My server is attacking other servers

Question

I've been reached by OVH multiple times regarding a dedicated server which I bought from them, and they're saying that the server is attacking other hosts on their network. The first time, the server was an open proxy due to a misconfiguration (I've enabled the proxy with Apache and didn't restrict it), so I've reinstalled the server and resolved the issue (that's what I thought).

And now it's the second time I've been reached by them saying that the server is attacking other nodes again, and here are the logs that they've provided me with:

Attack detail : 1Mpps/537Mbps
dateTime                   srcIp:srcPort           dstIp:dstPort           protocol flags     packets      bytes reason               
2022.10.31 02:34:14 CET    XX.XX.XX.XX:41980    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:34408    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:34408    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:34408    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:41980    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:41980    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:41980    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:41980    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:41980    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:41980    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:41980    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:34408    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:41980    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:34408    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:34408    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:41980    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:41980    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:41980    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:41980    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP           
2022.10.31 02:34:14 CET    XX.XX.XX.XX:34408    XXX.XXX.XXX.XXX:80       UDP      ---         16384    1048576 ATTACK:UDP          

As you can see this time, the attacks that the server is generating are UDP based, unlike the last time when they were TCP. And this time the proxy isn't even enabled, so what I'm doing wrong?

For the detail of the configuration (of the last installation), I have chosen Debian 11 in the templates that OVH provides as my OS. And I didn't install anything out of the ordinary in it besides apache2 and MariaDB.

I've followed the following tutorials:

• https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-10

• https://www.digitalocean.com/community/tutorials/how-to-run-multiple-php-versions-on-one-server-using-apache-and-php-fpm-on-debian-10

For the UDP running services, you can find below the result of netstat command:

user@host:~$ sudo netstat -nputwl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1271/mariadbd
tcp        0      0 0.0.0.0:89              0.0.0.0:*               LISTEN      1197/sshd: /usr/sbi
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1683/exim4
tcp6       0      0 :::89                   :::*                    LISTEN      1197/sshd: /usr/sbi
tcp6       0      0 ::1:25                  :::*                    LISTEN      1683/exim4
udp        0      0 0.0.0.0:68              0.0.0.0:*                           643/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           1174/chronyd
udp6       0      0 ::1:323                 :::*                                1174/chronyd
user@host:~$ sudo netstat -n --udp --listen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp6       0      0 ::1:323                 :::*

And when I've started nethogs, I've found plenty of unknown connections (this is just the first 10 seconds of running because the connections just kept coming):

    PID USER     PROGRAM                                                                                                                         DEV        SENT      RECEIVED
      ? root     XX.XX.XX.XX:80-AA.AA.AA.AA:44980                                                                                                         0.000       3.636 KB/sec
      ? root     XX.XX.XX.XX:443-BB.BB.BB.BB:55541                                                                                                        0.063       0.077 KB/sec
      ? root     XX.XX.XX.XX:32492-CC.CC.CC.CC:40709                                                                                                      0.000       0.012 KB/sec
      ? root     XX.XX.XX.XX:13576-DD.DD.DD.DD:41831                                                                                                      0.000       0.012 KB/sec
      ? root     XX.XX.XX.XX:31990-DD.DD.DD.DD:40709                                                                                                      0.000       0.012 KB/sec
      ? root     XX.XX.XX.XX:50403-DD.DD.DD.DD:16234                                                                                                      0.000       0.012 KB/sec
      ? root     XX.XX.XX.XX:50925-CC.CC.CC.CC:16234                                                                                                      0.000       0.012 KB/sec
      ? root     XX.XX.XX.XX:14046-CC.CC.CC.CC:41831                                                                                                      0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:50402-DD.DD.DD.DD:16234                                                                                                      0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:32491-CC.CC.CC.CC:40709                                                                                                      0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:31989-DD.DD.DD.DD:40709                                                                                                      0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:13575-DD.DD.DD.DD:41831                                                                                                      0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:50924-CC.CC.CC.CC:16234                                                                                                      0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:50401-DD.DD.DD.DD:16234                                                                                                      0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:14045-CC.CC.CC.CC:41831                                                                                                      0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:32490-CC.CC.CC.CC:40709                                                                                                      0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:31988-DD.DD.DD.DD:40709                                                                                                      0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:50923-CC.CC.CC.CC:16234                                                                                                      0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:13574-DD.DD.DD.DD:41831                                                                                                      0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:111-EE.EE.EE.EE:8088                                                                                                         0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:31987-DD.DD.DD.DD:40709                                                                                                      0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:14044-CC.CC.CC.CC:41831                                                                                                      0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:32489-CC.CC.CC.CC:40709                                                                                                      0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:50400-DD.DD.DD.DD:16234                                                                                                      0.000       0.000 KB/sec
      ? root     XX.XX.XX.XX:13573-DD.DD.DD.DD:41831                                                                                                      0.000       0.000 KB/sec

Answer 1

Attack is relative, can they quantify what the "attack" is? Sending errant packets does not constitute an attack. The packet count and payload size is consistent. Since you own the server instance, you could do a packet dump of the data leaving your server with wire shark, and it would not take long to narrow down what is generating it. Using something like nethogs would dig it out very fast as well, as it would show the PID of the offending process.

sudo apt install nethogs

Then just run "nethogs" in a terminal and watch....