Olej писал(а): ↑15 фев 2020, 04:45
На VDS-сервер форума была жёсткая DDoS-атака, начало около 22:16 14.02.2020 г., плотность потока запросов до 338 Mbit/s.
И форум был отключен от сети хостером.
Интересно... От хостера, в ответ на ругань и в подтверждение DDoS-атаки, получен протокол сетевых обменов, снятый Wireshark.
Интересно потому, что далеко не всегда такой материал можно посмотреть (по принципу: что же это за падаль? откуда IP?).
olej@ACER:~/2020_WORK/rus.linux.net.hist$ /sbin/tcpdump -r host_185.178.47.95_202002142016.pcap
reading from file host_185.178.47.95_202002142016.pcap, link-type EN10MB (Ethernet)
22:16:07.753761 IP 83.69.2.180 > linux-ru.ru: udp
22:16:07.753485 IP mx.base3.it.domain > linux-ru.ru.32073: 11588| 29/0/0 RRSIG, RRSIG, RRSIG, RRSIG, RRSIG, RRSIG, DNSKEY[|domain]
22:16:07.753487 IP mx.base3.it > linux-ru.ru: udp
22:16:07.753490 IP mx.base3.it > linux-ru.ru: udp
22:16:07.753490 IP cdc.cloudsi.fr.ldap > linux-ru.ru.9714: UDP, bad length 2816 > 1472
22:16:07.753492 IP cdc.cloudsi.fr > linux-ru.ru: udp
22:16:07.753537 IP 129.232.200.10.domain > linux-ru.ru.5407: 41514| 25/0/0 RRSIG, SOA, AAAA 2600:1f18:46d5:1100:4526:5944:91c8:a5b, TXT "adobe-idp-site-verification="c5bd8e9e38c19e39bab26f49615f8fef78d1865faa2ce8bfe0c941b0b1d5bd29"", TXT "@" "3600" "IN" "TXT" "adobe-idp-site-verification="c5bd8e9e38c19e39bab26f49615f8fef78d1865faa2ce8bfe0c941b0b1d5bd29"", RRSIG, RRSIG, RRSIG, RRSIG, RRSIG, RRSIG[|domain]
22:16:07.753588 IP 204.237.182.206.ldap > linux-ru.ru.60241: UDP, bad length 2919 > 1472
22:16:07.753606 IP ec2-13-127-150-186.ap-south-1.compute.amazonaws.com.ldap > linux-ru.ru.42654: UDP, bad length 3044 > 1328
22:16:07.753608 IP ec2-13-127-150-186.ap-south-1.compute.amazonaws.com > linux-ru.ru: udp
22:16:07.753608 IP ec2-13-127-150-186.ap-south-1.compute.amazonaws.com > linux-ru.ru: udp
22:16:07.753611 IP 204.237.182.206 > linux-ru.ru: udp
22:16:07.753614 IP v22019082015895770.supersrv.de.ldap > linux-ru.ru.13964: UDP, bad length 3089 > 1472
22:16:07.753617 IP v22019082015895770.supersrv.de > linux-ru.ru: udp
22:16:07.753618 IP v22019082015895770.supersrv.de > linux-ru.ru: udp
22:16:07.753623 IP 91-185-52-250-irk.cust.dsi.ru.domain > linux-ru.ru.30166: 33530| 27/0/0 MX mx2.peacecorps.iphmx.com. 20, MX mx1.peacecorps.iphmx.com. 10, DNSKEY, DNSKEY, DNSKEY, RRSIG, RRSIG, RRSIG[|domain]
22:16:07.753639 IP pc0251.suceava.rdsnet.ro.domain > linux-ru.ru.41435: 42664| 28/0/0 A 52.202.206.232, DNSKEY, RRSIG, DNSKEY, RRSIG, RRSIG, RRSIG, RRSIG, RRSIG[|domain]
22:16:07.753640 IP pc0251.suceava.rdsnet.ro > linux-ru.ru: udp
22:16:07.753641 IP pc0251.suceava.rdsnet.ro > linux-ru.ru: udp
22:16:07.753667 IP 100.42.229.130 > linux-ru.ru: udp
22:16:07.753696 IP 109.204.233.35.bc.googleusercontent.com > linux-ru.ru: udp
22:16:07.753698 IP 109.204.233.35.bc.googleusercontent.com > linux-ru.ru: udp
22:16:07.753717 IP 129.232.200.10 > linux-ru.ru: udp
22:16:07.753727 IP ip117.jeloin.se.ldap > linux-ru.ru.45077: UDP, bad length 3026 > 1472
22:16:07.753729 IP ip117.jeloin.se > linux-ru.ru: udp
22:16:07.753730 IP ip117.jeloin.se > linux-ru.ru: udp
22:16:07.753729 IP 91-185-52-250-irk.cust.dsi.ru > linux-ru.ru: udp
22:16:07.753737 IP dhclient-94.100.148.163.flashcable.ch.domain > linux-ru.ru.25538: 21582 14/1/1 AAAA 2600:1f18:46d5:1100:4526:5944:91c8:a5b, TXT "MS=ms93096948", TXT "google-site-verification=gIEZUYY9g2-1blybvLN_bniEoxie4FWclulHw6DvZUU", TXT "70hsPSk6sIjXz6uh9q2YU/hnsCdOQ03YzYXRibP8NwtyW2G6wVLNZNtsF2rRhG4r0gEP40lS9ats/EvBWhs9zA==", TXT "adobe-idp-site-verification=c5bd8e9e38c19e39bab26f49615f8fef78d1865faa2ce8bfe0c941b0b1d5bd29", TXT "adobe-idp-site-verification="c5bd8e9e38c19e39bab26f49615f8fef78d1865faa2ce8bfe0c941b0b1d5bd29"", TXT "v=spf1 mx ip4:65.205.231.173 ip4:65.205.231.174 ip4:65.205.231.175 ip4:65.205.231.176 ip4:68.232.140.78 include:customers.clickdimensions.com include:amazonses.com exists:%{i}.spf.PeaceCorps.iphmx.com ~all", TXT "@" "3600" "IN" "TXT" "adobe-idp-site-verification="c5bd8e9e38c19e39bab26f49615f8fef78d1865faa2ce8bfe0c941b0b1d5bd29"", NS ns0.PEACECORPS.GOV., DNSKEY, DNSKEY, DNSKEY, DNSKEY[|domain]
22:16:07.753737 IP ns1.lpt.uct.cl.ldap > linux-ru.ru.51069: UDP, bad length 2938 > 1472
22:16:07.753739 IP dhclient-94.100.148.163.flashcable.ch > linux-ru.ru: udp
22:16:07.753756 IP static.77.25.203.116.clients.your-server.de.ldap > linux-ru.ru.43530: UDP, bad length 2950 > 1472
22:16:07.753760 IP 109x195x147x206.static-customer.ufa.ertelecom.ru.domain > linux-ru.ru.22049: 24191| 24/0/0 RRSIG, TXT "adobe-idp-site-verification=c5bd8e9e38c19e39bab26f49615f8fef78d1865faa2ce8bfe0c941b0b1d5bd29", TXT "adobe-idp-site-verification="c5bd8e9e38c19e39bab26f49615f8fef78d1865faa2ce8bfe0c941b0b1d5bd29"", RRSIG, RRSIG, RRSIG, RRSIG, RRSIG, RRSIG[|domain]
22:16:07.753783 IP 129.232.200.10 > linux-ru.ru: udp
22:16:07.753799 IP 91-185-52-250-irk.cust.dsi.ru > linux-ru.ru: udp
22:16:07.753803 IP 185.137.234.126.ldap > linux-ru.ru.9714: UDP, bad length 3082 > 1472
22:16:07.753812 IP static.77.25.203.116.clients.your-server.de > linux-ru.ru: udp
22:16:07.753814 IP 192.162.102.247.ldap > linux-ru.ru.30648: UDP, bad length 3010 > 1472
22:16:07.753815 IP 112.216.51.154.ldap > linux-ru.ru.54008: UDP, bad length 2635 > 1472
22:16:07.753820 IP 192.162.102.247 > linux-ru.ru: udp
22:16:07.753821 IP 192.162.102.247 > linux-ru.ru: udp
22:16:07.753823 IP 185.137.234.126 > linux-ru.ru: udp
22:16:07.753824 IP 185.137.234.126 > linux-ru.ru: udp
22:16:07.753845 IP host-183-107-139-37.sevstar.net.domain > linux-ru.ru.36584: 21582 26/1/0 TXT "v=spf1 mx ip4:65.205.231.173 ip4:65.205.231.174 ip4:65.205.231.175 ip4:65.205.231.176 ip4:68.232.140.78 include:customers.clickdimensions.com include:amazonses.com exists:%{i}.spf.PeaceCorps.iphmx.com ~all", TXT "70hsPSk6sIjXz6uh9q2YU/hnsCdOQ03YzYXRibP8NwtyW2G6wVLNZNtsF2rRhG4r0gEP40lS9ats/EvBWhs9zA==", TXT "google-site-verification=gIEZUYY9g2-1blybvLN_bniEoxie4FWclulHw6DvZUU", TXT "MS=ms93096948", TXT "@" "3600" "IN" "TXT" "adobe-idp-site-verification="c5bd8e9e38c19e39bab26f49615f8fef78d1865faa2ce8bfe0c941b0b1d5bd29"", RRSIG, RRSIG, RRSIG, RRSIG, RRSIG, RRSIG[|domain]
...
Дальше, думаю, хватит...
Любопытно, откуда эта падаль? Заметьте: в дампе видны только UDP-ответы DNS (с порта domain, крупные DNSSEC-записи RRSIG/DNSKEY) и LDAP (с порта ldap, с пометкой «bad length … > 1472», то есть датаграммы длиннее уместившегося в пакет и, по-видимому, фрагментированные) на запросы, которых форум не посылал, — поэтому адреса источников, скорее всего, принадлежат не атакующему, а чужим серверам, использованным как отражатели при подменённом адресе отправителя, и whois по ним показывает владельца отражателя и его abuse-контакт, а не организатора атаки.
Некоторые IP:
... С.-Петербург:
olej@ACER:~$ whois 185.137.234.126
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '185.137.234.0 - 185.137.234.255'
% Abuse contact for '185.137.234.0 - 185.137.234.255' is 'abuse@selectel.ru'
inetnum: 185.137.234.0 - 185.137.234.255
netname: SELECTEL-NET
descr: Selectel Network
status: ASSIGNED PA
country: RU
admin-c: TL5407-RIPE
admin-c: KS9134-RIPE
admin-c: CMH-RIPE
tech-c: SA32710-RIPE
mnt-by: MNT-SELECTEL
created: 2019-05-13T16:47:32Z
last-modified: 2019-05-13T16:47:32Z
source: RIPE
role: SELECTEL-NOC
address: Russia, Saint-Petersburg, Cvetochnaya st. 21
admin-c: CMH-RIPE
admin-c: KS9134-RIPE
tech-c: CMH-RIPE
tech-c: KS9134-RIPE
nic-hdl: SA32710-RIPE
mnt-by: mnt-selectel
created: 2015-01-19T15:40:16Z
last-modified: 2019-04-15T10:47:55Z
source: RIPE # Filtered
person: Cyrill Malevanov
address: Selectel Ltd
address: Cvetochnaya st. 21
address: 190000, Saint-Petersburg
address: Russia
phone: +78126778036
fax-no: +78126778036
nic-hdl: CMH-RIPE
mnt-by: mnt-selectel
created: 2005-10-24T12:00:08Z
last-modified: 2015-01-19T15:37:28Z
source: RIPE # Filtered
person: Kirill Sizov
address: 190000, Russia, Saint-Petersburg, Tsvetochnaya 21A
phone: +78126778036
org: ORG-SL223-RIPE
nic-hdl: KS9134-RIPE
mnt-by: MNT-SELECTEL
created: 2017-04-17T17:07:36Z
last-modified: 2017-04-17T17:07:36Z
source: RIPE # Filtered
person: Tatyana Litvinova
address: 190000, Russia, Saint-Petersburg, Tsvetochnaya 21A
phone: +78126778036
nic-hdl: TL5407-RIPE
mnt-by: MNT-SELECTEL
created: 2018-02-01T13:19:15Z
last-modified: 2018-02-01T13:19:15Z
source: RIPE
% Information related to '185.137.232.0/22AS49505'
route: 185.137.232.0/22
descr: Selectel Route Object
origin: AS49505
mnt-by: MNT-SELECTEL
created: 2018-10-08T12:40:40Z
last-modified: 2018-10-08T12:40:40Z
source: RIPE
% This query was served by the RIPE Database Query Service version 1.96 (BLAARKOP)
... Сербия:
olej@ACER:~$ whois 185.102.238.214
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '185.102.236.0 - 185.102.239.255'
% Abuse contact for '185.102.236.0 - 185.102.239.255' is 'abuse@astratelekom.com'
inetnum: 185.102.236.0 - 185.102.239.255
netname: RS-ASTRATELEKOM-20150602
country: RS
org: ORG-ATDB1-RIPE
admin-c: SP15019-RIPE
tech-c: AA29726-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-by: rs-astratelekom-1-mnt
mnt-routes: rs-astratelekom-1-mnt
created: 2015-06-02T16:55:37Z
last-modified: 2019-09-16T09:51:14Z
source: RIPE
organisation: ORG-ATDB1-RIPE
org-name: ASTRA TELEKOM DOO BEOGRAD
org-type: LIR
address: Milentija Popovica 9 - Sava Centar
address: 11070
address: Belgrade
address: SERBIA
admin-c: SP15019-RIPE
tech-c: AA29726-RIPE
abuse-c: AR33487-RIPE
mnt-ref: rs-astratelekom-1-mnt
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: rs-astratelekom-1-mnt
created: 2015-09-14T07:46:56Z
last-modified: 2019-08-27T07:52:04Z
source: RIPE # Filtered
phone: +381114422009
person: Admin AstraTelekom
address: Milentija Popovica 9 - Sava Centar
address: 11070
address: Belgrade
address: SERBIA
phone: +381608230125
nic-hdl: AA29726-RIPE
mnt-by: rs-astratelekom-1-mnt
created: 2015-09-14T07:46:54Z
last-modified: 2019-09-11T10:30:52Z
source: RIPE
person: Miroslav Sudar
address: Milentija Popovica 9 - Sava Centar
address: 11070
address: Belgrade
address: SERBIA
phone: +381608230125
nic-hdl: SP15019-RIPE
mnt-by: rs-astratelekom-1-mnt
created: 2015-09-14T07:46:54Z
last-modified: 2019-09-11T10:29:15Z
source: RIPE
% Information related to '185.102.236.0/22AS203877'
route: 185.102.236.0/22
origin: AS203877
mnt-by: rs-astratelekom-1-mnt
created: 2019-09-16T14:51:37Z
last-modified: 2019-09-16T14:51:37Z
source: RIPE
% This query was served by the RIPE Database Query Service version 1.96 (ANGUS)