On Wed, November 4, 2015 4:22 am, Andrew Holway wrote:
> Hi,
>
> One of our AWS machines was used in a DOS attack last night and I am
> looking for possible attack vectors.

Is it AWS as in Amazon Web Services?

> AWS tells me it was sending UDP port 0 traffic to a cloudflare address.

Ironic: Cloudflare is known as one you cannot get at for abuse when someone hides behind them (therefore some people just block all traffic to/from them), and now they are becoming victims of the same. I would recommend blocking traffic to Cloudflare address blocks at the routing-table level (google that); it may help you in the future.

> This instance had an incorrectly configured AWS security group exposing
> all ports.
>
> The server in question is a Centos 7 based FreeIPA server, OpenVPN
> concentrator and DNS server.
>
> With a brief inspection before the instance was stopped no evidence of
> intrusion could be detected in the obvious places

As far as I know (someone correct me), a regular user can send UDP packets (a regular user cannot do a UDP port scan, but that is purely because root access is necessary to _read_ a raw socket, i.e. to read the response; sending is doable). That is why, for this particular incident, I wouldn't suspect a root compromise right away. Check which users were connected (or rather, ran processes) at the time in question, and check their activity. psacct (if enabled) is your friend.

> and the machine is protected by standard SELinux policies.

Hm, I personally am a bit sceptical about SELinux. Its protection (of a vulnerable system) IMHO is grossly overestimated. It helps some, but I'd rather have a kernel without SELinux (not possible any more, of course; the tons of SELinux code _are_ already in the kernel, with all their potential bugs...)

Somebody already suggested a nice tool (rootkit hunter). I would mention http://www.chkrootkit.org/.

I also would add to the forensics (especially if you didn't reboot yet) a comparison of what you get internally (like open ports, and the whole tree of files on the machine with file checksums) and externally (like an external port scan after you turned off the machine's firewall) with the list of files after you mount the machine's drive(s) on a sane box.

Good luck with the forensics!

Valeri

> On this machine Firewalld is currently configured with a single zone with
> masquerade enabled
>
> firewalld config.
> public (default, active)
>   interfaces: eth0
>   sources:
>   services: dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp openvpn ssh
>   ports: 81/tcp
>   masquerade: yes
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
> Thanks,
>
> Andrew
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
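The two comparisons Valeri suggests (the live file tree against the same disk mounted on a trusted box, and the host's own listener list against an external scan) as an added worked example; this is not code from the original thread or from either poster. It assumes the suspect disk has already been mounted read-only somewhere such as /mnt/suspect, that the port lists have been normalized by hand to one "proto/port" per line, and that filenames contain no newlines.

```shell
#!/bin/sh
# Added example, not code from the original thread or from either poster.
# (1) manifest + compare_manifests: sha256 manifest of the live, possibly
#     rootkitted host vs. the same disk mounted read-only on a clean box.
# (2) hidden_listeners: listeners the host admits to vs. what an external
#     scan sees after the host firewall is switched off.
# Directory and file names below are illustrative assumptions.

set -u

# sha256 of one file; prefers GNU coreutils, falls back to perl's shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# manifest ROOT OUTFILE: one "relpath<TAB>sha256" line per regular file,
# sorted bytewise (LC_ALL=C) so two manifests can be joined on the path.
manifest() {
    root=$1
    out=$2
    ( cd "$root" && find . -type f | LC_ALL=C sort ) |
    while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(hash_file "$root/$f")"
    done > "$out"
}

# compare_manifests LIVE OFFLINE: one line per discrepancy, tagged
#   ONLY_LIVE     visible on the running system, absent from the disk image
#   ONLY_OFFLINE  on disk but not visible live: the classic signature of a
#                 kernel or LD_PRELOAD rootkit hiding its own files
#   MODIFIED      same path, different content as seen from the two sides
compare_manifests() {
    live=$1
    offline=$2
    tab=$(printf '\t')
    LC_ALL=C join -t "$tab" -v 1 "$live" "$offline" |
        awk -F'\t' '{print "ONLY_LIVE\t" $1}'
    LC_ALL=C join -t "$tab" -v 2 "$live" "$offline" |
        awk -F'\t' '{print "ONLY_OFFLINE\t" $1}'
    LC_ALL=C join -t "$tab" "$live" "$offline" |
        awk -F'\t' '$2 != $3 {print "MODIFIED\t" $1}'
}

# hidden_listeners INTERNAL EXTERNAL: both files hold one "proto/port" per
# line (e.g. transcribed from `ss -lntu` on the host and from an nmap scan
# run from outside). Prints ports reachable from outside that the host's own
# socket table does not show, i.e. candidates for a hidden listener.
hidden_listeners() {
    a=$(mktemp)
    b=$(mktemp)
    LC_ALL=C sort -u "$1" > "$a"
    LC_ALL=C sort -u "$2" > "$b"
    LC_ALL=C comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Usage: sh forensic_diff.sh <live-root> <offline-mount-root>
# e.g.   sh forensic_diff.sh / /mnt/suspect      (run from the live host)
if [ "$#" -eq 2 ]; then
    manifest "$1" live.manifest
    manifest "$2" offline.manifest
    compare_manifests live.manifest offline.manifest
fi
```

Run the manifest step twice, once on the suspect host while it is still up and once against the mounted image from the clean box, then diff the two outputs on the clean box only; a manifest produced on a compromised kernel is itself untrusted, which is exactly why the ONLY_OFFLINE lines are the interesting ones. Copy static binaries of find and sha256sum onto the host rather than relying on the installed ones.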