bizzi
@bizzi
junior php web developer

A large flood of traffic is coming from my server, how do I find the problem?

Hi all! Here is the situation.
I have a web application hosted on Digital Ocean; it sends emails and push notifications to phones on certain events. It is still in testing. Today I see the following email from Digital Ocean:
Hi there,

We are sorry to report that we have detected what appears to be a large flood of traffic from one or more of your servers that is disrupting the normal traffic flow for other users.

To prevent this traffic from causing further disruption, we have disabled the networking interface on the server or servers involved. In order to correct the issue, here is the direct link to the console of the affected droplet https://cloud.digitalocean.com/droplets/7365678/console

Please take action at your earliest convenience in order to investigate and resolve the situation. Once this is done, if you determine the program was malicious, please also determine how this software came to be installed on your droplet and prevent it from being installed again in the future. As soon as this is done let us know and we will investigate re-enabling your networking.

If you need any guidance on how to find and resolve this issue, we recommend reviewing this:

https://www.digitalocean.com/community/tutorials/h...

Please understand that this is a very serious issue as it negatively impacts our platform and your server. If you have any questions just let us know.

Thank you,
DigitalOcean Support

I'm afraid the problem is that my queued pushes may have saturated the traffic.
Support sent a tcpdump; here is a piece of it:
Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Interface id: 0
Encapsulation type: Ethernet (1)
Arrival Time: Nov 16, 2015 06:07:08.481477000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1447654028.481477000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 66 bytes (528 bits)
Capture Length: 66 bytes (528 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:tcp]
Ethernet II, Src: 84:b5:9c:fa:10:30 (84:b5:9c:fa:10:30), Dst: 04:01:70:64:92:01 (04:01:70:64:92:01)
Destination: 04:01:70:64:92:01 (04:01:70:64:92:01)
Address: 04:01:70:64:92:01 (04:01:70:64:92:01)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 84:b5:9c:fa:10:30 (84:b5:9c:fa:10:30)
Address: 84:b5:9c:fa:10:30 (84:b5:9c:fa:10:30)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 43.229.53.21 (43.229.53.21), Dst: 188.166.15.31 (188.166.15.31)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 52
Identification: 0x2078 (8312)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 54
Protocol: TCP (6)
Header checksum: 0xf78c [validation disabled]
[Good: False]
[Bad: False]
Source: 43.229.53.21 (43.229.53.21)
Destination: 188.166.15.31 (188.166.15.31)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 11413 (11413), Dst Port: 22 (22), Seq: 1, Ack: 1, Len: 0
Source port: 11413 (11413)
Destination port: 22 (22)
[Stream index: 0]
Sequence number: 1 (relative sequence number)
Acknowledgment number: 1 (relative ack number)
Header length: 32 bytes
Flags: 0x010 (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size value: 229
[Calculated window size: 229]
[Window size scaling factor: -1 (unknown)]
Checksum: 0x460c [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
Timestamps: TSval 12594167, TSecr 572535019
Kind: Timestamp (8)
Length: 10
Timestamp value: 12594167
Timestamp echo reply: 572535019

0000 04 01 70 64 92 01 84 b5 9c fa 10 30 08 00 45 00 ..pd.......0..E.
0010 00 34 20 78 40 00 36 06 f7 8c 2b e5 35 15 bc a6 .4 x@.6...+.5...
0020 0f 1f 2c 95 00 16 e5 ab 0b fa dd 65 87 93 80 10 ..,........e....
0030 00 e5 46 0c 00 00 01 01 08 0a 00 c0 2b f7 22 20 ..F.........+."
0040 30 eb 0.

And there are 19 such Frames.
Unfortunately I can't make sense of any of this, so I am counting on your help
  • Question asked
  • 476 views
Answers to the question: 1
martin74ua
@martin74ua Curator of the Linux tag
Linux administrator
It didn't work out in one question, so we'll ask a second one.

Your pushes most likely have nothing to do with it. In the dump you provided - dst port 22. Did an SSH scanner happen to start up on your droplet?

P.S. The advice from the previous question still stands ;)
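The triage point the reply raises (is the droplet the source of the port-22 traffic or its target?) worked through in code, as an added example that is not part of the original thread: it parses the Wireshark-style hex dump quoted in the question into Ethernet/IPv4/TCP fields and counts distinct peers per destination port in each direction relative to the droplet. The droplet address 188.166.15.31 is taken from the dump; the function names `hexdump_to_bytes`, `decode_frame` and `triage` are assumptions of this example.

```python
import struct
from collections import defaultdict

# Wireshark-style hex dump of frame 1 as quoted in the question
# (offset, up to 16 hex bytes, then an ASCII column that is ignored).
FRAME_DUMP = """\
0000 04 01 70 64 92 01 84 b5 9c fa 10 30 08 00 45 00 ..pd.......0..E.
0010 00 34 20 78 40 00 36 06 f7 8c 2b e5 35 15 bc a6 .4 x@.6...+.5...
0020 0f 1f 2c 95 00 16 e5 ab 0b fa dd 65 87 93 80 10 ..,........e....
0030 00 e5 46 0c 00 00 01 01 08 0a 00 c0 2b f7 22 20 ..F.........+."
0040 30 eb 0.
"""

HEX = set("0123456789abcdefABCDEF")

def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset hh hh ... ascii' lines back into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        for tok in fields[1:17]:          # skip the offset; at most 16 data bytes per line
            if len(tok) != 2 or not set(tok) <= HEX:
                break                     # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def decode_frame(raw: bytes) -> dict:
    """Decode Ethernet II / IPv4 / TCP headers into the fields needed to attribute a flow."""
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "ttl": ip[8], "sport": sport, "dport": dport,
            "syn": bool(flags & 0x02), "ack": bool(flags & 0x10)}

def triage(packets, local_ip: str) -> dict:
    """Count distinct peers per destination port, split by direction relative to the droplet.
    Many outbound peers on one port points at a scanner running on the droplet;
    inbound-only traffic means the droplet is the target, not the source."""
    outbound, inbound = defaultdict(set), defaultdict(set)
    for p in packets:
        if p["src"] == local_ip:
            outbound[p["dport"]].add(p["dst"])
        elif p["dst"] == local_ip:
            inbound[p["dport"]].add(p["src"])
    return {"outbound_peers_by_port": {k: len(v) for k, v in outbound.items()},
            "inbound_peers_by_port": {k: len(v) for k, v in inbound.items()}}
```

Decoding all 19 frames from the support capture the same way and feeding them to `triage` shows which direction the port-22 flows run, which is what the reply asks you to check.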