A Problem About UDP port 80


(Umutcan Onal) #1

Hi,

We have been testing Elasticsearch for a while. Our ES cluster was on
AWS. We installed Bigdesk, Marvel, Thrift, EC2 Discovery plugins. There
were 5 instance (1 load balancer, 4 data node) and all of them were
version 0.90.

Yesterday, We have received an e-mail from AWS. They said one of our
instance in ES cluster was making DOS attacks from UDP port 80.

We did not restrict ports, because it was an test cluster. It can be
main cause of this problem, but I still want to ask if there is a known
bug (in ES or modules or plugins) that cause something like this or if
there is anyone who have seen some kind of similar problem.

Thanks,
Umutcan Onal

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/53BD012A.2090109%40gamegos.com.
For more options, visit https://groups.google.com/d/optout.


(David Pilato) #2

3 bad things here:

  • You exposed your cluster to internet directly
  • You did not disable dynamic scripting
  • May be you are running your elasticsearch node as root?

You should read that documentation: http://www.elasticsearch.org/guide/en/elasticsearch/reference/0.90/modules-scripting.html#_disabling_dynamic_scripts

--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet | @elasticsearchfr

Le 9 juillet 2014 à 10:45:30, Umutcan (umutcan@gamegos.com) a écrit:

Hi,

We have been testing Elasticsearch for a while. Our ES cluster was on
AWS. We installed Bigdesk, Marvel, Thrift, EC2 Discovery plugins. There
were 5 instance (1 load balancer, 4 data node) and all of them were
version 0.90.

Yesterday, We have received an e-mail from AWS. They said one of our
instance in ES cluster was making DOS attacks from UDP port 80.

We did not restrict ports, because it was an test cluster. It can be
main cause of this problem, but I still want to ask if there is a known
bug (in ES or modules or plugins) that cause something like this or if
there is anyone who have seen some kind of similar problem.

Thanks,
Umutcan Onal

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/53BD012A.2090109%40gamegos.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/etPan.53bd04d9.189a769b.6455%40MacBook-Air-de-David.local.
For more options, visit https://groups.google.com/d/optout.


(Umutcan Onal) #3

You are right. We were aware that exposing cluster to internet was a bad
idea. It was a temporary situation. We are planing to use it behind an
application in our product.

Thanks for advice.

On 09-07-2014 12:01, David Pilato wrote:

3 bad things here:

  • You exposed your cluster to internet directly
  • You did not disable dynamic scripting
  • May be you are running your elasticsearch node as root?

You should read that documentation:
http://www.elasticsearch.org/guide/en/elasticsearch/reference/0.90/modules-scripting.html#_disabling_dynamic_scripts

--
David Pilato | /Technical Advocate/ | Elasticsearch.com
@dadoonet https://twitter.com/dadoonet | @elasticsearchfr
https://twitter.com/elasticsearchfr

Le 9 juillet 2014 à 10:45:30, Umutcan (umutcan@gamegos.com
mailto:umutcan@gamegos.com) a écrit:

Hi,

We have been testing Elasticsearch for a while. Our ES cluster was on
AWS. We installed Bigdesk, Marvel, Thrift, EC2 Discovery plugins. There
were 5 instance (1 load balancer, 4 data node) and all of them were
version 0.90.

Yesterday, We have received an e-mail from AWS. They said one of our
instance in ES cluster was making DOS attacks from UDP port 80.

We did not restrict ports, because it was an test cluster. It can be
main cause of this problem, but I still want to ask if there is a known
bug (in ES or modules or plugins) that cause something like this or if
there is anyone who have seen some kind of similar problem.

Thanks,
Umutcan Onal

--
You received this message because you are subscribed to the Google
Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/53BD012A.2090109%40gamegos.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google
Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to elasticsearch+unsubscribe@googlegroups.com
mailto:elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/etPan.53bd04d9.189a769b.6455%40MacBook-Air-de-David.local
https://groups.google.com/d/msgid/elasticsearch/etPan.53bd04d9.189a769b.6455%40MacBook-Air-de-David.local?utm_medium=email&utm_source=footer.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/53BD0DD2.5080400%40gamegos.com.
For more options, visit https://groups.google.com/d/optout.


(Ivan Brusic) #4

Elasticsearch wrote a blog post regarding the issue today:

--
Ivan

On Wed, Jul 9, 2014 at 2:39 AM, Umutcan umutcan@gamegos.com wrote:

You are right. We were aware that exposing cluster to internet was a bad
idea. It was a temporary situation. We are planing to use it behind an
application in our product.

Thanks for advice.

On 09-07-2014 12:01, David Pilato wrote:

3 bad things here:

  • You exposed your cluster to internet directly
  • You did not disable dynamic scripting
  • May be you are running your elasticsearch node as root?

You should read that documentation:
http://www.elasticsearch.org/guide/en/elasticsearch/reference/0.90/modules-scripting.html#_disabling_dynamic_scripts

  --

David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet https://twitter.com/dadoonet | @elasticsearchfr
https://twitter.com/elasticsearchfr

Le 9 juillet 2014 à 10:45:30, Umutcan (umutcan@gamegos.com) a écrit:

Hi,

We have been testing Elasticsearch for a while. Our ES cluster was on
AWS. We installed Bigdesk, Marvel, Thrift, EC2 Discovery plugins. There
were 5 instance (1 load balancer, 4 data node) and all of them were
version 0.90.

Yesterday, We have received an e-mail from AWS. They said one of our
instance in ES cluster was making DOS attacks from UDP port 80.

We did not restrict ports, because it was an test cluster. It can be
main cause of this problem, but I still want to ask if there is a known
bug (in ES or modules or plugins) that cause something like this or if
there is anyone who have seen some kind of similar problem.

Thanks,
Umutcan Onal

--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/53BD012A.2090109%40gamegos.com
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/etPan.53bd04d9.189a769b.6455%40MacBook-Air-de-David.local
https://groups.google.com/d/msgid/elasticsearch/etPan.53bd04d9.189a769b.6455%40MacBook-Air-de-David.local?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/53BD0DD2.5080400%40gamegos.com
https://groups.google.com/d/msgid/elasticsearch/53BD0DD2.5080400%40gamegos.com?utm_medium=email&utm_source=footer
.

For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/CALY%3DcQBxE6KnZb5Art%2B%3DKMiVSQBcOChDaVsnnDoJAxdNCanLTA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


(system) #5