
How to investigate a DDoS that was launched from my machine?


u7e

Hi,

I am really a newbie when it comes to security.

I have an instance hosted on Amazon; it only has an LDAP server installed and an Apache server hosting phpLDAPadmin, and there is one more instance (the client) that connects to this instance to authenticate using LDAP.

I was conducting a load test on the client, and after a while I got the following email from Amazon regarding the LDAP server:

It has come to our attention that Denial of Service (DoS) attacks were launched from your instance to IP(s) xxx.xxx.xxx.xxx via TCP port(s) 53. Please investigate your instance(s) and reply detailing the corrective measures you will be taking to address this activity

I am trying to find out what exactly happened, to be able to resolve this problem. I have checked auth.log and found a lot of break-in attempts, but none of them were successful; the only accepted

Thanks in advance,

u7e


By load test I mean running ~1000 concurrent requests for a URL on a web app hosted on Tomcat.

I don't think the load test triggered it, as I was testing a web app on the client machine and the complaint is pointing at the LDAP server.

Thanks


If Tomcat does authentication against this LDAP server, it could result in a fair bit of traffic which might be interpreted as a DDoS. I would suggest you look at the log file for the LDAP server and see if you can determine what traffic that thing was producing. You may have misconfigured it such that someone is reflecting off of it in an effort to boost the traffic volume. You should be able to quickly see this based on the source and destination IPs. If you don't recognise either, it wasn't your load test doing stuff. If it was, you can just email Amazon the logs and an explanation that you were doing a load test resulting in the traffic described in the logs. If they conclude something is still amiss, they should be more clear on just what the issue was that triggered their alert.

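The reply above suggests reading the LDAP server's log and sorting the traffic by source IP to see whether it came from your own load test or from somewhere you don't recognise. The script below is an added example (not posted by anyone in this thread and not tied to the poster's server) of doing that mechanically for an OpenLDAP (slapd) server logging at the default "stats" level: it tallies connections, successful binds and failed binds per source address and flags any source that is not in a list of clients you know about. The log lines are constructed for the example; the known-client list, the example addresses and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in OpenLDAP (slapd) "stats" log format (syslog prefix,
# then conn=/op= records). Not taken from the poster's instance.
# 10.0.1.20 plays the role of the poster's own client instance;
# 203.0.113.77 is an address nobody in the example recognises.
SAMPLE_LOG = """\
Mar  3 10:00:01 ldap slapd[1234]: conn=1000 fd=12 ACCEPT from IP=10.0.1.20:51234 (IP=0.0.0.0:389)
Mar  3 10:00:01 ldap slapd[1234]: conn=1000 op=0 BIND dn="uid=app,ou=svc,dc=example,dc=com" method=128
Mar  3 10:00:01 ldap slapd[1234]: conn=1000 op=0 RESULT tag=97 err=0 text=
Mar  3 10:00:01 ldap slapd[1234]: conn=1000 fd=12 closed
Mar  3 10:00:02 ldap slapd[1234]: conn=1001 fd=13 ACCEPT from IP=10.0.1.20:51235 (IP=0.0.0.0:389)
Mar  3 10:00:02 ldap slapd[1234]: conn=1001 op=0 BIND dn="uid=app,ou=svc,dc=example,dc=com" method=128
Mar  3 10:00:02 ldap slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
Mar  3 10:00:05 ldap slapd[1234]: conn=1002 fd=14 ACCEPT from IP=203.0.113.77:40001 (IP=0.0.0.0:389)
Mar  3 10:00:05 ldap slapd[1234]: conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Mar  3 10:00:05 ldap slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Mar  3 10:00:06 ldap slapd[1234]: conn=1003 fd=15 ACCEPT from IP=203.0.113.77:40002 (IP=0.0.0.0:389)
Mar  3 10:00:06 ldap slapd[1234]: conn=1003 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Mar  3 10:00:06 ldap slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
"""

# ACCEPT lines tie a connection number to the peer address; every later
# op= record for that connection carries only the conn= number.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
# tag=97 is the BindResponse; err=0 is success, err=49 is invalidCredentials.
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")


def summarize(log_text, known_clients):
    """Per-source-IP counts of connections and bind outcomes from slapd stats logs."""
    conn_ip = {}            # conn number -> source IP (from the ACCEPT line)
    accepts = Counter()     # source IP -> number of TCP connections accepted
    bind_ok = Counter()
    bind_fail = Counter()
    pending_binds = set()   # (conn, op) pairs whose BIND we have seen but not its RESULT
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            accepts[m.group(2)] += 1
            continue
        m = BIND_RE.search(line)
        if m:
            pending_binds.add((m.group(1), m.group(2)))
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending_binds:
            pending_binds.discard((m.group(1), m.group(2)))
            ip = conn_ip.get(m.group(1), "?")
            if m.group(3) == "0":
                bind_ok[ip] += 1
            else:
                bind_fail[ip] += 1
    return {
        ip: {
            "connections": n,
            "bind_ok": bind_ok[ip],
            "bind_fail": bind_fail[ip],
            "known": ip in known_clients,
        }
        for ip, n in accepts.items()
    }


def unknown_sources(report):
    """Source IPs that talked to the LDAP server but are not in the known-client list."""
    return sorted(ip for ip, r in report.items() if not r["known"])


if __name__ == "__main__":
    # Assumed known client: the poster's own client instance (example address).
    report = summarize(SAMPLE_LOG, known_clients={"10.0.1.20"})
    for ip, r in sorted(report.items()):
        print(f"{ip:16} conns={r['connections']:4} bind_ok={r['bind_ok']:4} "
              f"bind_fail={r['bind_fail']:4} {'known' if r['known'] else 'UNKNOWN'}")
    print("unknown sources:", unknown_sources(report))
```

Run it against the real log (on Debian/Ubuntu slapd usually logs to syslog, so grep the `slapd[` lines out of /var/log/syslog) with your client instance's private address in the known-client set. A large connection count from your own client during the load-test window supports the "it was the load test" explanation to send Amazon; a large or failed-bind-heavy count from an address you don't recognise points elsewhere. One caveat: this log only shows who connected to the LDAP server, while Amazon's complaint is about connections going out from the instance to TCP port 53, which slapd would never originate itself. So alongside the log review, look at what process on the instance is opening those outbound connections (for example with `ss -tnp` or `netstat -tnp` while the traffic is occurring), since an unknown process making connections to port 53 would indicate the instance itself has been compromised rather than misused as a reflector.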
