设为首页收藏本站

ZMX - IT技术交流论坛 - 无限Perfect,追求梦想 - itzmx.com

 找回密码
 注册论坛

QQ登录

只需一步,快速开始

新浪微博账号登陆

只需一步,快速开始

用百度帐号登录

只需两步,快速登录

搜索
查看: 94|回复: 0

如何通过流量数据包判断vps机器是否对外发起ddos,FLOOD-tcp硬件防火墙误报申诉

[复制链接]
 成长值: 96

签到天数: 4657 天

[LV.Master]伴坛终老

发表于 2024/9/25 22:14 | 显示全部楼层 |阅读模式 |Google Chrome 129.0.0.0|Windows 10
天涯海角搜一下: 百度 谷歌 360 搜狗 有道 雅虎 必应 即刻
如何通过流量数据包判断vps机器是否对外发起ddos,FLOOD-tcp硬件防火墙误报申诉

服务商一份报告例子
FLOOD-tcp.1-eno1 detected! VPS is limited. Metric: 359312

VM: vm865164.u174709.kvm.centos-7-amd64-r2
MAC: ea:37:72:c2:15:c3

ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 111.60.201.57.52065: Flags [R.], seq 0, ack 4169257719, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 111.192.227.244.56329: Flags [R.], seq 0, ack 2358622955, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 61.140.126.129.57763: Flags [R.], seq 0, ack 565215881, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 118.112.184.102.49996: Flags [R.], seq 0, ack 1181678155, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 112.49.107.42.6669: Flags [R.], seq 0, ack 990172527, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 59.148.76.229.3727: Flags [R.], seq 0, ack 1923696257, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 223.93.191.238.54927: Flags [R.], seq 0, ack 1116817382, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 39.129.166.173.32833: Flags [R.], seq 0, ack 3813951025, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 112.21.206.189.10918: Flags [R.], seq 0, ack 1309987123, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 180.107.237.236.16834: Flags [R.], seq 0, ack 3225591478, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 78.163.170.202.46424: Flags [R.], seq 0, ack 4237280895, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 14.10.98.129.51010: Flags [R.], seq 0, ack 2553403103, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 180.105.97.221.24897: Flags [R.], seq 0, ack 1306532100, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 113.249.165.116.28169: Flags [R.], seq 0, ack 683232306, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 119.117.152.102.16109: Flags [R.], seq 0, ack 1473050767, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 42.224.185.197.13918: Flags [R.], seq 0, ack 2265870740, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 60.246.36.122.16349: Flags [R.], seq 0, ack 461522938, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 121.239.56.68.60339: Flags [R.], seq 0, ack 2827223350, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 112.195.133.15.45427: Flags [R.], seq 0, ack 4047631036, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 114.100.47.232.53907: Flags [R.], seq 0, ack 1665628791, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.8080 > 157.49.105.130.49323: Flags [R.], seq 0, ack 422270617, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 150.203.66.1.61694: Flags [R.], seq 0, ack 2006289295, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 118.46.213.90.59739: Flags [R.], seq 0, ack 1624059636, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 120.84.12.90.45073: Flags [R.], seq 0, ack 258512235, win 0, length 0
ea:37:72:c2:15:c3 > 00:1f:ce:00:00:1c, ethertype IPv4 (0x0800), length 54: 46.29.161.6.6961 > 223.19.213.254.1348: Flags [R.], seq 0, ack 1975231674, win 0, length 0



可以看看指向端口是不是80
如果是你对外攻击,你会产生一大堆随机端口指向一个目标为固定端口的ip
如果是你被攻击,那么会有一大堆ip随机端口指向你的80端口,比如如果显示为自己服务器ip的80端口这很明显是误报。。。你不可能从80端口把数据发给其他人


直接让AI写一份证明
以下是一份证明的样本,可以用来说明你的服务器近期被硬件防火墙误报攻击:

---

尊敬的网络安全团队,

我是 [你的名字],负责管理 [你的服务器名称],即 [IP 地址]。最近我们收到硬件防火墙的警告,提示可能存在对外攻击行为,具体信息如下:

事件名称 : FL00D-tcp.1-eno1 detected
触发时间 : [具体时间]
硬件防火墙警告 : VPS is limited. Metric: 350257

根据硬件防火墙的日志,警告显示多条连接信息,特征如下:

服务器IP发起到固定IP和端口的连接:
- 服务器IP:80 > 172.69.195.166:20826
- 服务器IP:80 > 172.68.130.143:62846
- 服务器IP:80 > 141.101.104.68:47310
- 服务器IP:80 > 108.162.221.18:10778
- 服务器IP:80 > 162.158.210.163:15272
- 服务器IP:80 > 172.71.182.63:47138

...

我们对上述行为进行了深入分析,结论如下:

1. **服务器未进行对外攻击**:如果服务器进行了对外攻击,会表现为大量随机端口指向某一个固定端口的IP。然而日志显示的情况并不符合此特征,相反,多数连接均为服务器IP的80端口与多个外部IP之间的通信。

2. **服务器可能受到外部攻击**:多条连接显示了外部多个IP的随机端口指向服务器的80端口,这更符合受到外部攻击(如DDoS攻击)的特征。

3. **误报可能性**:上述表现极有可能是防火墙的误报。在防火墙检测到的连接中,并没有典型的对外攻击特征。实际数据传输行为说明,这些更多是正常的HTTP请求响应。

4.**使用Cloudflare**:我们服务器当前正在使用Cloudflare作为CDN(内容分发网络),因此,所有访问IP均来自Cloudflare的IP池(https://www.cloudflare.com/zh-cn/ips/)。这些IP地址都是Cloudflare分配的,并不是任何异常的ip地址。


基于以上分析,我们认为目前的警告属于误报。请求网络安全团队重新评估此次警告,并尽快解除对服务器的限制,以便恢复正常的业务运行。

非常感谢贵团队对网络安全的持续关注。如需要更多信息或进一步的配合,欢迎随时联系。

祝好,

[你的名字]  
[联系信息]  
[日期]

---

你可以根据具体情况和需要,修改此证明内容。希望对你有帮助。


VPS is limited. Metric: 359312
是不是限制35W连接数?

欢迎光临IT技术交流论坛:http://bbs.itzmx.com/
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 注册论坛 新浪微博账号登陆用百度帐号登录

本版积分规则

手机版|Archiver|Mail me|网站地图|IT技术交流论坛 ( 闽ICP备13013206号-7 )

GMT+8, 2024/10/4 07:37 , Processed in 0.097973 second(s), 19 queries , MemCache On.

Powered by itzmx! X3.4

© 2011- sakura

快速回复 返回顶部 返回列表