Question

SSH hack attempts on Anchor IP

I’m currently browsing the logs on an Ubuntu 16.04 instance. It’s using a floating IP for http/s access. The logs are getting filled with random connections attempts on 443/sshd which is expected. But what I don’t understand is why many of these attempts are showing that the destination IP is the Anchor IP for my Floating Address. From what I understand, the Anchor should only be accessible within the datacenter. Is this indicative of attacks from a neighbor VPS, and if so, how would I alert Digital Ocean Admins, so they could locate the source and inform, or potentially shutdown the owner? The source addresses appear to be coming from all over the world, but I assume those are spoofed. Thanks.

Subscribe
Share

Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Accepted Answer

Floating IP’s are actually tied to the anchor IP. All traffic to the floating IP goes through the anchor IP address which is tied to your eth0 interface. Any traffic coming through the floating IP would show up to the destination anchor IP address.Traffic to the droplet’s main IP address will show up with the main IP’s address.

This comment has been deleted