOservers.com)

(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)
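An added detection example, written for this thread and not taken from the posts or from NFOservers: a Python script that parses tcpdump -X style hex dumps like the ones in the two notices (the June 5 open-resolver case and the June 9 NTP case) and flags the two reflector signatures they describe, a recursive answer to an ANY query leaving port 53, and a mode-7 monlist response leaving port 123, together with the per-packet amplification factor. The two embedded dumps are the first packet of each notice, with the reflector's lower two address octets zeroed to match the masking in the posts (so IP checksums will not verify); the 40-byte monlist request size is the figure quoted in the NTP notice, and request codes 20 and 42 are ntpd's MON_GETLIST and MON_GETLIST_1.

```python
"""Spot DNS ANY and NTP monlist reflector responses in tcpdump -X style hex dumps."""
import struct

# Constructed sample input: the first packet from each notice. Bytes 12-15 of the IP
# header (the reflector's address) and the copy of that address inside the monlist
# item are zeroed to match the masking in the posts; checksums are not verified.
DNS_DUMP = """\
0x0000: 4500 0574 6d52 2000 3311 7c21 b078 0000 E..tmR..3.|!.x..
0x0010: 4296 bc49 0035 3e19 0ffa 581d 0899 8380 B..I.5>...X.....
0x0020: 0001 00fd 0000 0000 056d 6167 6173 0662 .........magas.b
0x0030: 736c 7270 6703 636f 6d00 00ff 0001 c00c slrpg.com.......
0x0040: 0001 0001 0000 1a9a 0004 0202 02a0 c00c ................
0x0050: 0001 ..
"""
NTP_DUMP = """\
0x0000: 4500 01d4 e456 4000 3211 f6a8 b078 0000 E....V@.2....x..
0x0010: 4296 9b06 007b 6987 01c0 67de d700 032a B....{i...g....*
0x0020: 0006 0048 0000 0000 0000 0000 0000 0000 ...H............
0x0030: 0000 002d 4296 9b06 b078 0000 0100 0000 ...-B....x......
0x0040: 6987 0702 0000 0000 0000 0000 0000 0000 i...............
0x0050: 0000 ..
"""

MON_GETLIST, MON_GETLIST_1 = 20, 42  # ntpd mode-7 request codes behind "monlist"
MONLIST_REQUEST_BYTES = 40           # request size quoted in the NTP notice
QTYPE_ANY = 255
HEX_DIGITS = set("0123456789abcdef")


def parse_hexdump(dump: str) -> bytes:
    """Turn '0x0010: 4296 bc49 ... ASCII' lines into raw bytes.

    Only the 4-hex-digit groups right after the offset are used; the ASCII column
    is skipped by stopping at the first token that is not such a group."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:9]:
            if len(tok) != 4 or any(c not in HEX_DIGITS for c in tok.lower()):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def ipv4_udp(pkt: bytes):
    """Split an IPv4/UDP packet into (src, dst, sport, dport, udp_len, payload)."""
    if pkt[9] != 17:
        raise ValueError("not a UDP packet")
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, udp_len = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return src, dst, sport, dport, udp_len, pkt[ihl + 8:]


def dns_question(payload: bytes) -> dict:
    """Parse the DNS header and the first question (question names are never compressed)."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    labels, pos = [], 12
    while payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1                                    # skip the root label
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": ident, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "ancount": an,
            "qname": ".".join(labels), "qtype": qtype,
            "query_len": pos + 4}               # bytes a query with just this question needs


def ntp_mode7(payload: bytes):
    """Decode the 8-byte NTP private-mode (mode 7) header, or None if not mode 7."""
    b0 = payload[0]
    if b0 & 0x07 != 7:
        return None
    err_nitems, mbz_isize = struct.unpack("!HH", payload[4:8])
    return {"response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
            "version": (b0 >> 3) & 0x07, "sequence": payload[1],
            "implementation": payload[2], "request_code": payload[3],
            "err": err_nitems >> 12, "nitems": err_nitems & 0x0FFF,
            "item_size": mbz_isize & 0x0FFF}


def classify(dump: str) -> dict:
    """Verdict for one captured packet: reflector kind and amplification factor,
    defined as response payload bytes (from the UDP length, so a truncated dump is
    fine) divided by request payload bytes."""
    src, dst, sport, dport, udp_len, payload = ipv4_udp(parse_hexdump(dump))
    resp_bytes = udp_len - 8
    verdict = {"src": src, "dst": dst, "sport": sport, "dport": dport, "kind": None,
               "response_bytes": resp_bytes, "amplification": 0.0}
    if sport == 53:
        q = dns_question(payload)
        verdict.update(qname=q["qname"], ancount=q["ancount"], truncated=q["tc"])
        verdict["amplification"] = round(resp_bytes / q["query_len"], 1)
        # RA set on an answer to an ANY query: the server recursed for an outside client.
        if q["qr"] and q["ra"] and q["qtype"] == QTYPE_ANY:
            verdict["kind"] = "dns-open-resolver-any"
    elif sport == 123:
        m = ntp_mode7(payload)
        if m and m["response"] and m["request_code"] in (MON_GETLIST, MON_GETLIST_1):
            verdict.update(kind="ntp-monlist", nitems=m["nitems"], more=m["more"])
            # Per-packet figure only: the "more" bit means further 440-byte packets follow,
            # which is how the notice reaches its 1000x+ total.
            verdict["amplification"] = round(resp_bytes / MONLIST_REQUEST_BYTES, 1)
    return verdict


if __name__ == "__main__":
    for name, dump in (("DNS", DNS_DUMP), ("NTP", NTP_DUMP)):
        print(name, classify(dump))
```

On a live capture the same two checks apply to packets read from a pcap; a hit of either kind with a source address you own means a resolver or NTP daemon is answering the whole internet and needs the "allow-query" or "disable monitor" / "restrict default ignore" fix from the notices. Note that the DNS factor here is for the first fragment only in terms of capture, but the UDP length field (4090) already gives the whole datagram, so the ~120x is the real per-query figure before fragmentation overhead.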
as_lan Posted June 10, 2014
marcelo12, cut off the client's internet. He'll call you himself right away)) Then explain that the vulnerability ought to be fixed.
marcelo12 Posted June 10, 2014
as_lan, for now we're calling them ourselves))
MAGNUM007 Posted June 21, 2014
And where should I write regarding the speed limit on the local network?
Thorkero Posted April 25, 2016
I think if you just rent hosting, you don't need to worry about protection against DDoS attacks. Your hoster will do that for you.
as_lan Posted April 25, 2016
@Thorkero, necropost?