+1, it looks like one of the VMs in the isolated network is compromised. Try to capture the packets on port 53 (tcp/udp) with tcpdump in the virtual router, and see what the source IP of the packets is.
-Wei

On Fri, 9 Feb 2024 at 08:18, Jayanth Reddy <jayanthreddy5...@gmail.com> wrote:
> Hello,
> The VR does process DNS queries, and if you're using cloud-init on VMs,
> the primary nameserver would be your VR IP. VR is usually configured to
> forward the requested DNS queries to upstream servers which is defined in
> the zone settings. So I guess one of the VMs should have gotten compromised
> leading to generating of attack. Usually the VR does SNAT, so the SNAT or
> STATICNAT IP becomes the source on the Internet (unless there is double NAT
> happening)
>
> See if you can check the MAC address of that Public IP from your uplinks.
> I've faced the same issue earlier wherein one VR was holding one IP but for
> whatever reason db was updated as free. See this
> https://github.com/apache/cloudstack/issues/6821. You should check in DB
> for that IP. For me, I was able to get using the API, looked for routers
> and filtered the MAC address for that IP. Happens..
>
> Is it safe for me to assume your zone is "Advanced"?
>
> Thanks
> Jayanth Reddy
>
> ________________________________
> From: Granwille Strauss <granwi...@namhost.com.INVALID>
> Sent: Friday, February 9, 2024 11:38:13 am
> To: users@cloudstack.apache.org <users@cloudstack.apache.org>
> Subject: DDOS Attacks from my virtual Router
>
> > Hei
> >
> > My DC has just sent me notice that two of my IP addresses from the
> > allocated subnets are responsible for amplifying DDOS attacks. One out of
> > the two is my virtual router IP address. I was advised to firewall port 53
> > or deactivate recursive functions. Can you perhaps provide some insight on
> > how this could be possible?
> >
> > The second IP address, I see under the guest networks that it is
> > "Allocated" but I have reviewed all my SystemVMs and all my virtual
> > routers, none of them have that IP address assigned. Nor any VM instance
> > either. It's assigned to something but I cannot tell what.
> > Is there a better way for me to see what server/service uses this IP in
> > Cloudstack, please.
> >
> > --
> > Regards / Groete
> >
> > Granwille Strauss // Senior Systems Admin
> >
> > e: granwi...@namhost.com
> > m: +264 81 323 1260
> > w: www.namhost.com
> >
> > Namhost Internet Services (Pty) Ltd,
> > 24 Black Eagle Rd, Hermanus, 7210, RSA
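Wei's tcpdump suggestion carried through as an added example; this is not code from the thread or from CloudStack. It is a POSIX shell function that reads tcpdump's text output for port 53 on the VR and reports, per source IP, how many DNS queries it sent and how many of those were ANY queries (the query type commonly abused in amplification). The interface name eth0 and the 10.1.1.0/24 guest addresses are assumptions, and the capture lines embedded in the script are constructed sample data so it runs offline.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from CloudStack itself.
# Summarise which source IPs are sending DNS queries through a virtual router,
# so a compromised guest VM can be identified. The interface name (eth0) and
# the 10.1.1.0/24 guest range are assumptions for illustration.
#
# Live use on the VR (assumed interface name):
#   tcpdump -nn -l -i eth0 'port 53' | top_dns_query_sources

# Print one line per source IP: "<queries> <ANY queries> <ip>", most active first.
# Expects tcpdump's default IPv4 text output with -nn (no name/port resolution).
top_dns_query_sources() {
    awk '
        # Query lines carry the type followed by "?" (e.g. "A?", "ANY?");
        # response lines carry an answer count like "1/0/0" instead.
        $2 == "IP" && $0 ~ /[A-Z]+\? / {
            src = $3
            sub(/\.[0-9]+$/, "", src)        # strip ".port" from "ip.port"
            queries[src]++
            if ($0 ~ / ANY\? /) any[src]++   # ANY: type commonly abused for amplification
        }
        END {
            for (ip in queries)
                printf "%d %d %s\n", queries[ip], any[ip] + 0, ip
        }
    ' | sort -rn
}

# Returns only the busiest source line, for a quick first look.
busiest_dns_source() {
    top_dns_query_sources | head -n 1
}

# Constructed sample capture (not real traffic): one guest repeatedly sending
# ANY queries, another doing a normal A lookup, plus the VR's replies.
SAMPLE_CAPTURE='12:00:01.000001 IP 10.1.1.23.51234 > 10.1.1.1.53: 12345+ ANY? example.net. (29)
12:00:01.000002 IP 10.1.1.1.53 > 10.1.1.23.51234: 12345 12/0/0 A 192.0.2.10 (1190)
12:00:01.000003 IP 10.1.1.23.51235 > 10.1.1.1.53: 12346+ ANY? example.net. (29)
12:00:01.000004 IP 10.1.1.23.51236 > 10.1.1.1.53: 12347+ ANY? example.net. (29)
12:00:01.000005 IP 10.1.1.42.40001 > 10.1.1.1.53: 5001+ A? example.com. (29)
12:00:01.000006 IP 10.1.1.1.53 > 10.1.1.42.40001: 5001 1/0/0 A 192.0.2.20 (45)
12:00:01.000007 IP 10.1.1.23.51237 > 10.1.1.1.53: 12348+ ANY? example.net. (29)'

# Demo on the constructed capture: 10.1.1.23 shows up first with 4 queries, all ANY.
printf '%s\n' "$SAMPLE_CAPTURE" | top_dns_query_sources
```

If the sources are guest IPs, as in the sample, the top entry points at the VM to isolate. If the capture on the VR's public interface instead shows public addresses as sources, the VR is answering outside queries as an open resolver, and the port-53 firewalling that Granwille's DC recommended is the right fix on that side.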