Hi, Allocated means that it is assigned somewhere. You'll need to check the Public IP Address tab. Use the shared GH issue for exceptional case.
The VR does bind only on the internal network. No, manually updating packages on VRs and System VMs might produce strange results. Please provision them again. Thanks Get Outlook for Android<https://aka.ms/AAb9ysg> ________________________________ From: Granwille Strauss <granwi...@namhost.com> Sent: Friday, February 9, 2024 1:10:32 pm To: users@cloudstack.apache.org <users@cloudstack.apache.org> Cc: Wei ZHOU <ustcweiz...@gmail.com>; jayanthreddy5...@gmail.com <jayanthreddy5...@gmail.com> Subject: Re: DDOS Attacks from my virtual Router Hi Yes, I have Advanced network set up. I am going to check for the allocated IPs that have zero VMs associated via the DB and see what I can find. I see more than one that is "allocated" in different guest networks. However, I would appreciate any clues or tips, as I have barely touched CS database in my life. Then, the rvm does not seem to listen on a DNS server via port 53 only dnsmaq, could this not be the issue too? As explained in the blog I linked earlier? I am currently running a tcpdump for the day to see what happens so far the dump is not providing any hits, but keep in mind I did run apt-get update dnsmaq prior and rebooted the systemvms including router vms. On 2/9/24 09:23, Wei ZHOU wrote: +1 it looks like one of the VMs in the isolated network is compromised. try to capture the packets of port 53 (tcp/udp) by tcpdump in the virtual router, and see what is the source IP of the packets. -Wei On Fri, 9 Feb 2024 at 08:18, Jayanth Reddy <jayanthreddy5...@gmail.com><mailto:jayanthreddy5...@gmail.com> wrote: Hello, The VR does process DNS queries, and if you're using cloud-init on VMs, the primary nameserver would be your VR IP. VR is usually configured to forward the requested DNS queries to upstream servers which is defined in the zone settings. So I guess one of the VMs should have gotten compromised leading to generating of attack. Usually the VR does SNAT, so the SNAT or STATICNAT IP becomes the source on the Internet (unless there is double NAT happening) See if you can check the MAC address of that Public IP from your uplinks. I've faced the same issue earlier wherein one VR was holding one IP but for whatever reason db was updated as free. See this https://github.com/apache/cloudstack/issues/6821. You should check in DB for that IP. For me, I was able to get using the API, looked for routers and filtered the MAC address for that IP. Happens.. Is it safe for me to assume your zone is "Advanced"? Thanks Jayanth Reddy Get Outlook for Android<https://aka.ms/AAb9ysg><https://aka.ms/AAb9ysg> ________________________________ From: Granwille Strauss <granwi...@namhost.com.INVALID><mailto:granwi...@namhost.com.INVALID> Sent: Friday, February 9, 2024 11:38:13 am To: users@cloudstack.apache.org<mailto:users@cloudstack.apache.org> <users@cloudstack.apache.org><mailto:users@cloudstack.apache.org> Subject: DDOS Attacks from my virtual Router Hei My DC has just sent me notice that two of my IP addresses from the allocated subnets are responsible for amplifying DDOS attacks. One out of the two is my virtual router IP address. I was advised to firewall port 53 or deactivate recursive functions. Can you perhaps provide some in sight on how this could be possible? The second IP address, I see under the guest networks that it is "Allocated" but I have reviewed all my SystemVMs and all my virtual routers, none of them have that IP address assigned. Nor any VM instance either. Its assigned to something but I cannot tell what. Is there a better way for me to see what server/service uses this IP in Cloudstack, please. -- Regards / Groete [ https://www.adsigner.com/v1/s/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818/logo/621b3fa39fb210001f975298/cd2904ba-304d-4a49-bf33-cbe9ac76d929_248x-.png ]<https://www.namhost.com><https://www.namhost.com> Granwille Strauss // Senior Systems Admin e: granwi...@namhost.com<mailto:granwi...@namhost.com><mailto:granwi...@namhost.com><mailto:granwi...@namhost.com> m: +264 81 323 1260<tel:+264813231260><tel:+264813231260> w: www.namhost.com<http://www.namhost.com><https://www.namhost.com/><https://www.namhost.com/> [ https://www.adsigner.com/v1/s/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818/social_icon_01/621b3fa39fb210001f975298/9151954b-b298-41aa-89c8-1d68af075373_48x48.png ]<https://www.facebook.com/namhost><https://www.facebook.com/namhost> [ https://www.adsigner.com/v1/s/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818/social_icon_02/621b3fa39fb210001f975298/85a9dc7c-7bd1-4958-85a9-e6a25baeb028_48x48.png] <https://twitter.com/namhost><https://twitter.com/namhost> [ https://www.adsigner.com/v1/s/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818/social_icon_03/621b3fa39fb210001f975298/c1c5386c-914c-43cf-9d37-5b4aa8e317ab_48x48.png] <https://www.instagram.com/namhostinternetservices/><https://www.instagram.com/namhostinternetservices/> [ https://www.adsigner.com/v1/s/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818/social_icon_04/621b3fa39fb210001f975298/3aaa7968-130e-48ec-821d-559a332cce47_48x48.png] <https://www.linkedin.com/company/namhos><https://www.linkedin.com/company/namhos> [ https://www.adsigner.com/v1/s/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818/social_icon_05/621b3fa39fb210001f975298/3a8c09e6-588f-43a8-acfd-be4423fd3fb6_48x48.png] <https://www.youtube.com/channel/UCTd5v-kVPaic_dguGur15AA><https://www.youtube.com/channel/UCTd5v-kVPaic_dguGur15AA> [ https://www.adsigner.com/v1/i/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818/banner/940x300 ]< https://www.adsigner.com/v1/l/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818/banner Namhost Internet Services (Pty) Ltd, 24 Black Eagle Rd, Hermanus, 7210, RSA The content of this message is confidential. If you have received it by mistake, please inform us by email reply and then delete the message. It is forbidden to copy, forward, or in any way reveal the contents of this message to anyone without our explicit consent. The integrity and security of this email cannot be guaranteed over the Internet. Therefore, the sender will not be held liable for any damage caused by the message. For our full privacy policy and disclaimers, please go to https://www.namhost.com/privacy-policy [Powered by AdSigner]< https://www.adsigner.com/v1/c/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818 -- Regards / Groete [https://www.adsigner.com/v1/s/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818/logo/621b3fa39fb210001f975298/cd2904ba-304d-4a49-bf33-cbe9ac76d929_248x-.png]<https://www.namhost.com> Granwille Strauss // Senior Systems Admin e: granwi...@namhost.com<mailto:granwi...@namhost.com> m: +264 81 323 1260<tel:+264813231260> w: www.namhost.com<https://www.namhost.com/> [https://www.adsigner.com/v1/s/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818/social_icon_01/621b3fa39fb210001f975298/9151954b-b298-41aa-89c8-1d68af075373_48x48.png]<https://www.facebook.com/namhost> [https://www.adsigner.com/v1/s/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818/social_icon_02/621b3fa39fb210001f975298/85a9dc7c-7bd1-4958-85a9-e6a25baeb028_48x48.png] <https://twitter.com/namhost> [https://www.adsigner.com/v1/s/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818/social_icon_03/621b3fa39fb210001f975298/c1c5386c-914c-43cf-9d37-5b4aa8e317ab_48x48.png] <https://www.instagram.com/namhostinternetservices/> [https://www.adsigner.com/v1/s/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818/social_icon_04/621b3fa39fb210001f975298/3aaa7968-130e-48ec-821d-559a332cce47_48x48.png] <https://www.linkedin.com/company/namhos> [https://www.adsigner.com/v1/s/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818/social_icon_05/621b3fa39fb210001f975298/3a8c09e6-588f-43a8-acfd-be4423fd3fb6_48x48.png] <https://www.youtube.com/channel/UCTd5v-kVPaic_dguGur15AA> [https://www.adsigner.com/v1/i/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818/banner/940x300]<https://www.adsigner.com/v1/l/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818/banner> Namhost Internet Services (Pty) Ltd, 24 Black Eagle Rd, Hermanus, 7210, RSA The content of this message is confidential. If you have received it by mistake, please inform us by email reply and then delete the message. It is forbidden to copy, forward, or in any way reveal the contents of this message to anyone without our explicit consent. The integrity and security of this email cannot be guaranteed over the Internet. Therefore, the sender will not be held liable for any damage caused by the message. For our full privacy policy and disclaimers, please go to https://www.namhost.com/privacy-policy [Powered by AdSigner]<https://www.adsigner.com/v1/c/631091998d4670001fe43ec2/621c9b76c140bb001ed0f818>
