Igor Silva, posted July 18, 2016

Hello, for the third time in a row the IP of the VPS has been blocked by SYS. Can anyone help me with how I stop these attacks, or how I block them?

Attack detail : 17Kpps/5Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2016.07.18 21:43:20 CEST TCP SYN 40
Breno Febronio, posted July 18, 2016

Your customer is carrying out the attack from inside the machine.
Igor Silva (author), posted July 18, 2016

So it is him who is using DDoS?

Quote:
    Dear Customer,

    The IP address 51.255.105.202 had to be blocked by our services due to the various alerts received. Please don't hesitate to contact our technical support team so that this situation does not become critical. You can find the logs brought up by our system which lead to this alert.

    - START OF ADDITIONAL INFO -
    Attack detail : 17Kpps/5Mbps
    dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
    2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
    - END OF ADDITIONAL INFO -

    OVH Customer Support.
Breno Febronio, posted July 18, 2016

Yes
olokz, posted July 18, 2016

He is using something for SYN_FLOOD,
Joel Emanoel, posted July 18, 2016

2 hours ago, Igor Silva said:
    Hello, for the third time in a row the IP of the VPS has been blocked by SYS. Can anyone help me with how I stop these attacks, or how I block them?

    Attack detail : 17Kpps/5Mbps
    dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
    2016.07.18 21:43:20 CEST TCP SYN 40

I had this problem at SYS when I set the password of my Linux machines to "root" and those wretched Chinese got into the machine and carried out attacks.
RevendaHost, posted July 19, 2016

1 hour ago, BSHosting said:
    I had this problem at SYS when I set the password of my Linux machines to "root" and those wretched Chinese got into the machine and carried out attacks.

Well, that way too, right... :)
Igor Silva (author), posted July 19, 2016

So the problem is him running a DDoS SYN flood attack?

1 hour ago, BSHosting said:
    I had this problem at SYS when I set the password of my Linux machines to "root" and those wretched Chinese got into the machine and carried out attacks.

What do you mean? The login was root and the password was root?
Joel Emanoel, posted July 19, 2016

8 minutes ago, Igor Silva said:
    So the problem is him running a DDoS SYN flood attack?
    What do you mean? The login was root and the password was root?

Yes, he is carrying out an attack and that is why SYS blocks the use of the IP. That's right, the panel generated the password "root" by default and the Chinese ended up screwing things up.
Igor Silva (author), posted July 19, 2016

So guys, I contacted them and they replied as follows:

Quote:
    Hello,

    Thank you for contacting SoyouStart regarding your DDoS attack.

    It is strongly recommended to use the firewall to only allow the incoming traffic you need, that way lots of attacks will be blocked by this firewall. To start using the OVH network firewall, in the IP section of your OVH Manager, select the IP in question, click on the wheel gear icon and select 'Configure the firewall', click on 'Add a rule'.

    This firewall only filters the traffic coming from outside the OVH network. It is limited to 20 (0-19) rules per IP. Make sure you assign the highest numbers (lowest priorities) to the Refuse/Deny/Block rules and the lowest numbers (highest priorities) to the Authorize/Allow/Permit rules. You can specify IP blocks with CIDR notation but you cannot use port ranges in the rules.

    What you have to do is allow the TCP (SYN + Established) and UDP packets your services need to work and block all other traffic. For example, with these three rules you can allow http (port 80) connections and block any other tcp/udp traffic. Notice that you have to add 1 allow rule for each tcp port your services use (https, smtp, etc.) with the SYN flag set:

    Priority: 0 - Action: Authorize - Protocol: TCP - Source IP: Blank - Source port: Blank - Destination port: 80 - Flags: SYN
    Priority: 1 - Action: Authorize - Protocol: TCP - Source IP: Blank - Source port: Blank - Destination port: Blank - Flags: Established
    Priority: 19 - Action: Refuse - Protocol: IPv4 - Source IP: Blank

    The same is required for the UDP traffic, the only difference is that there is no SYN/Established flags and you only need to add one rule for each UDP port you want to allow.

    If after you have the firewall configured you keep being attacked, you can take a capture of the network traffic.

    In Linux you can use the command: tcpdump -w capture-ovh -c 100000 tcp port not 22
    In Windows you can use the software WireShark.

    If I misunderstood your issue, please clarify and I will gladly help you in resolving it. For any other questions or concerns, please feel free to contact us through a support ticket or through our toll-free line at 1-844-768-7827. We're here 24/7 to help you!

    We thank you again for choosing SoyouStart,
    Yann
    Customer Advocate

    Make sure to visit our FAQ: http://docs.ovh.ca/en/faqs.html

    FAQ, quote:
        DDoS Attack

        Our servers all have DDoS protection included. However, the nature of DDoS attacks is always changing, and we have to constantly modify our system to stay up to date. In the event that our anti-DDoS doesn't mitigate the attack, we would ask that you capture the traffic on your server and send us the logs. This way we can improve the anti-DDoS automatic detection.

        To capture packets on any operating system, here is what you will need to do:

        If LINUX: tcpdump -w capture-ovh -c 100000 port not ssh (this will create a file called capture-ovh)
        If WINDOWS: Use Wireshark and save the info in a .pcap file

        Note: You can always use the KVM from your OVH Manager to connect to your server if SSH is not working while under attack.

        Ideally we would need around 100,000 packets (with a DDoS attack, that should happen within a second or two at most). You can then send us the Capture file in your support ticket, or you can upload the file to http://demo.ovh.eu/ and provide the link to us. We will analyse the collected data and use it to further improve our Anti-DDoS protection for all OVH customers.

I already tried looking in the panel and could not find that firewall. Is their firewall the paid one, the 47 dollar one?
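The notice quoted in this thread can be read mechanically to settle the question the replies turn on: whether the blocked IP is sending the flood (the host is compromised and must be cleaned up) or receiving it (where the inbound firewall rules in the support reply apply). This is an added example, not code from the thread or from OVH/SoYouStart; the sample lines are constructed from the notice's format and the addresses it shows, and the 40-byte/fixed-source-port heuristic is a general observation about raw-socket flood tools, not something the page states.

```python
# Added example (not from the thread or from OVH): classify an 'Attack detail'
# abuse notice relative to our own IP: are we the flood's source or its target?
import re

# One packet line: "dateTime TZ srcIp:srcPort dstIp:dstPort protocol flags bytes reason"
LINE_RE = re.compile(r"^\S+ \S+ \S+ (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
                     r"(?P<proto>\S+) (?P<flags>\S+) (?P<bytes>\d+) (?P<reason>\S+)$")

# Constructed sample modelled on the notice quoted in the thread (which repeats
# the same line dozens of times; two copies are enough to exercise the logic).
SAMPLE = """Attack detail : 17Kpps/5Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
2016.07.18 21:43:20 CEST 51.255.105.202:156 121.207.227.9:7070 TCP SYN 40 ATTACK:TCP_SYN
"""

def parse_report(text):
    """Return one dict per packet line; banner and header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append({k: int(v) if k in ("sport", "dport", "bytes") else v
                            for k, v in m.groupdict().items()})
    return packets

def classify(text, my_ip):
    """Summarise direction, targets and SYN-flood hints relative to my_ip."""
    packets = parse_report(text)
    outbound = sum(p["src"] == my_ip for p in packets)
    inbound = sum(p["dst"] == my_ip for p in packets)
    # Which side of the flood is our IP on? That decides the response.
    direction = {(True, False): "outbound",  # our host sends it: host compromised
                 (False, True): "inbound",   # we are the target: filter upstream
                 (True, True): "mixed"}.get((outbound > 0, inbound > 0), "unknown")
    # 40-byte SYN = 20 B IPv4 + 20 B TCP with no options; a real OS stack typically
    # sends 52-60 B SYNs (MSS, SACK, timestamps). Bare 40 B SYNs from one fixed
    # source port are the signature of a raw-socket flood tool, not of real connects.
    bare_syn = sum(p["proto"] == "TCP" and p["flags"] == "SYN" and p["bytes"] == 40
                   for p in packets)
    hints = []
    if packets and bare_syn == len(packets):
        hints.append("all packets are minimal 40-byte SYNs")
    if len(packets) > 1 and len({p["sport"] for p in packets}) == 1:
        hints.append("single fixed source port")
    targets = sorted({f"{p['dst']}:{p['dport']}" for p in packets})
    return {"direction": direction, "packets": len(packets),
            "targets": targets, "hints": hints}
```

Run against the real notice, an "outbound" verdict means the tcpdump capture the support reply asks for should be taken to find the sending process, not to tune the inbound firewall.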