Igor Silva

IP being blocked


Hello, for the 3rd time in a row the VPS's IP has been blocked by SYS (SoYouStart). Can someone help me stop these attacks or block them?

 

Attack detail : 17Kpps/5Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2016.07.18 21:43:20 CEST TCP SYN 40


Your customer is carrying out the attack from inside the machine.


Conecte Host - Cloud Solutions | Cloud Hosting | Domain Registration | Cloud Server | Dedicated Servers USA and BR | cPanel Cloud Server


So it's him that is running the DDoS?

Dear Customer, The IP address 51.255.105.202 had to be blocked by our services due to the various alerts received. Please don't hesitate to contact our technical support team so that this situation does not become critical. You can find the logs brought up by our system which lead to this alert.

- START OF ADDITIONAL INFO -
Attack detail : 17Kpps/5Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
- END OF ADDITIONAL INFO -
OVH Customer Support.
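Added example (not code from the thread or from OVH): a parser for the rows in the notice above, with the triage checks a responder would run on them before touching any firewall. The rows embedded in it are constructed to match the quoted format. Two things the notice already tells you: the source IP on every row is the VPS itself (51.255.105.202) and the destination is an outside host, so this is an outbound flood leaving the machine rather than an attack on it; and every SYN carries the same source port, 156, where a normal TCP stack would pick a different ephemeral port per connection, which points to a tool writing raw packets from inside the VPS. The rate check confirms the headline figures are consistent with 40-byte packets (17 Kpps times 40 bytes is about 5.4 Mbps).

```python
"""Triage of the 'Attack detail' rows in an OVH/SoYouStart IP-block notice.

Added example, not code from the thread or from OVH. SAMPLE_NOTICE is
constructed in the notice's column layout (the quoted rows, shortened).
"""
import re
from collections import Counter

# Constructed sample; same columns and values as the rows quoted in the post.
SAMPLE_NOTICE = """\
Attack detail : 17Kpps/5Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
"""

HEADER_RE = re.compile(r"Attack detail\s*:\s*(?P<kpps>[\d.]+)Kpps/(?P<mbps>[\d.]+)Mbps")
ROW_RE = re.compile(
    r"(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>\w+) "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"(?P<proto>\w+) (?P<flags>\w+) (?P<bytes>\d+) (?P<reason>\S+)$"
)


def parse_notice(text):
    """Return (headline rate as (pps, mbps) or None, list of row dicts)."""
    rate, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.search(line)
        if h:
            rate = (float(h["kpps"]) * 1000, float(h["mbps"]))
            continue
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            for k in ("src_port", "dst_port", "bytes"):
                row[k] = int(row[k])
            rows.append(row)
    return rate, rows


def triage(rows, local_ips):
    """The questions to answer before touching any firewall."""
    local_src = sum(r["src_ip"] in local_ips for r in rows)
    if local_src == len(rows):
        direction = "outbound"   # our own host is the sender
    elif local_src == 0:
        direction = "inbound"
    else:
        direction = "mixed"
    src_ports = {r["src_port"] for r in rows}
    dsts = Counter((r["dst_ip"], r["dst_port"]) for r in rows)
    return {
        "direction": direction,
        "rows": len(rows),
        "flags": sorted({r["flags"] for r in rows}),
        "top_dst": dsts.most_common(1)[0][0] if dsts else None,
        # a real TCP stack rotates ephemeral source ports per connection;
        # one fixed low port on every SYN means crafted (raw-socket) packets
        "fixed_low_src_port": len(src_ports) == 1 and min(src_ports) < 1024,
    }


def rate_consistent(pps, mbps, pkt_bytes, tolerance=0.2):
    """Does pps x packet size agree with the headline Mbps? (sanity check)"""
    implied_mbps = pps * pkt_bytes * 8 / 1e6
    return abs(implied_mbps - mbps) / mbps <= tolerance


if __name__ == "__main__":
    rate, rows = parse_notice(SAMPLE_NOTICE)
    print(rate, triage(rows, {"51.255.105.202"}))
    print("rate matches packet size:", rate_consistent(rate[0], rate[1], rows[0]["bytes"]))
```

An "outbound" verdict with a fixed low source port means the next step is on the VPS itself (find the process sending the SYNs and how it got there), not at the network edge.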


2 hours ago, Igor Silva said:

Hello, for the 3rd time in a row the VPS's IP has been blocked by SYS (SoYouStart). Can someone help me stop these attacks or block them?

 

Attack detail : 17Kpps/5Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2016.07.18 21:43:20 CEST TCP SYN 40

I had this problem on SYS when I set the password of my Linux machines to "root" and those miserable Chinese got into the machine and carried out attacks.

1 hour ago, BSHosting said:

I had this problem on SYS when I set the password of my Linux machines to "root" and those miserable Chinese got into the machine and carried out attacks.

Well, that way too, right...  :)


Server management and optimization: CentOS, Debian, Ubuntu, cPanel and VestaCP.
Optimized cloud and optimization for: WordPress and Magento.
Virtualization: implementation and management of Virtualizor, Proxmox, OpenStack and VMware.


So the problem is him running a SYN flood DDoS attack?

1 hour ago, BSHosting said:

I had this problem on SYS when I set the password of my Linux machines to "root" and those miserable Chinese got into the machine and carried out attacks.

What do you mean? The login was root and the password was root?

8 minutes ago, Igor Silva said:

So the problem is him running a SYN flood DDoS attack?

What do you mean? The login was root and the password was root?

Yes, he is carrying out an attack, and that is why SYS blocks the use of the IP.

That's right, the panel generated the password "root" by default, and the Chinese ended up making a mess.


So guys, I contacted them and they replied as follows:

Quote:

Hello,

Thank you for contacting SoyouStart regarding your DDoS attack.

It is strongly recommended to use the firewall to only allow the incoming traffic you need, that way lots of attacks will be blocked by this firewall.

To start using the OVH network firewall, in the IP section of your OVH Manager, select the IP in question, click on the wheel gear icon and select 'Configure the firewall', click on 'Add a rule'.

This firewall only filters the traffic coming from outside the OVH network. It is limited to 20 (0-19) rules per IP. Make sure you assign the highest numbers (lowest priorities) to the Refuse/Deny/Block rules and the lowest numbers (highest priorities) to the Authorize/Allow/Permit rules. You can specify IP blocks with CIDR notation but you cannot use port ranges in the rules.

What you have to do is allow the TCP (SYN + Established) and UDP packets your services need to work and block all other traffic. For example, with these three rules you can allow http (port 80) connections and block any other tcp/udp traffic. Notice that you have to add 1 allow rule for each tcp port your services use (https, smtp, etc.) with the SYN flag set:

  •  Priority: 0 - Action: Authorize - Protocol: TCP - Source IP: Blank - Source port: Blank - Destination port: 80  Flags: SYN
  •  Priority: 1 - Action: Authorize - Protocol: TCP - Source IP: Blank - Source port: Blank - Destination port: Blank - Flags: Established
  •  Priority: 19 - Action: Refuse - Protocol: IPv4 - Source IP: Blank

The same is required for the UDP traffic, the only difference is that there is no SYN/Established flags and you only need to add one rule for each UDP port you want to allow.

If after you have the firewall configured you keep being attacked, you can take a capture of the network traffic. In Linux you can use the command:

  • tcpdump -w capture-ovh -c 100000 tcp port not 22

In Windows you can use the software Wireshark.

If I misunderstood your issue, please clarify and I will gladly help you in resolving it.

For any other questions or concerns, please feel free to contact us through a support ticket or through our toll-free line at 1-844-768-7827. We’re here 24/7 to help you!

We thank you again for choosing SoyouStart,

Yann
Customer Advocate
Make sure to visit our FAQ: http://docs.ovh.ca/en/faqs.html

 

FAQ

Quote:

DDoS Attack

Our servers all have DDoS protection included. However, the nature of DDoS attacks is always changing, and we have to constantly modify our system to stay up to date. In the event that our anti-DDoS doesn’t mitigate the attack, we would ask that you capture the traffic on your server and send us the logs. This way we can improve the anti-DDoS automatic detection.

To capture packets on any operating system, here is what you will need to do:

If LINUX: tcpdump -w capture-ovh -c 100000 port not ssh (this will create a file called capture-ovh)

If WINDOWS: Use Wireshark and save the info in a .pcap file

Note : You can always use the KVM from your OVH Manager to connect to your server if SSH is not working while under attack.

Ideally we would need around 100,000 packets (with a DDoS attack, that should happen within a second or two at most).

You can then send us the Capture file in your support ticket, or you can upload the file to http://demo.ovh.eu/ and provide the link to us. We will analyse the collected data and use it to further improve our Anti-DDoS protection for all OVH customers.

I've already tried looking in the panel and couldn't find that firewall. Is their firewall the paid one, for 47 dollars?
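The three-rule recipe in the support reply, modelled as code so that the effect of rule ordering can be seen (added example, not OVH's code or the panel's actual implementation). It assumes, as the reply implies, that rules are tried in ascending priority number, the first match decides, and a packet matching no rule is let through, which is why the Refuse rule at 19 is needed; the SYN/Established matching is an approximation of the panel's flag options. One caveat the thread does not spell out: the reply itself says this firewall only filters traffic coming from outside the OVH network, while the rows in the notice show the VPS as the source, so these rules would not stop the outbound SYNs that got the IP blocked; that needs the process on the VPS found and removed. Also note that the recipe as quoted has no Authorize rule for port 22 (or whatever port SSH listens on), so the Refuse rule at 19 would lock you out; the helper below adds one.

```python
"""Model of the OVH network-firewall rule semantics from the SoYouStart reply.

Added example, not OVH's code. Assumptions: rules are evaluated in ascending
priority (0 first), the first matching rule decides, and a packet that matches
no rule is allowed (hence the catch-all Refuse at 19). The SYN/Established
flag semantics below are an approximation of the panel's options.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_RULES = 20  # the reply: 20 rules per IP, priorities 0-19


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str                     # "Authorize" or "Refuse"
    protocol: str                   # "TCP", "UDP" or "IPv4" (any protocol)
    dst_port: Optional[int] = None  # None = any port (no port ranges allowed)
    flags: Optional[str] = None     # "SYN", "Established" or None (TCP only)


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: int
    syn: bool = False
    ack: bool = False


def validate(rules: List[Rule]) -> None:
    """Reject rule sets the panel would not accept (per the reply's limits)."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} rules per IP")
    prios = [r.priority for r in rules]
    if any(p < 0 or p >= MAX_RULES for p in prios):
        raise ValueError("priorities must be 0-19")
    if len(set(prios)) != len(prios):
        raise ValueError("duplicate priority")
    for r in rules:
        if r.action not in ("Authorize", "Refuse"):
            raise ValueError(f"bad action {r.action!r}")
        if r.flags is not None and r.protocol != "TCP":
            raise ValueError("SYN/Established flags only apply to TCP")


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "IPv4" and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.flags == "SYN" and not pkt.syn:
        return False  # new-connection SYNs only
    if rule.flags == "Established" and not (pkt.ack and not pkt.syn):
        return False  # packets of an already-open connection
    return True


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First match in priority order wins; no match falls through to Authorize."""
    validate(rules)
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.action
    return "Authorize"  # assumption: unmatched traffic is not filtered


def recommended_rules(tcp_ports: List[int], udp_ports: List[int]) -> List[Rule]:
    """Build the reply's recipe: one SYN allow per TCP port, one Established
    allow, one allow per UDP port, and a catch-all Refuse at priority 19."""
    rules: List[Rule] = []
    for p in tcp_ports:
        rules.append(Rule(len(rules), "Authorize", "TCP", p, "SYN"))
    rules.append(Rule(len(rules), "Authorize", "TCP", None, "Established"))
    for p in udp_ports:
        rules.append(Rule(len(rules), "Authorize", "UDP", p))
    if len(rules) >= MAX_RULES:
        raise ValueError("too many ports for the 20-rule limit (deny rule needs slot 19)")
    rules.append(Rule(MAX_RULES - 1, "Refuse", "IPv4"))
    return rules


# The three rules quoted in the reply, exactly as listed (note: no SSH allow).
REPLY_RULES = [
    Rule(0, "Authorize", "TCP", 80, "SYN"),
    Rule(1, "Authorize", "TCP", None, "Established"),
    Rule(19, "Refuse", "IPv4"),
]

if __name__ == "__main__":
    for pkt in (Packet("TCP", 80, syn=True), Packet("TCP", 22, syn=True), Packet("UDP", 53)):
        print(pkt, "->", decide(REPLY_RULES, pkt))
    safe = recommended_rules([22, 80, 443], [])
    print("with ssh allowed:", decide(safe, Packet("TCP", 22, syn=True)))
```

Swapping the priorities (Refuse at 0, Authorize at 1) makes every packet hit the Refuse rule first, which is the mistake the reply's "highest numbers to Refuse rules" sentence is warning about.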
