walker Posted April 6, 2011

Hello,

First off, please excuse my complete inexperience in these matters. Everything I know (not being that much) is self taught, so there are large gaps.

I own and collocate a dedicated server in the UK. Mainly I use the server for VoIP and a few game servers. Recently, the server has been under what is best described as a very small DoS attack. It's not quite blocking up the connection entirely, but it is causing intermittent lag spikes and occasionally complete loss of connection. With nothing running on the server at all, there is a constant .20-.30% network usage with spikes of up to 2.50% (this is on a 100Mbps connection).

To find out what this mystery network usage could be, I installed Microsoft's Network Monitor 3.4 and I found several culprits. Below is an image from the network monitor.

As you can see from the image above, the following IPs are sending about 200~ each per second.

208.43.236.122/6
21.34.158.1
89.238.144.11

Some of the requests are using the HTTP protocol and seem to be targeting Call of Duty server ports (28960/5).

I have no use for HTTP on my server, so the first thing I did was to try and block port 80 through the Windows firewall. This had no effect. Then I tried to block the individual IPs through the Windows firewall, but again with no success. They still showed up in the Network Monitor even though they were supposedly blocked by the firewall. However, to block an IP through the Windows firewall, I selected the option for "All Programs" even though in the Network Monitor there is nothing in the "Process Name" column. Could this be the reason that it is not working? (link to the guide I used to block the IP: https://support.gearhost.com/KB/a520/block-ip-address-with-windows-firewall-2008.aspx )

I also tried banning the IPs through IPSec, but again to no avail. (link to the guide I used: http://forums.webhostautomation.com/showthread.php?t=2906&page=1 )

I apologise for the long post! I wanted to make sure there was as much information as possible, and I am at my wits' end with this problem! Any help would be greatly appreciated!

Walker
ICTCity Posted April 6, 2011

I need more information:

1) What is running on your server? Which programs can be contacted from the internet?
2) Can you post the output of "netstat -an |find /i "listening" "?
3) When you say that "blocking port 80 has no effect", I think it's because the connection COMES from port 80.

Do you just have the Windows firewall, or other systems to protect your server?

--------------------------------------------------------
You can also write in French. You can also write in German. You can also write in Italian.
--------------------------------------------------------
walker (Author) Posted April 6, 2011

Thank you for your reply. Please find some answers below!

1) The server normally runs a few game servers, like Call of Duty 1 & 4. I also run a control panel called TCADMIN that controls the game servers and some voice servers like TeamSpeak 3. *Please note*: when I refer to discovering the constant .20-.30% network usage, this is when I had shut down all game and voice servers, including TCAdmin. The only application running on the server that communicates with the internet would have been RD.
2) I cannot do this right now as the server is in use. I will get these results for you later tonight.
3) I am just using the Windows firewall.

Thank you for your time so far!

Walker
ICTCity Posted April 6, 2011

I still need the netstat output; anyway, for now I can tell you one other thing you can do:

Open Windows Firewall (start > run > wf.msc). Create a new INBOUND rule > CUSTOM > All Programs > under Protocol and Ports leave everything as is and click Next > in Scope select "These IP addresses" in the second text box (REMOTE IP) > Block the connection, and then you're finished.

Now under MONITORING > Firewall you should be able to see the blocking rule.

Let me know.
walker (Author) Posted April 7, 2011

Hello,

I was hoping to get these results to you sooner, however my ISP disconnected me last night so I could not do anything! Here are the results you asked for:

C:\Users\Administrator>netstat -an |find /i "listening"
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5800 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5900 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49158 0.0.0.0:0 LISTENING
TCP 92.48.91.202:139 0.0.0.0:0 LISTENING
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:3389 [::]:0 LISTENING
TCP [::]:49152 [::]:0 LISTENING
TCP [::]:49153 [::]:0 LISTENING
TCP [::]:49154 [::]:0 LISTENING
TCP [::]:49155 [::]:0 LISTENING
TCP [::]:49156 [::]:0 LISTENING
TCP [::]:49158 [::]:0 LISTENING

I will follow the next set of instructions you provided for the firewall now and get back to you soon.

Walker
walker (Author) Posted April 7, 2011

Hi,

I followed your instructions, and I could see the blocking rule in the MONITORING window; however, I could still see the IPs connecting through the Network Monitor and the network usage was unaffected.

Thanks once again for taking the time to help, it is very much appreciated.

Walker
ICTCity Posted April 8, 2011

Ok, let's try a different way.

Open "Local Security Settings": http://technet.microsoft.com/en-us/library/cc775651%28WS.10%29.aspx

Right click on "IP Security Policies on Local pc" and select "Manage IP Filter lists". On the first tab, click ADD, type a name and again click Add. Click Next and enter a description, Next, and as SOURCE address select "A specific IP". Type the IP you want to block and click Next. Under "destination" you can leave ANY IP ADDRESS and click Next until Finish (you can select the HTTP protocol in the last screen, but it's not mandatory; you can block that IP completely, it's up to you!).

Let me know if this helps you.

Anyway, is it correct that you have enabled RDP/VNC on the internet? (ports 3389, 5800 and 5900 open)
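The listening-port check behind ICTCity's question, as an added example that is not part of the thread: it parses a trimmed copy of the netstat listing walker posted and flags remote-access services bound to every interface (0.0.0.0 or ::), which is what makes them reachable from the internet unless a firewall rule restricts them. The port-to-service names (3389 RDP, 5800/5900 VNC) are the usual defaults and are assumed here.

```python
import re

# Trimmed copy of the "netstat -an | find /i "listening"" output posted in
# the thread; the full listing has more ephemeral (49152+) ports.
NETSTAT_OUTPUT = """\
TCP    0.0.0.0:135          0.0.0.0:0    LISTENING
TCP    0.0.0.0:445          0.0.0.0:0    LISTENING
TCP    0.0.0.0:3389         0.0.0.0:0    LISTENING
TCP    0.0.0.0:5800         0.0.0.0:0    LISTENING
TCP    0.0.0.0:5900         0.0.0.0:0    LISTENING
TCP    0.0.0.0:49152        0.0.0.0:0    LISTENING
TCP    92.48.91.202:139     0.0.0.0:0    LISTENING
TCP    [::]:135             [::]:0       LISTENING
TCP    [::]:3389            [::]:0       LISTENING
TCP    [::]:49152           [::]:0       LISTENING
"""

# Default ports of the remote-access services discussed in the thread (assumed).
REMOTE_ACCESS_PORTS = {3389: "RDP", 5800: "VNC (browser viewer)", 5900: "VNC"}
WILDCARD_BINDS = {"0.0.0.0", "::"}   # bound on every interface, so internet-facing

# proto, local endpoint, foreign endpoint, optional state (UDP lines have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:135' -> ('::', 135)."""
    host, _, port = endpoint.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, int(port)


def parse_listeners(text):
    """Return [(proto, host, port)] for every LISTENING line in netstat output."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4) != "LISTENING":
            continue
        host, port = split_endpoint(m.group(2))
        listeners.append((m.group(1), host, port))
    return listeners


def audit_remote_access(text):
    """Return {port: service} for remote-access services bound to all interfaces."""
    exposed = {}
    for proto, host, port in parse_listeners(text):
        if proto == "TCP" and host in WILDCARD_BINDS and port in REMOTE_ACCESS_PORTS:
            exposed[port] = REMOTE_ACCESS_PORTS[port]
    return exposed
```

A listener on a specific address (here 139 on 92.48.91.202) or on a port outside the remote-access set is reported by parse_listeners but not flagged, so the audit answers exactly the question ICTCity asked.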
walker (Author) Posted April 9, 2011

I will try out your next set of instructions on Monday night as I am away this weekend. However, in regards to your last question, I enabled RD through the default setup on the firewall. I did not set any custom ports for RD to use, and I am not using VNC.

Regards,
Walker
ICTCity Posted April 9, 2011

Mhhhh, MAYBE your server has been compromised... because on your server there's VNC which is listening.

My next suggestion is to go here: http://HTTP://www.logmein.com/ and install it on your server. Once you're sure it works, remove Remote Desktop connection and VNC, and change the password of LogMeIn again. Now in settings you can set it up so that you receive an e-mail every time someone tries to connect.

Let me know.