Under a huge DDOS

Hi everybody. Since yesterday I've been experiencing a huge DDOS attack, but I lack knowledge about this topic and would like to know if someone here could give me some advice. When the attack starts I lose all access I have to the server: FTP, SSH, ping, everything. I really don't know where I could go to get help or find a solution, so I'd really appreciate it if someone could shed some light on this. Here I will leave graphs of the download traffic.

Daily
[image: daily download traffic graph]

Last 5 hours
[image: download traffic graph, last 5 hours]
 
Hi everybody. Since yesterday I've been experiencing a huge DDOS attack, but I lack knowledge about this topic and would like to know if someone here could give me some advice.
Contact your ISP. But I would hardly call a 200 Mbps burst for a couple of minutes a "DDoS". But then again, I have to maintain a website that pushes 1.5 Gbps continuously.

When the attack starts I lose all access I have to the server: FTP, SSH, ping, everything.
Have you thought about other causes? What makes you think it's a DDoS? How is your machine connected to the internet (100 Mbit, 1000 Mbit)? What's the machine running? Have you looked at the log files? What are they telling you?
 
Contact your ISP. But I would hardly call a 200 Mbps burst for a couple of minutes a "DDoS". But then again, I have to maintain a website that pushes 1.5 Gbps continuously.


Have you thought about other causes? What makes you think it's a DDoS? How is your machine connected to the internet (100 Mbit, 1000 Mbit)? What's the machine running? Have you looked at the log files? What are they telling you?

I tried speaking with the company I rent this server from and they said they can't do anything about it. It even gets past the mitigation protection they put in place by default. For my server 200 Mbps is too much; normally I use much less than that, as you can see on the small bar in the last screenshot at 11:00 compared to the others.

I think it is a DDoS because of the high download usage and because sometimes it even activates the mitigation. The machine connection is: network connection 1 Gbps, bandwidth 250 Mbps. About the logs, do you recommend any log in particular? I tried taking a look at httpd-access.log, httpd-error.log and messages and didn't see anything relevant. Here I will leave the messages; maybe for you it has more information than I can see. http://pastebin.com/GUxBezrM
 
If your server is connected to the internet with 1 Gbps it shouldn't fall to its knees with 200 Mbps of traffic. Sure, it may be a lot more than normal, but I very much doubt this is caused by a DoS or even a DDoS.

Looking at your messages, you have a flapping interface (re0 goes up, then down, back up again, etc). What card (type and model) is it?
 
If your server is connected to the internet with 1 Gbps it shouldn't fall to its knees with 200 Mbps of traffic. Sure, it may be a lot more than normal, but I very much doubt this is caused by a DoS or even a DDoS.

Looking at your messages, you have a flapping interface (re0 goes up, then down, back up again, etc). What card (type and model) is it?

Here I leave for you the model of the card after running pciconf -lv.

Code:
re0@pci0:3:0:0: class=0x020000 card=0x85051043 chip=0x816810ec rev=0x09 hdr=0x00
    vendor     = 'Realtek Semiconductor Co., Ltd.'
    device     = 'RTL8111/8168B PCI Express Gigabit Ethernet controller'
    class      = network
    subclass   = ethernet

Right now the high traffic is still happening and I get disconnected from the server every time. I mention that because maybe while it's happening it's easier to identify the problem, I don't know.
 
I'd look into upgrading the NIC to a PCIe Intel server-class NIC as soon as possible. Anything by Realtek is OK for desktop/laptop usage but doesn't cut it for heavy lifting in a server environment.
 
I had to deal with a DDoS attack a few weeks ago and I know how horrible it is.

If you can, try to identify what's going on. On the graph, does download relate to what your server is downloading, or is it data being downloaded from your server (i.e. going out to the Internet)?

As mentioned, if you have a Gbit uplink the server should really be able to handle 200Mbps, unless the provider's protection is doing something funny with the uplink. It's interesting that you have a Xeon with 32GB of RAM but a cheap desktop-class network interface.
 
I apologize to everybody; I gave wrong information. I called the company to make sure about it and it was wrong. My connection is only 250 Mbps. I'm really sorry for that. And I don't know if this information is relevant, but I don't have access to the server right now and I get this output from the SSH client.

Code:
14:20:03.367 The SSH2 session has terminated with error. Reason: FlowSocketReader: Error receiving bytes. Windows error 10054: An existing connection was forcibly closed by the remote host.
Right now the download usage:
[image: current download traffic graph]


I'd look into upgrading the NIC to a PCIe Intel server-class NIC as soon as possible. Anything by Realtek is OK for desktop/laptop usage but doesn't cut it for heavy lifting in a server environment.

I called the company just now and we're going to look into changing the Realtek for an Intel. They said at the moment I'm using the onboard network card.

I had to deal with a DDoS attack a few weeks ago and I know how horrible it is.

If you can, try to identify what's going on. On the graph, does download relate to what your server is downloading, or is it data being downloaded from your server (i.e. going out to the Internet)?

As mentioned, if you have a Gbit uplink the server should really be able to handle 200Mbps, unless the provider's protection is doing something funny with the uplink. It's interesting that you have a Xeon with 32GB of RAM but a cheap desktop-class network interface.

The graph doesn't show where this traffic is coming from; if there's something I can do on the server to check it, let me know. I'm going to look into changing the network interface. Thank you.
 
Can the provider give no insight into what's happening? If you're currently using 200Mbps and can't get into the server then you're a bit stuck. In a lot of cases real DDoS attacks can't be stopped on your own if they're overwhelming your equipment, and require help from those upstream.

If the traffic is inbound (most common for DDoS if you're the target) then usually it's UDP traffic - NTP or DNS most times. If the provider truly has mitigation, then I would expect them to be able to stop that fairly easily. Hopefully their mitigation technique isn't just to drop the interface for a bit in the hope the attack stops (which would explain all the interface down/up events), although I've never heard of an ISP doing that.

If it's outbound then it should be easier to stop. If you are running NTP or DNS services, then it could be your server being used as part of a bigger attack. The easiest thing there is to temporarily lock down those services or disable them.

I'd be surprised if the web server was involved unless they are requesting large files off your server. Was there anything at all out of the ordinary in the web logs which suggested there might be an unusual number of requests going on? Are the logs themselves unusually large in file size, for example, which would indicate lots of requests?

Obviously I'm speculating a lot as I don't know for certain which direction the traffic is, what's enabled on your server, or have access to any logs. In our case though, we were running around in a flap until we worked out exactly what was happening. Once we'd identified what was going on, it was easy as we only really had two choices, and one of those wasn't available.
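The web-log check suggested above, as an added example that is not part of the original thread: a Python script that parses Apache combined-format access log lines, reports the top requesters and the paths costing the most bytes, and works out how much egress rate the HTTP traffic alone accounts for, so it can be compared with the rate on the provider's graph. The sample log lines (documentation-range addresses), the 200 Mbps comparison figure and the "one quarter of observed rate" threshold are constructed assumptions for illustration, not data from the thread.

```python
"""Triage an Apache access log: who is hammering the server, which paths cost
the most bytes, and what egress rate the HTTP traffic alone accounts for."""
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample in Apache "combined" log format. Addresses are from the
# RFC 5737 documentation ranges; sizes are invented for this example.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Apr/2015:14:20:01 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2015:14:20:01 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Apr/2015:14:20:02 +0200] "GET /downloads/client.zip HTTP/1.1" 200 52428800 "-" "Wget/1.16"
203.0.113.9 - - [20/Apr/2015:14:20:03 +0200] "GET /downloads/client.zip HTTP/1.1" 200 52428800 "-" "Wget/1.16"
192.0.2.44 - - [20/Apr/2015:14:20:03 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2015:14:20:04 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2015:14:20:04 +0200] "POST /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Fields of the combined format we need; referer and user-agent are ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def summarize(log_text, top=5):
    """Aggregate hits and bytes per client IP and per path, plus average egress."""
    hits_by_ip, bytes_by_ip, bytes_by_path = Counter(), Counter(), Counter()
    first = last = None
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits_by_ip[rec["ip"]] += 1
        bytes_by_ip[rec["ip"]] += rec["bytes"]
        bytes_by_path[rec["path"]] += rec["bytes"]
        total += rec["bytes"]
        first = rec["time"] if first is None else min(first, rec["time"])
        last = rec["time"] if last is None else max(last, rec["time"])
    # Log timestamps have 1 s resolution; never divide by a zero-length window.
    window = max((last - first).total_seconds(), 1.0) if first else 1.0
    return {
        "requests": sum(hits_by_ip.values()),
        "total_bytes": total,
        "window_seconds": window,
        "egress_mbps": total * 8 / window / 1e6,
        "top_ips_by_hits": hits_by_ip.most_common(top),
        "top_ips_by_bytes": bytes_by_ip.most_common(top),
        "top_paths_by_bytes": bytes_by_path.most_common(top),
    }


def report(summary, observed_mbps):
    """Compare the rate the log accounts for with the rate seen on the traffic graph."""
    lines = [f"{summary['requests']} requests, {summary['total_bytes']} bytes over "
             f"{summary['window_seconds']:.0f}s = {summary['egress_mbps']:.1f} Mbps average"]
    for key in ("top_ips_by_hits", "top_ips_by_bytes", "top_paths_by_bytes"):
        lines.append(f"{key}: {summary[key]}")
    # Threshold is an assumption: if HTTP explains under a quarter of the observed
    # rate, the bulk of the traffic is not reaching httpd and the logs won't show it.
    if summary["egress_mbps"] < observed_mbps / 4:
        lines.append("HTTP accounts for a small share of the observed rate: look elsewhere "
                     "(other services, or traffic that never reaches httpd).")
    else:
        lines.append("HTTP alone explains most of the observed rate: check the listed paths/IPs.")
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    mbps = float(sys.argv[2]) if len(sys.argv) > 2 else 200.0  # rate seen on the provider graph
    print(report(summarize(text), mbps))
```

Run it as `python3 triage_log.py /var/log/httpd-access.log 200` against the log covering the minutes of the burst. If the average it computes is nowhere near the graph and no single path or client stands out, the traffic is not HTTP and the web logs will not explain it; that is the point where interface counters and a packet capture become the right tools.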
 
It would really help if you told us what services you are running on that machine and whether you are using any host-based firewall. Please also post the output of:

# sockstat -46

* you can omit the 6 if you are not using IPv6
 
Can the provider give no insight into what's happening? If you're currently using 200Mbps and can't get into the server then you're a bit stuck. In a lot of cases real DDoS attacks can't be stopped on your own if they're overwhelming your equipment, and require help from those upstream.

If the traffic is inbound (most common for DDoS if you're the target) then usually it's UDP traffic - NTP or DNS most times. If the provider truly has mitigation, then I would expect them to be able to stop that fairly easily. Hopefully their mitigation technique isn't just to drop the interface for a bit in the hope the attack stops (which would explain all the interface down/up events), although I've never heard of an ISP doing that.

If it's outbound then it should be easier to stop. If you are running NTP or DNS services, then it could be your server being used as part of a bigger attack. The easiest thing there is to temporarily lock down those services or disable them.

I'd be surprised if the web server was involved unless they are requesting large files off your server. Was there anything at all out of the ordinary in the web logs which suggested there might be an unusual number of requests going on? Are the logs themselves unusually large in file size, for example, which would indicate lots of requests?

Obviously I'm speculating a lot as I don't know for certain which direction the traffic is, what's enabled on your server, or have access to any logs. In our case though, we were running around in a flap until we worked out exactly what was happening. Once we'd identified what was going on, it was easy as we only really had two choices, and one of those wasn't available.

The provider said they could not do anything; they recommended I put it in rescue mode and find someone who understands network protection and FreeBSD.
About the mitigation, I do not know why, but today it did not activate as it did yesterday. I did not detect that what was happening was a DDoS. They just restarted the server and auto-changed to rescue. I cleaned the httpd logs and they were normal, so I think it is not using the web server for this. In addition, you used a couple of terms that I really do not understand because of my lack of knowledge; if there is something I can do to check whether it is inbound or outbound, or any other requested info, let me know.

It would really help if you told us what services you are running on that machine and whether you are using any host-based firewall. Please also post the output of:

# sockstat -46

* you can omit the 6 if you are not using IPv6

As soon as I can connect to the server I'm going to run this command and post the output here.
 
We also need to know whether you are running any other services exposed to the internet besides the web server, and also the size of the data you are serving.
 
Running services:

Code:
mysql_enable="YES"
apache24_enable="YES"
linux_enable="YES"

Output of sockstat -46

Code:
Script started on Mon Apr 20 23:31:15 2015
You have mail.
root@ns3362353:/ # sockstat -46

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
www      httpd      1739  3  tcp6   *:80                  *:*
www      httpd      1739  4  tcp4   *:80                  *:*
www      httpd      1738  3  tcp6   *:80                  *:*
www      httpd      1738  4  tcp4   *:80                  *:*
www      httpd      1737  3  tcp6   *:80                  *:*
www      httpd      1737  4  tcp4   *:80                  *:*
www      httpd      1736  3  tcp6   *:80                  *:*
www      httpd      1736  4  tcp4   *:80                  *:*
www      httpd      1735  3  tcp6   *:80                  *:*
www      httpd      1735  4  tcp4   *:80                  *:*
www      httpd      1734  3  tcp6   *:80                  *:*
www      httpd      1734  4  tcp4   *:80                  *:*
www      httpd      1733  3  tcp6   *:80                  *:*
www      httpd      1733  4  tcp4   *:80                  *:*
www      httpd      1732  3  tcp6   *:80                  *:*
www      httpd      1732  4  tcp4   *:80                  *:*
www      httpd      1732  13 tcp4   37.187.73.33:80       186.125.122.72:60218
www      httpd      1729  3  tcp6   *:80                  *:*
www      httpd      1729  4  tcp4   *:80                  *:*
www      httpd      1729  13 tcp4   37.187.73.33:80       189.180.24.228:53643
www      httpd      1728  3  tcp6   *:80                  *:*
www      httpd      1728  4  tcp4   *:80                  *:*
www      httpd      1728  13 tcp4   37.187.73.33:80       189.180.24.228:53642
www      httpd      1727  3  tcp6   *:80                  *:*
www      httpd      1727  4  tcp4   *:80                  *:*
www      httpd      1726  3  tcp6   *:80                  *:*
www      httpd      1726  4  tcp4   *:80                  *:*
www      httpd      1725  3  tcp6   *:80                  *:*
www      httpd      1725  4  tcp4   *:80                  *:*
www      httpd      1721  3  tcp6   *:80                  *:*
www      httpd      1721  4  tcp4   *:80                  *:*
www      httpd      1634  3  tcp6   *:80                  *:*
www      httpd      1634  4  tcp4   *:80                  *:*
www      httpd      1634  13 tcp4   37.187.73.33:80       189.180.24.228:53640
www      httpd      1632  3  tcp6   *:80                  *:*
www      httpd      1632  4  tcp4   *:80                  *:*
www      httpd      1629  3  tcp6   *:80                  *:*
www      httpd      1629  4  tcp4   *:80                  *:*
www      httpd      1627  3  tcp6   *:80                  *:*
www      httpd      1627  4  tcp4   *:80                  *:*
www      httpd      1625  3  tcp6   *:80                  *:*
www      httpd      1625  4  tcp4   *:80                  *:*
www      httpd      1624  3  tcp6   *:80                  *:*
www      httpd      1624  4  tcp4   *:80                  *:*
www      httpd      1617  3  tcp6   *:80                  *:*
www      httpd      1617  4  tcp4   *:80                  *:*
root     sshd       1515  3  tcp4   37.187.73.33:22       189.83.48.139:53330
www      httpd      1513  3  tcp6   *:80                  *:*
www      httpd      1513  4  tcp4   *:80                  *:*
www      httpd      1513  13 tcp4   37.187.73.33:80       201.210.225.118:50447
www      httpd      1419  3  tcp6   *:80                  *:*
www      httpd      1419  4  tcp4   *:80                  *:*
www      httpd      1419  13 tcp4   37.187.73.33:80       201.210.225.118:50450
www      httpd      1410  3  tcp6   *:80                  *:*
www      httpd      1410  4  tcp4   *:80                  *:*
root     sshd       1316  3  tcp4   37.187.73.33:22       189.83.48.139:52919
root     sshd       1222  3  tcp4   37.187.73.33:22       189.83.48.139:52793
www      httpd      1039  3  tcp6   *:80                  *:*
www      httpd      1039  4  tcp4   *:80                  *:*
www      httpd      1039  13 tcp4   37.187.73.33:80       189.180.24.228:53641
root     sendmail   875   3  tcp4   127.0.0.1:25          *:*
root     httpd      867   3  tcp6   *:80                  *:*
root     httpd      867   4  tcp4   *:80                  *:*
root     sshd       862   3  tcp6   *:22                  *:*
root     sshd       862   4  tcp4   *:22                  *:*
mysql    mysqld     840   20 tcp4 6 *:3306                *:*
root     syslogd    535   8  udp6   *:514                 *:*
root     syslogd    535   9  udp4   *:514                 *:*
?        ?          ?     ?  tcp4   37.187.73.33:80       201.210.225.118:50391
?        ?          ?     ?  tcp4   37.187.73.33:80       201.210.225.118:50428
?        ?          ?     ?  tcp4   37.187.73.33:80       186.125.122.72:60219
?        ?          ?     ?  tcp4   37.187.73.33:80       95.17.60.172:59858
?        ?          ?     ?  tcp4   37.187.73.33:80       84.123.54.170:28172
?        ?          ?     ?  tcp4   37.187.73.33:80       84.123.54.170:28167
?        ?          ?     ?  tcp4   37.187.73.33:80       62.175.222.35:51502
?        ?          ?     ?  tcp4   37.187.73.33:80       189.180.24.228:65519
?        ?          ?     ?  tcp4   37.187.73.33:80       217.217.16.74:51958
?        ?          ?     ?  tcp4   37.187.73.33:80       181.53.250.192:54821
?        ?          ?     ?  tcp4   37.187.73.33:80       201.210.225.118:50448
?        ?          ?     ?  tcp4   37.187.73.33:80       181.53.250.192:54461
?        ?          ?     ?  tcp4   37.187.73.33:80       201.210.225.118:50390
?        ?          ?     ?  tcp4   37.187.73.33:80       181.53.250.192:54470
?        ?          ?     ?  tcp4   37.187.73.33:80       84.123.54.170:28185
?        ?          ?     ?  tcp4   37.187.73.33:80       201.210.225.118:50392
?        ?          ?     ?  tcp4   37.187.73.33:80       181.53.250.192:54557
?        ?          ?     ?  tcp4   37.187.73.33:80       84.123.54.170:28170
?        ?          ?     ?  tcp4   37.187.73.33:80       84.123.54.170:28181
?        ?          ?     ?  tcp4   37.187.73.33:80       95.17.60.172:59859
?        ?          ?     ?  tcp4   37.187.73.33:80       87.221.59.66:3598
?        ?          ?     ?  tcp4   37.187.73.33:80       84.123.54.170:28168
?        ?          ?     ?  tcp4   37.187.73.33:80       78.29.179.12:59807
?        ?          ?     ?  tcp4   37.187.73.33:80       190.183.84.187:51347
?        ?          ?     ?  tcp4   37.187.73.33:80       62.175.222.35:51501
?        ?          ?     ?  tcp4   37.187.73.33:80       37.133.204.3:50550
?        ?          ?     ?  tcp4   37.187.73.33:80       217.217.16.74:51953
?        ?          ?     ?  tcp4   37.187.73.33:80       217.217.16.74:51956
?        ?          ?     ?  tcp4   37.187.73.33:80       217.217.16.74:51951
?        ?          ?     ?  tcp4   37.187.73.33:80       181.53.250.192:54471
?        ?          ?     ?  tcp4   37.187.73.33:80       83.33.126.128:21111
?        ?          ?     ?  tcp4   37.187.73.33:80       217.217.16.74:51954
?        ?          ?     ?  tcp4   37.187.73.33:80       84.123.54.170:28182
?        ?          ?     ?  tcp4   37.187.73.33:80       62.175.222.35:51500
?        ?          ?     ?  tcp4   37.187.73.33:80       84.123.54.170:28169
?        ?          ?     ?  tcp4   37.187.73.33:80       217.217.16.74:51952
?        ?          ?     ?  tcp4   37.187.73.33:80       84.123.54.170:28180
?        ?          ?     ?  tcp4   37.187.73.33:80       95.17.60.172:59860
?        ?          ?     ?  tcp4   37.187.73.33:80       84.123.54.170:27999
?        ?          ?     ?  tcp4   37.187.73.33:80       84.123.54.170:27998
?        ?          ?     ?  tcp4   37.187.73.33:80       37.133.204.3:50552
?        ?          ?     ?  tcp4   37.187.73.33:80       84.123.54.170:28171
?        ?          ?     ?  tcp4   37.187.73.33:80       189.180.24.228:65515
?        ?          ?     ?  tcp4   37.187.73.33:80       181.53.250.192:54456
?        ?          ?     ?  tcp4   37.187.73.33:80       190.183.84.187:51350
?        ?          ?     ?  tcp4   37.187.73.33:80       217.217.16.74:51955
?        ?          ?     ?  tcp4   37.187.73.33:80       181.53.250.192:54462
?        ?          ?     ?  tcp4   37.187.73.33:80       181.53.250.192:54460
?        ?          ?     ?  tcp4   37.187.73.33:80       84.123.54.170:28184
?        ?          ?     ?  tcp4   37.187.73.33:80       84.123.54.170:28183
root@ns3362353:/ # exit

exit

Script done on Mon Apr 20 23:31:30 2015

PS: Right now the server isn't under attack.

We also need to know whether you are running any other services exposed to the internet besides the web server, and also the size of the data you are serving.

Is there any command I could run to check something?
 
The server is behind a firewall, right?
Looking at the open ports, you could do with making sure everything other than port 80 is locked down. Of course if it's a proper DDoS attack and they're just blindly throwing traffic at you, that won't specifically solve the attack itself. If it is a proper DDoS though, it tends to be lots of hosts sending fairly similar traffic, which, if the ISP does have real DDoS protection, they should really be able to stop.

As you have access to the server (well, you did during your last post), have you looked at the web logs to see if there's anything strange, like huge numbers of similar requests? If it involves the web server, for that amount of traffic they'd either need to be sending large requests or requesting a large file off your server (which would be easy to fix - just move the file). As I said though, HTTP isn't a common method for DDoS attacks. The current favourite is DNS/NTP reflection-amplification.

Also, if the server has been up since the last high-volume attack, run systat -ifstat and see whether the bulk of the traffic is into the network interface or out. (You have to press :q to get out of that command, like vi)
 
I'm still a little worried about the network card flapping. Even if there's 200 Mbps of traffic the network card shouldn't go offline. So there's something really not working properly. I thought it may perhaps be the DDoS mitigation of the ISP but that wouldn't result in watchdog time-outs. With a load close to your maximum you should still be able to login without problems. But if the network card craps out you're lost.

As for the services, I highly recommend binding MySQL to lo0 if it's only used for the website. Ideally it won't even need an interface as you can also connect to the file socket from a client (PHP script on the website?). MySQL does have authentication but there's no access logging and nothing to stop a brute-force attack.

Any open port connected to the internet can and will get abused. Think long and hard before you open any port. If it's not required don't open one.
 
I took the liberty to scan your server for a few minutes. It appears as if you are running some sort of game server application that also listens on port tcp/6699.

If you are not aware of that then that could be a problem. Game servers and file sharing applications do tend to become DDOS attack targets.
 
The server is behind a firewall, right?
Looking at the open ports, you could do with making sure everything other than port 80 is locked down. Of course if it's a proper DDoS attack and they're just blindly throwing traffic at you, that won't specifically solve the attack itself. If it is a proper DDoS though, it tends to be lots of hosts sending fairly similar traffic, which, if the ISP does have real DDoS protection, they should really be able to stop.

As you have access to the server (well, you did during your last post), have you looked at the web logs to see if there's anything strange, like huge numbers of similar requests? If it involves the web server, for that amount of traffic they'd either need to be sending large requests or requesting a large file off your server (which would be easy to fix - just move the file). As I said though, HTTP isn't a common method for DDoS attacks. The current favourite is DNS/NTP reflection-amplification.

Also, if the server has been up since the last high-volume attack, run systat -ifstat and see whether the bulk of the traffic is into the network interface or out. (You have to press :q to get out of that command, like vi)

Yes, it has a firewall. But I don't know if mine is very effective. To install my firewall I ran these commands, and my pf.conf is clean.
Code:
cd /../  && fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/9.3-RELEASE/src.txz
tar -xzvf src.txz
cd /usr/src/sys/amd64/conf
cp GENERIC FIREW
Then I opened FIREW and added
Code:
ident  FIREW
# Firewall
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
and built the kernel. But I think it isn't effective; I looked this up in order to start banning some people by IP using:
ipfw add deny ip from x.x.x.x to any

Since yesterday I haven't had huge traffic anymore, but maybe that is because I removed my entire website and just left an index.html with the message "Page under maintenance". And I had a couple of requests for my index.php from IPs in the USA and Germany, and those aren't my normal clients. Here I will leave my http-error.log.
Error

Yes, the server is up; here I leave the output that you asked for. Maybe an idiot question: I normally do CTRL + C to leave it, isn't that right?

Code:
                    /0   /1   /2   /3   /4   /5   /6   /7   /8   /9   /10
     Load Average   |

      Interface           Traffic               Peak                Total
            lo0  in     10.214 KB/s         10.214 KB/s          388.037 MB
                 out    10.214 KB/s         10.214 KB/s          388.030 MB

            re0  in     15.564 KB/s         22.396 KB/s          686.781 MB
                 out    43.120 KB/s         58.731 KB/s            3.004 GB

I'm still a little worried about the network card flapping. Even if there's 200 Mbps of traffic the network card shouldn't go offline. So there's something really not working properly. I thought it may perhaps be the DDoS mitigation of the ISP but that wouldn't result in watchdog time-outs. With a load close to your maximum you should still be able to login without problems. But if the network card craps out you're lost.

As for the services, I highly recommend binding MySQL to lo0 if it's only used for the website. Ideally it won't even need an interface as you can also connect to the file socket from a client (PHP script on the website?). MySQL does have authentication but there's no access logging and nothing to stop a brute-force attack.

Any open port connected to the internet can and will get abused. Think long and hard before you open any port. If it's not required don't open one.

I received a couple of emails from my rental company and they said this; maybe it makes more sense to you than to me.

Server check
Date 2015-04-20 20:01:57, gregory.dubois made Server check:
Server found on login but no ping, no services started.

On screen: re0: watchdog timeout.

A soft reboot has corrected the situation.

My MySQL is used on the website as you said, and by my system when I start it on the server, and also for external connections from my PC. How could I do the binding?

PS: I get high traffic with my system offline.

Yes, I will try to find and set up a good PF and open only the needed ports. Last time I tried it I locked myself out of the server, haha.

I took the liberty to scan your server for a few minutes. It appears as if you are running some sort of game server application that also listens on port tcp/6699.

If you are not aware of that then that could be a problem. Game servers and file sharing applications do tend to become DDOS attack targets.

No problem, scan it as much as you like. This is really strange; my system doesn't use this port. Do you have any suggestion?


Right now I have my system running and I will leave here the output from sockstat -46.
The message has more than 12000 characters so I will post it on pastebin. It will expire in 1 day.
OUTPUT
This is my normal traffic.
[image: normal download traffic graph]
 
I hate to break it to you but:

a) You don't have a firewall.
b) Your server looks like it has been compromised.

No problem.

a) The firewall... that's really bad; I thought it was at least a small firewall or something. Is there any chance you could guide me through a firewall installation?

b) Why do you think my server is compromised? Is there something I can do about it?


I'm looking to put this PF on my server; what do you think about it? Is it good? Is there something I can do to make it better?
Code:
# Change the value to reflect your public interface. You can see this with ifconfig.
ext_if="re0"

# Ports used for services
service_ports="{ 22, 80 }"

# Ports used by system
system_ports="{ 11152, 13050, 13051, 13052, 13053, 13054, 17050, 17051, 17052, 17053, 17054, 13098 }"

# IP addresses that should override the firewall rules, such as your web server.
table <trusted_hosts> const { X.X.X.X, Y.Y.Y.Y }

table <abusive_hosts> persist

set block-policy drop
set loginterface $ext_if
set skip on lo

scrub on $ext_if reassemble tcp no-df random-id

antispoof quick for { lo0 $ext_if }

block in

pass out all keep state
pass out on $ext_if all modulate state

pass in quick from <trusted_hosts>
block in quick from <abusive_hosts>

# Allow ping in
pass in inet proto icmp all icmp-type echoreq

# Rate limits, trial and error
pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state \
        (max-src-conn 30, max-src-conn-rate 15/5, overload <abusive_hosts> flush)

pass in on $ext_if proto {tcp,udp} to any port $system_ports flags S/SA keep state \
        (max-src-conn 30, max-src-conn-rate 15/5, overload <abusive_hosts> flush)
To completely block UDP on the firewall change this line:
Code:
pass in on $ext_if proto {tcp,udp} to any port $system_ports flags S/SA keep state \
to
Code:
pass in on $ext_if proto tcp to any port $system_ports flags S/SA keep state \
 
No problem.

a) The firewall... that's really bad; I thought it was at least a small firewall or something. Is there any chance you could guide me through a firewall installation?

From what you described, you just compiled a new kernel with ipfirewall() in a permissive state with no rules whatsoever. Also, pf.conf is irrelevant to ipfirewall.

b) Why do you think my server is compromised? Is there something I can do about it?

Because of this:
Code:
root     yago_sys       7792  28 tcp4   37.187.73.33:65022    37.187.73.33:24633
root     yago_sys       7792  29 tcp4   37.187.73.33:17051    200.117.41.101:60542
root     yago_sys       7792  30 tcp4   37.187.73.33:17051    201.210.225.118:52420
root     yago_sys       7792  31 tcp4   37.187.73.33:17051    87.221.59.66:1236
root     yago_sys       7792  32 tcp4   37.187.73.33:17051    200.117.41.101:49534
root     yago_sys       7792  33 tcp4   37.187.73.33:17051    201.210.225.118:52391
root     yago_sys       7792  34 tcp4   37.187.73.33:17051    77.229.11.184:49774
root     yago_sys       7792  35 tcp4   37.187.73.33:17051    181.168.115.56:53141
root     yago_sys       7792  36 tcp4   37.187.73.33:17051    181.192.14.237:14602
root     yago_sys       7792  37 tcp4   37.187.73.33:17051    200.117.41.101:60658
root     yago_sys       7792  38 tcp4   37.187.73.33:17051    181.192.14.237:14634
root     yago_sys       7792  39 tcp4   37.187.73.33:17051    200.117.41.101:49368
root     yago_sys       7792  40 tcp4   37.187.73.33:17051    89.115.49.35:55590
root     yago_sys       7792  41 tcp4   37.187.73.33:17051    217.217.16.74:52424
root     yago_sys       7792  42 tcp4   37.187.73.33:17051    89.115.49.35:50939
root     yago_sys       7792  45 tcp4   37.187.73.33:17051    83.53.161.214:49969
root     yago_sys       7792  46 tcp4   37.187.73.33:17051    84.123.80.19:60211
root     yago_sys       7792  48 tcp4   37.187.73.33:17051    84.123.80.19:60218
root     yago_sys       7792  49 tcp4   37.187.73.33:17051    83.53.161.214:50000

You could try running tcpdump() and capture some packets to see what type of traffic is being exchanged.

I'm looking to put this PF on my server; what do you think about it? Is it good? Is there something I can do to make it better?

The firewall will not protect you if your web application can be exploited. My guess is that the intruder got her way in using a vulnerability in your application. Of course, I don't know for how long the server has been in production and how often you do update your software. Is your application running any scripts with root privileges?

The best thing for you right now is to backup all the important data, shutdown the server (your host will eventually shut it down) and seek professional help in order to reinstall your system, audit your applications and create a proper security strategy.

I am not trying to mock you here but it is obvious that you don't have the necessary skills in order to run this by yourself.
 
From what you described, you just compiled a new kernel with ipfirewall() in a permissive state with no rules whatsoever. Also, pf.conf is irrelevant to ipfirewall.

Sure, thanks for explaining that. And what do you think about the pf.conf that I posted before? Is it even good?


Because of this:
Code:
root     yago_sys       7792  28 tcp4   37.187.73.33:65022    37.187.73.33:24633
...
root     yago_sys       7792  49 tcp4   37.187.73.33:17051    83.53.161.214:50000

You could try running tcpdump() and capture some packets to see what type of traffic is being exchanged.

The firewall will not protect you if your web application can be exploited. My guess is that the intruder got her way in using a vulnerability in your application. Of course, I don't know for how long the server has been in production and how often you do update your software. Is your application running any scripts with root privileges?

The best thing for you right now is to backup all the important data, shutdown the server (your host will eventually shut it down) and seek professional help in order to reinstall your system, audit your applications and create a proper security strategy.

I am not trying to mock you here but it is obvious that you don't have the necessary skills in order to run this by yourself.


I didn't understand why that could be a problem. It shows that I have people connected to the system, no? I made a couple of updates, but nothing big, and if I'm not wrong the system doesn't need root privileges to run.

And yes, I can understand that if they can exploit my system I'm not safe, but to defend myself right now from those "attacks", is there something I can do?

PS: Even with my system offline I'm still getting this high data transfer.
 
I didn't understand why that could be a problem. It shows that I have people connected to the system, no? I made a couple of updates, but nothing big, and if I'm not wrong the system doesn't need root privileges to run.

That is part of the general problem that I tried to describe earlier, when I said that you don't have the necessary skills in order to run this by yourself.
You don't understand that having so many processes running with root privileges on those ports, in an ESTABLISHED state, means that your server is compromised.
You insist on trying to "fix" this using a firewall and you fail to realize that the problem is in a higher layer.
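As an added example (not code from the thread), here is a Python triage of `sockstat -46` output that mechanises the two checks made in this thread: the earlier advice to bind MySQL to lo0 and open nothing that is not required (it flags listeners bound to all interfaces on ports that are not meant to be public, such as mysqld on *:3306), and the final point above (it flags root-owned commands holding established connections to several distinct remote hosts on an unexpected port, the yago_sys case on 17051). The allowed-port set {22, 80} and the peer threshold of 3 are assumptions; the sample listing is constructed from a few lines modelled on the output posted above and is not the full listing.

```python
"""Triage `sockstat -46` output: which sockets face the internet that should not,
and which root-owned daemons hold many established connections on odd ports."""
import sys
from collections import defaultdict

# Assumptions for this example: only SSH and HTTP are meant to be reachable from
# the internet, and a root-owned daemon talking to at least this many distinct
# remote hosts on any other port deserves a hard look.
ALLOWED_PUBLIC_PORTS = {22, 80}
ROOT_PEER_THRESHOLD = 3

# Constructed sample modelled on the sockstat listings posted in the thread
# (a handful of lines, not the full output).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1739  3  tcp6   *:80                  *:*
www      httpd      1739  4  tcp4   *:80                  *:*
www      httpd      1732  13 tcp4   37.187.73.33:80       186.125.122.72:60218
root     sshd       1515  3  tcp4   37.187.73.33:22       189.83.48.139:53330
root     sendmail   875   3  tcp4   127.0.0.1:25          *:*
root     sshd       862   4  tcp4   *:22                  *:*
mysql    mysqld     840   20 tcp4 6 *:3306                *:*
root     syslogd    535   9  udp4   *:514                 *:*
root     yago_sys   7792  28 tcp4   37.187.73.33:65022    37.187.73.33:24633
root     yago_sys   7792  29 tcp4   37.187.73.33:17051    200.117.41.101:60542
root     yago_sys   7792  30 tcp4   37.187.73.33:17051    201.210.225.118:52420
root     yago_sys   7792  31 tcp4   37.187.73.33:17051    87.221.59.66:1236
?        ?          ?     ?  tcp4   37.187.73.33:80       201.210.225.118:50391
"""


def split_addr(addr):
    """'*:3306' -> ('*', 3306). rpartition keeps IPv6 literals like '::1:22' intact."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_sockstat(text):
    """Turn sockstat lines into dicts; skips the header and anything malformed."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "USER":
            continue
        # FreeBSD prints a dual-stack socket as "tcp4 6", which split() cuts in two.
        if len(t) == 8 and t[5] == "6":
            t = t[:4] + [t[4] + "6"] + t[6:]
        if len(t) != 7:
            continue
        user, command, pid, fd, proto, local, foreign = t
        rows.append({"user": user, "command": command, "pid": pid, "proto": proto,
                     "local": local, "foreign": foreign})
    return rows


def triage(rows):
    """Return findings: exposed listeners and root daemons with many remote peers."""
    findings = []
    peers = defaultdict(set)   # (user, command, local port) -> distinct remote hosts
    for r in rows:
        host, port = split_addr(r["local"])
        if r["foreign"] == "*:*":   # listening socket
            if host in ("*", "0.0.0.0", "::") and port not in ALLOWED_PUBLIC_PORTS:
                findings.append({"kind": "exposed_listener", "command": r["command"],
                                 "user": r["user"], "proto": r["proto"], "port": port,
                                 "advice": "bind to 127.0.0.1/lo0 or filter it"})
        else:                       # connected socket: record the remote host
            fhost, _ = split_addr(r["foreign"])
            peers[(r["user"], r["command"], port)].add(fhost)
    for (user, command, port), hosts in peers.items():
        if user == "root" and port not in ALLOWED_PUBLIC_PORTS and len(hosts) >= ROOT_PEER_THRESHOLD:
            findings.append({"kind": "root_service_with_peers", "command": command,
                             "user": user, "port": port, "peers": len(hosts),
                             "advice": "unexpected root daemon with remote peers: "
                                       "treat the host as possibly compromised"})
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SOCKSTAT
    for finding in triage(parse_sockstat(text)):
        print(finding)
```

Save the listing first (`sockstat -46 > /tmp/sockstat.txt`) and run the script on the file; on the sample it reports mysqld and syslogd as exposed listeners and yago_sys on 17051 as a root daemon with three remote peers, while sshd on 22 and sendmail on 127.0.0.1 pass. A finding of the second kind is a reason to image and rebuild, not to write a firewall rule.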
 