Update:

So since I ran updates for dnsmasq in all system VMs, the issue seems to be solved. Our DC hasn't complained again. So it seems the VM templates need an update?

On 2/9/24 10:29, Jayanth Reddy wrote:
Please capture on 53/UDP as most of the DNS stack uses UDP by default.

I looked at the screenshot. No NAME means that the IP hasn't undergone static NAT 
to a VM, which is okay, wherein perhaps there could be port forwards or a Load 
Balancer instead. The VR should assign the IP on its interface if it is 
acquired in the network. If I may ask, how are you concluding that IPs are 
unassigned elsewhere? Have you performed basic reachability tests? Your case 
could be one of the below:

1. That IP could be SNAT for that network.
2. Or there was an assignment to one of the VMs previously as STATIC NAT and 
later released. Please check your events.

Get Outlook for Android<https://aka.ms/AAb9ysg>

________________________________
From: Granwille Strauss<granwi...@namhost.com>
Sent: Friday, February 9, 2024 1:40:05 pm
To:users@cloudstack.apache.org  <users@cloudstack.apache.org>
Cc: Jayanth Reddy<jayanthreddy5...@gmail.com>; Wei ZHOU<ustcweiz...@gmail.com>
Subject: Re: DDOS Attacks from my virtual Router


I run version 4.18.1.0 currently; oddly there was an update for dnsmasq, so I 
applied it to all system VMs. I clean-restarted the guest networks and so far 
everything seems to be running fine. If I pick up issues, I will destroy the 
routers so that CloudStack can recreate them again.

In the meantime, I am running the tcpdump as recommended in the virtual router 
and will keep an eye on it; as mentioned, there seems to be no movement on port 
53 so far, and I also asked the DC to provide an update on this after the 
changes I have applied.

In any case, attached is a screenshot of the IP addresses that are allocated but 
have zero VMs associated; I checked all of them and these IPs show up nowhere. I 
have no load balancers, proxies, nothing. Just a simple setup, with two virtual 
routers, one SSVM and one console VM. The rest are VM instances. I am going to 
check the Git URL you provided and query the DB to see what these are.

On 2/9/24 09:53, Jayanth Reddy wrote:

Hi,
Allocated means that it is assigned somewhere. You'll need to check the Public 
IP Address tab. Use the shared GH issue for the exceptional case.

The VR does bind only on the internal network. No, manually updating packages 
on VRs and System VMs might produce strange results. Please provision them 
again.

Thanks


________________________________
From: Granwille Strauss <granwi...@namhost.com>
Sent: Friday, February 9, 2024 1:10:32 pm
To: users@cloudstack.apache.org <users@cloudstack.apache.org>
Cc: Wei ZHOU <ustcweiz...@gmail.com>; jayanthreddy5...@gmail.com <jayanthreddy5...@gmail.com>
Subject: Re: DDOS Attacks from my virtual Router


Hi

Yes, I have an Advanced network set up. I am going to check for the allocated IPs that have 
zero VMs associated via the DB and see what I can find. I see more than one that is 
"allocated" in different guest networks. However, I would appreciate any clues 
or tips, as I have barely touched the CS database in my life.

Then, the RVM does not seem to listen on a DNS server via port 53, only dnsmasq; 
could this not be the issue too, as explained in the blog I linked earlier? I 
am currently running a tcpdump for the day to see what happens; so far the dump 
is not providing any hits, but keep in mind I did run apt-get update dnsmasq 
prior and rebooted the system VMs, including the router VMs.

On 2/9/24 09:23, Wei ZHOU wrote:

+1
It looks like one of the VMs in the isolated network is compromised.
Try to capture the packets of port 53 (TCP/UDP) by tcpdump in the virtual
router, and see what the source IP of the packets is.


-Wei
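As an added example (not part of the thread, and not CloudStack code), the Python below applies the advice above: it reads `tcpdump -nn` lines captured inside the VR for UDP/53 and separates Internet hosts that the VR is answering on its public IP (an open resolver, which is what an upstream provider sees as DNS amplification) from guest VMs that are themselves sending the DNS traffic, the compromised-VM case Wei describes. It also pairs answers with questions to measure the amplification factor. The VR addresses, guest CIDR, interface name and every sample packet are constructed assumptions (RFC 5737 ranges), not values from the original setup.

```python
"""
Triage a DNS capture taken inside a CloudStack virtual router (VR), e.g.
    tcpdump -nn -l -i eth2 udp port 53 | tee dns.txt
to tell apart (a) the VR answering recursive queries from the Internet on
its public IP (open resolver) and (b) a guest VM generating the traffic.
Added example. VR_IPS, GUEST_CIDR, the interface name and SAMPLE are
constructed assumptions (RFC 5737 addresses), not data from the thread.
"""
import ipaddress
import re
from collections import Counter

VR_IPS = {ipaddress.ip_address("198.51.100.10"),   # assumed VR public IP
          ipaddress.ip_address("10.1.1.1")}        # assumed VR guest gateway
GUEST_CIDR = ipaddress.ip_network("10.1.1.0/24")   # assumed guest network
AMP_QTYPES = {"ANY", "TXT", "RRSIG", "DNSKEY"}     # question types with big answers

# tcpdump -nn: "<ts> IP <src>.<sport> > <dst>.<dport>: <dns summary> (<len>)"
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<body>.*) \((?P<size>\d+)\)$")
# query summary: "<txid>[+] [<edns flags>] <QTYPE>? <name>"
QUERY_RE = re.compile(r"^(?P<id>\d+)\+?\s+(?:\[[^\]]*\]\s+)?(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+)")


def parse_line(line):
    """Parse one tcpdump line into a dict; return None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "src", "dst", "body")}
    for k in ("sport", "dport", "size"):
        rec[k] = int(m.group(k))
    rec["is_query"] = rec["dport"] == 53      # questions go to :53, answers come from it
    txid = re.match(r"\d+", rec["body"])      # transaction id leads both summaries
    rec["id"] = int(txid.group()) if txid else None
    q = QUERY_RE.match(rec["body"]) if rec["is_query"] else None
    rec["qtype"] = q.group("qtype") if q else None
    rec["name"] = q.group("name") if q else None
    return rec


def triage(lines, vr_ips=VR_IPS, guest_cidr=GUEST_CIDR, amp_threshold=10.0):
    """Attribute DNS packets to Internet clients, guests, or guests bypassing the VR."""
    open_resolver_clients = Counter()   # Internet hosts the VR answered
    guest_clients = Counter()           # guests using the VR as resolver (expected)
    guest_direct_external = Counter()   # guests sending DNS straight to the Internet
    amp_qtypes_by_client = Counter()    # who asks ANY/TXT/... questions
    pending = {}                        # (client, port, txid) -> query, to pair answers
    amplified = []                      # answers >= amp_threshold x the question size
    for rec in filter(None, map(parse_line, lines)):
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if rec["is_query"] and dst in vr_ips:
            pending[(rec["src"], rec["sport"], rec["id"])] = rec
            if src in guest_cidr:
                guest_clients[rec["src"]] += 1
            else:
                open_resolver_clients[rec["src"]] += 1   # the VR is answering strangers
            if rec["qtype"] in AMP_QTYPES:
                amp_qtypes_by_client[rec["src"]] += 1
        elif rec["is_query"] and src in guest_cidr:
            guest_direct_external[rec["src"]] += 1       # guest not using the VR at all
        elif not rec["is_query"] and src in vr_ips:
            q = pending.pop((rec["dst"], rec["dport"], rec["id"]), None)
            if q and q["size"] and rec["size"] / q["size"] >= amp_threshold:
                amplified.append({"client": rec["dst"], "qtype": q["qtype"], "name": q["name"],
                                  "factor": round(rec["size"] / q["size"], 1)})
        # anything else is the VR forwarding to its upstream resolvers, which is expected
    suspects = set(guest_direct_external) | {
        c for c in amp_qtypes_by_client if ipaddress.ip_address(c) in guest_cidr}
    return {"open_resolver_clients": dict(open_resolver_clients),
            "guest_clients": dict(guest_clients),
            "guest_direct_external": dict(guest_direct_external),
            "amplified": amplified,
            "vr_is_open_resolver": bool(open_resolver_clients),
            "suspect_guests": sorted(suspects)}


# Constructed sample capture: a normal guest lookup, Internet hosts abusing the
# VR's public IP with ANY queries, a guest querying external servers, and noise.
SAMPLE = """\
10:29:01.000101 IP 10.1.1.23.51000 > 10.1.1.1.53: 4001+ A? mirror.example.net. (36)
10:29:01.000420 IP 10.1.1.1.53 > 10.1.1.23.51000: 4001 1/0/0 A 192.0.2.7 (52)
10:29:01.100000 IP 203.0.113.45.40000 > 198.51.100.10.53: 7700+ [1au] ANY? example.com. (36)
10:29:01.100900 IP 198.51.100.10.53 > 203.0.113.45.40000: 7700 27/0/1 ANY[|domain] (3210)
10:29:01.200000 IP 203.0.113.45.40001 > 198.51.100.10.53: 7701+ [1au] ANY? example.com. (36)
10:29:01.200900 IP 198.51.100.10.53 > 203.0.113.45.40001: 7701 27/0/1 ANY[|domain] (3210)
10:29:01.300000 IP 203.0.113.9.40000 > 198.51.100.10.53: 7800+ [1au] ANY? example.com. (36)
10:29:01.300700 IP 198.51.100.10.53 > 203.0.113.9.40000: 7800 27/0/1 ANY[|domain] (3210)
10:29:02.000000 IP 10.1.1.77.60000 > 192.0.2.53.53: 9000+ ANY? example.com. (36)
10:29:02.000100 IP 10.1.1.77.60001 > 192.0.2.54.53: 9001+ ANY? example.com. (36)
listening on eth2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE.splitlines()), indent=2))
```

Pipe a real capture file into `triage(open("dns.txt"))`. If `open_resolver_clients` is non-empty, the VR itself is serving the Internet and the public side needs port 53 closed, regardless of what the guests are doing; entries in `guest_direct_external` or `suspect_guests` point at the VM to investigate. Capture on both the public and guest interfaces, since a query seen only on the guest side but never answered from the public IP tells a different story from the reverse.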

On Fri, 9 Feb 2024 at 08:18, Jayanth Reddy <jayanthreddy5...@gmail.com> wrote:



Hello,
The VR does process DNS queries, and if you're using cloud-init on VMs,
the primary nameserver would be your VR IP. The VR is usually configured to
forward the requested DNS queries to upstream servers, which are defined in
the zone settings. So I guess one of the VMs should have gotten compromised,
leading to the generation of the attack. Usually the VR does SNAT, so the SNAT or
static NAT IP becomes the source on the Internet (unless there is double NAT
happening).


See if you can check the MAC address of that public IP from your uplinks.
I've faced the same issue earlier wherein one VR was holding one IP but for
whatever reason the DB was updated as free. See
https://github.com/apache/cloudstack/issues/6821. You should check in the DB
for that IP. For me, I was able to get it using the API: I looked for routers
and filtered the MAC address for that IP. Happens..

Is it safe for me to assume your zone is "Advanced"?


Thanks
Jayanth Reddy

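The router/MAC cross-check described above, as an added example that is not code from the thread or from CloudStack: it signs CloudStack API requests the way the API expects (parameters sorted by key, URL-encoded, lower-cased, HMAC-SHA1, base64), then reconciles `listPublicIpAddresses` against `listRouters` in both directions: an IP that is Allocated but neither used for source/static NAT nor held by any router (the case asked about), and the reverse from issue 6821, an IP a router holds while the inventory says it is free. The API key, secret, network IDs, router names, MAC addresses and the JSON responses are constructed sample data; the `nic` list is simplified to one entry per public address.

```python
"""
Reconcile CloudStack public-IP inventory against what the virtual routers hold.
Added example, not CloudStack code. Request signing follows the CloudStack API
scheme (sorted, URL-encoded, lower-cased query string, HMAC-SHA1, base64).
PUBLIC_IPS / ROUTERS are constructed stand-ins for listPublicIpAddresses and
listRouters output; keys, names, MACs and addresses are assumptions.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote


def sign_request(command, params, api_key, secret_key):
    """Return the query string, signature included, for one CloudStack API call."""
    p = dict(params, command=command, apiKey=api_key, response="json")
    # Canonical form: sort by lower-cased key, URL-encode values, join with '&',
    # then lower-case the whole string before computing the HMAC-SHA1.
    canonical = "&".join(f"{k}={quote(str(v), safe='*')}"
                         for k, v in sorted(p.items(), key=lambda kv: kv[0].lower()))
    digest = hmac.new(secret_key.encode(), canonical.lower().encode(), hashlib.sha1).digest()
    return f"{canonical}&signature={quote(base64.b64encode(digest).decode(), safe='')}"


def locate_public_ip(ip, public_ips, routers):
    """Explain who holds `ip`, from listPublicIpAddresses and listRouters output."""
    entry = next((p for p in public_ips if p.get("ipaddress") == ip), None)
    if entry is None:
        return {"ip": ip, "state": None, "holders": [], "orphaned": False}
    holders = []
    if entry.get("issourcenat"):
        holders.append(f"source NAT of network {entry.get('associatednetworkid')}")
    if entry.get("isstaticnat"):
        holders.append(f"static NAT to VM {entry.get('virtualmachineid')} ({entry.get('vmipaddress')})")
    for r in routers:
        # A router reports its primary public IP at top level and its addresses on nics.
        nics = [n for n in r.get("nic", []) if n.get("ipaddress") == ip]
        if r.get("publicip") == ip or nics:
            mac = nics[0].get("macaddress") if nics else r.get("publicmacaddress")
            holders.append(f"router {r.get('name')} ({r.get('state')}) MAC {mac}")
    # Allocated with no NAT use and no router holding it: inventory and routers
    # disagree. Next stops are the DB (cloud.user_ip_address, cloud.nics), the
    # event log for a released static NAT, and the MAC seen on the uplink.
    orphaned = entry.get("state") == "Allocated" and not holders
    return {"ip": ip, "state": entry.get("state"), "holders": holders, "orphaned": orphaned}


def router_ips_not_allocated(public_ips, routers):
    """Reverse check: IPs a router holds that the inventory does not mark Allocated."""
    state_of = {p["ipaddress"]: p.get("state") for p in public_ips if "ipaddress" in p}
    held = {}
    for r in routers:
        ips = {r.get("publicip")} | {n.get("ipaddress") for n in r.get("nic", [])
                                     if n.get("type") == "Public"}
        for ip in filter(None, ips):
            if state_of.get(ip) != "Allocated":
                held[ip] = state_of.get(ip)     # None means not listed at all
    return held


# Constructed sample data shaped like the two API responses.
PUBLIC_IPS = [
    {"ipaddress": "198.51.100.10", "state": "Allocated", "issourcenat": True,
     "isstaticnat": False, "associatednetworkid": "net-a"},
    {"ipaddress": "198.51.100.11", "state": "Allocated", "issourcenat": False,
     "isstaticnat": False, "associatednetworkid": "net-a"},
    {"ipaddress": "198.51.100.12", "state": "Allocated", "issourcenat": False,
     "isstaticnat": True, "associatednetworkid": "net-a",
     "virtualmachineid": "vm-7", "vmipaddress": "10.1.1.7"},
    {"ipaddress": "198.51.100.13", "state": "Free"},
]
ROUTERS = [
    {"name": "r-5-VM", "state": "Running", "publicip": "198.51.100.10",
     "publicmacaddress": "06:aa:bb:00:00:10",
     "nic": [{"type": "Guest", "ipaddress": "10.1.1.1", "macaddress": "02:00:00:00:00:01"},
             {"type": "Public", "ipaddress": "198.51.100.10", "macaddress": "06:aa:bb:00:00:10"},
             {"type": "Public", "ipaddress": "198.51.100.13", "macaddress": "06:aa:bb:00:00:13"}]},
]

if __name__ == "__main__":
    print(sign_request("listRouters", {"listall": "true"}, "AKEY", "SECRET"))
    for p in PUBLIC_IPS:
        print(locate_public_ip(p["ipaddress"], PUBLIC_IPS, ROUTERS))
    print("held but not Allocated:", router_ips_not_allocated(PUBLIC_IPS, ROUTERS))
```

In a real run, fetch both lists with `listall=true` (as an admin) and feed the `publicipaddress` and `router` arrays from the JSON responses into the two functions; the MAC printed for each holder is what to compare against the ARP/MAC table on the upstream switch.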

________________________________
From: Granwille Strauss <granwi...@namhost.com.INVALID>
Sent: Friday, February 9, 2024 11:38:13 am
To: users@cloudstack.apache.org <users@cloudstack.apache.org>
Subject: DDOS Attacks from my virtual Router


Hei

My DC has just sent me notice that two of my IP addresses from the
allocated subnets are responsible for amplifying DDoS attacks. One out of
the two is my virtual router IP address. I was advised to firewall port 53
or deactivate recursive functions. Can you perhaps provide some insight on
how this could be possible?

The second IP address, I see under the guest networks that it is
"Allocated", but I have reviewed all my SystemVMs and all my virtual
routers, and none of them have that IP address assigned. Nor does any VM instance
either. It's assigned to something, but I cannot tell what. Is there a better
way for me to see what server/service uses this IP in CloudStack, please?

--
Regards / Groete

Granwille Strauss  //  Senior Systems Admin

e: granwi...@namhost.com
m: +264 81 323 1260
w: www.namhost.com

Namhost Internet Services (Pty) Ltd,

24 Black Eagle Rd, Hermanus, 7210, RSA


The content of this message is confidential. If you have received it by
mistake, please inform us by email reply and then delete the message. It is
forbidden to copy, forward, or in any way reveal the contents of this
message to anyone without our explicit consent. The integrity and security
of this email cannot be guaranteed over the Internet. Therefore, the sender
will not be held liable for any damage caused by the message. For our full
privacy policy and disclaimers, please go to
https://www.namhost.com/privacy-policy




