Oh, the first two rules should not exist
-Wei
On Mon, Mar 11, 2024 at 2:04 PM Wei ZHOU wrote:
> Hi,
>
> The port 53 should be allowed for only the guest network
>
> root@r-4-VM:~# iptables-save |grep "port 53"
> -A INPUT -d 10.111.17.4/32 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT
oad Balancer instead. The VR should
> assign the IP on its interface if it is acquired in the network.
> If I may ask, how are you concluding that IPs are unassigned
> elsewhere, have you performed basic reachability tests? Your case
> could be one of the below
>
> 1. That IP cou
From: Granwille Strauss
Sent: Friday, February 9, 2024 1:40:05 pm
To: users@cloudstack.apache.org
Cc: Jayanth Reddy; Wei ZHOU
Subject: Re: DDOS Attacks from my virtual Router
I run version 4.18.1.0 currently, oddly there was an update for
dnsmasq so I applied them to all systemvms. I c
I remember it as well.
The issue should have been fixed many years ago. See
https://github.com/apache/cloudstack/pull/1663
-Wei
On Mon, Mar 11, 2024 at 11:09 AM Nux wrote:
>
> I have seen this in the past where port 53 was open on these public IPs
> on the VR and was indeed leading to amplificat
se check your events.
From: Granwille Strauss
Sent: Friday, February 9, 2024 1:40:05 pm
To: users@cloudstack.apache.org
Cc: Jayanth Reddy; Wei ZHOU
Subject: Re: DDOS A
Hi Wei
Thank you for the provided script, the stats it shows, is it from
initial VM creation date or from the time the server was rebooted?
On 3/11/24 09:57, Wei ZHOU wrote:
In my opinion, one of your VMs is compromised.
If you are able to access the hosts, you can check the statistics of
th
In my opinion, one of your VMs is compromised.
If you are able to access the hosts, you can check the statistics of
the virtual nics of the VMs in the network.
vmname=i-xx-yyy-VM
nics=$(virsh domiflist $vmname |awk '{print $1}' |grep vnet)
for nic in $nics;do
virsh domifstat $vmname $nic |grep
From: Granwille Strauss
Sent: Friday, February 9, 2024 1:40:05 pm
To: users@cloudstack.apache.org
Cc: Jayanth Reddy; Wei ZHOU
Subject: Re: DDOS Attacks from my virtual Router
I run version 4.18.1.0 currently, oddly there was an update for dnsmasq so I
applied them to all s
>
>
> From: Granwille Strauss
> Sent: Friday, February 9, 2024 1:40:05 pm
> To: users@cloudstack.apache.org
>
> Cc: Jayanth Reddy; Wei ZHOU
> Subject: Re: DDOS Attacks from my virtual Router
>
>
> I run versio
Reddy
From: Granwille Strauss
Sent: Tuesday, February 13, 2024 12:48:46 am
To: users@cloudstack.apache.org
Cc: Jayanth Reddy; Wei ZHOU
Subject: Re: DDOS Attacks from my virtual Router
Update:
So
From: Granwille Strauss
Sent: Friday, February 9, 2024 1:40:05 pm
To: users@cloudstack.apache.org
Cc: Jayanth Reddy; Wei ZHOU
Subject: Re: DDOS Attacks from my virtual Router
I run version 4.18.1.0 currently, oddly there was an update
ent: Friday, February 9, 2024 1:10:32 pm
To: users@cloudstack.apache.org
Cc: Wei ZHOU; jayanthreddy5...@gmail.com
ision them
again.
Thanks
From: Granwille Strauss
Sent: Friday, February 9, 2024 1:10:32 pm
To: users@cloudstack.apache.org
Cc: Wei ZHOU; jayanthreddy5...@gmail.com
Subject: Re: DDOS Attacks from my virtual
Hi,
The issue was very old (happened in 2017). I do not believe the recent
dnsmasq/cloudstack still have the same problem. What cloudstack version do
you use?
"Allocated" public IP addresses, which do not have associated VM, could be
used as source nat, port forwarding or load balancer, or even
Hi
Yes, I have Advanced network set up. I am going to check for the
allocated IPs that have zero VMs associated via the DB and see what I
can find. I see more than one that is "allocated" in different guest
networks. However, I would appreciate any clues or tips, as I have
barely touched CS d
+1
It looks like one of the VMs in the isolated network is compromised.
Try to capture the packets of port 53 (tcp/udp) by tcpdump in the virtual
router, and see what is the source IP of the packets.
-Wei
On Fri, 9 Feb 2024 at 08:18, Jayanth Reddy
wrote:
> Hello,
> The VR does process DNS quer
Hello,
The VR does process DNS queries, and if you're using cloud-init on VMs, the
primary nameserver would be your VR IP. VR is usually configured to forward the
requested DNS queries to upstream servers which is defined in the zone
settings. So I guess one of the VMs should have gotten comprom
I found this:
https://cloudstack.apache.org/blog/dnsmasq-vulnerabilities-advisory-for-cloudstack/
and applied the recommended steps to all my SVMs, whether this will work
or not I am not sure. Do you guys maybe know of anything else that can
be done? What are the implications of blocking port 5