Ask Your Question
0

I captured what I believe is an unpatchable attack [closed]

asked 2019-11-17 05:06:42 +0000

Attached is the pcap file form which I captured the attack, the attack is on source port 80 and it literally has downed my VPN and it keeps me from doing anything it kills all program connections if anyone can help me fix this please reply to the thread or contact me at [email protected] THank you to anyone who trys to help!

edit retag flag offensive reopen merge delete

Closed for the following reason the question is answered, right answer was accepted by SuicideLinux
close date 2019-11-19 06:39:24.304096

Comments

You'd have to provide the capture through some public file sharing site. And the type of VPN service would be nice to know too.

Jaap gravatar imageJaap ( 2019-11-17 07:01:55 +0000 )edit

https://drive.google.com/file/d/1mYjn...
I was using an OVH i have a ton of iptables and internal firewall rules setup but this still bypasses it.

SuicideLinux gravatar imageSuicideLinux ( 2019-11-17 07:07:02 +0000 )edit

Was the capture file modified (anonymized) or is it as captured?

bubbasnmp gravatar imagebubbasnmp ( 2019-11-17 18:35:16 +0000 )edit

I only modified to the capture beginning and ending of the attack this is from my vpn.

SuicideLinux gravatar imageSuicideLinux ( 2019-11-17 18:49:57 +0000 )edit

What is the topology?
Does the VPN server belong to the ISP or are you hosting your own VPN server?
Where was the capture done?

bubbasnmp gravatar imagebubbasnmp ( 2019-11-17 20:03:38 +0000 )edit

3 Answers

Sort by ยป oldest newest most voted
2

answered 2019-11-17 17:09:39 +0000

grahamb gravatar image

Looks to me like a SYN-ACK reflection attack, an inefficient form of DDOS. Some recent analysis of such attacks from Akamai can be found here.

Like most DDOS attacks this requires upstream support to mitigate. If only network operators would prevent spoofed IP source packets from egressing their network life would be much easier.

edit flag offensive delete link more

Comments

So from you perspective what should I do to gry this taken care of? Because this seems to be like a killall method people are using

SuicideLinux gravatar imageSuicideLinux ( 2019-11-17 18:50:41 +0000 )edit
1

answered 2019-11-17 20:14:04 +0000

Eddi gravatar image

Hello SuicideLinux

As Graham pointed out this is a DDoS Attack that can be mitigated by your provider. The target IP address of the attack shown in your trace file puts you into group of OVH customers.

I am pretty sure that they have some type of device to block this attack. A method would be a device called "Peakflow", made by Arbor Networks, now Netscout. One method to deflect this type of attack with the Peakflow is the SYN-Cookie feature. Once activated the Peakflow would filter incoming traffic to your host and make sure that only those SYNs are forwarded that are answered by an ACK.

Please note that a DDoS protection service like this is usually subject to an additional charge.

Good Luck! Eddi

edit flag offensive delete link more
0

answered 2019-11-17 21:25:35 +0000

bubbasnmp gravatar image

The IP address being attacked in the capture looks like it is the VPS address at OVH.
Here is their guide to protect the VPS with Anti-DDoS:
https://docs.ovh.com/gb/en/dedicated/...

edit flag offensive delete link more

Question Tools

1 follower

Stats

Asked: 2019-11-17 05:06:42 +0000

Seen: 87 times

Last updated: Nov 17