
noob here.

My droplet has experienced an outgoing DoS attack, as informed by Digital Ocean, and networking has been disabled.

This has happened twice in the last two days. The previous droplet was also compromised in a similar manner and networking was disabled.

Would appreciate any help in discerning what caused such a spike in outbound network traffic. Specifically, I'm looking for ways to check the history of the network traffic on my Ubuntu based VPS.

I came across many tools like iftop and others like it. But I cannot use them as networking has been disabled on the droplet. How do I go about figuring out what caused the attack? What command-line tools can I use for this? And what signs should I look for when searching for suspicious activity? Are there any log files I should check?

srijanshukla
    What externally accessible services are you running on the droplet? I interpret "Outgoing DoS" to mean your server is generating outbound traffic (probably as part of a larger attack), which usually suggests a mis-configured, DoS-friendly service running on your system such as DNS or NTP. – USD Matt Apr 20 '17 at 10:08
  • Sorry, I am not aware of any such 'externally accessible services'. Could you guide me through what these DoS-friendly services are? The droplet was running a rails application, in development mode. That's all. – srijanshukla Apr 20 '17 at 10:29
  • I was suspicious that you may have something like a DNS resolver accessible to the Internet. I normally wouldn't expect something like a rails application to create DoS traffic. Unfortunately it's difficult to know without seeing the network traffic while it's happening. Do Digital Ocean not provide any record of the traffic they saw which caused them to disable the droplet? Does your rails app log access requests showing an unusual spike in requests? – USD Matt Apr 20 '17 at 10:33
  • I checked my rails application log. Nothing suspicious there. Digital Ocean just sent a mail stating that there is an outbound traffic exceeding 1679.12 Mb/s. I have asked for more information regarding the traffic. – srijanshukla Apr 20 '17 at 10:48
  • Something in your code or droplet might make it easy for attackers to break into your system and use it for DDoS attacks. You need to make sure your code and system are secure, and then start from scratch with a system that is secure. – Tero Kilkanen Apr 20 '17 at 12:24
  • In addition to the above, DigitalOcean has a community page about the topic: https://www.digitalocean.com/community/questions/my-droplet-has-been-compromised-and-is-sending-an-outgoing-flood-or-ddos-what-do-i-do. – David B. Apr 21 '17 at 07:57
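The comments above point at two things a practitioner checks first on a droplet like this one, both of which work offline over the console: whether a UDP amplification service (DNS, NTP, SSDP, memcached and the like) was bound to a public address, and whether /var/log/auth.log shows a successful SSH login right after a burst of failures from the same IP. The script below is an added example and is not code from the original post or its commenters; it parses constructed `ss -tulpn` output and constructed auth.log lines (the hostnames, PIDs and IPs are made up) and flags both patterns. On a real host, feed it the output of `ss -tulpn` and the contents of /var/log/auth.log instead of the samples.

```python
"""Offline triage for a host suspected of sending outbound flood traffic.

Added example, not from the original question. Inputs are constructed:
SS_SAMPLE imitates `ss -tulpn` output and AUTH_SAMPLE imitates lines from
Ubuntu's /var/log/auth.log. Hostnames, PIDs and IP addresses are made up.
"""
import re
from collections import defaultdict

# UDP ports commonly abused for reflection/amplification floods.
AMPLIFICATION_PORTS = {
    19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP",
    1900: "SSDP", 11211: "memcached",
}

# Process name inside the `users:(("name",pid=...,fd=...))` column of ss.
PROC_RE = re.compile(r'users:\(\("(?P<proc>[^"]+)"')
# sshd lines: "Accepted password for deploy from 203.0.113.45 port 51040 ssh2"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample of `ss -tulpn` output.
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*         users:(("named",pid=1234,fd=20))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=600,fd=12))
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*         users:(("ntpd",pid=900,fd=16))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=800,fd=3))
tcp   LISTEN 0      128    0.0.0.0:3000       0.0.0.0:*         users:(("ruby",pid=2000,fd=9))
udp   UNCONN 0      0      [::]:11211         [::]:*            users:(("memcached",pid=1500,fd=26))
"""

# Constructed sample of /var/log/auth.log lines.
AUTH_SAMPLE = """\
Apr 19 02:14:01 droplet sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
Apr 19 02:14:03 droplet sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
Apr 19 02:14:05 droplet sshd[2104]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Apr 19 02:14:09 droplet sshd[2107]: Accepted password for deploy from 203.0.113.45 port 51040 ssh2
Apr 19 08:30:11 droplet sshd[2300]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
"""


def _split_local(local):
    """'0.0.0.0:53' -> ('0.0.0.0', '53'); '[::]:11211' -> ('[::]', '11211')."""
    addr, _, port = local.rpartition(":")
    return addr.split("%", 1)[0], port  # drop a '%lo' style scope suffix


def _is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"


def exposed_amplifiers(ss_output):
    """Return [(port, service, process)] for every UDP amplification service
    in `ss -tulpn` output that is bound to a non-loopback address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "udp":
            continue
        addr, port = _split_local(fields[4])
        if not port.isdigit():
            continue
        port = int(port)
        if port in AMPLIFICATION_PORTS and not _is_loopback(addr):
            m = PROC_RE.search(line)
            findings.append((port, AMPLIFICATION_PORTS[port], m.group("proc") if m else "?"))
    return findings


def suspicious_logins(auth_log, min_failures=3):
    """Return [(ip, user, failures_so_far)] for each Accepted SSH login that
    follows at least `min_failures` failed attempts from the same IP."""
    failures = defaultdict(int)
    flagged = []
    for line in auth_log.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if m.group("result") == "Failed":
            failures[ip] += 1
        elif failures[ip] >= min_failures:
            flagged.append((ip, m.group("user"), failures[ip]))
    return flagged


if __name__ == "__main__":
    for port, name, proc in exposed_amplifiers(SS_SAMPLE):
        print(f"exposed UDP {name} on port {port} ({proc})")
    for ip, user, n in suspicious_logins(AUTH_SAMPLE):
        print(f"login as {user} from {ip} after {n} failures")
```

The exposed-service check matches the commenters' suspicion (an Internet-facing resolver or NTP daemon being used as a reflector); the login check covers the other common cause, a brute-forced SSH account. Neither needs the network, so both can be run from the provider's console on a droplet whose networking has been cut. If the sysstat or vnstat packages happened to be installed before the incident, `sar -n DEV` and `vnstat` also give per-interface traffic history; without them, the historical numbers only exist on the provider's side.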

0 Answers