[SOLVED] Too much pings per second

plagoutte
Posts: 5
Joined: Wed Aug 16, 2017 9:11 am

[SOLVED] Too much pings per second

Postby plagoutte » Wed Apr 18, 2018 5:40 pm

Hello world,

I'm hosting a Zimbra Collaboration server on my virtual server. Today, my host sent me an email to tell me that my server had reached 90,000 pings per second, so it was stopped.
Here is the stack trace of connections:

Code:

ipv4     2 tcp      6 431865 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=44696 dport=389 src=149.91.82.16 dst=149.91.82.16 sport=389 dport=44696 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431997 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=45740 dport=389 src=149.91.82.16 dst=149.91.82.16 sport=389 dport=45740 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 177 src=183.134.59.19 dst=149.91.82.16 sport=28563 dport=11211 src=149.91.82.16 dst=183.134.59.19 sport=11211 dport=28563 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 430921 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=48328 dport=23232 src=127.0.0.1 dst=127.0.0.1 sport=23232 dport=48328 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431991 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=44698 dport=389 src=149.91.82.16 dst=149.91.82.16 sport=389 dport=44698 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 17 src=149.91.82.16 dst=149.91.82.16 sport=59368 dport=514 [UNREPLIED] src=149.91.82.16 dst=149.91.82.16 sport=514 dport=59368 mark=0 secmark=0 use=2
ipv4     2 udp      17 177 src=183.134.59.19 dst=149.91.82.16 sport=48087 dport=11211 src=149.91.82.16 dst=183.134.59.19 sport=11211 dport=48087 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 179 src=183.134.59.19 dst=149.91.82.16 sport=42442 dport=11211 src=149.91.82.16 dst=183.134.59.19 sport=11211 dport=42442 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431997 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=50570 dport=389 src=149.91.82.16 dst=149.91.82.16 sport=389 dport=50570 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431997 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=44578 dport=389 src=149.91.82.16 dst=149.91.82.16 sport=389 dport=44578 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431997 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=44576 dport=389 src=149.91.82.16 dst=149.91.82.16 sport=389 dport=44576 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431997 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=44232 dport=389 src=149.91.82.16 dst=149.91.82.16 sport=389 dport=44232 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=48326 dport=23232 src=127.0.0.1 dst=127.0.0.1 sport=23232 dport=48326 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 179 src=183.134.59.19 dst=149.91.82.16 sport=28437 dport=11211 src=149.91.82.16 dst=183.134.59.19 sport=11211 dport=28437 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431997 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=45750 dport=389 src=149.91.82.16 dst=149.91.82.16 sport=389 dport=45750 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431940 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=47212 dport=11211 src=149.91.82.16 dst=149.91.82.16 sport=11211 dport=47212 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431035 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=47214 dport=11211 src=149.91.82.16 dst=149.91.82.16 sport=11211 dport=47214 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431997 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=35112 dport=389 src=149.91.82.16 dst=149.91.82.16 sport=389 dport=35112 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 427026 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=47210 dport=11211 src=149.91.82.16 dst=149.91.82.16 sport=11211 dport=47210 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 177 src=183.134.59.19 dst=149.91.82.16 sport=57074 dport=11211 src=149.91.82.16 dst=183.134.59.19 sport=11211 dport=57074 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 27 TIME_WAIT src=58.218.198.136 dst=149.91.82.16 sport=13471 dport=22 src=149.91.82.16 dst=58.218.198.136 sport=22 dport=13471 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 177 src=183.134.59.19 dst=149.91.82.16 sport=13549 dport=11211 src=149.91.82.16 dst=183.134.59.19 sport=11211 dport=13549 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431997 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=44220 dport=389 src=149.91.82.16 dst=149.91.82.16 sport=389 dport=44220 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431997 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=45738 dport=389 src=149.91.82.16 dst=149.91.82.16 sport=389 dport=45738 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 430411 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=47208 dport=11211 src=149.91.82.16 dst=149.91.82.16 sport=11211 dport=47208 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 177 src=183.134.59.19 dst=149.91.82.16 sport=60007 dport=11211 src=149.91.82.16 dst=183.134.59.19 sport=11211 dport=60007 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431986 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=41178 dport=7306 src=127.0.0.1 dst=127.0.0.1 sport=7306 dport=41178 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 75 TIME_WAIT src=58.218.198.136 dst=149.91.82.16 sport=47737 dport=22 src=149.91.82.16 dst=58.218.198.136 sport=22 dport=47737 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 178 src=183.134.59.19 dst=149.91.82.16 sport=43507 dport=11211 src=149.91.82.16 dst=183.134.59.19 sport=11211 dport=43507 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 93 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=49604 dport=7171 src=127.0.0.1 dst=127.0.0.1 sport=7171 dport=49604 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 27 src=183.134.59.19 dst=149.91.82.16 sport=13607 dport=11211 [UNREPLIED] src=149.91.82.16 dst=183.134.59.19 sport=11211 dport=13607 mark=0 secmark=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=58.218.198.136 dst=149.91.82.16 sport=37532 dport=22 src=149.91.82.16 dst=58.218.198.136 sport=22 dport=37532 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431997 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=44596 dport=389 src=149.91.82.16 dst=149.91.82.16 sport=389 dport=44596 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 178 src=183.134.59.19 dst=149.91.82.16 sport=33 dport=11211 src=149.91.82.16 dst=183.134.59.19 sport=11211 dport=33 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431997 ESTABLISHED src=149.91.82.16 dst=149.91.82.16 sport=44594 dport=389 src=149.91.82.16 dst=149.91.82.16 sport=389 dport=44594 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 icmp     1 16 src=69.162.124.237 dst=149.91.82.16 type=8 code=0 id=8224 src=149.91.82.16 dst=69.162.124.237 type=0 code=0 id=8224 mark=0 secmark=0 use=2

I noticed that destination ports 11211 and 389 often appear in this stack trace, and they correspond to LDAP and iCal. Also, the source and destination addresses are the same, so these connections are local.

Do you know how to reduce these connections in order to keep my server running? Thank you in advance.
Best regards
Last edited by plagoutte on Sat May 05, 2018 8:38 pm, edited 1 time in total.


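Before asking how to reduce the connections, the useful check is which of the flows in a dump like the one above were opened by the host itself and which came from outside. The following is an added example, not part of the original post or of Zimbra: it summarises conntrack entries (the /proc/net/nf_conntrack format shown above; `conntrack -L` output, which omits the first two columns, also works because the protocol is detected by name) by origin, protocol and destination port, then lists any externally reachable port that should never be public on a Zimbra host (memcached 11211, LDAP 389). The sample entries are constructed in the same format, with 203.0.113.10 standing in for the server and 198.51.100.7 for an external host.

```shell
#!/bin/sh
# Added example: classify a conntrack dump so exposed services stand out.
# Not from the original post; sample data and addresses below are constructed.

# Constructed sample in /proc/net/nf_conntrack format.
# 203.0.113.10 = the server, 198.51.100.7 = an external host (RFC 5737).
sample_conntrack() {
cat <<'EOF'
ipv4     2 tcp      6 431865 ESTABLISHED src=203.0.113.10 dst=203.0.113.10 sport=44696 dport=389 src=203.0.113.10 dst=203.0.113.10 sport=389 dport=44696 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431997 ESTABLISHED src=203.0.113.10 dst=203.0.113.10 sport=45740 dport=389 src=203.0.113.10 dst=203.0.113.10 sport=389 dport=45740 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 177 src=198.51.100.7 dst=203.0.113.10 sport=28563 dport=11211 src=203.0.113.10 dst=198.51.100.7 sport=11211 dport=28563 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 177 src=198.51.100.7 dst=203.0.113.10 sport=48087 dport=11211 src=203.0.113.10 dst=198.51.100.7 sport=11211 dport=48087 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 27 src=198.51.100.7 dst=203.0.113.10 sport=13607 dport=11211 [UNREPLIED] src=203.0.113.10 dst=198.51.100.7 sport=11211 dport=13607 mark=0 secmark=0 use=2
ipv4     2 tcp      6 430921 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=48328 dport=23232 src=127.0.0.1 dst=127.0.0.1 sport=23232 dport=48328 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=37532 dport=22 src=203.0.113.10 dst=198.51.100.7 sport=22 dport=37532 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 icmp     1 16 src=198.51.100.7 dst=203.0.113.10 type=8 code=0 id=8224 src=203.0.113.10 dst=198.51.100.7 type=0 code=0 id=8224 mark=0 secmark=0 use=2
EOF
}

# Reads conntrack lines on stdin and prints "origin proto dport count".
# Only the first src=/dst=/dport= of each line (the original direction) is
# used; the second tuple is the expected reply, not a separate flow.
conntrack_summary() {
    awk '
    {
        proto = ""; src = ""; dst = ""; dport = "-"
        for (i = 1; i <= NF; i++) {
            if (proto == "" && $i ~ /^(tcp|udp|icmp|icmpv6|sctp)$/) proto = $i
            if (src == "" && $i ~ /^src=/)       src = substr($i, 5)
            if (dst == "" && $i ~ /^dst=/)       dst = substr($i, 5)
            if (dport == "-" && $i ~ /^dport=/)  dport = substr($i, 7)
        }
        # A flow the host opened to itself (loopback or its own public
        # address) is local; anything else was initiated from outside.
        origin = (src == dst || src ~ /^127\./) ? "local" : "external"
        count[origin " " proto " " dport]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort
}

# Prints only externally originated flows to ports that must stay internal
# on a Zimbra host: memcached (11211) and LDAP (389).
exposed_internal_ports() {
    conntrack_summary | awk '$1 == "external" && ($3 == 11211 || $3 == 389)'
}

# Usage on a live host: conntrack_summary < /proc/net/nf_conntrack
# Stand-alone run on the constructed sample:
sample_conntrack | conntrack_summary
```

On the constructed sample, the only externally originated flows are UDP to 11211, one TCP session to 22 and an ICMP echo; every 389 entry has the server as both source and destination. Running the same two functions over the real dump answers the question of which ports the firewall needs to close.
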
plagoutte
Posts: 5
Joined: Wed Aug 16, 2017 9:11 am

Re: Too much pings per second

Postby plagoutte » Sat Apr 21, 2018 2:09 pm

Hello,

Let me give you another piece of information. Below are two pictures: one lists the local TCP connections (lo) on my server without Zimbra started and the other with Zimbra started.

[Image: local TCP connections on lo, Zimbra not started]
[Image: local TCP connections on lo, Zimbra started]

Thank you in advance, I really need your help.
L. Mark Stone
Elite member
Posts: 1862
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.8 Patch 6 Network Edition

Re: Too much pings per second

Postby L. Mark Stone » Sat Apr 21, 2018 9:33 pm

You've left your memcached port open to the Internet it seems?

https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack

Please configure your firewall to allow public Internet access only to those ports on Zimbra that provide public-facing services (External Access). You can see the list here:
https://wiki.zimbra.com/wiki/Ports

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
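One way to apply Mark's advice, as an added example that is neither Zimbra's code nor taken from the wiki pages he links: a script that prints an iptables ruleset exposing only the public-facing Zimbra services and letting everything else, including memcached (11211) and LDAP (389), fall through to a DROP policy. The port list is an assumption for a typical mail-only deployment; check it against https://wiki.zimbra.com/wiki/Ports and add whatever your deployment actually publishes. It assumes plain iptables (not firewalld or ufw), IPv4 only, and that intra-host traffic, including the server talking to its own public address, is delivered over `lo`, which is how Linux routes packets to a local address.

```shell
#!/bin/sh
# Added example (not from Zimbra or the wiki): print an iptables ruleset that
# exposes only Zimbra's public-facing ports. Review the output, then apply
# with:  sh zimbra-fw.sh | sh      and persist with iptables-save.

# Assumed public TCP ports: SMTP, HTTP, POP3, IMAP, HTTPS, SMTPS, submission,
# IMAPS, POP3S. The admin console (7071) is deliberately not public.
ZIMBRA_PUBLIC_TCP="${ZIMBRA_PUBLIC_TCP:-25 80 110 143 443 465 587 993 995}"
# Set this to your management network before applying, or you will lose SSH.
ADMIN_CIDR="${ADMIN_CIDR:-}"

# Emits iptables commands on stdout. The DROP policy is set last so an
# existing SSH session is not cut off between the flush and the allow rules.
zimbra_fw_rules() {
    echo 'iptables -F INPUT'
    # Loopback carries the LDAP and memcached traffic Zimbra's own
    # components generate (the local 389/11211 flows in a conntrack dump).
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Answer pings, but rate-limit them.
    echo 'iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    for p in $ZIMBRA_PUBLIC_TCP; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    if [ -n "$ADMIN_CIDR" ]; then
        echo "iptables -A INPUT -s $ADMIN_CIDR -p tcp --dport 22 -j ACCEPT"
        echo "iptables -A INPUT -s $ADMIN_CIDR -p tcp --dport 7071 -j ACCEPT"
    fi
    # No rule for 11211 or 389 from outside: they hit the default policy.
    echo 'iptables -P INPUT DROP'
}

zimbra_fw_rules
```

Because the script only prints rules, it can be diffed against the current `iptables-save` output before anything changes on the host. Memcached over UDP is the case that produced the traffic in this thread; with no ACCEPT rule for 11211 on a non-loopback interface, both UDP and TCP requests to it from the Internet are dropped while Zimbra's own memcached clients on `lo` keep working.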
plagoutte
Posts: 5
Joined: Wed Aug 16, 2017 9:11 am

Re: Too much pings per second

Postby plagoutte » Wed Apr 25, 2018 4:35 pm

Hello,

Thank you very much for your reply, I fixed it. I will see in a few days whether my server stops again and will give you the result.

Thank you for your help!
plagoutte
Posts: 5
Joined: Wed Aug 16, 2017 9:11 am

Re: Too much pings per second

Postby plagoutte » Sat May 05, 2018 8:37 pm

Hello,

Finally, blocking the LDAP port works! I think my server was stopped because of an LDAP brute-force attack.
As you can see, the network traffic and CPU load are lower than before:
[Image: network traffic and CPU load graphs]

Thank you very much !
Have a nice weekend,

Best regards
