Hi,

The issue was very old (happened in 2017). I do not believe the recent
dnsmasq/cloudstack still have the same problem. What cloudstack version do
you use?

"Allocated" public ip addresses, which do not have an associated VM, could be
used as source nat, port forwarding or load balancer, or even not be in use.
You can go to the details page of the public ip, and check the tabs.


-Wei

On Fri, 9 Feb 2024 at 08:40, Granwille Strauss <granwi...@namhost.com>
wrote:

> Hi
>
> Yes, I have Advanced network set up. I am going to check for the allocated
> IPs that have zero VMs associated via the DB and see what I can find. I see
> more than one that is "allocated" in different guest networks. However, I
> would appreciate any clues or tips, as I have barely touched CS database in
> my life.
>
> Then, the rvm does not seem to listen on a DNS server via port 53, only
> dnsmasq; could this not be the issue too, as explained in the blog I linked
> earlier? I am currently running a tcpdump for the day to see what happens.
> So far the dump is not providing any hits, but keep in mind I did run
> apt-get update dnsmasq prior and rebooted the systemvms including router
> vms.
> On 2/9/24 09:23, Wei ZHOU wrote:
>
> +1
> It looks like one of the VMs in the isolated network is compromised.
> Try to capture the packets of port 53 (tcp/udp) by tcpdump in the virtual
> router, and see what is the source IP of the packets.
>
>
> -Wei
>
> On Fri, 9 Feb 2024 at 08:18, Jayanth Reddy <jayanthreddy5...@gmail.com>
> wrote:
>
>
> Hello,
> The VR does process DNS queries, and if you're using cloud-init on VMs,
> the primary nameserver would be your VR IP. VR is usually configured to
> forward the requested DNS queries to upstream servers which are defined in
> the zone settings. So I guess one of the VMs should have gotten compromised,
> leading to the generation of the attack. Usually the VR does SNAT, so the
> SNAT or STATICNAT IP becomes the source on the Internet (unless there is
> double NAT happening).
>
>
> See if you can check the MAC address of that Public IP from your uplinks.
> I've faced the same issue earlier wherein one VR was holding one IP but for
> whatever reason db was updated as free. See this:
> https://github.com/apache/cloudstack/issues/6821. You should check in DB
> for that IP. For me, I was able to get using the API, looked for routers
> and filtered the MAC address for that IP. Happens..
>
> Is it safe for me to assume your zone is "Advanced"?
>
>
> Thanks
> Jayanth Reddy
>
> ________________________________
> From: Granwille Strauss <granwi...@namhost.com.INVALID>
> Sent: Friday, February 9, 2024 11:38:13 am
> To: users@cloudstack.apache.org <users@cloudstack.apache.org>
> Subject: DDOS Attacks from my virtual Router
>
>
> Hei
>
> My DC has just sent me notice that two of my IP addresses from the
> allocated subnets are responsible for amplifying DDOS attacks. One out of
> the two is my virtual router IP address. I was advised to firewall port 53
> or deactivate recursive functions. Can you perhaps provide some insight on
> how this could be possible?
>
> The second IP address, I see under the guest networks that it is
> "Allocated" but I have reviewed all my SystemVMs and all my virtual
> routers, none of them have that IP address assigned. Nor any VM instance
> either. It's assigned to something but I cannot tell what. Is there a better
> way for me to see what server/service uses this IP in Cloudstack, please?
>
> --
> Regards / Groete
>
> Granwille Strauss  //  Senior Systems Admin
>
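
Added example, not part of the thread: one way to act on the advice above to capture port 53 on the virtual router and look at the source IPs. It tallies DNS queries per client from `tcpdump -nn` text output and separates guest-network sources (a VM to inspect) from external ones (port 53 reachable from the Internet). The capture lines, the guest CIDR 10.1.1.0/24, the VR addresses and the function names are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn port 53` output on the VR (not real traffic).
SAMPLE = """\
10:15:01.100000 IP 10.1.1.25.51234 > 10.1.1.1.53: 4521+ A? example.com. (29)
10:15:01.101000 IP 10.1.1.1.53 > 10.1.1.25.51234: 4521 1/0/0 A 192.0.2.80 (45)
10:15:02.200000 IP 198.51.100.7.40000 > 203.0.113.10.53: 111+ ANY? example.org. (40)
10:15:02.201000 IP 203.0.113.10.53 > 198.51.100.7.40000: 111 20/0/1 A 192.0.2.1, A 192.0.2.2 (3100)
10:15:02.300000 IP 198.51.100.7.40001 > 203.0.113.10.53: 112+ ANY? example.org. (40)
10:15:02.301000 IP 203.0.113.10.53 > 198.51.100.7.40001: 112 20/0/1 A 192.0.2.1, A 192.0.2.2 (3100)
10:15:03.000000 IP 203.0.113.10.33000 > 192.0.2.53.53: 900+ A? example.com. (40)
10:15:03.001000 IP 192.0.2.53.53 > 203.0.113.10.33000: 900 1/0/0 A 192.0.2.80 (56)
"""

# src.port > dst.port: ... (dns_payload_len)
LINE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): .*\((\d+)\)\s*$")

def summarize(capture, guest_cidr, vr_ips):
    """Per-client query count, bytes in/out and origin for DNS served by the VR."""
    guest = ipaddress.ip_network(guest_cidr)
    stats = defaultdict(lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0})
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, size = (m.group(1), int(m.group(2)),
                                        m.group(3), int(m.group(4)), int(m.group(5)))
        if dst in vr_ips and dport == 53:      # query addressed to the VR
            stats[src]["queries"] += 1
            stats[src]["bytes_in"] += size
        elif src in vr_ips and sport == 53:    # answer sent by the VR
            stats[dst]["bytes_out"] += size
        # VR-to-upstream forwarding matches neither branch and is ignored.
    report = {}
    for client, s in stats.items():
        origin = "guest" if ipaddress.ip_address(client) in guest else "external"
        ratio = round(s["bytes_out"] / s["bytes_in"], 1) if s["bytes_in"] else 0.0
        report[client] = {**s, "origin": origin, "amplification": ratio}
    return report

def external_clients(report):
    """Clients outside the guest network that the VR answered on port 53."""
    return sorted(c for c, s in report.items() if s["origin"] == "external")

if __name__ == "__main__":
    rep = summarize(SAMPLE, "10.1.1.0/24", {"10.1.1.1", "203.0.113.10"})
    for client, s in sorted(rep.items()):
        print(client, s)
```

Any entry under `external_clients` means the VR is answering DNS from outside the guest network, which is the case the data centre's advice to firewall port 53 addresses; in an amplification attack that external source address is normally the spoofed victim, not the sender.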
