I need a little help guys

Kaptan647

Retired Staff
Contributor
Apr 25, 2015
314
395
112
Recently someone was attacking my servers. It was a weird attack. He was using a protocol I have never seen before, and he was spoofing his IP. The weird thing is when I used tcpdump for logs it shows different IPs but all the IPs had the same feature. "19:27:52.297061 IP (tos 0x0, ttl 53, id 766, offset 0, flags [DF], proto unknown (84), length 60)" This log must be different for every IP but for some reason it was the same and the IPs were different. Somehow he was sending interrupt signals to use my CPU. So my question is: does anyone know anything about the TTP protocol (Transaction Transport Protocol)? I couldn't find any information about this protocol.
 

Derp

Retired Staff
Contributor
Apr 30, 2015
933
1,014
217
shows different IPs but all the IPs had the same feature. "19:27:52.297061 IP (tos 0x0, ttl 53, id 766, offset 0, flags [DF], proto unknown (84), length 60)"

If that's the case, the attacker is using a specified Attack Method.

I think he's targeting one (or more) of the services you are running on your machine (not talking about TeamSpeak or the web server).

Check where the traffic is coming from, and what port it's targeting, then check if any service you run listens for incoming connections on that port.
 

Kaptan647

If that's the case, the attacker is using a specified Attack Method.

I think he's targeting one (or more) of the services you are running on your machine (not talking about TeamSpeak or the web server).

Check where the traffic is coming from, and what port it's targeting, then check if any service you run listens for incoming connections on that port.

I have already checked it
gA2MgZ.png

Do you use JUNIPER firewalls by chance or does your host? http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_28654202.html
If they do, that could be the issue. They might be targeting your server, in the process fucking with the firewall of your server(s). :confused:
Would need to know more info: what services you have running (versions also), what OS and what provider you are using.
No, I don't use a Juniper firewall. I am using CentOS and my provider is this: http://www.dgn.net.tr/ . It is a datacenter located in Turkey.
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,029
896
216
You mean your network card was receiving so much shit it hogged your cpu with interrupts :)
That is not the same thing at all.
 

Kaptan647

You mean your network card was receiving so much shit it hogged your cpu with interrupts :)
That is not the same thing at all.
Maybe :) I am not sure. All I know is even when I blocked the IPs with the firewall my CPU was at 90-98% for 30 mins and I had 10 ksoftirqd processes.
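The pattern reported in this thread (many source addresses, one identical ttl/id/length header, IP protocol 84) can be checked mechanically. The following is an added example, not part of any post: it groups `tcpdump -nn -v` packets by header fingerprint and lists fingerprints shared by several sources. The capture is constructed with documentation addresses, and the indented `src > dst` continuation line format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn -v` output (documentation addresses only).
# The header line follows the format quoted in the thread; the indented
# "src > dst:" continuation line after each header is an assumption.
SAMPLE = """\
19:27:52.297061 IP (tos 0x0, ttl 53, id 766, offset 0, flags [DF], proto unknown (84), length 60)
    198.51.100.7 > 192.0.2.10:  ip-proto-84 40
19:27:52.297102 IP (tos 0x0, ttl 53, id 766, offset 0, flags [DF], proto unknown (84), length 60)
    203.0.113.44 > 192.0.2.10:  ip-proto-84 40
19:27:52.297140 IP (tos 0x0, ttl 53, id 766, offset 0, flags [DF], proto unknown (84), length 60)
    198.51.100.201 > 192.0.2.10:  ip-proto-84 40
19:27:52.297188 IP (tos 0x0, ttl 53, id 766, offset 0, flags [DF], proto unknown (84), length 60)
    203.0.113.9 > 192.0.2.10:  ip-proto-84 40
19:27:52.300000 IP (tos 0x0, ttl 64, id 4321, offset 0, flags [DF], proto TCP (6), length 52)
    203.0.113.5.51234 > 192.0.2.10.80: Flags [.], ack 1, win 229, length 0
"""

HEADER = re.compile(
    r"IP \(tos 0x[0-9a-f]+, ttl (?P<ttl>\d+), id (?P<id>\d+), offset \d+, "
    r"flags \[(?P<flags>[^\]]*)\], proto [^()]+? \((?P<proto>\d+)\), "
    r"length (?P<length>\d+)\)")
ADDRS = re.compile(r"^\s+(?P<src>\S+) > (?P<dst>[^:\s]+):")

def fingerprint_sources(text):
    """Map (proto, ttl, id, flags, length) -> set of source addresses."""
    groups = defaultdict(set)
    pending = None  # fingerprint of the header line awaiting its address line
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            pending = (int(h["proto"]), int(h["ttl"]), int(h["id"]),
                       h["flags"], int(h["length"]))
            continue
        a = ADDRS.match(line)
        if a and pending is not None:
            groups[pending].add(a["src"])  # TCP/UDP sources keep their port suffix
            pending = None
    return groups

def suspicious(groups, min_sources=3):
    """Independent hosts rarely agree on both ttl and IP id, so a fingerprint
    shared by many sources points to one generator forging the source field."""
    return {fp: srcs for fp, srcs in groups.items() if len(srcs) >= min_sources}

if __name__ == "__main__":
    for fp, srcs in suspicious(fingerprint_sources(SAMPLE)).items():
        print("proto=%d ttl=%d id=%d flags=%s len=%d" % fp, sorted(srcs))
```

Source addresses in a group flagged this way are not trustworthy, so filtering on the shared fields (here the protocol number) is more useful than blocking the addresses one by one.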
 