Attached is the pcap file form which I captured the attack, the attack is on source port 80 and it literally has downed my VPN and it keeps me from doing anything it kills all program connections if anyone can help me fix this please reply to the thread or contact me at [email protected] THank you to anyone who trys to help!
Looks to me like a SYN-ACK reflection attack, an inefficient form of DDOS. Some recent analysis of such attacks from Akamai can be found here.
Like most DDOS attacks this requires upstream support to mitigate. If only network operators would prevent spoofed IP source packets from egressing their network life would be much easier.
So from you perspective what should I do to gry this taken care of? Because this seems to be like a killall method people are using
Hello SuicideLinux
As Graham pointed out this is a DDoS Attack that can be mitigated by your provider. The target IP address of the attack shown in your trace file puts you into group of OVH customers.
I am pretty sure that they have some type of device to block this attack. A method would be a device called "Peakflow", made by Arbor Networks, now Netscout. One method to deflect this type of attack with the Peakflow is the SYN-Cookie feature. Once activated the Peakflow would filter incoming traffic to your host and make sure that only those SYNs are forwarded that are answered by an ACK.
Please note that a DDoS protection service like this is usually subject to an additional charge.
Good Luck! Eddi
The IP address being attacked in the capture looks like it is the VPS address at OVH.
Here is their guide to protect the VPS with Anti-DDoS:
https://docs.ovh.com/gb/en/dedicated/...
Asked: 2019-11-17 05:06:42 +0000
Seen: 1,471 times
Last updated: Nov 17 '19
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
You'd have to provide the capture through some public file sharing site. And the type of VPN service would be nice to know too.
https://drive.google.com/file/d/1mYjn...
I was using an OVH i have a ton of iptables and internal firewall rules setup but this still bypasses it.
Was the capture file modified (anonymized) or is it as captured?
I only modified to the capture beginning and ending of the attack this is from my vpn.
What is the topology?
Does the VPN server belong to the ISP or are you hosting your own VPN server?
Where was the capture done?