SSH hack attempts on Anchor IP

Posted May 26, 2020 754 views

I’m currently browsing the logs on an Ubuntu 16.04 instance. It’s using a floating IP for http/s access. The logs are getting filled with random connections attempts on 443/sshd which is expected. But what I don’t understand is why many of these attempts are showing that the destination IP is the Anchor IP for my Floating Address. From what I understand, the Anchor should only be accessible within the datacenter. Is this indicative of attacks from a neighbor VPS, and if so, how would I alert Digital Ocean Admins, so they could locate the source and inform, or potentially shutdown the owner? The source addresses appear to be coming from all over the world, but I assume those are spoofed. Thanks.

edited by MattIPv4

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
2 answers

Floating IP’s are actually tied to the anchor IP. All traffic to the floating IP goes through the anchor IP address which is tied to your eth0 interface. Any traffic coming through the floating IP would show up to the destination anchor IP address.Traffic to the droplet’s main IP address will show up with the main IP’s address.