This morning I opened a ticket with our server provider because our server was down, and even though it would come back up after a reboot it would go down again within a few minutes. They claim this is because the server was under attack and running out of memory; I've provided their evidence below. I manually blocked the IP address in question in CSF immediately after rebooting the server again, and it fixed the problem. The question is, shouldn't CSF have banned this IP address automatically for the attack?
---
Your server is immediately running out of memory, because someone is attacking you.
Here's output from the network sniffer:
root@xxxxxxx:~# tcpdump -i eth0 -n not tcp port 22
11:49:33.765294 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 345432:346892, ack 1673, win 256, length 1460
11:49:33.765417 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 346892:348352, ack 1673, win 256, length 1460
11:49:33.765541 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 348352:349812, ack 1673, win 256, length 1460
11:49:33.765663 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 349812:351272, ack 1673, win 256, length 1460
11:49:33.765786 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 351272:352732, ack 1673, win 256, length 1460
11:49:33.765909 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 352732:354192, ack 1673, win 256, length 1460
11:49:33.766032 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 354192:355652, ack 1673, win 256, length 1460
11:49:33.766155 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 355652:357112, ack 1673, win 256, length 1460
11:49:33.766203 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [P.], seq 357112:357741, ack 1673, win 256, length 629
11:49:33.774497 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 357741:359201, ack 1673, win 256, length 1460
11:49:33.774618 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 359201:360661, ack 1673, win 256, length 1460
11:49:33.774742 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 360661:362121, ack 1673, win 256, length 1460
11:49:33.774864 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 362121:363581, ack 1673, win 256, length 1460
11:49:33.774987 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 363581:365041, ack 1673, win 256, length 1460
11:49:33.775110 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 365041:366501, ack 1673, win 256, length 1460
11:49:33.775233 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 366501:367961, ack 1673, win 256, length 1460
11:49:33.775366 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 367961:369421, ack 1673, win 256, length 1460
11:49:33.775404 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [P.], seq 369421:370050, ack 1673, win 256, length 629
11:49:33.775599 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 370050:371510, ack 1673, win 256, length 1460
11:49:33.775720 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 371510:372970, ack 1673, win 256, length 1460
11:49:33.775845 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 372970:374430, ack 1673, win 256, length 1460
11:49:33.775967 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 374430:375890, ack 1673, win 256, length 1460
11:49:33.776089 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 375890:377350, ack 1673, win 256, length 1460
11:49:33.776213 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 377350:378810, ack 1673, win 256, length 1460
11:49:33.776337 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 378810:380270, ack 1673, win 256, length 1460
[snipped ... there were hundreds (maybe thousands) more entries like this.]
Unblocked attack?
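One thing worth checking before asking why a firewall did not react is what kind of traffic the capture actually shows. Every line above has the same source port (17040) and contiguous sequence numbers, so it is a single established connection to port 25 moving a lot of data, not many connection attempts; a limit that counts connections per source IP sees that as one connection. The script below is an added example for triaging such a capture, not code from this thread or from CSF. It parses tcpdump's one-line TCP summaries and aggregates per source IP (packets, payload bytes, distinct flows, SYNs), then labels each source as a single flow or many flows. As inputs it reuses four lines copied from the capture above and a constructed sample of many connection attempts from the documentation address 198.51.100.7 (not from the page).

```python
import re
from collections import defaultdict

# tcpdump's default one-line TCP summary, e.g.
# 11:49:33.765294 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 345432:346892, ack 1673, win 256, length 1460
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)$"
)

# Four lines copied verbatim from the capture posted in the thread.
PAGE_CAPTURE_SAMPLE = [
    "11:49:33.765294 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 345432:346892, ack 1673, win 256, length 1460",
    "11:49:33.765417 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 346892:348352, ack 1673, win 256, length 1460",
    "11:49:33.765541 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [.], seq 348352:349812, ack 1673, win 256, length 1460",
    "11:49:33.766203 IP 216.32.181.186.17040 > 69.64.46.210.25: Flags [P.], seq 357112:357741, ack 1673, win 256, length 629",
]

# Constructed contrast sample (not from the page): 30 separate connection
# attempts from one documentation address, each from a new source port.
CONSTRUCTED_CONNECTION_SAMPLE = [
    f"11:50:00.{i:06d} IP 198.51.100.7.{40000 + i} > 69.64.46.210.25: "
    f"Flags [S], seq {1000 * i}, win 65535, length 0"
    for i in range(30)
]


def parse_line(line):
    """Parse one tcpdump TCP summary line; return a dict or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "length"):
        d[key] = int(d[key])
    return d


def summarize(lines):
    """Aggregate per source IP: packets, payload bytes, distinct flows, SYN count.

    A flow is (source port, destination IP, destination port); one TCP
    connection keeps the same source port, so contiguous data from one
    connection counts as a single flow no matter how many packets it has.
    """
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": set(), "syn": 0})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue  # skip non-TCP or unparseable lines
        s = stats[p["src"]]
        s["packets"] += 1
        s["bytes"] += p["length"]
        s["flows"].add((p["sport"], p["dst"], p["dport"]))
        if "S" in p["flags"]:  # SYN set: a new connection attempt
            s["syn"] += 1
    return {ip: {**v, "flows": len(v["flows"])} for ip, v in stats.items()}


def classify(summary):
    """Label each source: 'single-flow' (one connection, however much data)
    or 'multi-flow' (many connections, which a per-IP connection limit would see)."""
    return {ip: ("single-flow" if s["flows"] == 1 else "multi-flow")
            for ip, s in summary.items()}


if __name__ == "__main__":
    for sample in (PAGE_CAPTURE_SAMPLE, CONSTRUCTED_CONNECTION_SAMPLE):
        summary = summarize(sample)
        for ip, s in summary.items():
            print(ip, s, classify(summary)[ip])
```

Run against a saved capture with `summarize(open("capture.txt").readlines())`; a source that shows up as `single-flow` with a large byte count is a case for a rate or bandwidth control on the service itself (here SMTP), while a `multi-flow` source with many SYNs is what a per-IP connection-count rule is designed to catch.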
Re: Unblocked attack?
Ask your data center to put your server behind a physical firewall; most data centers do this for free for a term of 24 hours.
Sergio
Re: Unblocked attack?
Not sure what good that will do... As I said, blocking that IP seems to have solved the problem. I'm just surprised I had to do it manually, as I'd have expected that CSF would have blocked the IP on its own after seeing so many connection attempts from it.