Re: DDOS Attacks from my virtual Router

2024-03-11 Thread Wei ZHOU
oh, the first two rules should not exist -Wei On Mon, Mar 11, 2024 at 2:04 PM Wei ZHOU wrote: > Hi, > > The port 53 should be allowed for only the guest network > > root@r-4-VM:~# iptables-save |grep "port 53" > -A INPUT -d 10.111.17.4/32 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT > -A INPUT

Re: DDOS Attacks from my virtual Router

2024-03-11 Thread Wei ZHOU
oad Balancer instead. The VR should > assign the IP on its interface if it is acquired in the network. > If I may ask, how are you concluding that IPs are unassigned > elsewhere, have you performed basic reachability tests? Your case > could be one of the below > > 1. That IP cou

Re: DDOS Attacks from my virtual Router

2024-03-11 Thread Granwille Strauss
From: Granwille Strauss Sent: Friday, February 9, 2024 1:40:05 pm To: users@cloudstack.apache.org Cc: Jayanth Reddy ; Wei ZHOU Subject: Re: DDOS Attacks from my virtual Router I run version 4.18.1.0 currently, oddly there was an update for dnsmasq so I applied them to all systemvms. I c

Re: DDOS Attacks from my virtual Router

2024-03-11 Thread Wei ZHOU
I remember it as well. The issue should have been fixed many years ago. see https://github.com/apache/cloudstack/pull/1663 -Wei On Mon, Mar 11, 2024 at 11:09 AM Nux wrote: > > I have seen this in the past where port 53 was open on these public IPs > on the VR and was indeed leading to amplificat

Re: DDOS Attacks from my virtual Router

2024-03-11 Thread Nux
se check your events. Get Outlook for Android<https://aka.ms/AAb9ysg> From: Granwille Strauss Sent: Friday, February 9, 2024 1:40:05 pm To: users@cloudstack.apache.org Cc: Jayanth Reddy ; Wei ZHOU Subject: Re: DDOS A

Re: DDOS Attacks from my virtual Router

2024-03-11 Thread Granwille Strauss
Hi Wei Thank you for the provided script, the stats it shows, is it from initial VM creation date or from the time the server was rebooted? On 3/11/24 09:57, Wei ZHOU wrote: In my opinion, one of your VMs is compromised. If you are able to access the hosts, you can check the statistics of th

Re: DDOS Attacks from my virtual Router

2024-03-11 Thread Wei ZHOU
In my opinion, one of your VMs is compromised. If you are able to access the hosts, you can check the statistics of the virtual nics of the VMs in the network. vmname=i-xx-yyy-VM nics=$(virsh domiflist $vmname |awk '{print $1}' |grep vnet) for nic in $nics;do virsh domifstat $vmname $nic |grep

Re: DDOS Attacks from my virtual Router

2024-03-11 Thread Granwille Strauss
___ From: Granwille Strauss Sent: Friday, February 9, 2024 1:40:05 pm To: users@cloudstack.apache.org Cc: Jayanth Reddy ; Wei ZHOU Subject: Re: DDOS Attacks from my virtual Router I run version 4.18.1.0 currently, oddly there was an update for dnsmasq so I applied them to all s

Re: DDOS Attacks from my virtual Router

2024-02-12 Thread Wei ZHOU
g> > > > From: Granwille Strauss > Sent: Friday, February 9, 2024 1:40:05 pm > To: users@cloudstack.apache.org > > Cc: Jayanth Reddy ; > Wei ZHOU > Subject: Re: DDOS Attacks from my virtual Router > > > I run versio

Re: DDOS Attacks from my virtual Router

2024-02-12 Thread Jayanth Babu A
Reddy Sent from Outlook for Android<https://aka.ms/AAb9ysg> From: Granwille Strauss Sent: Tuesday, February 13, 2024 12:48:46 am To: users@cloudstack.apache.org Cc: Jayanth Reddy ; Wei ZHOU Subject: Re: DDOS Attacks from my virtual Router Update: So

Re: DDOS Attacks from my virtual Router

2024-02-12 Thread Granwille Strauss
roid<https://aka.ms/AAb9ysg> From: Granwille Strauss Sent: Friday, February 9, 2024 1:40:05 pm To: users@cloudstack.apache.org Cc: Jayanth Reddy ; Wei ZHOU Subject: Re: DDOS Attacks from my virtual Router I run version 4.18.1.0 currently, oddly there was an update

Re: DDOS Attacks from my virtual Router

2024-02-09 Thread Jayanth Reddy
ent: Friday, February 9, 2024 1:10:32 pm To: users@cloudstack.apache.org Cc: Wei ZHOU <ustcweiz...@gmail.com>; jayanthreddy5...@gmail.com

Re: DDOS Attacks from my virtual Router

2024-02-08 Thread Jayanth Reddy
ision them again. Thanks Get Outlook for Android<https://aka.ms/AAb9ysg> From: Granwille Strauss Sent: Friday, February 9, 2024 1:10:32 pm To: users@cloudstack.apache.org Cc: Wei ZHOU ; jayanthreddy5...@gmail.com Subject: Re: DDOS Attacks from my virtual

Re: DDOS Attacks from my virtual Router

2024-02-08 Thread Wei ZHOU
Hi, The issue was very old (happened in 2017). I do not believe the recent dnsmasq/cloudstack still have the same problem. What cloudstack version do you use? "Allocated" public ip addresses, which do not have associated VM, could be used as source nat, port forwarding or load balancer, or even

Re: DDOS Attacks from my virtual Router

2024-02-08 Thread Granwille Strauss
Hi Yes, I have Advanced network set up. I am going to check for the allocated IPs that have zero VMs associated via the DB and see what I can find. I see more than one that is "allocated" in different guest networks. However, I would appreciate any clues or tips, as I have barely touched CS d

Re: DDOS Attacks from my virtual Router

2024-02-08 Thread Wei ZHOU
+1 it looks like one of the VMs in the isolated network is compromised. try to capture the packets of port 53 (tcp/udp) by tcpdump in the virtual router, and see what is the source IP of the packets. -Wei On Fri, 9 Feb 2024 at 08:18, Jayanth Reddy wrote: > Hello, > The VR does process DNS quer

Re: DDOS Attacks from my virtual Router

2024-02-08 Thread Jayanth Reddy
Hello, The VR does process DNS queries, and if you're using cloud-init on VMs, the primary nameserver would be your VR IP. VR is usually configured to forward the requested DNS queries to upstream servers which is defined in the zone settings. So I guess one of the VMs should have gotten comprom

Re: DDOS Attacks from my virtual Router

2024-02-08 Thread Granwille Strauss
I found this: https://cloudstack.apache.org/blog/dnsmasq-vulnerabilities-advisory-for-cloudstack/ and applied the recommended steps to all my SVMs, whether this will work or not I am not sure. Do you guys maybe know of anything else that can be done. What are the implications of blocking port 5