Please confirm this is a ddos attack [Logs]
Please confirm this is a ddos attack [Logs] #1
Someone has attacked my CSS server, which is running on my dedicated server at home.

I got a picture of the logs, and in my eyes it looks like a DDoS.

[Image: pwOW0V1.png]

[Image: 7MFLH30.png]

The port I use for the server is 27015.

RE: Please confirm this is a ddos attack [Logs] #2
Confirmed from here sir.

RE: Please confirm this is a ddos attack [Logs] #3
In Wireshark:
src ip target ip protocol src port>target port

So ... something on 192.168.2.104 is sending all that traffic randomly, this looks similar to
nmap -sS 192.168.1.x but random targets...

So is it DDoS? I don't think so...

[edit] But I am still not sure, could you please share the cap file with us? (in case you still have it)...

Thanks

RE: Please confirm this is a ddos attack [Logs] #4
(02-10-2014, 01:00 AM)Ligeti Wrote: In Wireshark:
src ip target ip protocol src port>target port

So ... something on 192.168.2.104 is sending all that traffic randomly, this looks similar to
nmap -sS 192.168.1.x but random targets...

So is it DDoS? I don't think so...

[edit] But I am still not sure, could you please share the cap file with us? (in case you still have it)...

Thanks

You're right... I don't think he's being DDoS'd directly. The source IP and source port of the transmissions are of his server... the destinations are all external. They're also all different. It's not a targeted attack on someone so I would rule out being used as a slave to DDoS.

There is definitely something suspicious. I don't know anything about a CSS server though so I can't say much about it, but perhaps someone has compromised it? Or it's misconfigured in some way? That many consecutive RST packets seems to be odd though. Something is clearly not right.

Reply
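
The check the replies above apply by eye (is the server the source or the destination, and how many different destinations does it send to) can be run over exported packet rows. This is an added example, not part of any post in the thread; the sample rows, the flag column and the 0.8 threshold are assumptions, and only 192.168.2.104 and port 27015 come from the thread.

```python
from collections import Counter

SERVER_IP = "192.168.2.104"  # the source address discussed in the thread

# Constructed sample rows (not taken from the poster's capture), one packet per
# line: src ip, target ip, protocol, src port>target port, TCP flag (assumed column).
SAMPLE_ROWS = """\
192.168.2.104 203.0.113.7 TCP 27015>40112 RST
192.168.2.104 198.51.100.23 TCP 27015>51877 RST
192.168.2.104 203.0.113.91 TCP 27015>1034 RST
192.168.2.104 198.51.100.140 TCP 27015>60233 RST
203.0.113.7 192.168.2.104 TCP 40112>27015 SYN
192.168.2.104 192.0.2.55 TCP 27015>33871 RST
"""


def parse_row(line):
    """Split one summary row into named fields."""
    src, dst, proto, ports, flag = line.split()
    sport, dport = (int(p) for p in ports.split(">"))
    return {"src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "flag": flag}


def triage(text, server_ip, fanout_threshold=0.8):
    """Summarise traffic direction and destination spread for one host."""
    rows = [parse_row(l) for l in text.splitlines() if l.strip()]
    outbound = [r for r in rows if r["src"] == server_ip]
    inbound = [r for r in rows if r["dst"] == server_ip]
    dests = Counter(r["dst"] for r in outbound)
    stats = {
        "outbound": len(outbound),
        "inbound": len(inbound),
        "unique_destinations": len(dests),
        "rst_share": (sum(r["flag"] == "RST" for r in outbound) / len(outbound)
                      if outbound else 0.0),
    }
    if len(inbound) > len(outbound):
        stats["pattern"] = "inbound-heavy"          # host is mostly receiving
    elif not outbound:
        stats["pattern"] = "no-host-traffic"
    elif len(dests) / len(outbound) >= fanout_threshold:
        stats["pattern"] = "outbound-fanout"        # many different destinations
    else:
        stats["pattern"] = "outbound-concentrated"  # few destinations, many packets
    return stats


if __name__ == "__main__":
    print(triage(SAMPLE_ROWS, SERVER_IP))
```

The pattern label only describes direction and spread; it does not say why the host is sending the traffic.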

RE: Please confirm this is a ddos attack [Logs] #5
Thank you Geoff... I would really love to know more about this case, but it seems that Nille is too busy now to answer our questions.

I can create the same scenario using only hping by the way! But I don't see the point... Did it affect the network's performance significantly? (did I spell that right) lol

RE: Please confirm this is a ddos attack [Logs] #6
(02-10-2014, 03:21 AM)Ligeti Wrote: Thank you Geoff... I would really love to know more about this case, but it seems that Nille is too busy now to answer our questions.

I can create the same scenario using only hping by the way! But I don't see the point... Did it affect the network's performance significantly? (did I spell that right) lol

LOL I'm slightly impressed. I don't think I've ever heard anyone else reference hping before. It's a useful little tool I rank up there with netcat and nmap, but that type of hacking is generally out of the scope of the "hacker" communities like this lol.

Reply

RE: Please confirm this is a ddos attack [Logs] #7
Sure, I can share the file with you guys..

But it's 1GB :/

https://dl.dropboxusercontent.com/u/2640...dos.pcapng

RE: Please confirm this is a ddos attack [Logs] #8
@Geoff thanks for the "slight" compliment :)

@Nille it's OK :Not-Amused: *joking*

Thanks for sharing anyway :)