Question

Why has my droplet networking been disabled?

First I get an email from DigitalOcean thanking me for reporting my own droplet to them?

Thank you for your submission. A member of the Trust & Safety team will review the details as soon as possible. If appropriate, the information will be forwarded to the associated customer in its entirety.

If there is additional information you'd like to provide, please respond to this email. If you did not provide logs, we would - at a minimum - require an IP address and timestamp (with associated time zone) to identify the correct server where the activity originated. We will contact you with any follow-up questions, should they arise.

Please note that as an unmanaged cloud hosting provider, we do not create, administer, or have direct access to our customers' virtual servers. We, therefore, cannot make direct changes to any programs or websites hosted there.

Additionally, our privacy policy does not allow us, under any circumstances, to share information about the customer with third parties.

Regards,

DigitalOcean

Message makes no sense, I start to think someone has access to my DigitalOcean account and is reporting my own droplets to shut me down… I panic. Message DigitalOcean, get a reply after 12+ hours the following:

The traffic we noticed was a SYN flood (http://en.wikipedia.org/wiki/Syn_flood) being launched from your Droplet against a remote server at 60.191.143.212 - not any form of legitimate traffic. This could not have been from a remote system, as there was no inbound traffic (from your client) during this incident.

Now they claim someone hacked into my droplet and performed a DDOS attack. I have been with DigitalOcean for more than 4 years, and this is the first time something like this happens.

I am upset at how bad their first email was, forcing me to spend an entire day in paranoia over what is going on, trying to migrate code and redeploy. Secondly, the second email reveals nothing useful.

There is nothing hosted on the IP that they say someone DDOSed. Likely someone hacked into my droplet, but something doesn’t sound right. Just doesn’t make sense.

Either way, my question and concern is, do I get the blame for any of this DDOS attack? Should I keep doing business here? Does my standing as a DO customer change because of this incident?

There are other people reporting that there is abuse of the “droplet report system”.

Is DO going to do anything about this? This day because of all this mess, I lost $500+ I am not expecting to be compensated by DO, but I can’t afford having my droplets shut down for no reason.

Their support system is very slow, especially for critical issues like this.

Anyone can chip in?



@auroa @hansen

When it comes to management, DigitalOcean is a self-managed provider (which is often referred to as un-managed). We do not have access to a customer’s Droplet(s), which prevents us from logging in or executing commands. We do have monitoring in place to detect issues, such as the one your Droplet was flagged for, though that’s network level.

On our end, we manage:

  • The Hardware (hard drives, RAM, networking, etc)
  • The Network (connectivity, bandwidth, etc)
  • The Hypervisor (the physical node where your Droplets are hosted)
  • Our Control Panel and API

The customer would be responsible for day to day management of their Droplets, which includes:

  • Configuration and Setup
  • OS Updates and Upgrades (ensuring the latest packages are up to date)
  • Security (OS, software, applications, etc)
  • Performance (tuning your stack, managing resources, etc)
  • General sysadmin duties (i.e. server management in general)

We do our best to provide guidance (through support tickets), though we’re not a replacement for a sysadmin.

It’s much like if you set up a home server on a spare desktop or laptop. You’d be responsible for the server and all that comes with managing a server. If that server was hacked and used to send a flood or used to DDoS another IP or host, they too would cut the connection as they wouldn’t have access to your server to do anything.

While we do our best to provide the best support possible, when it comes to issues like these, we have to consider the network and the effect on it. If your Droplet was hacked and is sending out a level of traffic that affects the network, we have to take action otherwise we jeopardize the network as a whole.

When networking is cut, you still have access to console and can troubleshoot any issues from there. In general, if the server has been hacked, we normally advise setting up a new Droplet and working to migrate data, though you’d need to make sure cleanup is performed to ensure you’re not moving any data that caused the hack over to the new Droplet, otherwise it’s very likely the same thing could happen again.

Please keep in mind, this isn’t specific to DigitalOcean. I’ve worked with close to 1,000 providers over the last 15 years. The common term for this would be null route, meaning the provider simply nullifies any and all traffic. It’s actually not uncommon and could happen with any provider if your VPS, Shared hosting account, or even Dedicated Server is being used to flood the network.

I can’t comment on your account specifically as this is a public forum / community and any account specific details would need to stay in the ticket regarding the issue. I would definitely welcome you to follow up, ask for details, provide any logs that you can gather from Console, and ask for help.

When it comes to things like this, we deal with them daily. We’re not, however, refusing to work with you or help as best we can, though we are limited in what we have access to and resolving a hack or issue such as this would be something you’d need to be willing to handle as it’s one of the tasks that comes with managing a server.

Hi @auroa

There’s a lot we, the community, cannot answer or see, since we’re just users too.

First off, if DigitalOcean says that your droplet has been used in conjunction with something, then it’s probably true. They are looking at their network logs and can see activity from your droplet. You should then thoroughly examine your droplet for any signs of intrusion - make a copy of every log (/var/log/) and investigate. It’s easy to manipulate logs if the intruder got access to your droplet with root access, so if you don’t find any evidence then it doesn’t mean nothing occurred.

To your question about blame. Yes, it’s your responsibility to secure your server, so someone else doesn’t use it for something bad. If you should keep doing business with DigitalOcean, well, that’s your decision. I don’t know if DigitalOcean keeps track, that’s for DigitalOcean to answer.

What do you mean about “other people reporting” - can you link to those?

What do you think DigitalOcean should be doing? I understand you want a bit clearer information, I agree, but besides that, I don’t see what they can do differently.

And if you’re losing $500/day, then you should consider a high availability system using multiple servers, different regions, different providers. Then it doesn’t matter if one of them closes down. I don’t earn that amount on most of my servers, but I have two clients who run this setup, since downtime for them would be very costly.

DigitalOcean has been slow with support lately, but they’re working on a new Cloud Support system, where tickets hopefully will get much faster response. I thought it would launch Tuesday, but it doesn’t look like it’s finished yet.

Out of curiosity, what are you running on your server - and is everything fully updated and secured?

@jtittle Can you comment on behalf of DigitalOcean?
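
As a complement to copying /var/log and investigating from the console, here is one way to check a packet capture for the outbound SYN pattern the provider described. This is an added example, not part of the thread or DigitalOcean's tooling; the function names are hypothetical, the interface name eth0 is an assumption, and the sample capture uses constructed documentation-range addresses.

```shell
#!/bin/sh
# Added example: count outbound SYN-only packets per destination from
# `tcpdump -nn` text output read on stdin.
# On a live system (interface eth0 is an assumption):
#   tcpdump -nn -i eth0 -c 5000 'tcp[tcpflags] == tcp-syn' \
#     | flag_syn_targets <droplet-ip> 100

# Print "<count> <dst_ip>" for every destination that received SYN-only
# packets from LOCAL_IP ($1), highest count first.
count_outbound_syns() {
    awk -v me="$1" '
        $2 == "IP" && $4 == ">" && $6 == "Flags" && $7 == "[S]," {
            src = $3; dst = $5
            sub(/\.[0-9]+$/, "", src)     # drop source port
            sub(/\.[0-9]+:$/, "", dst)    # drop destination port and colon
            if (src == me) n[dst]++
        }
        END { for (d in n) print n[d], d }
    ' | sort -k1,1nr -k2,2
}

# Print only the destinations that received at least THRESHOLD ($2) SYNs.
flag_syn_targets() {
    count_outbound_syns "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Constructed sample capture: six bare SYNs to one host, plus one normal
# three-way handshake to another host (SYN, SYN-ACK, ACK).
sample_capture() {
    i=0
    while [ "$i" -lt 6 ]; do
        echo "12:00:0$i.000001 IP 203.0.113.10.4000$i > 198.51.100.7.80: Flags [S], seq 1$i, win 64240, length 0"
        i=$((i + 1))
    done
    echo "12:00:07.000001 IP 203.0.113.10.51000 > 192.0.2.25.443: Flags [S], seq 77, win 64240, length 0"
    echo "12:00:07.020001 IP 192.0.2.25.443 > 203.0.113.10.51000: Flags [S.], seq 9, ack 78, win 65160, length 0"
    echo "12:00:07.020101 IP 203.0.113.10.51000 > 192.0.2.25.443: Flags [.], ack 10, win 502, length 0"
}

# Flags 198.51.100.7 (six SYNs); the single handshake SYN stays below the threshold.
sample_capture | flag_syn_targets 203.0.113.10 5
```

A destination flagged here is a lead for finding the responsible process, not proof of how the server was compromised; as noted above, an intruder with root access can also tamper with what the system reports.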