On Sun, Jul 24, 2022 at 01:05:55PM +0100, Ian Bowden via BitFolk Users wrote:
> My VPS is receiving 250 connections per second from an IP 51.81.86.37.
> This started yesterday evening. I've no idea who is doing it or why.
> The logfiles are filling up as fast as I can delete them, but my website
> keeps falling over as all the disk space has been filled.
> Sample from syslog:
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#44122 (.): query (cache) './ANY/IN' denied
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#44122 (.): query (cache) './ANY/IN' denied
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
> The IP belongs to a cloud hosting service, OVH. I've written an email to
> abuse(a)ovh.ca, but I don't hold out much hope of them sorting it out.
> Does anyone have a suggestion for how I should proceed?
> Ian.

At least for now, I'd suggest blocking (dropping) that IP address
with some firewall rules. I believe that iptables has been superseded
by bpfilter, but I've never used the latter. In case the iptables
interface still works, I'd do something like:
# iptables --append INPUT --source 51.81.86.37 --protocol tcp --match tcp --dport 53 --jump DROP
# iptables --append INPUT --source 51.81.86.37 --protocol udp --match udp --dport 53 --jump DROP
This will block any traffic to the DNS port from that IP address.
Hugo.
--
Hugo Mills | The English language has the mot juste for every
hugo@... carfax.org.uk | occasion.
http://carfax.org.uk/ |
PGP: E2AB1DE4 |
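
An added example, not part of either message in this thread: one way to confirm from syslog which clients account for the denied queries, and at what peak rate, before writing firewall rules. It assumes one log entry per line in the named format quoted above; the function names, the threshold and the sample lines (including the 192.0.2.10 address) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# BIND "denied" query line as quoted in the thread. The optional "@0x..."
# token covers newer BIND releases that log a client object address.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"query \(cache\) '(?P<question>[^']*)' denied"
)


def tally_denied(lines):
    """Return {ip: (total_denied, peak_denied_in_one_second)}."""
    per_second = defaultdict(Counter)
    for line in lines:
        m = DENIED_RE.match(line)
        if m:  # anything that is not a denied-query line is ignored
            per_second[m["ip"]][m["ts"]] += 1
    return {ip: (sum(c.values()), max(c.values()))
            for ip, c in per_second.items()}


def noisy_clients(lines, min_per_second):
    """IPs whose peak per-second count reaches the threshold, busiest first."""
    stats = tally_denied(lines)
    hits = [ip for ip, (_, peak) in stats.items() if peak >= min_per_second]
    return sorted(hits, key=lambda ip: stats[ip][1], reverse=True)


# Constructed sample in the thread's log format (hypothetical host "vps").
SAMPLE = (
    ["Jul 24 12:39:52 vps named[629]: client 51.81.86.37#44122 (.): "
     "query (cache) './ANY/IN' denied"] * 4
    + ["Jul 24 12:39:53 vps named[629]: client 51.81.86.37#17043 (.): "
       "query (cache) './ANY/IN' denied"] * 2
    + ["Jul 24 12:39:52 vps named[629]: client 192.0.2.10#5353 (example.com): "
       "query (cache) 'example.com/A/IN' denied",
       "Jul 24 12:39:52 vps sshd[812]: Accepted publickey for ian"]
)

if __name__ == "__main__":
    for ip, (total, peak) in tally_denied(SAMPLE).items():
        print(f"{ip}: {total} denied, peak {peak}/s")
    print("over threshold:", noisy_clients(SAMPLE, min_per_second=3))
```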