21:34:55.333838 IP 108.119.118.3.30096 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.333838 IP 71.207.196.86.18545 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.333845 IP 141.21.9.52.58943 > 31.186.250.210.10011: Flags [.], ack 689933859, win 52604, payload 0
21:34:55.333848 IP 31.186.250.210.10011 > 147.6.246.105.35724: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.333884 IP 31.186.250.210.10011 > 71.207.196.86.18545: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.333896 IP 31.186.250.210.10011 > 108.119.118.3.30096: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.333907 IP 31.186.250.210.10011 > 141.21.9.52.58943: Flags [R], seq 689933859, win 0, payload 0
21:34:55.333921 IP 44.146.128.232.51218 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.333932 IP 174.43.146.158.1490 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.333935 IP 122.167.151.153.59687 > 31.186.250.210.10011: Flags [.], ack 689933859, win 52604, payload 0
21:34:55.333978 IP 31.186.250.210.10011 > 44.146.128.232.51218: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334010 IP 77.208.207.87.7906 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334012 IP 211.179.254.78.24878 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334022 IP 145.111.245.42.20487 > 31.186.250.210.10011: Flags [.], ack 689933859, win 52604, payload 0
21:34:55.334023 IP 31.186.250.210.10011 > 174.43.146.158.1490: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334028 IP 133.170.151.222.51519 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334030 IP 31.186.250.210.10011 > 122.167.151.153.59687: Flags [R], seq 689933859, win 0, payload 0
21:34:55.334080 IP 31.186.250.210.10011 > 77.208.207.87.7906: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334083 IP 106.153.142.214.60733 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334089 IP 206.202.50.91.63313 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334098 IP 31.186.250.210.10011 > 211.179.254.78.24878: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334109 IP 31.186.250.210.10011 > 145.111.245.42.20487: Flags [R], seq 689933859, win 0, payload 0
21:34:55.334121 IP 31.186.250.210.10011 > 133.170.151.222.51519: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334134 IP 163.209.22.247.4957 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334137 IP 31.186.250.210.10011 > 106.153.142.214.60733: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334157 IP 31.186.250.210.10011 > 206.202.50.91.63313: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334166 IP 70.101.143.229.10391 > 31.186.250.210.10011: Flags [.], ack 689933859, win 52604, payload 0
21:34:55.334177 IP 31.186.250.210.10011 > 163.209.22.247.4957: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334182 IP 184.10.230.13.32893 > 31.186.250.210.10011: Flags [.], ack 689933859, win 52604, payload 0
21:34:55.334230 IP 69.150.32.173.60034 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334234 IP 31.186.250.210.10011 > 70.101.143.229.10391: Flags [R], seq 689933859, win 0, payload 0
21:34:55.334267 IP 31.186.250.210.10011 > 184.10.230.13.32893: Flags [R], seq 689933859, win 0, payload 0
21:34:55.334279 IP 39.181.112.144.23869 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334286 IP 31.186.250.210.10011 > 69.150.32.173.60034: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334289 IP 13.105.16.99.31089 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334289 IP 118.89.32.150.9518 > 31.186.250.210.10011: Flags [.], ack 689933859, win 52604, payload 0
21:34:55.334322 IP 31.186.250.210.10011 > 39.181.112.144.23869: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334331 IP 31.186.250.210.10011 > 13.105.16.99.31089: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334335 IP 142.109.98.81.39280 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334338 IP 109.169.217.118.6424 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334343 IP 135.103.178.181.35750 > 31.186.250.210.10011: Flags [.], ack 689933859, win 52604, payload 0
21:34:55.334344 IP 158.196.205.133.35803 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334347 IP 31.186.250.210.10011 > 118.89.32.150.9518: Flags [R], seq 689933859, win 0, payload 0
21:34:55.334372 IP 184.188.156.166.51605 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334385 IP 173.252.141.194.55022 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334389 IP 31.186.250.210.10011 > 142.109.98.81.39280: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334432 IP 31.186.250.210.10011 > 109.169.217.118.6424: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334439 IP 31.186.250.210.10011 > 135.103.178.181.35750: Flags [R], seq 689933859, win 0, payload 0
21:34:55.334440 IP 1.181.223.55.11270 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334444 IP 161.247.224.19.31051 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334446 IP 31.186.250.210.10011 > 158.196.205.133.35803: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334450 IP 111.57.243.236.46911 > 31.186.250.210.10011: Flags [.], ack 689933859, win 52604, payload 0
21:34:55.334450 IP 173.166.130.1.3309 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334451 IP 31.186.250.210.10011 > 184.188.156.166.51605: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334456 IP 31.186.250.210.10011 > 173.252.141.194.55022: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334483 IP 31.186.250.210.10011 > 1.181.223.55.11270: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334498 IP 31.186.250.210.10011 > 161.247.224.19.31051: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334516 IP 31.186.250.210.10011 > 111.57.243.236.46911: Flags [R], seq 689933859, win 0, payload 0
21:34:55.334532 IP 31.186.250.210.10011 > 173.166.130.1.3309: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334542 IP 104.46.1.68.54523 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334542 IP 111.69.108.72.59248 > 31.186.250.210.10011: Flags [.], ack 689933859, win 52604, payload 0
21:34:55.334567 IP 87.153.252.226.31888 > 31.186.250.210.10011: Flags [.], ack 689933859, win 52604, payload 0
21:34:55.334588 IP 31.186.250.210.10011 > 104.46.1.68.54523: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334597 IP 31.186.250.210.10011 > 111.69.108.72.59248: Flags [R], seq 689933859, win 0, payload 0
21:34:55.334614 IP 31.186.250.210.10011 > 87.153.252.226.31888: Flags [R], seq 689933859, win 0, payload 0
21:34:55.334627 IP 197.2.67.157.57529 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334637 IP 223.225.78.232.18677 > 31.186.250.210.10011: Flags [.], ack 689933859, win 52604, payload 0
21:34:55.334656 IP 72.51.121.235.15799 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334671 IP 31.75.44.187.23297 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334671 IP 31.186.250.210.10011 > 197.2.67.157.57529: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334685 IP 31.186.250.210.10011 > 223.225.78.232.18677: Flags [R], seq 689933859, win 0, payload 0
21:34:55.334704 IP 72.58.162.120.18645 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334716 IP 126.32.45.75.49190 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334716 IP 92.211.16.98.52149 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334721 IP 99.82.232.35.13276 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334724 IP 31.186.250.210.10011 > 72.51.121.235.15799: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334727 IP 75.28.32.101.27125 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334733 IP 31.186.250.210.10011 > 31.75.44.187.23297: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334754 IP 88.17.17.157.15543 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334777 IP 60.3.215.21.55166 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334789 IP 143.138.179.36.54377 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334807 IP 31.186.250.210.10011 > 72.58.162.120.18645: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334813 IP 31.186.250.210.10011 > 126.32.45.75.49190: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334815 IP 31.186.250.210.10011 > 92.211.16.98.52149: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334817 IP 31.186.250.210.10011 > 99.82.232.35.13276: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334824 IP 31.186.250.210.10011 > 75.28.32.101.27125: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334836 IP 31.186.250.210.10011 > 88.17.17.157.15543: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334842 IP 108.192.180.126.63310 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334845 IP 31.186.250.210.10011 > 60.3.215.21.55166: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334850 IP 31.186.250.210.10011 > 143.138.179.36.54377: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334869 IP 27.228.70.222.28867 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334886 IP 193.133.176.112.23967 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334891 IP 31.186.250.210.10011 > 108.192.180.126.63310: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334896 IP 203.72.107.70.45370 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334907 IP 31.186.250.210.10011 > 27.228.70.222.28867: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334931 IP 103.15.189.123.65267 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.334950 IP 31.186.250.210.10011 > 193.133.176.112.23967: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.334963 IP 31.186.250.210.10011 > 203.72.107.70.45370: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.335021 IP 42.72.164.34.19216 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.335033 IP 117.213.182.71.43058 > 31.186.250.210.10011: Flags [.], ack 4213094209, win 58281, payload 0
100 packets captured
I'm getting this type of attack. Can we block it, please?
DDos filter
-
- New to forums
- Posts: 5
- https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
- Joined: Sat May 13, 2017 11:43 am
Re: DDos filter
It looks like those have a couple of different, identical ack and window values. You may be able to block based on these attributes using your Firewall page, if the attacker continues to use the same ones. You could also potentially block based on the port, if you know something isn't running on that port. Or, configure your OS to respond differently to invalid TCP-ACK packets.
If you want us to try to assist directly, you'd need to open a support request.
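An added example, not part of the posts above: one way to pull the repeated ack and window values out of a tcpdump text capture like the one in the first post, so a rule can be matched to the attack actually being seen. The function names are hypothetical, and the sample lines are constructed in the same format using documentation addresses plus the two ack/win pairs visible in the capture.

```python
import re
from collections import Counter

# Constructed sample (documentation addresses); one-line format as in the first post.
SAMPLE = """\
21:34:55.333838 IP 198.51.100.7.30096 > 203.0.113.10.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.333839 IP 198.51.100.44.18545 > 203.0.113.10.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.333845 IP 192.0.2.52.58943 > 203.0.113.10.10011: Flags [.], ack 689933859, win 52604, payload 0
21:34:55.333848 IP 203.0.113.10.10011 > 198.51.100.7.30096: Flags [R], seq 4213094209, win 0, payload 0
21:34:55.333921 IP 192.0.2.99.51218 > 203.0.113.10.10011: Flags [.], ack 4213094209, win 58281, payload 0
21:34:55.333935 IP 192.0.2.153.59687 > 203.0.113.10.10011: Flags [.], ack 689933859, win 52604, payload 0
21:34:55.333990 IP 198.51.100.200.40000 > 203.0.113.10.10011: Flags [.], ack 1177, win 502, payload 0
21:34:55.334010 IP 198.51.100.87.7906 > 203.0.113.10.10011: Flags [.], ack 4213094209, win 58281, payload 0
"""

LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\], "
    r"(?:ack (?P<ack>\d+), )?(?:seq (?P<seq>\d+), )?win (?P<win>\d+), payload (?P<len>\d+)"
)

def ack_fingerprints(capture, dport):
    """Return (ack, win, packets, distinct_sources) for bare ACKs sent to dport."""
    counts, sources = Counter(), {}
    for line in capture.splitlines():
        m = LINE.search(line)
        # Keep only empty, ACK-only segments aimed at the attacked port.
        if not m or m["flags"] != "." or m["ack"] is None:
            continue
        if m["dport"] != str(dport) or m["len"] != "0":
            continue
        key = (int(m["ack"]), int(m["win"]))
        counts[key] += 1
        sources.setdefault(key, set()).add(m["src"])
    return [(a, w, n, len(sources[(a, w)])) for (a, w), n in counts.most_common()]

def rule_candidates(capture, dport, min_sources=2):
    """An ack/win pair repeated across unrelated sources is not normal client
    behaviour, so those pairs are the ones worth spending a firewall rule on."""
    return [(a, w) for a, w, _, srcs in ack_fingerprints(capture, dport)
            if srcs >= min_sources]

if __name__ == "__main__":
    for ack, win in rule_candidates(SAMPLE, 10011):
        print(f"candidate match: tcp dport 10011, ack {ack}, window {win}")
```

Raise `min_sources` on a real capture so that a single client's repeated ACKs do not produce a candidate.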
Re: DDos filter
Those are the query ports; once I block the 10011 port everything will shut down. Is there any tutorial for the NFO firewall? And my 20 rules are full already, I can't add more.
- Vanderburg
- Former staff
- Posts: 1253
- Joined: Sat Nov 13, 2010 7:27 am
- Location: Dallas, TX
Re: DDos filter
Are you sure you need all 20 rules? You should only add rules that are to match specific attacks you're actually seeing. We don't recommend simply adding as many rules from the preconfigured list as possible.
Re: DDos filter
We commonly see customers adding random rules from our example list, as Vanderburg suggested, and filling up their default 20 rules that way. We strongly recommend against doing this. There are hundreds of different DDoS attacks and we are able to handle most of them for customers automatically; you should save your firewall rules to handle targeted attacks that get through, or for different security reasons (such as restricting external access to services like SSH or RDP overall).
-
- New to forums
- Posts: 10
- Joined: Tue May 16, 2017 7:43 pm
Re: DDos filter
Sir, is it possible to contact someone in your support team to help me set up the correct security in my VPS? Like closing open ports, virus scans, things like that. I'm afraid about that DDoS because in my last experience someone broke into my VPS server (somehow) and launched a DDoS attack, then people thought it was me.
Edge100x wrote:
It looks like those have a couple of different, identical ack and window values. You may be able to block based on these attributes using your Firewall page, if the attacker continues to use the same ones. You could also potentially block based on the port, if you know something isn't running on that port. Or, configure your OS to respond differently to invalid TCP-ACK packets.
If you want us to try to assist directly, you'd need to open a support request.
Re: DDos filter
Our support team is very easy to contact, and we can help you with bandwidth, hardware, billing, and the like, but for help with software configurations, the forum here is the best place to go.
If you are seeing attacks being launched from your VDS, then you should consider backing up your files and then wiping it as a first course of action, to make sure that is clean. Then, copy files back, reinstalling only the latest versions of each software package, and making sure to avoid known-insecure packages such as XAMPP. Change all of your passwords, as well.