Faelix Limited Network Operations Centre

security, networks & software

Wed, 16 Jan 2008

Korean IP Address Attempting Denial of Service

UK Grid informed us that they were seeing a massive spike in traffic to one particular host of ours. A quick peek at our traffic graphs confirmed their suspicions: bunny.shell was receiving many thousands of times more traffic than usual (though only peaking at about 30% of the capacity that this virtual host can cope with). Kudos to Patrick at UK Grid who called us within just a few minutes of the attack starting.

Inspecting the host, we noticed one suspicious process running. The traffic targeting the host was to random UDP ports, all with a single source address. Given the possibly compromised nature of the virtual machine, weighed against the likely effects on customers who might use the service, we decided to take a snapshot and kill the instance.

We later learned that the DoS attack continued, despite the target address now being completely unresponsive. UK Grid blocked traffic to the targeted IP address, and contacted Tiscali who blocked UDP from the attacker's address to the target.
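The pattern described above (one source address, random destination UDP ports, a fixed target) is easy to pick out of a capture or flow export once you look for it. The following is an added example, not Faelix or UK Grid code: it parses tcpdump -n style lines and flags any source/destination pair that hits an unusually large number of distinct UDP ports within a short window. The capture it runs on is constructed inline, and the addresses are documentation ranges (192.0.2.x, 203.0.113.x, 198.51.100.x), not the ones involved in the incident.

```python
import random
import re
from collections import defaultdict, deque

# tcpdump -n prints UDP packets as:
#   HH:MM:SS.ffffff IP src.sport > dst.dport: UDP, length N
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def parse_line(line):
    """Parse one tcpdump -n line into a dict, or None if it is not a UDP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    return {
        "ts": int(h) * 3600 + int(mi) * 60 + float(s),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def find_port_sprays(lines, window=10.0, min_ports=50):
    """Return {(src, dst): peak distinct destination ports within `window` seconds}
    for every source/destination pair that reached `min_ports` or more."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, dport) inside the window
    flagged = {}
    for e in events:
        key = (e["src"], e["dst"])
        q = recent[key]
        q.append((e["ts"], e["dport"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()  # expire packets older than the window
        distinct = len({p for _, p in q})
        if distinct >= min_ports:
            flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged


def build_sample(n_attack=200, seed=1):
    """Constructed capture: one source sprays random UDP ports at the target,
    alongside a few normal NTP exchanges from another host and one TCP line.
    Addresses are documentation ranges, not those from the incident."""
    rng = random.Random(seed)
    target, attacker, ntp_peer = "192.0.2.10", "203.0.113.7", "198.51.100.2"
    lines = []
    for i in range(n_attack):
        ts = 0.01 * i  # 200 packets in two seconds
        lines.append(
            f"12:00:{ts:09.6f} IP {attacker}.{rng.randint(1024, 65535)} > "
            f"{target}.{rng.randint(1, 65535)}: UDP, length 1024"
        )
    for i in range(5):
        ts = 0.3 * i
        lines.append(f"12:00:{ts:09.6f} IP {ntp_peer}.123 > {target}.123: UDP, length 48")
    # A TCP line: does not match the UDP pattern and is ignored by the parser.
    lines.append("12:00:00.500000 IP 192.0.2.10.22 > 198.51.100.9.51234: Flags [P.], length 52")
    return lines


def sample_result():
    """Run the detector over the constructed capture."""
    return find_port_sprays(build_sample())


if __name__ == "__main__":
    for (src, dst), ports in sample_result().items():
        print(f"port spray: {src} -> {dst}, {ports} distinct UDP ports")
```

Two caveats when using this for real. A busy resolver answering one client also sends from a single address to many ephemeral ports, so compare against a baseline for the pair (or require the source port to vary as well, as it did here) before calling it an attack. And because the flood carried on after the VM had been killed, the useful place to run this is on flow data or a span port at the network edge, not on the target host.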

What is bunny.shell?

Customers who colocate a server with Faelix which includes a hardware management card can connect that card to an internal management network, rather than expose the card to Internet-based attacks. bunny.shell is one layer of protection that Faelix offers: customers must first log in to a shell server connected to the management LAN before they can reach their server management card (these cards are in turn protected by a customer-set password, though the card itself may only talk an unencrypted protocol like telnet).

As not all ssh clients support private key authentication, bunny.shell grants access on username/password pairs. Unfortunately the trade-off between installing fail2ban (risking a customer locking themselves out of a seldom-used account just when they need it most: to reboot a dead server) and not installing it (risking brute force attacks) has gone against us tonight. In addition to user education and password strength enforcement, Faelix plans to revise this policy and will deploy fail2ban on bunny.shell too.
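The lockout risk that held fail2ban back is largely a matter of configuration. The jail below is an added example, not Faelix's own configuration: it is a /etc/fail2ban/jail.local fragment that bans a source only after repeated failures, keeps the ban short rather than permanent, and exempts the management LAN so a customer on a trusted network cannot lock themselves out of bunny.shell at the moment they need to reboot a dead server. The jail name, log path (Debian-style auth.log) and the 10.0.0.0/8 range standing in for the management LAN are assumptions.

```ini
[DEFAULT]
# Never ban loopback or the internal management LAN (10.0.0.0/8 is a placeholder).
ignoreip = 127.0.0.1/8 10.0.0.0/8

[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
# Five failures within ten minutes earns a ban...
maxretry = 5
findtime = 600
# ...that expires after fifteen minutes: a brute-forcer is slowed to a crawl,
# while a customer who fat-fingers a seldom-used password waits, not phones.
bantime  = 900
```

A short bantime is the key trade-off setting: it costs an attacker almost all of their guessing rate while bounding the worst case for a locked-out customer to a few minutes. Password strength enforcement still matters, because fail2ban only throttles guessing, it does not stop a patient attacker with a good wordlist.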