Scott, posted February 20, 2013

This morning we were forced to block some traffic from our Fresco server due to an outbound UDP flood. We are still investigating this issue and will post more details when we have them.
Michael D., posted February 20, 2013

We identified the data and it was coming from a previously compromised account that had been 'cleaned' by the customer and re-activated. Although they removed most of the malicious files, they did not get them all and left one script that was exceedingly malicious. This file, essentially, makes their account on our server part of a botnet - part of a system that makes outbound attacks to other computers such as the one we faced on the Jasmine server last night. Instead of being the target, we were a source of the data due to this account.

Our upstream provider (Handy Networks) null routed the primary IP of the server to stop the outbound traffic and we thank them for taking this action. We do not like being the targets of DDoS attacks and, as such, obviously do not like taking part in them as a result of an insecure client account. The account has been packaged and terminated completely and will not be re-enabled.

Here is a graph showing the outbound data (the green is outbound): http://www.screen-shot.net/outbound-traffic-ddos.png