cloudstack 4.19.0.0 has been released recently, which contains a new systemvm template. You can upgrade.
-Wei

On Monday, 12 February 2024, Granwille Strauss <granwi...@namhost.com> wrote:

> Update:
>
> So since I ran updates for dnsmasq in all system vms, the issue seems to
> be solved. Our DC hasn't complained again. So it seems the vm templates
> need an update?
>
> On 2/9/24 10:29, Jayanth Reddy wrote:
> > Please capture on 53/UDP as most of the DNS stack uses UDP by default.
> >
> > I looked at the screenshot. No NAME means that the IP hasn't undergone STATIC
> > NAT to a VM, which is okay wherein perhaps there could be port forwards or
> > a Load Balancer instead. The VR should assign the IP on its interface if it is
> > acquired in the network. If I may ask, how are you concluding that IPs are
> > unassigned elsewhere, have you performed basic reachability tests? Your case
> > could be one of the below:
> >
> > 1. That IP could be SNAT for that network.
> > 2. Or there was an assignment to one of the VMs previously as STATIC NAT and
> >    later released. Please check your events.
> >
> > ________________________________
> > From: Granwille Strauss <granwi...@namhost.com>
> > Sent: Friday, February 9, 2024 1:40:05 pm
> > To: users@cloudstack.apache.org
> > Cc: Jayanth Reddy <jayanthreddy5...@gmail.com>; Wei ZHOU <ustcweiz...@gmail.com>
> > Subject: Re: DDOS Attacks from my virtual Router
> >
> > I run version 4.18.1.0 currently, oddly there was an update for dnsmasq so I
> > applied them to all systemvms. I clean restarted the guest networks and so
> > far everything seems to be running fine. If I pick up issues, I will destroy
> > the routers so that cloudstack can recreate them again.
> >
> > In the meantime, I am running the tcpdump as recommended in the virtual
> > router and will keep an eye on it, as mentioned there seems to be no movement
> > on port 53 so far and I also asked the DC to provide an update on this after
> > the changes I have applied.
> >
> > In any case, attached is a screenshot of the IP addresses that are allocated
> > but have zero VMs associated. I checked all of them and these IPs show up nowhere.
> > I have no loadbalancers, proxies, nothing. Just a simple setup, with two virtual
> > routers, one SSVM and one Console VM. The rest are VM instances. I am going to
> > check the git url you provided and query the DB to see what these are.
> >
> > On 2/9/24 09:53, Jayanth Reddy wrote:
> > > Hi,
> > > Allocated means that it is assigned somewhere. You'll need to check the
> > > Public IP Address tab. Use the shared GH issue for the exceptional case.
> > >
> > > The VR does bind only on the internal network. No, manually updating packages
> > > on VRs and System VMs might produce strange results. Please provision them
> > > again.
> > >
> > > Thanks
> > >
> > > ________________________________
> > > From: Granwille Strauss <granwi...@namhost.com>
> > > Sent: Friday, February 9, 2024 1:10:32 pm
> > > To: users@cloudstack.apache.org
> > > Cc: Wei ZHOU <ustcweiz...@gmail.com>; jayanthreddy5...@gmail.com
> > > Subject: Re: DDOS Attacks from my virtual Router
> > >
> > > Hi
> > >
> > > Yes, I have Advanced network set up. I am going to check for the allocated
> > > IPs that have zero VMs associated via the DB and see what I can find. I see
> > > more than one that is "allocated" in different guest networks. However, I
> > > would appreciate any clues or tips, as I have barely touched the CS database in
> > > my life.
> > >
> > > Then, the rvm does not seem to listen on a DNS server via port 53, only
> > > dnsmasq, could this not be the issue too? As explained in the blog I linked
> > > earlier? I am currently running a tcpdump for the day to see what happens; so
> > > far the dump is not providing any hits, but keep in mind I did run apt-get
> > > update dnsmasq prior and rebooted the systemvms including router vms.
> > >
> > > On 2/9/24 09:23, Wei ZHOU wrote:
> > > > +1
> > > > it looks like one of the VMs in the isolated network is compromised.
> > > > try to capture the packets of port 53 (tcp/udp) by tcpdump in the virtual
> > > > router, and see what is the source IP of the packets.
> > > >
> > > > -Wei
> > > >
> > > > On Fri, 9 Feb 2024 at 08:18, Jayanth Reddy <jayanthreddy5...@gmail.com> wrote:
> > > > >
> > > > > Hello,
> > > > > The VR does process DNS queries, and if you're using cloud-init on VMs,
> > > > > the primary nameserver would be your VR IP. The VR is usually configured to
> > > > > forward the requested DNS queries to upstream servers, which are defined in
> > > > > the zone settings. So I guess one of the VMs should have gotten compromised,
> > > > > leading to generation of the attack. Usually the VR does SNAT, so the SNAT or
> > > > > STATICNAT IP becomes the source on the Internet (unless there is double NAT
> > > > > happening).
> > > > >
> > > > > See if you can check the MAC address of that Public IP from your uplinks.
> > > > > I've faced the same issue earlier wherein one VR was holding one IP but for
> > > > > whatever reason the db was updated as free. See
> > > > > this: https://github.com/apache/cloudstack/issues/6821. You should check in the DB
> > > > > for that IP. For me, I was able to get it using the API, looked for routers
> > > > > and filtered the MAC address for that IP. Happens..
> > > > >
> > > > > Is it safe for me to assume your zone is "Advanced"?
> > > > >
> > > > > Thanks
> > > > > Jayanth Reddy
> > > > >
> > > > > ________________________________
> > > > > From: Granwille Strauss <granwi...@namhost.com.INVALID>
> > > > > Sent: Friday, February 9, 2024 11:38:13 am
> > > > > To: users@cloudstack.apache.org
> > > > > Subject: DDOS Attacks from my virtual Router
> > > > >
> > > > > Hei
> > > > >
> > > > > My DC has just sent me notice that two of my IP addresses from the
> > > > > allocated subnets are responsible for amplifying DDOS attacks. One out of
> > > > > the two is my virtual router IP address. I was advised to firewall port 53
> > > > > or deactivate recursive functions. Can you perhaps provide some insight on
> > > > > how this could be possible?
> > > > >
> > > > > The second IP address, I see under the guest networks that it is
> > > > > "Allocated" but I have reviewed all my SystemVMs and all my virtual
> > > > > routers, none of them have that IP address assigned. Nor any VM instance
> > > > > either. It's assigned to something but I cannot tell what. Is there a better
> > > > > way for me to see what server/service uses this IP in Cloudstack, please.
> > > > >
> > > > > --
> > > > > Regards / Groete
> > > > >
> > > > > Granwille Strauss // Senior Systems Admin
> > > > > e: granwi...@namhost.com
> > > > > m: +264 81 323 1260
> > > > > w: www.namhost.com
> > > > >
> > > > > Namhost Internet Services (Pty) Ltd,
> > > > > 24 Black Eagle Rd, Hermanus, 7210, RSA
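Jayanth and Wei's advice in the thread is to run tcpdump on port 53 inside the virtual router and look at the source IPs. The script below is an added example, not code from the thread or from CloudStack; it triages such a capture from the defender's side, separating guest VMs that query the VR, guests that query Internet resolvers directly, and Internet hosts reaching the VR's public IP on port 53 (the open-resolver case the DC reported). The VR public IP, guest CIDR and the capture lines are constructed sample values.

```python
import ipaddress
import re
from collections import Counter

# tcpdump -nn packet line: "<ts> IP src.sport > dst.dport: ... (payload_len)"
PKT_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r".*\((?P<length>\d+)\)\s*$"
)

# Constructed sample capture (documentation ranges): 198.51.100.10 is the VR public IP,
# 10.1.1.0/24 the guest network and 10.1.1.1 the VR's guest-side dnsmasq address.
SAMPLE_CAPTURE = """\
10:01:00.000100 IP 10.1.1.15.51000 > 10.1.1.1.53: 1001+ A? example.com. (29)
10:01:01.000100 IP 203.0.113.7.4444 > 198.51.100.10.53: 7+ ANY? example.com. (29)
10:01:01.000900 IP 198.51.100.10.53 > 203.0.113.7.4444: 7 40/0/0 TXT[|domain] (3712)
10:01:02.000100 IP 203.0.113.7.4444 > 198.51.100.10.53: 8+ ANY? example.com. (29)
10:01:02.000900 IP 198.51.100.10.53 > 203.0.113.7.4444: 8 40/0/0 TXT[|domain] (3712)
10:01:03.000100 IP 10.1.1.22.40000 > 192.0.2.53.53: 9+ ANY? example.com. (29)
"""

def parse_packet(line):
    """Return (src, sport, dst, dport, length) for a port-53 packet, else None."""
    m = PKT_RE.match(line)
    if not m:
        return None
    sport, dport, length = (int(m.group(k)) for k in ("sport", "dport", "length"))
    if 53 not in (sport, dport):
        return None
    return m.group("src"), sport, m.group("dst"), dport, length

def triage_dns_capture(lines, vr_public_ip, guest_cidr):
    """Classify port-53 flows seen on the VR and summarise who is driving them."""
    guest_net = ipaddress.ip_network(guest_cidr)
    report = {
        "guest_queries": Counter(),           # guest VM -> VR resolver (normal use)
        "guest_direct_external": Counter(),   # guest VM -> a resolver on the Internet
        "external_queries_to_vr": Counter(),  # Internet host -> VR public IP:53
        "external_query_bytes": 0, "external_response_bytes": 0,
    }
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None:
            continue
        src, sport, dst, dport, length = pkt
        src_guest = ipaddress.ip_address(src) in guest_net
        dst_guest = ipaddress.ip_address(dst) in guest_net
        if dport == 53 and src_guest:
            report["guest_queries" if dst_guest else "guest_direct_external"][src] += 1
        elif dport == 53 and dst == vr_public_ip and not src_guest:
            # Queries arriving on the public side: dnsmasq is reachable as an open resolver.
            report["external_queries_to_vr"][src] += 1
            report["external_query_bytes"] += length
        elif sport == 53 and src == vr_public_ip and not dst_guest:
            report["external_response_bytes"] += length
    q = report["external_query_bytes"]
    report["amplification_ratio"] = round(report["external_response_bytes"] / q, 1) if q else 0.0
    report["open_resolver_suspected"] = bool(report["external_queries_to_vr"])
    # Guests generating the most DNS traffic: the first place to look for a compromised VM.
    report["noisiest_guests"] = (report["guest_queries"] + report["guest_direct_external"]).most_common(3)
    return report

if __name__ == "__main__":
    print(triage_dns_capture(SAMPLE_CAPTURE.splitlines(), "198.51.100.10", "10.1.1.0/24"))
```

On a real VR, feed it the output of `tcpdump -nn -l port 53`; a non-empty `external_queries_to_vr` means dnsmasq is answering on the public interface, which is what the DC's advice to firewall port 53 or disable recursion on that side addresses.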