[Fiware-lab-federation-nodes] Suspicious network traffic from "burkhard-krome"

José Ignacio Carretero joseignacio.carreteroguarde at telefonica.com
Wed Mar 2 11:04:22 CET 2016


Hi,

We've dealt with this kind of problem many times. Most of the time the user is
simply unaware that their VMs are compromised.

The way we've been proceeding all this time is
1st. Studying a little more in depth the kind of traffic: TCP/UDP. The
ports, if the connections are established or there are many new connections.
2nd. Stopping / Pausing the VMs
3rd. Communicate the problem to the user (a simple keystone command
might help to know how to contact the user) and ask him for immediate
action or permissions in order to take some action.
4th. Filtering

Sometimes, we've asked the user to build another VM and we've added the
old disk so they can save data.
Sometimes the user did ask us to dig into the problem in their VM.

--- About the 1st one:

Here are some common cases I've met (all of them very traffic consuming):
# DoS to some DNS ---> Too many DNS requests to somewhere. Many UDP
packets to somewhere. Very high traffic against one server.
# SSH attacks (brute force) ---> Too many ssh sessions against many hosts.
# Port scanning ---> too many tcp connections against many hosts and
many ports
# Proxies ---> A lot of traffic. Simply a lot of traffic coming to/from
somewhere in the same connection. This could be legit traffic or not, I
usually slow down the pace of these connections and ask the user to
check... This kind of traffic usually comes from/to China, Africa,
South America, United States.

This is more or less my story... If you want we could talk a little bit
more in depth about this case.

Regards,
José Ignacio.

On 01/03/16 at 13:25, Jan Kundrát wrote:
> Dear colleagues,
> our IDS department has detected suspicious network patterns related to
> a VM owned by user_id burkhard-krome (tenant_id
> 77480c33ee364afc9a6379b83e8dadc0).
>
> We're seeing sustained packet rates of about 140k packets/s, with more
> than 3TB of data transferred since Friday. The pattern appears to be
> consistent with a DoS traffic.
>
> In the meanwhile, we have paused both VMs that the user was running
> here in Prague. What is the recommended form of notification to the
> user? What is the procedure for blocking their access to the nodes?
> What are the next steps that we should take?
>
> With kind regards,
> Jan
> _______________________________________________
> Fiware-lab-federation-nodes mailing list
> Fiware-lab-federation-nodes at lists.fiware.org
> https://lists.fiware.org/listinfo/fiware-lab-federation-nodes
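The first step José describes (looking at protocol, ports, established versus new connections) and the four traffic patterns he lists can be turned into a simple per-VM flow classifier. The following is an added example, not code from the FIWARE Lab federation or from either poster; the `Flow` record layout, the thresholds, and the one-minute sample flows are all constructed assumptions, and a real deployment would feed it records from the node's flow exporter or IDS.

```python
"""Classify per-VM flow records into the suspicious-traffic patterns from the
thread: DNS flood, SSH brute force, port scan, and one very heavy connection.
Added example; thresholds and sample data are illustrative assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed thresholds for a one-minute window; tune per node.
WINDOW_S = 60
DNS_PPS = 1_000               # udp/53 packets per second from one VM
DNS_TOP_DST_SHARE = 0.8       # share of those packets aimed at a single server
SSH_HOSTS = 20                # distinct hosts with established tcp/22 sessions
SCAN_HOSTS = 10               # distinct hosts probed with unestablished tcp
SCAN_PORTS = 50               # distinct ports probed
HEAVY_BPS = 10 * 1024 * 1024  # bytes/s carried by one single connection


@dataclass(frozen=True)
class Flow:
    vm: str            # instance that originated the flow
    dst: str           # remote address
    proto: str         # "tcp" or "udp"
    dport: int
    packets: int
    nbytes: int
    established: bool  # TCP handshake completed (True for UDP records)


def classify_vm(flows, window_s=WINDOW_S):
    """Return a list of (pattern, detail) findings for one VM's flows."""
    findings = []

    # DoS against a DNS server: huge udp/53 packet rate, concentrated on one target.
    dns = [f for f in flows if f.proto == "udp" and f.dport == 53]
    dns_pkts = sum(f.packets for f in dns)
    if dns_pkts / window_s > DNS_PPS:
        per_dst = Counter()
        for f in dns:
            per_dst[f.dst] += f.packets
        dst, pkts = per_dst.most_common(1)[0]
        if pkts / dns_pkts >= DNS_TOP_DST_SHARE:
            findings.append(("dns_flood",
                             f"{dns_pkts // window_s} pps, {pkts / dns_pkts:.0%} to {dst}"))

    # SSH brute force: established ssh sessions fanning out to many hosts.
    ssh_hosts = {f.dst for f in flows
                 if f.proto == "tcp" and f.dport == 22 and f.established}
    if len(ssh_hosts) >= SSH_HOSTS:
        findings.append(("ssh_bruteforce", f"ssh sessions to {len(ssh_hosts)} hosts"))

    # Port scan: many new (never established) tcp connections across hosts and ports.
    probes = [f for f in flows if f.proto == "tcp" and not f.established]
    hosts = {f.dst for f in probes}
    ports = {f.dport for f in probes}
    if len(hosts) >= SCAN_HOSTS and len(ports) >= SCAN_PORTS:
        findings.append(("port_scan",
                         f"{len(probes)} unestablished flows, {len(hosts)} hosts, {len(ports)} ports"))

    # Proxy-like: a single connection moving a lot of data (may or may not be legit).
    for f in flows:
        if f.nbytes / window_s > HEAVY_BPS:
            findings.append(("heavy_connection",
                             f"{f.nbytes // window_s // 1024 // 1024} MiB/s to {f.dst}:{f.dport}"))
    return findings


def classify(flows, window_s=WINDOW_S):
    """Group flows by VM and classify each one; VMs with no findings map to []."""
    by_vm = defaultdict(list)
    for f in flows:
        by_vm[f.vm].append(f)
    return {vm: classify_vm(fl, window_s) for vm, fl in by_vm.items()}


def sample_flows():
    """Constructed one-minute sample (documentation address ranges), not real data."""
    flows = [Flow("vm-dns", "198.51.100.53", "udp", 53, 2_900_000, 200_000_000, True),
             Flow("vm-dns", "198.51.100.54", "udp", 53, 100_000, 7_000_000, True)]
    flows += [Flow("vm-ssh", f"203.0.113.{i}", "tcp", 22, 40, 6_000, True)
              for i in range(1, 31)]
    flows += [Flow("vm-scan", f"192.0.2.{h}", "tcp", 1000 + p, 1, 60, False)
              for h in range(1, 16) for p in range(60)]
    flows += [Flow("vm-proxy", "203.0.113.200", "tcp", 8080, 1_500_000, 2_000_000_000, True)]
    flows += [Flow("vm-clean", "203.0.113.10", "tcp", 443, 800, 900_000, True),
              Flow("vm-clean", "198.51.100.53", "udp", 53, 40, 4_000, True)]
    return flows


if __name__ == "__main__":
    for vm, found in classify(sample_flows()).items():
        print(vm, found or "no findings")
```

The output for each VM is what you would want in hand before step 2 (pausing the VM) and step 3 (contacting the owner): the pattern name plus the numbers that justify it. The `heavy_connection` case is deliberately reported rather than acted on, matching the remark that such traffic may be legitimate and is better throttled and queried with the user than blocked outright.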

