Security Guidance
- Subject: Security Guidance
- From: nanog at lacutt.com (LaDerrick H.)
- Date: Tue, 23 Feb 2010 14:45:05 -0600
- In-reply-to: <[email protected]>
- References: <[email protected]>
On Tue, Feb 23, 2010 at 02:46:54PM -0500, Paul Stewart wrote:
> Hi folks...
>
> We have a strange series of events going on in the past while.... Brief
> history here, looking for input from the community - especially some of
> the security folks on here.
>
> We provide web hosting services - one of our hosting boxes was found a
> while back with root kits installed, unpatched software and lots of
> other "goodies". With some staff changes in place (don't think I need
> to elaborate on that) we are trying to clean up several issues including
> this particular server. A new server was provisioned, patched, and
> deployed. User data was moved over and now the same issue is coming
> back....
>
> The problem is that a user on this box appears to be launching high-
> traffic DoS attacks from it towards other sites. These are UDP-based
> floods that move around from time to time - most of these attacks only
> last a few minutes.
Counting outbound UDP bytes and packets can help spot anomalies.
Something like this would help, but may be unwieldy if you have thousands
of users on a single box:
WANIF=eth0
userlist="userA userB user..."
# one empty chain per user; the packet/byte counters on the jump rule
# into it are that user's outbound UDP totals
for i in ${userlist}
do
    iptables -N "${i}_UDP"
    iptables -I OUTPUT -o "${WANIF}" -p udp -m owner --uid-owner "${i}" -j "${i}_UDP"
done
Then look at counters with:
iptables -nvL OUTPUT | grep _UDP | sort.......
I wouldn't leave this in place full-time for thousands of accounts
though without attempting to measure the impact on network performance.
>
> I've done tcpdumps within seconds of the attack starting and to date
> been unable to find the source of this attack (we know the server,
> just not sure which customer it is on the server that's been
> compromised). Several hours of scanning for php, cgi, pl type files
> have been wasted and come up nowhere...
>
> It's been suggested to dump IDS in front of this box and I know I'll
> get some feedback positive and negative in that aspect.
>
> What tools/practices do others use to resolve this issue? It's a
> CentOS 5.4 box running the latest Plesk control panel.
>
> Typically we have found it easy to track down the offending script or
> program - this time hasn't been easy at all...
>
> Thanks,
>
> Paul
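As an added example (not code from the original reply), here is the per-user outbound UDP accounting suggested above, split so that the part that needs root (creating the chains) is only printed, and the part that reads the counters can be exercised offline. The interface name, user names, byte threshold and the counter listing are all assumptions; the listing is constructed in the layout of `iptables -nvxL OUTPUT`, not captured from a real host.

```shell
#!/bin/sh
# Added example for the per-user UDP counter idea in the reply above.
# Not from the original post; eth0, the user names and SAMPLE_LISTING
# are assumptions / constructed data.

# Print (not run) the iptables commands that create one empty chain per
# user and insert a jump into it at the top of OUTPUT.  Only the jump
# rule's packet/byte counters are used; the chain itself stays empty.
# Pipe the output into sh on the real host as root.
gen_udp_counter_rules() {
    wanif=$1
    shift
    for u in "$@"; do
        printf 'iptables -N %s_UDP\n' "$u"
        printf 'iptables -I OUTPUT -o %s -p udp -m owner --uid-owner %s -j %s_UDP\n' \
            "$wanif" "$u" "$u"
    done
}

# Read `iptables -nvxL OUTPUT` on stdin (-x prints exact counts instead
# of 2100K) and print "user bytes packets", largest byte count first.
# Only rows whose target ends in _UDP are our per-user jump rules.
rank_udp_counters() {
    awk '$3 ~ /_UDP$/ { sub(/_UDP$/, "", $3); print $3, $2, $1 }' | sort -k2,2nr
}

# Read ranked rows on stdin and print the users above a byte threshold.
flag_udp_talkers() {
    awk -v t="$1" '$2 > t { print $1 }'
}

# Constructed sample listing in the layout of `iptables -nvxL OUTPUT`.
# userC is the flood source; userA is a quiet account for contrast.
SAMPLE_LISTING='Chain OUTPUT (policy ACCEPT 48213 packets, 6120033 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1500    2100000 userB_UDP  udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            owner UID match 1002
      12       1840 userA_UDP  udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            owner UID match 1001
    9800  135000000 userC_UDP  udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            owner UID match 1003
     300      45000 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0'

# Stand-alone run: show the rules for three users, rank the sample
# counters, then list users above 1 MB of outbound UDP.
gen_udp_counter_rules eth0 userA userB userC
printf '%s\n' "$SAMPLE_LISTING" | rank_udp_counters
printf '%s\n' "$SAMPLE_LISTING" | rank_udp_counters | flag_udp_talkers 1000000
```

Two caveats when using this on a real host. The owner match only sees locally generated packets, which is exactly the OUTPUT-chain case here, and a long username plus the `_UDP` suffix can exceed the chain-name length limit, so shorten the suffix if `iptables -N` refuses it. More importantly, the counters attribute traffic by uid, so if customer scripts run under the web server's own uid (mod_php style) rather than per-customer uids (suexec/FastCGI style), every customer's flood will show up under one shared account and this will only tell you it came from the web server, not which site.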