DoS? Need help understanding what happened

Sonmi
Posts: 4
Joined: Wed Oct 16, 2019 3:51 pm

DoS? Need help understanding what happened

Post by Sonmi » Wed Oct 16, 2019 4:07 pm

Hello
Help me understand what it is.
Was I hacked?
The logs are full of it.

ozone
Posts: 57
Joined: Thu Sep 19, 2019 7:18 pm

Re: DoS? Need help understanding what happened

Post by ozone » Wed Oct 16, 2019 8:25 pm

My first question would be:

Do I know the originating IPs' owners?

If so, it might not be malicious, but simply misconfigured.

....

Sonmi
Posts: 4
Joined: Wed Oct 16, 2019 3:51 pm

Re: DoS? Need help understanding what happened

Post by Sonmi » Thu Oct 17, 2019 12:06 pm

No, all addresses are unknown.

Sonmi
Posts: 4
Joined: Wed Oct 16, 2019 3:51 pm

Re: DoS? Need help understanding what happened

Post by Sonmi » Thu Oct 17, 2019 12:08 pm

Here are some strange logs:

00:04:28.418 The connection with the client (IP address 104.131.216.170, Port number 54404) has been disconnected.
2019-10-17 00:04:28.620 On the TCP Listener (Port 443), a Client (IP address 104.131.216.170, Host name "min-extra-safe-301-usny-prod.binaryedge.ninja", Port number 54880) has connected.
2019-10-17 00:04:28.620 For the client (IP address: 104.131.216.170, host name: "min-extra-safe-301-usny-prod.binaryedge.ninja", port number: 54880), connection "CID-462" has been created.
2019-10-17 00:04:28.661 On the TCP Listener (Port 443), a Client (IP address 104.131.216.170, Host name "min-extra-safe-301-usny-prod.binaryedge.ninja", Port number 54932) has connected.
2019-10-17 00:04:28.661 For the client (IP address: 104.131.216.170, host name: "min-extra-safe-301-usny-prod.binaryedge.ninja", port number: 54932), connection "CID-463" has been created.
2019-10-17 00:04:28.671 Connection "CID-463" has been terminated.
2019-10-17 00:04:28.671 The connection with the client (IP address 104.131.216.170, Port number 54932) has been disconnected.
2019-10-17 00:04:28.722 SSL communication for connection "CID-462" has been started. The encryption algorithm name is "RC4-MD5".
2019-10-17 00:04:28.732 On the TCP Listener (Port 443), a Client (IP address 104.131.216.170, Host name "min-extra-safe-301-usny-prod.binaryedge.ninja", Port number 55028) has connected.
2019-10-17 00:04:28.732 For the client (IP address: 104.131.216.170, host name: "min-extra-safe-301-usny-prod.binaryedge.ninja", port number: 55028), connection "CID-464" has been created.
2019-10-17 00:04:28.732 Connection "CID-464" has been terminated.
2019-10-17 00:04:28.732 The connection with the client (IP address 104.131.216.170, Port number 55028) has been disconnected.
2019-10-17 00:04:28.732 On the TCP Listener (Port 443), a Client (IP address 104.131.216.170, Host name "min-extra-safe-301-usny-prod.binaryedge.ninja", Port number 55066) has connected.
2019-10-17 00:04:28.732 For the client (IP address: 104.131.216.170, host name: "min-extra-safe-301-usny-prod.binaryedge.ninja", port number: 55066), connection "CID-465" has been created.
2019-10-17 00:04:28.732 Connection "CID-465" has been terminated.
2019-10-17 00:04:28.732 The connection with the client (IP address 104.131.216.170, Port number 55066) has been disconnected.
2019-10-17 00:04:28.742 On the TCP Listener (Port 443), a Client (IP address 104.131.216.170, Host name "min-extra-safe-301-usny-prod.binaryedge.ninja", Port number 55078) has connected.
2019-10-17 00:04:28.742 For the client (IP address: 104.131.216.170, host name: "min-extra-safe-301-usny-prod.binaryedge.ninja", port number: 55078), connection "CID-466" has been created.
2019-10-17 00:04:28.742 Connection "CID-466" has been terminated.
2019-10-17 00:04:28.742 The connection with the client (IP address 104.131.216.170, Port number 55078) has been disconnected.
2019-10-17 00:04:28.772 On the TCP Listener (Port 443), a Client (IP address 104.131.216.170, Host name "min-extra-safe-301-usny-prod.binaryedge.ninja", Port number 55128) has connected.
2019-10-17 00:04:28.772 For the client (IP address: 104.131.216.170, host name: "min-extra-safe-301-usny-prod.binaryedge.ninja", port number: 55128), connection "CID-467" has been created.
2019-10-17 00:04:28.772 Connection "CID-467" has been terminated.
2019-10-17 00:04:28.772 The connection with the client (IP address 104.131.216.170, Port number 55128) has been disconnected.
2019-10-17 00:04:28.803 On the TCP Listener (Port 443), a Client (IP address 104.131.216.170, Host name "min-extra-safe-301-usny-prod.binaryedge.ninja", Port number 55200) has connected.
2019-10-17 00:04:28.803 For the client (IP address: 104.131.216.170, host name: "min-extra-safe-301-usny-prod.binaryedge.ninja", port number: 55200), connection "CID-468" has been created.
2019-10-17 00:04:28.803 Connection "CID-468" has been terminated.
2019-10-17 00:04:28.803 The connection with the client (IP address 104.131.216.170, Port number 55200) has been disconnected.
2019-10-17 00:04:28.834 On the TCP Listener (Port 443), a Client (IP address 104.131.216.170, Host name "min-extra-safe-301-usny-prod.binaryedge.ninja", Port number 55268) has connected.
2019-10-17 00:04:28.834 For the client (IP address: 104.131.216.170, host name: "min-extra-safe-301-usny-prod.binaryedge.ninja", port number: 55268), connection "CID-469" has been created.
2019-10-17 00:04:28.834 On the TCP Listener (Port 443), a Client (IP address 104.131.216.170, Host name "min-extra-safe-301-usny-prod.binaryedge.ninja", Port number 55270) has connected.
2019-10-17 00:04:28.834 For the client (IP address: 104.131.216.170, host name: "min-extra-safe-301-usny-prod.binaryedge.ninja", port number: 55270), connection "CID-470" has been created.
2019-10-17 00:04:28.834 Connection "CID-469" has been terminated.
2019-10-17 00:04:28.834 The connection with the client (IP address 104.131.216.170, Port number 55268) has been disconnected.
2019-10-17 00:04:28.844 On the TCP Listener (Port 443), a Client (IP address 104.131.216.170, Host name "min-extra-safe-301-usny-prod.binaryedge.ninja", Port number 55274) has connected.
2019-10-17 00:04:28.844 For the client (IP address: 104.131.216.170, host name: "min-extra-safe-301-usny-prod.binaryedge.ninja", port number: 55274), connection "CID-471" has been created.
2019-10-17 00:04:28.844 Connection "CID-470" has been terminated.
2019-10-17 00:04:28.844 The connection with the client (IP address 104.131.216.170, Port number 55270) has been disconnected.
2019-10-17 00:04:28.844 Connection "CID-471" has been terminated.
2019-10-17 00:04:28.844 The connection with the client (IP address 104.131.216.170, Port number 55274) has been disconnected.
2019-10-17 00:04:28.844 On the TCP Listener (Port 443), a Client (IP address 104.131.216.170, Host name "min-extra-safe-301-usny-prod.binaryedge.ninja", Port number 55290) has connected.
2019-10-17 00:04:28.844 For the client (IP address: 104.131.216.170, host name: "min-extra-safe-301-usny-prod.binaryedge.ninja", port number: 55290), connection "CID-472" has been created.
2019-10-17 00:04:28.854 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 104.131.216.170, port number is 55314. This connection will be forcefully disconnected now.
2019-10-17 00:04:28.864 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 104.131.216.170, port number is 55312. This connection will be forcefully disconnected now.
2019-10-17 00:04:28.864 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 104.131.216.170, port number is 55320. This connection will be forcefully disconnected now.
2019-10-17 00:04:28.864 Connection "CID-472" has been terminated.
2019-10-17 00:04:28.864 The connection with the client (IP address 104.131.216.170, Port number 55290) has been disconnected.
2019-10-17 00:04:28.884 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 104.131.216.170, port number is 55346. This connection will be forcefully disconnected now.
2019-10-17 00:04:28.884 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 104.131.216.170, port number is 55350. This connection will be forcefully disconnected now.
2019-10-17 00:04:28.914 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 104.131.216.170, port number is 55382. This connection will be forcefully disconnected now.
2019-10-17 00:04:28.965 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 104.131.216.170, port number is 55478. This connection will be forcefully disconnected now.
2019-10-17 00:04:28.965 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 104.131.216.170, port number is 55482. This connection will be forcefully disconnected now.
2019-10-17 00:04:28.965 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 104.131.216.170, port number is 55484. This connection will be forcefully disconnected now.
2019-10-17 00:04:28.975 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 104.131.216.170, port number is 55480. This connection will be forcefully disconnected now.
2019-10-17 00:04:28.975 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 104.131.216.170, port number is 55488. This connection will be forcefully disconnected now.
2019-10-17 00:04:28.975 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 104.131.216.170, port number is 55504. This connection will be forcefully disconnected now.
2019-10-17 00:04:28.975 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 104.131.216.170, port numbe

ozone
Posts: 57
Joined: Thu Sep 19, 2019 7:18 pm

Re: DoS? Need help understanding what happened

Post by ozone » Thu Oct 17, 2019 6:23 pm

If the source is "unknown", it is indeed possible that someone (or a bot) is trying to brute-force his/her way into your VPN.

The fact that you are listening on tcp/443 also makes you more likely to be probed than if you used a completely random port.
But that may be a conscious decision on your part, because 443 can hardly be blocked by providers and governments without crippling the entire web experience.
But it does mean that it is one of the ports (like 22, 23, 80, 8080, etc.) loved by probers to see if they can get in easily.

Personally, I therefore prefer a randomly chosen port (and disable all others).

If you absolutely need it on tcp/443, I would suggest doing at least the following:
- Create an AdminIP.txt file filled with the IP addresses that may "manage" the vpnserver.
- Disable the web interface exposed on your tcp/443 port, which is by default visible (but not accessible without pw). It shows the hacker <what> is behind this open port. ("bool DisableJsonRpcWebApi" true in vpnserver.config)

The good thing is, SE sees the probing in your case, and enables DDoS blocking for that IP.


The next step would be to do some hardening in your router/fw/internet-gw.
Depending on the device, it is possible to stealth forwarded ports (for certain scan types; the port is really still open for VPN), limit port access to certain IP or DNS ranges, and do some advanced blacklisting for offenders. The idea is that the offending party is likely not even going to reach the SE server.
But this is all really way beyond the scope of this forum.
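
As an added example (not code from the thread, and not part of SoftEther itself): a small Python parser for the two server-log message shapes quoted earlier in the thread, the "a Client (...) has connected" line and the server's own "A DoS attack ... has been detected" line. It flags any source that opens more than a threshold of TCP connections inside a one-second sliding window, independently of SoftEther's built-in detection, and separately counts the server's own detections, so the two views can be compared or fed to the router/firewall blacklisting ozone mentions. The regexes are modelled on the quoted lines; the window and threshold are my assumptions, not SoftEther's internal values; the sample log is constructed here with documentation-range IPs and placeholder hostnames.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message shapes modelled on the SoftEther server-log excerpt quoted in the thread.
TS = r'(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})'
CONNECT_RE = re.compile(
    TS + r' On the TCP Listener \(Port (?P<lport>\d+)\), a Client \(IP address (?P<ip>[\d.]+),'
    r' Host name "(?P<host>[^"]*)", Port number (?P<sport>\d+)\) has connected\.$'
)
DOS_RE = re.compile(
    TS + r' A DoS attack on the TCP Listener \(port (?P<lport>\d+)\) has been detected\.'
    r' The connecting source IP address is (?P<ip>[\d.]+), port number is (?P<sport>\d+)\.'
)
FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_ts(text):
    return datetime.strptime(text, FMT)


def find_bursts(lines, window=timedelta(seconds=1), threshold=10):
    """Sources that opened more than `threshold` TCP connections inside any sliding
    `window` (assumed values, not SoftEther's). Returns {ip: first timestamp of the burst}."""
    recent = defaultdict(deque)   # ip -> timestamps of connects still inside the window
    bursts = {}
    for line in lines:
        m = CONNECT_RE.match(line.strip())
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop connects that have fallen out of the window
            q.popleft()
        if len(q) > threshold and ip not in bursts:
            bursts[ip] = q[0]
    return bursts


def dos_events(lines):
    """Count the server's own 'A DoS attack ... has been detected' lines per source IP."""
    counts = defaultdict(int)
    for line in lines:
        m = DOS_RE.match(line.strip())
        if m:
            counts[m["ip"]] += 1
    return dict(counts)


def suspects(lines):
    """Sorted union of sources flagged by the rate rule and by SoftEther itself."""
    return sorted(set(find_bursts(lines)) | set(dos_events(lines)))


# --- constructed sample log (documentation-range IPs, not the thread's real data) ---
def _fmt(ts):
    return ts.strftime(FMT)[:-3]   # the server prints milliseconds, not microseconds


def connect_line(ts, ip, host, sport):
    return (f'{_fmt(ts)} On the TCP Listener (Port 443), a Client (IP address {ip}, '
            f'Host name "{host}", Port number {sport}) has connected.')


def dos_line(ts, ip, sport):
    return (f'{_fmt(ts)} A DoS attack on the TCP Listener (port 443) has been detected. '
            f'The connecting source IP address is {ip}, port number is {sport}. '
            'This connection will be forcefully disconnected now.')


BASE = datetime(2019, 10, 17, 0, 4, 28, 620000)
SCANNER, LEGIT = "198.51.100.7", "203.0.113.5"   # constructed, RFC 5737 ranges
SAMPLE_LOG = []
for i in range(15):   # 15 connects in ~0.4 s from one scanning host
    SAMPLE_LOG.append(connect_line(BASE + timedelta(milliseconds=30 * i), SCANNER,
                                   "scanner.example.invalid", 54880 + 2 * i))
for i in range(3):    # followed by the server's own detection lines
    SAMPLE_LOG.append(dos_line(BASE + timedelta(milliseconds=450 + 10 * i), SCANNER, 55314 + 2 * i))
# A legitimate user reconnecting twice, seconds apart, must not be flagged.
SAMPLE_LOG.append(connect_line(BASE - timedelta(seconds=5), LEGIT, "home.example.invalid", 40001))
SAMPLE_LOG.append(connect_line(BASE + timedelta(seconds=2), LEGIT, "home.example.invalid", 40002))

if __name__ == "__main__":
    print("rate-rule bursts:", find_bursts(SAMPLE_LOG))
    print("server DoS events:", dos_events(SAMPLE_LOG))
    print("suspects:", suspects(SAMPLE_LOG))
```

Run it against a real server_log file by replacing SAMPLE_LOG with the file's lines; the rate rule fires on the eleventh connection from one source inside a second, which is well before the pattern in the quoted excerpt (a dozen-plus connects within half a second) reaches the server's own detector, and the two-connect "legitimate" source stays clean.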

Sonmi
Posts: 4
Joined: Wed Oct 16, 2019 3:51 pm

Re: DoS? Need help understanding what happened

Post by Sonmi » Fri Oct 18, 2019 4:01 pm

Thanks for your reply.
