2

This is part of a mail that I received

The IP 69.89.6.235 is attacking our server at 94.23.204.191 and 87.98.168.239.80 with UDP flood.

I have a newsletter script that I use to send newsletters to a lot of emails on my site (with IP 69.89.6.235). The email database that I have has a lot of emails that are not active, but I still send to all of them. Could this be the possible cause of the UDP flood?

What are the other possible causes?

yankitwizzy
  • 163
  • 1
  • 2
  • 9

3 Answers

2

Mostly there is no "cause" for floods and the source IP address is likely to be faked. Make sure your system is not the source for UDP packets to these destination addresses, everything else is not your business.

the-wabbit
  • 40,737
  • 13
  • 111
  • 174
  • How do I check if my system is the source of the UDP packets? – yankitwizzy May 30 '11 at 14:05
  • As this seems to be a linux system just use `tcpdump -v -n host 94.23.204.191 or host 87.98.168.239.80` and check if it generates any output. If it doesn't, your system is not sending any packets (especially no udp packets) to any of the two mentioned systems. – the-wabbit May 30 '11 at 19:29
  • `[root@onehub entrepreneursecosystem.org]# tcpdump -v -n host 94.23.204.191` `tcpdump: WARNING: arptype 65535 not supported by libpcap - falling back to cooked socket` `tcpdump: listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes` This is what I got when I ran the command. Please what does it mean? – yankitwizzy May 31 '11 at 09:05
  • If you didn't get any more over an extended period of time (some minutes or maybe some hours), that means that no traffic is passing from your host to 94.23.204.191 over the interface venet0. If it is your only connecting interface (you can check using `ifconfig` and looking for other interface names aside from `venet0` and `lo`), chances are good that your host is not the source of the flood packets. – the-wabbit May 31 '11 at 09:50
1

No, sending email uses TCP and cannot be the cause for a UDP flood.

Use a sniffer like Wireshark or simply tcpdump to see if UDP traffic is really being sent. If so, you have probably been hacked and should reinstall the system.

If not, someone may be forging the source address, or the attack may be inactive at the moment. In any case, check your server for signs of infection (strange processes, etc.)

b0fh
  • 3,313
  • 1
  • 21
  • 32
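Both answers above come down to the same check: capture with tcpdump and see whether this host is actually emitting UDP toward the complained-about addresses. The following is an added example (not code from either answerer) that turns that manual check into something repeatable: it parses the single-line output of `tcpdump -n` (without `-v`), keeps only UDP packets whose destination is one of the complained-about hosts, and reports the packet rate sourced from this machine's own IP. It assumes the trailing `.80` in `87.98.168.239.80` is a port and uses `87.98.168.239` as the host; the capture lines, the `203.0.113.x` addresses and the 50 packets/second threshold are constructed for the example.

```python
import re
from collections import Counter

# Matches the single-line form printed by `tcpdump -n` (no -v) for IPv4 packets:
#   HH:MM:SS.ffffff IP src.sport > dst.dport: UDP, length N
#   HH:MM:SS.ffffff IP src.sport > dst.dport: Flags [S], seq ...   (TCP)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<kind>UDP|Flags)"
)

MY_IP = "69.89.6.235"                               # the newsletter host from the question
TARGETS = {"94.23.204.191", "87.98.168.239"}       # complained-about destinations (port stripped)


def parse_line(line):
    """Return ts (seconds since midnight), src, dst, dport, proto for one tcpdump line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mnt, s = m.group("ts").split(":")
    return {
        "ts": int(h) * 3600 + int(mnt) * 60 + float(s),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": "UDP" if m.group("kind") == "UDP" else "TCP",
    }


def udp_flows_to_targets(lines, targets):
    """Per (src, dst) flow with dst in targets: (udp packet count, seconds between first and last)."""
    counts, first, last = Counter(), {}, {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["proto"] != "UDP" or pkt["dst"] not in targets:
            continue  # TCP (e.g. SMTP) and unrelated destinations are ignored
        key = (pkt["src"], pkt["dst"])
        counts[key] += 1
        first.setdefault(key, pkt["ts"])
        last[key] = pkt["ts"]
    return {key: (n, last[key] - first[key]) for key, n in counts.items()}


def host_is_udp_source(lines, my_ip, targets, pps_threshold=50.0):
    """Decide whether my_ip sends UDP toward any target at or above pps_threshold packets/second.

    Returns (verdict, {target: packets_per_second}) for flows sourced from my_ip only.
    A single stray packet (e.g. one DNS query) is rated over a one-second floor, so it
    never looks like a flood; a sustained stream does.
    """
    rates = {}
    for (src, dst), (n, span) in udp_flows_to_targets(lines, targets).items():
        if src == my_ip:
            rates[dst] = n / max(span, 1.0)
    return any(r >= pps_threshold for r in rates.values()), rates


# Constructed capture 1: normal outbound SMTP plus 200 UDP packets in one second toward a target.
FLOOD_CAPTURE = [
    "14:05:00.000100 IP 69.89.6.235.45120 > 203.0.113.25.25: Flags [S], seq 1, win 64240, length 0",
    "14:05:00.000400 IP 203.0.113.25.25 > 69.89.6.235.45120: Flags [S.], seq 2, ack 2, win 65535, length 0",
] + [
    f"14:05:{i * 0.005:09.6f} IP 69.89.6.235.{51000 + i} > 94.23.204.191.80: UDP, length 1024"
    for i in range(200)
]

# Constructed capture 2: only SMTP traffic and one DNS query to an unrelated resolver.
CLEAN_CAPTURE = [
    "14:06:00.000100 IP 69.89.6.235.45121 > 203.0.113.25.25: Flags [S], seq 1, win 64240, length 0",
    "14:06:00.000300 IP 69.89.6.235.40001 > 203.0.113.53.53: UDP, length 48",
]


if __name__ == "__main__":
    import sys
    # Usage: tcpdump -n -l udp | python3 check_udp_source.py   (or run with no input for the samples)
    if not sys.stdin.isatty():
        flagged, rates = host_is_udp_source(sys.stdin.read().splitlines(), MY_IP, TARGETS)
        print("flood source" if flagged else "not a source", rates)
    else:
        for name, cap in (("flood sample", FLOOD_CAPTURE), ("clean sample", CLEAN_CAPTURE)):
            print(name, host_is_udp_source(cap, MY_IP, TARGETS))
```

Run it against a live capture with `tcpdump -n -l udp and '(host 94.23.204.191 or host 87.98.168.239)' | python3 check_udp_source.py` (`-l` line-buffers the output so the script sees packets as they arrive). Any non-empty rate from your own IP deserves a look; a sustained rate over the threshold means the flood really is leaving this box and b0fh's advice about infection applies, whereas an empty result over a long window supports the spoofed-source explanation.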
0

Someone is probably not happy with your spammy behavior. Stop sending e-mails to inactive addresses and allow the receivers to unsubscribe from your newsletter.

ZippyV
  • 213
  • 1
  • 6