Hello,
The VR does process DNS queries, and if you're using cloud-init on VMs, the 
primary nameserver would be your VR IP. The VR is usually configured to forward 
the requested DNS queries to upstream servers, which are defined in the zone 
settings. So I guess one of the VMs should have gotten compromised, leading to 
the attack being generated. Usually the VR does SNAT, so the SNAT or STATICNAT 
IP becomes the source on the Internet (unless there is double NAT happening).


See if you can check the MAC address of that public IP from your uplinks. I've 
faced the same issue earlier, wherein one VR was holding one IP but for whatever 
reason the DB was updated as free. See 
https://github.com/apache/cloudstack/issues/6821. You should check in the DB for 
that IP. For me, I was able to get it using the API: I looked for routers and 
filtered the MAC address for that IP. Happens..

Is it safe for me to assume your zone is "Advanced"?


Thanks
Jayanth Reddy
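
The lookup described in the reply above (list routers through the API, then match the IP or MAC seen on the uplink), as an added example that is not part of the original thread. It assumes the JSON field names of CloudStack's listRouters response (publicip, publicmacaddress, nic[].ipaddress, nic[].macaddress), which should be checked against your version; all sample data is constructed.

```python
import json

# Constructed sample shaped like a CloudStack listRouters response (not real data).
SAMPLE = json.loads("""
{"listroutersresponse": {"count": 2, "router": [
  {"name": "r-101-VM", "state": "Running", "hostname": "kvm01",
   "publicip": "203.0.113.10", "publicmacaddress": "1e:00:aa:00:00:10",
   "nic": [{"traffictype": "Public", "ipaddress": "203.0.113.10", "macaddress": "1e:00:aa:00:00:10"},
           {"traffictype": "Guest", "ipaddress": "10.1.1.1", "macaddress": "02:00:aa:00:00:01"}]},
  {"name": "r-102-VM", "state": "Running", "hostname": "kvm02",
   "publicip": "203.0.113.20", "publicmacaddress": "1e:00:aa:00:00:20",
   "nic": [{"traffictype": "Public", "ipaddress": "203.0.113.20", "macaddress": "1e:00:aa:00:00:20"},
           {"traffictype": "Public", "ipaddress": "203.0.113.77", "macaddress": "1e:00:aa:00:00:77"}]}
]}}
""")

def norm_mac(mac):
    """Lower-case and strip separators so switch and API MAC formats compare equal."""
    return "".join(c for c in (mac or "").lower() if c in "0123456789abcdef")

def find_owner(doc, ip=None, mac=None):
    """Return (router, host, state, traffic type, ip, mac) for every NIC matching ip or mac."""
    body = doc.get("listroutersresponse", doc)  # accept wrapped or unwrapped output
    want_mac = norm_mac(mac)
    hits = []
    for r in body.get("router", []):
        nics = list(r.get("nic", []))
        # Some responses carry only the summary fields; treat them as one more NIC.
        nics.append({"traffictype": "Public", "ipaddress": r.get("publicip"),
                     "macaddress": r.get("publicmacaddress")})
        for n in nics:
            ip_hit = ip is not None and n.get("ipaddress") == ip
            mac_hit = bool(want_mac) and norm_mac(n.get("macaddress")) == want_mac
            hit = (r.get("name"), r.get("hostname"), r.get("state"),
                   n.get("traffictype"), n.get("ipaddress"), n.get("macaddress"))
            if (ip_hit or mac_hit) and hit not in hits:
                hits.append(hit)
    return hits

if __name__ == "__main__":
    # MAC as it might appear in an uplink switch's table (constructed value).
    for hit in find_owner(SAMPLE, mac="1E00.AA00.0077"):
        print(hit)
```

An empty result for an IP that the uplink still sees traffic from points at the stale-allocation case from the linked issue, where the database and the router disagree.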


________________________________
From: Granwille Strauss <granwi...@namhost.com.INVALID>
Sent: Friday, February 9, 2024 11:38:13 am
To: users@cloudstack.apache.org <users@cloudstack.apache.org>
Subject: DDOS Attacks from my virtual Router


Hei

My DC has just sent me notice that two of my IP addresses from the allocated 
subnets are responsible for amplifying DDOS attacks. One out of the two is my 
virtual router IP address. I was advised to firewall port 53 or deactivate 
recursive functions. Can you perhaps provide some insight on how this could be 
possible?

The second IP address, I see under the guest networks that it is "Allocated" 
but I have reviewed all my SystemVMs and all my virtual routers, none of them 
have that IP address assigned. Nor any VM instance either. It's assigned to 
something but I cannot tell what. Is there a better way for me to see what 
server/service uses this IP in Cloudstack, please?

--
Regards / Groete

 Granwille Strauss  //  Senior Systems Admin

e: granwi...@namhost.com
m: +264 81 323 1260
w: www.namhost.com


Namhost Internet Services (Pty) Ltd,

24 Black Eagle Rd, Hermanus, 7210, RSA

