

New VPS Client tried UDP flooding - What would you do?




Posted by iwebadmin, 09-07-2012, 01:02 PM
Hey guys, I just got a new signup for the cheapest OpenVZ package we have. Customer paid with Paypal and everything was setup. No more then 5 minutes later I get an alert email about a network flood from the NOC about my server is UDP flooding port 80. I jump on the computer and log onto the server, I couldn't connect to SoluzVM, putty session was so slow, it took me about two minutes just to get the PID of the script running and kill it. It's an interesting script and deadly in the wrong hands obviously. I'm just curious to see on what you guys would do if a new customer did this on your server?

Posted by tecsys, 09-07-2012, 01:47 PM
Are you pretty sure the client initiated it? Also, any IPs or traces in the logs? This was probably a fraud signup from a hacked PayPal account.

Posted by iwebadmin, 09-07-2012, 02:02 PM
Who else would have uploaded a directory named 'Dank' with a number of scripts in it? I made a backup of the script and zipped it up to look at it further. After a bit of investigating, the 'history' shows them kicking off the script. I sent out an email alerting them of this but no reply back yet. Here is the content of the README file from it:

Posted by TmzHosting, 09-07-2012, 03:03 PM
When he registered, did he have to go through any fraud steps? Most of the time these clients are fraud. - Daniel

Posted by iwebadmin, 09-07-2012, 03:23 PM
I'm using MaxMind. It didn't seem to catch anything though.

Posted by Coolraul, 09-07-2012, 04:34 PM
This is normal. There are many who will sign up, pass all fraud checks and use your services for this stuff. To answer your original question: you have proof of them abusing and causing problems for others on your servers, and likely for whoever they were targeting, so you terminate them for abuse. Don't worry, they may threaten you and may even post here, but if you are sure of your proof then in the best case they didn't secure their system. A lack of response is a good indicator that they are aware of what they are doing. You may or may not get a dispute/reversal. It's just the price of doing business if they get through your fraud screening.

Posted by Martin-D, 09-07-2012, 04:46 PM
As a general rule, if we have a customer sign up and within a matter of hours this kind of activity is going on we will terminate the account and issue a refund. No time for that kind of crap - our time is better spent dealing with customers who are honest.

Posted by Evixo, 09-07-2012, 04:57 PM
This, just terminate and refund. You don't need these clients on your server.

Posted by Johnny Cache, 09-07-2012, 05:46 PM
Personally, I have VERY little patience for this practice. I haven't come across it with any of my SolusVM nodes. I also don't offer any containers at shared hosting costs; I'm too paranoid about my business, and my nodes, becoming a moving target for abusers. As for us, the client agrees, prior to signing up, that they are not entitled to refunds or OpenVZ container backups if malicious and potentially damaging materials are discovered during an audit and found to have been configured by the account holder. It would be a much happier ending for the client who forgot to disable anonymous FTP logins and got screwed by a kiddie. That stuff happens to practically everyone at least once along the way; in those cases, I do a quick reload and scare off the script kiddies. Way more fun than filling out RBL removal forms. One of the businesses I provide administration for sent a ticket up to me for an audit of two of the cheapest OpenVZ containers they provide, using the HyperVM UI. Their user had ordered both VMs that morning. It hadn't even been 4 hours and the freakin' things had been optimized for spammers. My IP block reputations are far more important to me than making an extra $10/month.

Posted by PCS-Chris, 09-07-2012, 08:07 PM
I'd cancel the service and refund the payment. If you don't refund, you will only end up with a chargeback a few weeks/months down the line. We've had things like this go on for weeks before, e.g. someone always buys a 256MB and a 384MB VPS with similar names and uses them for abuse. Each and every time the IP + billing information checks out, bizarre.

Posted by iwebadmin, 09-11-2012, 12:49 PM
Thanks everyone for your valuable input. I've gone ahead and refunded the funds and terminated the account.


