We are managing a dedicated server with Hetzner. Our setup includes a public server (Nginx reverse proxy) connected to around 10 upstream servers.
Recently, our server was compromised through an application vulnerability, leading to a DDoS attack on other IPs. We received an alert about our servers being involved in a DDoS attack, prompting us to investigate. Despite taking several steps, we've been unable to pinpoint the root cause or effectively prevent the DDoS attack from occurring again.
Here's what we've done so far:
- Implemented Zabbix for infrastructure monitoring, focusing on outgoing packets and monitoring network traffic for the past 7 days.
- Enabled firewalls between upstream servers.
- Set up ELK to monitor logs from the Nginx reverse proxy, as all outgoing and incoming traffic goes through it. However, no suspicious activities were found in the Mikrotik logs.
- Restricted outgoing and incoming traffic on our firewall (Mikrotik). Currently, only SSH-22, DNS-53, HTTP-80, HTTPS-443, and a few other application ports are enabled.
We are still unable to prevent it despite these precautions, and that's the email we received.
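One way to narrow down which of the ~10 upstream hosts is actually emitting the flood, as an added example that is not part of the original post: dump the connection-tracking table on each Linux upstream with `conntrack -L` (from conntrack-tools) and rank internal sources by how many distinct external destinations they are hitting with half-open (`[UNREPLIED]`) flows. The sample dump, the internal network `10.0.0.0/8`, and the thresholds are all constructed for this example; a compromised host spraying SYNs stands out because most of its egress flows never get a reply.

```python
"""Rank egress flows per internal source to find a host generating flood traffic.

Added example (not code from the original post). Parses the text format of
`conntrack -L` as produced by conntrack-tools on a Linux host.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in `conntrack -L` format. 10.0.0.7 plays the hypothetical
# compromised upstream: many half-open (UNREPLIED) SYNs to distinct targets.
# The other hosts carry ordinary traffic (one established session, one DNS lookup).
SAMPLE_CONNTRACK = """\
tcp      6 118 SYN_SENT src=10.0.0.7 dst=203.0.113.10 sport=40001 dport=80 [UNREPLIED] src=203.0.113.10 dst=10.0.0.7 sport=80 dport=40001 mark=0 use=1
tcp      6 118 SYN_SENT src=10.0.0.7 dst=203.0.113.11 sport=40002 dport=80 [UNREPLIED] src=203.0.113.11 dst=10.0.0.7 sport=80 dport=40002 mark=0 use=1
tcp      6 118 SYN_SENT src=10.0.0.7 dst=203.0.113.12 sport=40003 dport=80 [UNREPLIED] src=203.0.113.12 dst=10.0.0.7 sport=80 dport=40003 mark=0 use=1
tcp      6 118 SYN_SENT src=10.0.0.7 dst=203.0.113.13 sport=40004 dport=80 [UNREPLIED] src=203.0.113.13 dst=10.0.0.7 sport=80 dport=40004 mark=0 use=1
tcp      6 118 SYN_SENT src=10.0.0.7 dst=203.0.113.14 sport=40005 dport=80 [UNREPLIED] src=203.0.113.14 dst=10.0.0.7 sport=80 dport=40005 mark=0 use=1
tcp      6 118 SYN_SENT src=10.0.0.7 dst=203.0.113.15 sport=40006 dport=80 [UNREPLIED] src=203.0.113.15 dst=10.0.0.7 sport=80 dport=40006 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=203.0.113.50 sport=40100 dport=443 src=203.0.113.50 dst=10.0.0.7 sport=443 dport=40100 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.3 dst=198.51.100.20 sport=33000 dport=443 src=198.51.100.20 dst=10.0.0.3 sport=443 dport=33000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.3 dst=10.0.0.1 sport=33001 dport=443 src=10.0.0.1 dst=10.0.0.3 sport=443 dport=33001 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.5 dst=198.51.100.5 sport=5000 dport=53 [UNREPLIED] src=198.51.100.5 dst=10.0.0.5 sport=53 dport=5000 mark=0 use=1
"""

# proto, l4 number, timeout, optional TCP state, then the original-direction tuple.
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=\d+\s+dport=(?P<dport>\d+)(?P<rest>.*)$"
)


def parse_conntrack(text):
    """Return one dict per parsable conntrack line (original direction only)."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers, counters and anything we do not recognise
        flows.append({
            "proto": m["proto"],
            "state": m["state"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            # [UNREPLIED] sits between the original and reply tuples
            "unreplied": "[UNREPLIED]" in m["rest"],
        })
    return flows


def summarize_egress(flows, internal_net):
    """Aggregate internal -> external flows per internal source address."""
    net = ipaddress.ip_network(internal_net)
    per_src = defaultdict(lambda: {"flows": 0, "unreplied": 0, "dsts": set(), "dports": set()})
    for f in flows:
        if ipaddress.ip_address(f["src"]) not in net:
            continue  # not one of our hosts
        if ipaddress.ip_address(f["dst"]) in net:
            continue  # east-west traffic between upstreams, not egress
        s = per_src[f["src"]]
        s["flows"] += 1
        s["unreplied"] += int(f["unreplied"])
        s["dsts"].add(f["dst"])
        s["dports"].add(f["dport"])
    return dict(per_src)


def suspicious_sources(summary, min_dsts=5, min_unreplied_ratio=0.7):
    """Flag sources fanning out to many targets where most flows get no reply."""
    flagged = []
    for src, s in summary.items():
        ratio = s["unreplied"] / s["flows"]
        if len(s["dsts"]) >= min_dsts and ratio >= min_unreplied_ratio:
            flagged.append(src)
    return sorted(flagged)


def find_flood_sources(text, internal_net="10.0.0.0/8"):
    """Convenience wrapper: conntrack dump text -> sorted list of flagged hosts."""
    return suspicious_sources(summarize_egress(parse_conntrack(text), internal_net))


if __name__ == "__main__":
    report = summarize_egress(parse_conntrack(SAMPLE_CONNTRACK), "10.0.0.0/8")
    for src, s in sorted(report.items(), key=lambda kv: -len(kv[1]["dsts"])):
        print(f"{src:<12} flows={s['flows']:<4} unreplied={s['unreplied']:<4} "
              f"distinct_dsts={len(s['dsts']):<4} dports={sorted(s['dports'])}")
    print("flagged:", find_flood_sources(SAMPLE_CONNTRACK))
```

Run it against a real dump with `conntrack -L > dump.txt` on each upstream and pass the file contents to `find_flood_sources`; the thresholds (`min_dsts`, `min_unreplied_ratio`) are starting points and should be tuned against a quiet baseline, since a busy legitimate service also opens many egress flows, but those get replies. The per-source `dports` set is a useful second signal: a web app that suddenly talks to hundreds of addresses on port 80 or to random UDP ports is worth a closer look on that one host rather than across the whole fleet.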