9

Yesterday our Digital Ocean server encountered something that looked like an attack. The outbound traffic suddenly increased to 700Mbps, while the inbound traffic stayed at about 0.1Mbps, and didn't increase even once. The traffic lasted for several minutes until Digital Ocean cut our server off the network assuming we're performing a DoS (which is reasonable).

I have two assumptions: either someone hacked into our server (after the attack I realised my colleague had enabled SSH login with password) or there's some kind of an attack that I don't know about.

Can anyone clear this situation up for me? If there indeed is a kind of DoS whose traffic looks like that, please educate me.

3 Answers

20

One likely possibility is an amplification attack. If you are running an open recursive DNS resolver (there are other protocols you can do this with though), for example, you can receive a very small UDP packet that has a spoofed IP address. Your server then generates a large response and sends it to the victim, thinking that it's a legitimate request.

Another possibility is that someone was exfiltrating data off your network. If someone got into your server and was offloading every byte they could find, it would look like that as well.

There's no way to know which one it was without doing an investigation, and hoping that whatever did happen left evidence. If it's the latter (exfiltration) then they probably cleared their tracks as best they could.
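The traffic shape this answer describes (tiny inbound UDP requests, large outbound responses to the same peers) is something you can check for in flow data before guessing. The following is an added example, not code from the thread or from any answerer: it aggregates constructed per-flow byte counts (the kind of numbers a conntrack dump or a flow collector would give you) and flags UDP peers whose outbound bytes dwarf the inbound bytes. The record layout, thresholds and function names are my assumptions.

```python
from collections import defaultdict

# Constructed sample flows (not real data): (proto, remote_ip, local_port, bytes_in, bytes_out)
SAMPLE_FLOWS = [
    ("udp", "203.0.113.7", 53, 64, 4096),     # small query, large DNS answer
    ("udp", "203.0.113.7", 53, 64, 4096),
    ("udp", "203.0.113.7", 53, 64, 4096),
    ("tcp", "198.51.100.20", 443, 1200, 2400),  # ordinary HTTPS session
    ("tcp", "198.51.100.21", 22, 3000, 3500),   # interactive SSH
    ("udp", "203.0.113.9", 123, 48, 440),       # NTP: modest ratio, tiny volume
]


def summarize_flows(flows):
    """Aggregate bytes and flow count per (proto, remote_ip, local_port)."""
    totals = defaultdict(lambda: [0, 0, 0])  # [bytes_in, bytes_out, flow_count]
    for proto, remote, port, b_in, b_out in flows:
        key = (proto, remote, port)
        totals[key][0] += b_in
        totals[key][1] += b_out
        totals[key][2] += 1
    return totals


def flag_amplification(flows, min_ratio=10.0, min_out_bytes=1024):
    """Return [(key, out/in ratio)] for UDP peers that look like amplification targets.

    Both thresholds are assumed starting points: a reflector typically shows
    an out/in ratio far above 10, and min_out_bytes filters out noise such as
    a single NTP exchange. TCP is skipped because a completed handshake means
    the remote address was not spoofed.
    """
    suspects = []
    for key, (b_in, b_out, _count) in summarize_flows(flows).items():
        if key[0] != "udp" or b_out < min_out_bytes:
            continue
        ratio = b_out / max(b_in, 1)
        if ratio >= min_ratio:
            suspects.append((key, round(ratio, 1)))
    return sorted(suspects, key=lambda s: -s[1])


if __name__ == "__main__":
    for (proto, remote, port), ratio in flag_amplification(SAMPLE_FLOWS):
        print(f"{proto}/{port} to {remote}: out/in ratio {ratio}")
```

With the sample data only the DNS peer is reported; a flagged peer is the spoofed victim, not the attacker, which is why the fix is closing the open service rather than blocking that address.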

10

I agree with the possibility of an amplification attack. The simplest way to handle this is to use DigitalOcean's free cloud firewall.

Only allow SSH, HTTP, and HTTPS inbound. If possible, only allow SSH from your trusted IPs.

You can do this using the firewall on your VM; DO's solution is just easier.

Mike M
5

You should ask Digital Ocean. They don't shut off servers just for high outbound traffic: that would shut down most servers, for example a webserver hosting something popular.

Rather, they shut down your server because the nature of your traffic looked malicious. As such, they probably have some idea what it was.

Otherwise you'll have to investigate yourself. Perhaps if the host is still running it's still attempting to send traffic which is being dropped by Digital Ocean. In that case you'd be able to observe it with a packet dump. Or you may be able to find clues in the system logs. It could be any of a million things unfortunately, so speculating on the underlying cause absent such an investigation is futile.