popcorrin
Member Candidate
Topic Author
Posts: 189
Joined: Wed Mar 11, 2009 12:55 am

Need help deciphering logs, potential attack?

Fri Jan 04, 2013 9:38 pm

About a week ago, I lost connectivity at my core. My core router became virtually inaccessible. I could only log on remotely for a couple of seconds before I would get kicked. Once I got onsite, it was still the same way. I could log in for just a couple of seconds before I would get booted.
I could not create a support file. The only tidbits of info I retrieved are that the CPU was at 100% and I took a screenshot of the log.
I also noticed the WAN port of my RB1100 was totally saturated, even though the traffic was going nowhere.

I rebooted the RB1100 and as soon as it came back up the same thing happened. I unplugged the WAN port and the router was accessible again. I replugged the WAN port and the issue would happen again. I took my IP off the WAN port and my router then stayed functional. When I torched the WAN port, I saw that the bulk of the traffic was coming from quite a few different IPs but I did not get a screenshot.

I rebooted the router once again along with the fiber converter that's in between my RB1100 and the fiber connection from my isp.

When it came back up the last time, things were back to normal.

I attached the screenshot of my log and the only thing it shows is a BFD error? Does that tell a person anything?

Is there a way to tell if the traffic was from an attack? Could a faulty network component cause the issue I was having? My ISP said they did see my traffic spike through their network when the issue happened so it wasn't some false reading that I was getting.
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Need help deciphering logs, potential attack?

Fri Jan 04, 2013 10:18 pm

It sounds like you got DDoS'ed hard.

The BFD problems were due to the CPU going 100% constantly and not being able to keep up with BFD updates, and the OSPF peer went down as well because of the BFD fails. But the BFD failed only because of the DDoS.
Unimus - configuration management, automation and backup solution
Mass Config Push, network-wide RouterOS upgrades, and more!
 
popcorrin
Member Candidate
Topic Author
Posts: 189
Joined: Wed Mar 11, 2009 12:55 am

Re: Need help deciphering logs, potential attack?

Sat Jan 05, 2013 8:28 am

It sounds like you got DDoS'ed hard.

The BFD problems were due to the CPU going 100% constantly and not being able to keep up with BFD updates, and the OSPF peer went down as well because of the BFD fails. But the BFD failed only because of the DDoS.
It was maxing out the gigabit port on my router. Didn't realize a DDOS attack could generate that kind of traffic.

Dang, what are some steps a person can take to combat a DDOS attack?
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Need help deciphering logs, potential attack?

Sat Jan 05, 2013 9:53 am

Not much really. You can get a more powerful router to deal with the DDoS CPU-wise, so your router doesn't actually die under attack (which would prevent BFD and OSPF flapping as well).

But if the attack was maxing your upstream connectivity, it would still have a negative impact on your customers. Sadly, there is not much you can do. DDoS attacks have taken down even the most major sites recently (LulzSec took down quite a few US gov sites even).
 
coffeecoco
Member Candidate
Posts: 175
Joined: Wed Oct 12, 2005 1:17 pm

Re: Need help deciphering logs, potential attack?

Sat Jan 05, 2013 11:58 am

It sounds like you got DDoS'ed hard.

The BFD problems were due to the CPU going 100% constantly and not being able to keep up with BFD updates, and the OSPF peer went down as well because of the BFD fails. But the BFD failed only because of the DDoS.
It was maxing out the gigabit port on my router. Didn't realize a DDOS attack could generate that kind of traffic.

Dang, what are some steps a person can take to combat a DDOS attack?
hah well congrats :P I remember my first DDoS attack, oh those were the days :)

synfloods are difficult, if they're spoofed, which appears as half-open connections from thousands of thousands.
they're designed to consume your resources, look up the forums for some synflood filter rules, BUT BEWARE, creating these rules themselves to drop the packets ITSELF will use up CPU resources.

so the idea is, for e.g., if you're NATting, try lowering the connection tracking connections, obviously this can affect services, think carefully about that.

if you're routing, well, if you keep getting these you're gonna have to get a more powerful box, or some kind of clever BGP / OSPF load balancing over to another router, so that when a link is saturated it shifts over to a different cost link/router, or perhaps VRRP.

You can keep your network live if you can spread the "CPU" resources through multiple routers.

As for the throughput, if you think you have enough resources you can try to filter it, but you can't stop incoming traffic unless you have further control of the upstream router and filter it there also.

In the end it's very difficult to stop. Try to take note of whether the attacker's DST was the IP of the ROUTER itself OR a Customer?
DDoS attacks are very common within the IRC community, perhaps you have a customer who chats on IRC with a bit of a smart mouth, and someone taught him a lesson.

Or the attacker knew your shit can't handle his wrath and he targeted the core router...

Also it might be time to start putting some kind of priority on your routing protocols.. that's if the Router can handle the resources.
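The triage questions raised in this thread (was it a spoofed SYN flood, how many sources, and was it aimed at the router's own address or at a customer behind it) can be answered from a torch-style flow snapshot. The script below is an added example, not code from any poster or from MikroTik: it builds a constructed snapshot in a tuple format of its own (src, dst, protocol, tcp flags, bytes), and assumes a WAN address of 203.0.113.1, a customer prefix of 203.0.113.128/25, and the thresholds in `triage()`; all of these are illustrative, not values from the thread.

```python
"""Triage a flow snapshot for DDoS indicators (added example, constructed data)."""
import ipaddress
from collections import Counter

# Assumed addressing for the example; replace with your own WAN IP and customer range.
ROUTER_IP = ipaddress.ip_address("203.0.113.1")
CUSTOMER_NET = ipaddress.ip_network("203.0.113.128/25")


def build_flood_sample():
    """Constructed snapshot: 200 SYN-only packets from 200 distinct sources aimed at
    the router's WAN address, mixed with 20 ordinary established flows to customers."""
    flows = []
    for i in range(200):
        src = str(ipaddress.ip_address("198.51.100.0") + i + 1)
        flows.append((src, str(ROUTER_IP), "tcp", "syn", 60))
    for i in range(20):
        src = f"192.0.2.{i % 10 + 1}"
        dst = f"203.0.113.{130 + i % 5}"
        flows.append((src, dst, "tcp", "psh,ack", 1400))
    return flows


def build_legit_sample():
    """Constructed snapshot with only ordinary customer traffic (negative case)."""
    return [(f"192.0.2.{i % 10 + 1}", f"203.0.113.{130 + i % 5}", "tcp", "psh,ack", 1400)
            for i in range(20)]


def triage(flows, router_ip=ROUTER_IP, customer_net=CUSTOMER_NET,
           syn_share_threshold=0.8, min_sources=50):
    """Summarise a flow snapshot and return a dict with the indicators and a verdict.

    syn_share       fraction of flows that are bare TCP SYNs (half-open signature)
    flood_sources   distinct source addresses among those SYNs
    target          'router' if the SYNs hit the router itself, 'customer' if they hit
                    the customer prefix, 'other' otherwise, 'none' when no SYNs present
    """
    total = len(flows)
    syn_flows = [f for f in flows if f[2] == "tcp" and f[3] == "syn"]
    syn_share = len(syn_flows) / total if total else 0.0
    flood_sources = len(Counter(f[0] for f in syn_flows))

    to_router = sum(1 for f in syn_flows if ipaddress.ip_address(f[1]) == router_ip)
    to_customer = sum(1 for f in syn_flows if ipaddress.ip_address(f[1]) in customer_net)
    if not syn_flows:
        target = "none"
    elif to_router >= to_customer and to_router > 0:
        target = "router"
    elif to_customer > 0:
        target = "customer"
    else:
        target = "other"

    # Many distinct sources sending only SYNs is the spoofed/distributed signature
    # described in the thread; a SYN-heavy snapshot from few sources is a weaker signal.
    if syn_share >= syn_share_threshold and flood_sources >= min_sources:
        verdict = "likely distributed SYN flood"
    elif syn_share >= syn_share_threshold:
        verdict = "possible SYN flood from few sources"
    else:
        verdict = "no flood signature"

    return {
        "total_flows": total,
        "syn_share": round(syn_share, 3),
        "flood_sources": flood_sources,
        "target": target,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in (("flood", build_flood_sample()), ("legit", build_legit_sample())):
        print(name, triage(sample))
```

The `target` field is the point coffeecoco raises: a flood aimed at the router's own address is what drives the CPU to 100% and takes BFD and OSPF down with it, whereas a flood aimed at a customer mainly saturates the WAN link. Thresholds are deliberately conservative defaults; tune them to what a normal torch of your WAN port looks like.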
