
Re: [Xen-users] Suspected network problem after domUs come online

Gerard Beekmans wrote:

> The actual problem is a "simple" DoS attack to my IP addresses. The host is receiving a huge amount of incoming DNS requests. As soon as this attack starts and there's a DNS server listening on any of the domUs that happen to have that IP address, the network slows to a crawl to the point the machine is overloaded and just locks up.
>
> Of note, the NIC link to the switch is set to 10 Mbit Full Duplex (that's the speed I've signed up for with the hosting plan). Even if that link is flooded, the maximum incoming data is finite. I wouldn't have expected a Linux box to keel over and die at such a speed. Perhaps it's related to the fact the listening service runs in a DomU?

Don't forget that if your pipe is being filled, the device(s) at the other end of it will "become unresponsive" as you'll get lots of dropped packets. You've said yourself that while this is going on, internal communications seem OK.

It could just be that you are getting enough traffic that the DNS replies (typically larger than the queries) will fill the pipe. Once that happens, packets will be dropped. TCP will cope with dropped packets up to a point, but if it's severe, throughput will be terrible - responsiveness more so.

I do know exactly what that's like, I've worked remotely on machines when they've been under that sort of load - in my case, a user's website had been compromised and the ***** was using it to attempt brute force logins against FTP servers. IIRC it had 1000 threads running, all doing brute force username/password guessing against a different address! It's the traffic and the effect it had on the network that flagged it up.

In your case, there's ***-all you can do about the attack, other than to not run a DNS server on that address until the attacker gets bored and moves on. *IF* it's from a small number of addresses then your hosting provider may be able to block them upstream, but if it's a distributed attack then that isn't practical without blocking large chunks of the internet. You could rate-limit requests with an iptables rule - but you'll still be paying (I assume) for the bandwidth consumed by the requests.

If it is a single (or small number of) address(es) then a complaint to the owner of the IP block would be in order - they may be unaware of the malware they are hosting.

Simon Hobson

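An added illustration of the two points Simon makes above (whether the flood comes from a few sources the provider could block, and how quickly replies alone fill a 10 Mbit/s pipe). This is example code written for this page, not code from the thread or from Xen. It reads BIND-style query-log lines; the log lines are constructed samples using documentation address ranges, and the reply size, source-count and share thresholds are assumed values chosen for illustration, not measurements.

```python
"""Classify a suspected DNS query flood from BIND-style query-log lines and
estimate the reply bandwidth it generates on a small uplink.
Added example; sample data and thresholds below are constructed/assumed."""
from collections import Counter
from datetime import datetime
import re

# Line shape of a BIND 9 query log:
#   <date> <time> client <ip>#<port>: query: <name> IN <type> ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"

# Constructed sample 1: one client (203.0.113.7) sends 8 of 10 queries in one second.
CONCENTRATED_LOG = "\n".join(
    [f"12-Nov-2010 10:00:01.{i:03d} client 203.0.113.7#4{i:04d}: "
     f"query: example.com IN ANY + (198.51.100.10)" for i in range(0, 800, 100)]
    + ["12-Nov-2010 10:00:01.850 client 203.0.113.8#40001: query: example.com IN A + (198.51.100.10)",
       "12-Nov-2010 10:00:02.000 client 198.51.100.44#53000: query: www.example.com IN AAAA + (198.51.100.10)"]
)

# Constructed sample 2: twelve different clients, one query each (a distributed pattern).
DISTRIBUTED_LOG = "\n".join(
    f"12-Nov-2010 10:00:01.{i * 50:03d} client 198.51.100.{i}#5{i:04d}: "
    f"query: example.com IN ANY + (198.51.100.10)" for i in range(1, 13)
)


def parse_query_log(text):
    """Return (timestamp, client_ip, qname, qtype) tuples; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((datetime.strptime(m["ts"], TS_FORMAT), m["ip"], m["name"], m["qtype"]))
    return records


def queries_per_source(records):
    """Count queries per client address."""
    return Counter(ip for _, ip, _, _ in records)


def classify_sources(counts, max_blockable=5, share_threshold=0.9):
    """'concentrated' when there are at most max_blockable sources, or when the top
    max_blockable sources account for share_threshold of all queries (a case the
    upstream provider could realistically block); otherwise 'distributed'.
    Both thresholds are assumed values for illustration."""
    total = sum(counts.values())
    top = counts.most_common(max_blockable)
    share = sum(n for _, n in top) / total if total else 0.0
    concentrated = len(counts) <= max_blockable or share >= share_threshold
    return {"total": total, "sources": len(counts), "top": top,
            "top_share": share, "verdict": "concentrated" if concentrated else "distributed"}


def window_seconds(records):
    """Length of the observed window in seconds (at least 1 s to avoid division by zero)."""
    if len(records) < 2:
        return 1.0
    span = (max(r[0] for r in records) - min(r[0] for r in records)).total_seconds()
    return span if span > 0 else 1.0


def reply_load_bps(n_queries, seconds, avg_reply_bytes):
    """Outbound bits per second generated by answering n_queries in `seconds`."""
    return n_queries * avg_reply_bytes * 8 / seconds


def queries_per_second_to_fill(link_mbps, avg_reply_bytes):
    """Query rate at which replies of avg_reply_bytes alone saturate the link."""
    return link_mbps * 1_000_000 / (avg_reply_bytes * 8)


if __name__ == "__main__":
    recs = parse_query_log(CONCENTRATED_LOG)
    verdict = classify_sources(queries_per_source(recs))
    print(verdict)
    # Assumed average reply size of 512 bytes against the 10 Mbit/s link from the thread.
    print("reply load (bps):", reply_load_bps(len(recs), window_seconds(recs), 512))
    print("queries/s to fill 10 Mbit/s:", queries_per_second_to_fill(10, 512))
    print(classify_sources(queries_per_source(parse_query_log(DISTRIBUTED_LOG)))["verdict"])
```

The useful output is the last number: with the assumed 512-byte replies, a few thousand queries per second are enough to fill a 10 Mbit/s uplink with replies alone, which is why the box appears dead long before the inbound queries themselves are a large volume. The per-source breakdown is what you would hand to the provider when asking for an upstream block.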
