
ESXi server is transferring 11MB/s for a week now.


TomOVH
16/01/2014, 12h35
Hello,

Apologies for our delay. The new anti ddos mailing list is antiddos@ovh.net

OmegaIII
15/01/2014, 22h11
Quote: Originally posted by buddy
Hi, another piece of information found on the French forum: http://www.freebsd.org/security/advi...14:02.ntpd.asc (I know that's for FreeBSD but maybe you should adapt it)
Thanks a mil buddy! Seems like a good idea.

I also found that we can activate the firewall ourselves. So I blocked all IPs for incoming. The DoS attack now isn't visible anymore.
Let's wait if it has any other impact.

Because even if the rule says to block all IPs, our admins can still access vSphere.

buddy
15/01/2014, 19h42
Quote: Originally posted by buddy
The support team may answer you to identify clearly the attack so check your email address and please keep us up-to-date.
Hi, another piece of information found on the French forum: http://www.freebsd.org/security/advi...14:02.ntpd.asc (I know that's for FreeBSD but maybe you should adapt it)

buddy
15/01/2014, 09h16
The support team may answer you to identify clearly the attack so check your email address and please keep us up-to-date.

OmegaIII
15/01/2014, 07h44
Quote: Originally posted by buddy
Hi,

I think it's an attack on NTP.

Mail the support team (anti-ddos / anti_attack) (with the log)
ddos@ml.ovh.net

maybe you should "subscribe" first
ddos-subscribe@ml.ovh.net
Thank you buddy.
I've sent a mail to the DDoS mailing list.

The subscribe mail address didn't work though.

I hope it'll get resolved now.

buddy
14/01/2014, 22h59
Hi,

I think it's an attack on NTP.

Mail the support team (anti-ddos / anti_attack) (with the log)
ddos@ml.ovh.net

maybe you should "subscribe" first
ddos-subscribe@ml.ovh.net

OmegaIII
14/01/2014, 21h26
Our ESXi server ks398819 has been transferring 11MB/s for a week now even though no VMs are active. The server is showing this in its Network Graph, and MRTG confirms this in the OVH manager.

We already disabled all VMs and put ESXi in maintenance mode, without relief.
tcpdump -i vmnic0 shows a ton of NTPv2 packets.

MRTG graph: http://i.imgur.com/ijjgvZo.png
I have a 1.3GB log from 1.5 hours of tcpdump if needed, from when the server was in maintenance mode and doing nothing...

A little excerpt:

16:10:06.698450 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.698612 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.698628 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.698641 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.698655 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.698675 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.698682 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.698852 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.698861 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.698868 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.698875 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.698882 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.698891 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.698898 IP static.40.83.4.46.clients.your-server.de.ntp > ks398819.ntp: NTPv2, Reserved, length 8
16:10:06.698906 IP ks398819 > static.40.83.4.46.clients.your-server.de: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.699118 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.699134 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.699147 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.699161 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.699180 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.699188 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.699362 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.699371 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.699378 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.699395 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.699403 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.699409 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.699649 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.699665 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.699679 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.699691 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.699712 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.699719 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.699901 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.699916 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.699930 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.699943 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36

Can anyone from OVH take a look at why this is happening all of a sudden?
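The capture above shows an NTP reflection flood from the victim's side: inbound 440-byte NTPv2 mode-7 replies (tcpdump prints mode 7, the private mode used by monlist, as "Reserved") that the host never requested, each answered with ICMP port unreachable because nothing is listening on 123. As an added example, not from this thread, the Python below parses tcpdump lines in that format and flags the pattern; the sample lines are constructed from the excerpt, and ntp.example.net is a made-up legitimate time server added so the solicited/unsolicited split is visible.

```python
import re
from collections import Counter

# Constructed sample modelled on the tcpdump excerpt in the post. The last two lines are
# an added legitimate client query and its reply (ntp.example.net is made up).
SAMPLE = """\
16:10:06.698450 IP ks398819 > 75-95-4-10.day.clearwire-dns.net: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.698612 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:06.698898 IP static.40.83.4.46.clients.your-server.de.ntp > ks398819.ntp: NTPv2, Reserved, length 8
16:10:06.698906 IP ks398819 > static.40.83.4.46.clients.your-server.de: ICMP ks398819 udp port ntp unreachable, length 36
16:10:06.699118 IP truncated-ip - 386 bytes missing! 75-95-4-10.day.clearwire-dns.net.ntp > ks398819.ntp: NTPv2, Reserved, length 440
16:10:07.000000 IP ks398819.ntp > ntp.example.net.ntp: NTPv4, Client, length 48
16:10:07.010000 IP ntp.example.net.ntp > ks398819.ntp: NTPv4, Server, length 48
"""

# "truncated-ip" only means the snaplen cut the capture; "length" is the real UDP payload size.
NTP_RE = re.compile(r"^\S+ IP (?:truncated-ip - \d+ bytes missing! )?"
                    r"(?P<src>\S+)\.ntp > (?P<dst>\S+)\.ntp: "
                    r"NTPv\d, (?P<mode>[^,]+), length (?P<len>\d+)$")
ICMP_RE = re.compile(r"^\S+ IP (?P<src>\S+) > \S+: ICMP \S+ udp port ntp unreachable, length \d+$")


def analyze(capture, local):
    """Summarise NTP traffic seen by host `local` and flag unsolicited replies."""
    queried = set()          # servers `local` itself sent a Client-mode request to
    unsolicited = Counter()  # bytes of unrequested inbound NTP per source host
    pkts = Counter()
    icmp = 0
    for line in capture.splitlines():
        if m := NTP_RE.match(line):
            src, dst, mode, length = m["src"], m["dst"], m["mode"], int(m["len"])
            if src == local and mode == "Client":
                queried.add(dst)
            elif dst == local and not (mode == "Server" and src in queried):
                # mode-7 "Reserved" packets, or Server replies we never asked for
                unsolicited[src] += length
                pkts[src] += 1
        elif (m := ICMP_RE.match(line)) and m["src"] == local:
            icmp += 1  # we rejected it: proof the traffic was never requested
    total = sum(unsolicited.values())
    return {
        "unsolicited_packets": sum(pkts.values()),
        "unsolicited_bytes": total,
        "top_sources": unsolicited.most_common(3),
        "icmp_port_unreachable": icmp,
        "reflection_suspected": total > 0 and icmp > 0,
    }
```

Fed the full 1.3GB capture, `top_sources` gives the list of abused NTP servers to send to the anti-DDoS team, and `unsolicited_bytes` divided by the capture duration is the inbound rate to compare against the 11MB/s seen on the graph.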