u7e Posted January 3, 2016 Hi, I am really a newbie when it comes to security. I have an instance hosted on Amazon; it only has an LDAP server installed, an Apache server hosting phpLDAPadmin, and one more instance (Client) that connects to this instance to authenticate using LDAP. I was conducting a load test on the Client, and after a while got the following email from Amazon regarding the LDAP server: It has come to our attention that Denial of Service (DoS) attacks were launched from your instance to IP(s) xxx.xxx.xxx.xxx via TCP port(s) 53. Please investigate your instance(s) and reply detailing the corrective measures you will be taking to address this activity I am trying to know what happened exactly, to be able to resolve this problem. I have checked the auth.log and found a lot of break-in attempts, but none of them were successful, the only accepted Thanks in advance, u7e
Mr-Protocol Posted January 4, 2016 What do you mean by "Load Test"? That is probably what triggered it, if I had to guess.
u7e (Author) Posted January 4, 2016 By load test I mean running ~1000 concurrent requests for a URL on a web app hosted on Tomcat. I don't think the load test triggered it, as I was testing a web app on the client machine and the complaint is pointing to the LDAP server. Thanks
cooper Posted January 4, 2016 If Tomcat does authentication against this LDAP server, it could result in a fair bit of traffic which might be interpreted as a DDoS. I would suggest you look at the logfile for the LDAP server and see if you can determine what traffic that thing was producing. You may have misconfigured it such that someone is reflecting off of it in an effort to boost the traffic volume. You should be able to quickly see this based on the source and destination IPs. If you don't recognise either, it wasn't your load test doing stuff. If it was, you can just email Amazon the logs and an explanation that you were doing a load test resulting in the traffic described in the logs. If they conclude something is still amiss, they should be more clear on just what the issue was that triggered their alert.
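One way to do the source/destination check cooper describes, as an added example that is not from this thread or from either poster: it assumes the LDAP instance logs outbound connections with an iptables LOG rule (the `SRC=/DST=/PROTO=/DPT=` format the kernel emits), parses constructed sample lines, counts TCP flows to port 53 per source/destination pair, and flags any destination that is not the known client instance.

```python
import re
from collections import Counter

# Constructed sample of kernel iptables LOG output for the OUTPUT chain.
# 10.0.1.5 is the LDAP server, 10.0.1.20 the known client; the other
# addresses are documentation ranges, not real hosts from the thread.
SAMPLE_LOG = """\
Jan  3 10:12:01 ldap kernel: OUT: IN= OUT=eth0 SRC=10.0.1.5 DST=10.0.1.20 LEN=52 PROTO=TCP SPT=389 DPT=50122
Jan  3 10:12:02 ldap kernel: OUT: IN= OUT=eth0 SRC=10.0.1.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40001 DPT=53
Jan  3 10:12:02 ldap kernel: OUT: IN= OUT=eth0 SRC=10.0.1.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40002 DPT=53
Jan  3 10:12:03 ldap kernel: OUT: IN= OUT=eth0 SRC=10.0.1.5 DST=203.0.113.9 LEN=70 PROTO=UDP SPT=5353 DPT=53
Jan  3 10:12:04 ldap kernel: OUT: IN= OUT=eth0 SRC=10.0.1.5 DST=10.0.1.20 LEN=60 PROTO=TCP SPT=40003 DPT=53
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields of one LOG line, or None if absent."""
    fields = dict(FIELD_RE.findall(line))
    if {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return fields
    return None


def count_flows(log_text, proto="TCP", dport="53"):
    """Count logged outbound packets to dport/proto, keyed by (SRC, DST)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["PROTO"] == proto and f["DPT"] == dport:
            counts[(f["SRC"], f["DST"])] += 1
    return counts


def unknown_destinations(counts, known_peers):
    """Aggregate per destination and keep only hosts not in the allowlist.

    Anything left here is traffic the load test cannot explain and is what
    to look at (or send to Amazon) first."""
    per_dst = Counter()
    for (_src, dst), n in counts.items():
        if dst not in known_peers:
            per_dst[dst] += n
    return dict(per_dst)


if __name__ == "__main__":
    flows = count_flows(SAMPLE_LOG)
    for (src, dst), n in flows.most_common():
        print(f"{src} -> {dst}:53/tcp  {n} packets")
    print("unexplained:", unknown_destinations(flows, {"10.0.1.20"}))
```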