DNS Attack - Please help

Support for security such as Firewalls and securing linux
agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: DNS Attack - Please help

Post by agriz » 2015/06/14 11:59:13

TrevorH wrote: Then exclude the changed ssh port in my command to the one you used.

I changed that ethX to enp3s3.
It keeps running. I can't even read anything, it is very fast.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: DNS Attack - Please help

Post by TrevorH » 2015/06/14 12:01:15

Now Ctrl-C it and look at the scroll back for similarities in the packets arriving. Pick out the IP address and the ports involved and see if you can see what is being exploited.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: DNS Attack - Please help

Post by agriz » 2015/06/14 12:07:04

TrevorH wrote: Now Ctrl-C it and look at the scroll back for similarities in the packets arriving. Pick out the IP address and the ports involved and see if you can see what is being exploited.


17:28:24.984795 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 36201, win 340, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984818 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 37649, win 352, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984825 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 39097, win 363, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984888 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 40545, win 374, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984900 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 41993, win 386, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984908 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 43441, win 397, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984914 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 44889, win 408, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984921 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 46337, win 420, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984928 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 47785, win 431, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984943 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 49233, win 442, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984951 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 50681, win 453, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984958 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 52129, win 465, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984992 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 53577, win 476, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985003 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 55025, win 487, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985041 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 56473, win 499, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985095 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 57921, win 510, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985108 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 59369, win 521, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985115 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 60817, win 533, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985123 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 62265, win 544, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985130 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 63713, win 555, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985201 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 65161, win 567, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985246 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 66609, win 578, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985295 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 68057, win 589, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985306 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 69505, win 601, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985350 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 71537, win 616, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0



17:28:25.094181 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 20360, win 48100, length 0
17:28:25.094211 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [P.], seq 30760:33360, ack 2964, win 161, length 2600
17:28:25.094219 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 22960, win 45500, length 0
17:28:25.094225 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 25560, win 49400, length 0
17:28:25.094254 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [.], seq 33360:35960, ack 2964, win 161, length 2600
17:28:25.094263 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [.], seq 35960:38560, ack 2964, win 161, length 2600
17:28:25.094268 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [.], seq 38560:41160, ack 2964, win 161, length 2600
17:28:25.094288 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 28160, win 46800, length 0
17:28:25.094307 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [.], seq 41160:43760, ack 2964, win 161, length 2600
17:28:25.094320 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 30760, win 50700, length 0
17:28:25.094333 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [.], seq 43760:46360, ack 2964, win 161, length 2600
17:28:25.094376 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [.], seq 46360:48960, ack 2964, win 161, length 2600
17:28:25.113383 IP 59.88.215.39.49672 > MY_IP_ADDRESS.80: Flags [.], ack 47227, win 256, options [nop,nop,sack 1 {50067:51487}], length 0
17:28:25.113438 IP MY_IP_ADDRESS.80 > 59.88.215.39.49672: Flags [.], seq 51487:52907, ack 1356, win 140, length 1420
17:28:25.304064 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 33360, win 50700, length 0
17:28:25.304099 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [.], seq 48960:51560, ack 2964, win 161, length 2600
17:28:25.304104 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [P.], seq 51560:51847, ack 2964, win 161, length 287
17:28:25.304106 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 35960, win 48100, length 0
17:28:25.304110 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 38560, win 45500, length 0
17:28:25.304215 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 41160, win 49400, length 0
17:28:25.304227 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 43760, win 46800, length 0
17:28:25.304232 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 46360, win 50700, length 0
17:28:25.304236 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 48960, win 48100, length 0
17:28:25.431556 IP 59.88.215.39.49672 > MY_IP_ADDRESS.80: Flags [.], ack 47227, win 256, options [nop,nop,sack 1 {50067:52907}], length 0
17:28:25.431592 IP MY_IP_ADDRESS.80 > 59.88.215.39.49672: Flags [.], seq 47227:48647, ack 1356, win 140, length 1420
17:28:25.473926 IP 117.208.147.130.34575 > MY_IP_ADDRESS.80: Flags [F.], seq 1720, ack 127688, win 9256, options [nop,nop,TS val 30366065 ecr 3762497801], length 0
17:28:25.474006 IP MY_IP_ADDRESS.80 > 117.208.147.130.34575: Flags [F.], seq 127688, ack 1721, win 141, options [nop,nop,TS val 3762504591 ecr 30366065], length 0
17:28:25.514905 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 51560, win 48100, length 0
17:28:25.534503 ARP, Request who-has 108.61.46.219 tell 108.61.46.217, length 46
17:28:25.581484 IP MY_IP_ADDRESS.80 > 69.171.230.119.45643: Flags [F.], seq 961950923, ack 2179729382, win 122, options [nop,nop,TS val 3762504699 ecr 1515591276], length 0
17:28:25.616973 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 51847, win 50700, length 0
17:28:25.669459 IP 69.171.230.119.45643 > MY_IP_ADDRESS.80: Flags [F.], seq 1, ack 1, win 612, options [nop,nop,TS val 1515666275 ecr 3762504699], length 0
17:28:25.669496 IP MY_IP_ADDRESS.80 > 69.171.230.119.45643: Flags [.], ack 2, win 122, options [nop,nop,TS val 3762504787 ecr 1515666275], length 0
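Reading a listing like the one above by eye is hard once the scroll back runs to thousands of lines, which is what TrevorH's "pick out the IP address and the ports involved" comes down to. The script below is an added example for this thread, not code from the forum or from tcpdump: it parses `tcpdump -nn` text lines, groups inbound packets by source address, and applies two heuristics a practitioner would reach for first, a source sending mostly bare SYNs to one port (half-open flood) versus a source spraying SYNs over many ports (scan). Everything in the posted listing is ACK/PSH/FIN traffic on established connections and trips neither. The placeholder `MY_IP_ADDRESS`, the interface `enp3s3` and the ssh-port exclusion follow the thread; the sample input reuses a few lines from the listing above and adds invented packets from the RFC 5737 test addresses 198.51.100.7 and 203.0.113.9, labelled as constructed in the code, so the heuristics have something to catch.

```python
#!/usr/bin/env python3
"""Triage a tcpdump -nn text listing: which sources are talking, to which ports,
and whether any of them looks like a flood or a scan rather than web traffic.

Added example for this thread, not code from the forum or from tcpdump.
Feed it the listing on stdin, e.g.
    tcpdump -nn -i enp3s3 not port 22 | python3 triage.py
(interface name and ssh-port exclusion as used in the thread), or a saved file.
"""
import re
import sys
from collections import defaultdict

# One tcpdump -nn TCP line, e.g.
# 17:28:24.984795 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 36201, ..., length 0
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*\blength (?P<len>\d+)"
)


def parse_line(line):
    """Fields of one TCP line, or None for ARP, UDP and anything else."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    for k in ("sport", "dport", "len"):
        p[k] = int(p[k])
    return p


def summarize(lines, local="MY_IP_ADDRESS"):
    """Per-source counters for packets addressed to `local` (own address as tcpdump prints it)."""
    per_src = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn_only": 0, "dports": set()})
    for line in lines:
        p = parse_line(line)
        if p is None or p["dst"] != local:
            continue                      # outbound replies and non-TCP noise
        s = per_src[p["src"]]
        s["packets"] += 1
        s["bytes"] += p["len"]
        s["dports"].add(p["dport"])
        if p["flags"] == "S":             # bare SYN: handshake never completed
            s["syn_only"] += 1
    return dict(per_src)


def flag_suspicious(summary, min_packets=5, syn_ratio=0.5, max_ports=5):
    """Heuristics: SYNs spread over many ports looks like a scan; mostly bare SYNs
    to few ports looks like a SYN flood. Established ACK/PSH/FIN traffic, like
    everything in the thread's listing, trips neither."""
    verdicts = {}
    for src, s in summary.items():
        if s["packets"] < min_packets:
            continue
        if len(s["dports"]) > max_ports:
            verdicts[src] = "port-scan"
        elif s["syn_only"] / s["packets"] >= syn_ratio:
            verdicts[src] = "syn-flood"
    return verdicts


# Constructed sample: the first six lines are copied from the listing in the thread
# (MY_IP_ADDRESS placeholder kept). The RFC 5737 test addresses 198.51.100.7 and
# 203.0.113.9 and their packets are invented here to show what bad traffic looks like.
FROM_THREAD = [
    "17:28:24.984795 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 36201, win 340, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0",
    "17:28:24.984818 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 37649, win 352, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0",
    "17:28:25.094181 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 20360, win 48100, length 0",
    "17:28:25.094211 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [P.], seq 30760:33360, ack 2964, win 161, length 2600",
    "17:28:25.473926 IP 117.208.147.130.34575 > MY_IP_ADDRESS.80: Flags [F.], seq 1720, ack 127688, win 9256, options [nop,nop,TS val 30366065 ecr 3762497801], length 0",
    "17:28:25.534503 ARP, Request who-has 108.61.46.219 tell 108.61.46.217, length 46",
]
FLOOD = [f"17:28:26.{i:06d} IP 198.51.100.7.{40000 + i} > MY_IP_ADDRESS.80: Flags [S], seq 0, win 1024, length 0"
         for i in range(6)]
SCAN = [f"17:28:27.{i:06d} IP 203.0.113.9.51000 > MY_IP_ADDRESS.{port}: Flags [S], seq 0, win 1024, length 0"
        for i, port in enumerate((21, 22, 23, 25, 80, 443))]
SAMPLE_LINES = FROM_THREAD + FLOOD + SCAN


def report(lines, local="MY_IP_ADDRESS"):
    """Text table sorted by packet count, with the heuristic verdicts."""
    summary = summarize(lines, local)
    verdicts = flag_suspicious(summary)
    rows = ["%-16s %8s %8s %6s %6s %s" % ("source", "packets", "bytes", "syn", "ports", "verdict")]
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1]["packets"]):
        rows.append("%-16s %8d %8d %6d %6d %s" % (src, s["packets"], s["bytes"], s["syn_only"],
                                                   len(s["dports"]), verdicts.get(src, "")))
    return "\n".join(rows)


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    local = sys.argv[2] if len(sys.argv) > 2 else "MY_IP_ADDRESS"
    print(report(source, local))
```

On a real capture pass your own address as the second argument, because tcpdump prints it instead of the `MY_IP_ADDRESS` placeholder; the top rows of the table are the addresses worth feeding to `whois`. The thresholds are starting points, not signatures: a busy legitimate client also sends many packets, so the flags and the number of distinct ports matter more than the raw count.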



TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: DNS Attack - Please help

Post by TrevorH » 2015/06/14 12:26:13

All you're showing there is port 80 (http) traffic from facebook, vodafone and similar places. The whois command (part of the jwhois package) can look up ip addresses and tell you who they are registered to.

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: DNS Attack - Please help

Post by agriz » 2015/06/14 12:35:19

Sir,

It is either port 80 or 443.
I can't find any other port.

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: DNS Attack - Please help

Post by agriz » 2015/06/14 12:51:05

609759 packets received by filter
600282 packets dropped by kernel

Sir, what do those numbers mean?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: DNS Attack - Please help

Post by TrevorH » 2015/06/14 15:20:11

It tells you how many packets were captured by tcpdump while it was running.

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: DNS Attack - Please help

Post by agriz » 2015/06/14 15:30:03

TrevorH wrote: It tells you how many packets were captured by tcpdump while it was running.
No sir,

I mean does it tell anything about the attack?
Is it normal or huge number?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: DNS Attack - Please help

Post by TrevorH » 2015/06/14 15:32:16

I saw no evidence of an attack in the packet listing you posted. All packets looked like normal web traffic from facebook etc.

As to whether that's a 'normal' number of packets, that would depend on how long you had it running for. If it was 680k packets in 10 seconds then that's quite some traffic, if it was 10 hours then it's not.
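One thing the counters posted earlier in the thread do say, independent of run length: on Linux, tcpdump's "packets received by filter" counts every packet that matched the filter, including the ones the kernel then dropped because tcpdump, busy formatting text for a terminal, was not reading its buffer fast enough. With 600282 of 609759 dropped, the listing on screen covered only 9477 packets, about 1.5 % of what arrived, so it is a thin sample of whatever is going on. The script below is an added example for this thread, not code from the forum or from tcpdump: it reads the closing counters, reports the drop ratio and the packets-per-second rate for a given run length, and builds a tcpdump command line that avoids the drops by using a larger kernel buffer, a short snaplen and a pcap file instead of terminal output. The 5-second duration in the demo is the run length agriz says he will use next and is an assumption here, as is the ssh port 2222 used only as a placeholder in the generated command.

```python
#!/usr/bin/env python3
"""Read tcpdump's closing counters and say whether the capture can be trusted.

Added example for this thread, not code from the forum or from tcpdump.
Assumes tcpdump on Linux, where "packets received by filter" includes the
packets the kernel later dropped, so the number of packets tcpdump actually
showed is received minus dropped.
"""
import re
import shlex
import sys

# The two (on newer tcpdump, three) summary lines printed at exit.
COUNTER = re.compile(r"^\s*(\d+) packets? (captured|received by filter|dropped by kernel)\s*$")


def parse_counters(text):
    """Return {'captured': n, 'received': n, 'dropped': n}; missing lines count as 0."""
    out = {"captured": 0, "received": 0, "dropped": 0}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            key = m.group(2).split()[0]      # captured / received / dropped
            out[key] = int(m.group(1))
    return out


def assess(counters, duration_s, max_drop_ratio=0.05):
    """Packets per second that reached the filter, how many tcpdump really showed,
    and whether the printed listing is representative (drop ratio at or under 5 %)."""
    received, dropped = counters["received"], counters["dropped"]
    seen = received - dropped
    drop_ratio = dropped / received if received else 0.0
    return {
        "seen": seen,
        "drop_ratio": drop_ratio,
        "pps": received / duration_s,
        "reliable": drop_ratio <= max_drop_ratio,
    }


def capture_command(interface, ssh_port, seconds, outfile, buffer_kib=65536):
    """tcpdump invocation that avoids the drops: big kernel buffer (-B, in KiB),
    headers only (-s 96), raw packets written to a file (-w) rather than
    formatted on a terminal. `timeout` from coreutils ends the run after `seconds`."""
    argv = ["timeout", f"{seconds}s", "tcpdump", "-nn", "-i", interface,
            "-B", str(buffer_kib), "-s", "96", "-w", outfile,
            "not", "port", str(ssh_port)]
    return shlex.join(argv)


# The counters posted in the thread. The 5 s duration is an assumption (the run
# length agriz said he would use next); the counters themselves do not record it.
POSTED = "609759 packets received by filter\n600282 packets dropped by kernel\n"


def demo(duration_s=5):
    return assess(parse_counters(POSTED), duration_s)


if __name__ == "__main__":
    # usage: python3 capstats.py <duration_seconds> < counters.txt
    seconds = float(sys.argv[1]) if len(sys.argv) > 1 else 5.0
    text = sys.stdin.read() if not sys.stdin.isatty() else POSTED
    r = assess(parse_counters(text), seconds)
    print(f"seen {r['seen']} packets, dropped {r['drop_ratio']:.1%}, "
          f"{r['pps']:.0f} packets/s, listing reliable: {r['reliable']}")
    print("next time:", capture_command("enp3s3", 2222, int(seconds), "/tmp/cap.pcap"))
```

Read the resulting file back with `tcpdump -nn -r /tmp/cap.pcap` and sort that output rather than the live terminal listing; reading from a file reproduces the packets in full and the counters at the end of the file run show zero drops, so the per-source counts then mean something.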

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: DNS Attack - Please help

Post by agriz » 2015/06/14 15:34:13

It is not a busy site, sir.
I will run that command again for five seconds and post the count again.
