Security Corner

Apr 9 2013   1:44AM GMT

Could my client’s server be part of the Spamhaus DDoS attack?

Ken Harthun

In the wake of what is reported to be the largest DDoS attack ever–actually a DNS amplification attack–I received a message on behalf of one of my clients that indicated his server had been shut down because of an outbound DoS attack originating from it. How it got infected, and with what, I don’t know, but something is surely amiss. I wonder if his server could be part of that massive attack. Here’s a redacted excerpt from the notice I received:

Your <redacted> Server was found to be part of a network of compromised machines
leading a Distributed Denial-of-Service Attack (DDoS Attack) against other servers.

IMPORTANT: In order to prevent further criminal activity from your <redacted> Server,
we have suspended access pending an investigation and resolution.

The logs they sent me show UDP packets indicating that this could be part of a DNS amplification attack. Take a look:

Please see the firewall logs below for details:
1365103763.526228 IP > UDP, length 1
1365103763.526232 IP > UDP, length 1
1365103763.526234 IP > UDP, length 1
1365103763.526236 IP > UDP, length 1

That’s all I know for now. I have to contact the provider, open a window of time to gain access, and secure the server. I’ll keep you posted.
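As an added example (not from the original post or the provider's notice), here is how a defender could triage tcpdump-style UDP firewall logs like the ones quoted above to see whether a host is emitting a flood: each line is parsed, packets are bucketed per destination per second, and any burst over a threshold is reported, with a flag for whether every packet touched port 53, the pattern expected when a server is being used for DNS amplification. The addresses, ports and sample log lines are constructed, since the real notice was redacted.

```python
import re
from collections import defaultdict

# tcpdump-style UDP line; addresses/ports here are constructed (the notice was redacted):
# "1365103763.526228 IP 192.0.2.10.45123 > 198.51.100.53.53: UDP, length 40"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)

def parse_line(line):
    """Parse one UDP log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": float(d["ts"]), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "length": int(d["length"])}

def find_udp_bursts(lines, threshold=100):
    """Bucket outbound UDP packets by (destination, whole second) and report every
    bucket with at least `threshold` packets. A burst where every packet touches
    port 53 is marked dns_related, the pattern expected in DNS amplification."""
    buckets = defaultdict(lambda: {"count": 0, "bytes": 0, "dns": 0})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue  # skip headers, blank lines and non-UDP records
        b = buckets[(p["dst"], int(p["ts"]))]
        b["count"] += 1
        b["bytes"] += p["length"]
        if 53 in (p["sport"], p["dport"]):
            b["dns"] += 1
    return [{"dst": dst, "second": sec, "packets": b["count"], "bytes": b["bytes"],
             "dns_related": b["dns"] == b["count"]}
            for (dst, sec), b in sorted(buckets.items()) if b["count"] >= threshold]

# Constructed sample: 120 small queries to one resolver within a single second,
# plus one unrelated packet in the next second that should not be flagged.
SAMPLE_LOG = [
    f"1365103763.{526228 + i:06d} IP 192.0.2.10.{40000 + i} > 198.51.100.53.53: UDP, length 64"
    for i in range(120)
] + ["1365103764.000100 IP 192.0.2.10.5353 > 203.0.113.7.5353: UDP, length 200"]

if __name__ == "__main__":
    for f in find_udp_bursts(SAMPLE_LOG):
        print(f"{f['dst']} @ {f['second']}: {f['packets']} pkts, "
              f"{f['bytes']} bytes, dns_related={f['dns_related']}")
```

Feed it the full log the provider supplies (one line per packet) and raise or lower the threshold to match the host's normal UDP rate; a bucket of hundreds of same-destination packets per second with port 53 on every line is the signature to escalate.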
