
I have a VPS and have several sites on it. Usually these sites are rarely visited except by myself, so I was shocked by one fact: I visited the VPS provider's portal and found I had used a huge amount of bandwidth that such small sites would never use.

So I ran ntop, reset all statistics, then refreshed the ntop web portal through port 3000 and found the diagram really shocking: DNS traffic occupies nearly 99 percent of all traffic, and the DNS traffic is nearly 100MB in several minutes. You can see this fact in the picture I uploaded.

Horrible DNS Traffic happened in 5 minutes on a personal VPS

My questions are as follows:

1. Why is there such huge DNS traffic on my VPS?
2. Has my VPS been hacked by someone, so that my VPS is configured as a core of DNS traffic?

Edit 1: @RSchulze, why did you say the reason is a misconfiguration of DNS software such as named? Which kind of misconfiguration could result in such huge DNS traffic? BTW, I don't configure named manually; I configure it using Kloxo, which is host management software, and its author just committed suicide over a hack attack against Kloxo :( I still think my server may be hacked :( Maybe I should learn Wireshark and capture some packets in order to know the origin and target of this DNS traffic.

Edit 2: After I killed the named process there is seldom any DNS traffic now :) But why is there still some DNS-related traffic, and why is it all received traffic, with no sent traffic :) Does that mean my VPS sends some DNS requests to other hosts?


giantforest

  • Without any information it's hard to tell but very probably it's a DNS amplification attack. Research it. – faker Oct 11 '13 at 15:06
  • Which kind of information do you need, @faker? If you ask, I would add the information you need to my question :) – giantforest Oct 11 '13 at 15:08
  • Since the graph doesn't say which direction the traffic is flowing I'd assume you are either the target of a DoS, or your server is being used as part of a larger DoS (if your DNS server responds to DNS queries from the internet). Google "DNS Amplification Attacks". – RSchulze Oct 11 '13 at 15:09
  • I am not sure, maybe my server is hacked, but how do I find clues as to whether I am really hacked, and whether the hacker has made some backdoors on my VPS? How do I check this? – giantforest Oct 11 '13 at 15:31
  • Based on the information provided it is very unlikely you were "hacked". It looks more like abuse of misconfigured services (DNS). – RSchulze Oct 11 '13 at 16:02
  • @RSchulze please see Edit 1 :) I have replied to you in the original question :) – giantforest Oct 11 '13 at 17:04
  • Funny, just last week was this question ( http://serverfault.com/questions/544136/how-can-i-isolate-the-source-of-outgoing-bandwidth-usage-on-vps-server ) about a VPS using Kloxo with enormous DNS traffic problems. – TessellatingHeckler Oct 11 '13 at 17:09
  • "it's author just sucided for hack attack against kloxo" - 1. This happened 4 years ago. 2. This is irrelevant to the question. 3. There were many factors at play, not just the problems with kloxo/hyperVM. 4. Don't appropriate someone else's tragedy to make your point about your question. – joeqwerty Oct 11 '13 at 17:22
  • [Administration panels are off topic](http://serverfault.com/help/on-topic). [Even the presence of an administration panel on a system,](http://meta.serverfault.com/q/6538/118258) because they [take over the systems in strange and non-standard ways, making it difficult or even impossible for actual system administrators to manage the servers normally](http://meta.serverfault.com/a/3924/118258), and tend to indicate low-quality questions from *users* with insufficient knowledge for this site. – HopelessN00b Apr 09 '15 at 18:59

2 Answers

DNS relay attack in progress, I bet.

Check:

http://slashdot.org/story/06/03/16/1658209/ddos-attacks-via-dns-recursion

for the details and an example, or

http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack (which has a good example to show you what is going on).

Basically your DNS server gets requests from a fake IP address and sends large responses there. The goal is to overload the target. The source is a misconfigured DNS server.

TomTom

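As an added illustration of the traffic pattern described in this answer (example code written for this page, not part of either answer): a small Python script that takes constructed per-packet records for port 53 in the assumed shape (direction, remote host, query type, bytes), flags remote hosts that receive far more response bytes from the server than they send in queries (the spoofed victims of an amplification attack), and also shows the sent/received split the asker mentions in Edit 2.

```python
"""Flag likely DNS amplification abuse from simple per-packet records.

The record format (direction, remote_ip, qtype, bytes) is an assumption made
for this example; it is not ntop's export format.
"""
from collections import defaultdict

# Constructed sample: many small ANY queries arriving "from" one address (the
# spoofed victim), each answered with a large response, plus one normal lookup.
SAMPLE_FLOWS = (
    [("in", "203.0.113.9", "ANY", 64)] * 40        # queries, spoofed source
    + [("out", "203.0.113.9", "ANY", 3200)] * 40   # responses, ~50x larger
    + [("in", "198.51.100.4", "A", 60), ("out", "198.51.100.4", "A", 90)]
)


def summarize(flows):
    """Per-remote-host counters: queries, bytes in, bytes out, ANY queries."""
    stats = defaultdict(lambda: {"q": 0, "in_bytes": 0, "out_bytes": 0, "any": 0})
    for direction, ip, qtype, size in flows:
        s = stats[ip]
        if direction == "in":
            s["q"] += 1
            s["in_bytes"] += size
            if qtype == "ANY":
                s["any"] += 1
        else:
            s["out_bytes"] += size
    return stats


def amplification_suspects(flows, min_ratio=10.0, min_queries=20):
    """Remote hosts that get far more bytes back than they send: likely
    spoofed victims. Returns {ip: out/in byte ratio}."""
    suspects = {}
    for ip, s in summarize(flows).items():
        ratio = s["out_bytes"] / s["in_bytes"] if s["in_bytes"] else 0.0
        if s["q"] >= min_queries and ratio >= min_ratio:
            suspects[ip] = round(ratio, 1)
    return suspects


def direction_split(flows):
    """Total bytes received vs sent. Once named is stopped, 'out' drops to
    zero while 'in' persists: spoofed queries keep arriving but get no reply."""
    total = {"in": 0, "out": 0}
    for direction, _ip, _qtype, size in flows:
        total[direction] += size
    return total


if __name__ == "__main__":
    print("suspects:", amplification_suspects(SAMPLE_FLOWS))
    print("bytes by direction:", direction_split(SAMPLE_FLOWS))
```

On real data, feed the same tuples from a tcpdump or ntop export of UDP/53 traffic; a handful of sources with a ratio in the tens and a flood of ANY queries is the signature of an open resolver being abused.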
Another, less likely, attack vector is data exfiltration via DNS. This works by querying a particular [attacker-owned] domain, where the attacker is able to craft the responses depending on the host being queried. Data can be exfiltrated in the DNS query payload, and C&C information can be returned in the response.

Like I say, this is a less likely attack vector, but it's a nifty way of getting data out of an environment that doesn't allow HTTP(S) outbound, but does allow DNS.

Good luck in finding the answer...

Simon Catlin