Measure Network Bandwidth Per Process


Hi,

Is there a way to measure network bandwidth per process in CentOS Linux release 7.6.1810 (Core) using any utility? I was reading about nethogs, but it does not have an option to run in daemon mode so that we can look at historical data to figure out which process was consuming high network bandwidth; instead, it is a good tool for live monitoring.

Please suggest. Thanks in advance.

Best Regards,

Kaushal

2 thoughts on - Measure Network Bandwidth Per Process

  • Hi,

    Checking in again if anyone can pitch in for my earlier email to this mailing list. Thanks in advance.

    Best Regards,

    Kaushal

  • # > We have a strange series of events going on in the past while…. Brief
    # > history here, looking for input from the community – especially some of
    # > the security folks on here.
    # >
    # > We provide web hosting services – one of our hosting boxes was found a
    # > while back with rootkits installed, unpatched software and lots of
    # > other “goodies”. With some staff changes in place (don’t think I need
    # > to elaborate on that) we are trying to clean up several issues including
    # > this particular server. A new server was provisioned, patched, and
    # > deployed. User data was moved over and now the same issue is coming
    # > back….
    # > The problem is that a user on this box appears to be launching high
    # > traffic DOS attacks from it towards other sites. These are UDP based
    # > floods that move around from time to time – most of these attacks only
    # > last a few minutes.
    #
    # Counting outbound udp bytes and packets can help spot anomalies.
    # Something like this would help but may be unwieldy if you have thousands
    # of users on a single box:
    #
    # WANIF=eth0
    # userlist="userA userB user…"
    # for i in ${userlist}
    # do
    # iptables -N ${i}_UDP
    # iptables -I OUTPUT -m owner -o ${WANIF} -p udp --uid-owner ${i} -j ${i}_UDP
    # done
    #
    # Then look at counters with:
    # iptables -nvL OUTPUT | grep _UDP | sort…….
    #
    #
    # I wouldn’t leave this in place full-time for thousands of accounts
    # though without attempting to measure the impact on network performance.
    #
    # > I’ve done tcpdumps within seconds of the attack starting and to date
    # > been unable to find the source of this attack (we know the server,
    # > just not sure which customer it is on the server that’s been
    # > compromised). Several hours of scanning for php, cgi, pl type files
    # > have been wasted and come up nowhere…
    # >
    # > It’s been suggested to dump IDS in front of this box and I know I’ll
    # > get some feedback positive and negative in that aspect.
    # >
    # > What tools/practices do others use to resolve this issue? It’s a
    # > CentOS 5.4 box running latest Plesk control panel.
    # >
    # > Typically we have found it easy to track down the offending script or
    # > program – this time hasn’t been easy at all…