[HELP] Believe under DDoS attack

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
Hi all, I have been using my FreeNAS for over a year. It has been working fine; however, the first symptom I noticed was that my Nextcloud started showing "523 Origin Is Unreachable". DNS is by Cloudflare. I have verified that the IP is right, but it just can't reach my server. I restarted the server and it started working again.
But in these last 2 days, reaching the NAS on the home network has been unreasonably slow, and copying files easily produces errors. These symptoms have never happened before.
I also checked with netstat and found what is shown in the image attached below (192.168.2.142 is my iMac's IP address). Is this a DDoS attack? What should I do next?

Many thanks,
twsps
 

Attachments

  • 15612086583082134508262842557518.jpg
    15612086583082134508262842557518.jpg
    383 KB · Views: 378
  • 15612087361533644163246744892194.jpg
    15612087361533644163246744892194.jpg
    510.7 KB · Views: 373

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,112
More likely you're the source of the DDoS based on the origin port numbers being in the ephemeral range and all hitting :443 on the targets. Downloaded anything sketchy lately, including browser plugins like "Netflix unblockers" or similar?

Re: the second image, it could be Bonjour protocol spam, based on the "mDNSResponder" service.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Hi all, I have been using my FreeNAS for over a year. It has been working fine; however, the first symptom I noticed was that my Nextcloud started showing "523 Origin Is Unreachable". DNS is by Cloudflare. I have verified that the IP is right, but it just can't reach my server. I restarted the server and it started working again.
But in these last 2 days, reaching the NAS on the home network has been unreasonably slow, and copying files easily produces errors. These symptoms have never happened before.
I also checked with netstat and found what is shown in the image attached below (192.168.2.142 is my iMac's IP address). Is this a DDoS attack? What should I do next?

Many thanks,
twsps

You appear to be the source of a denial of service (single-D DoS) attack. When many people participate in this, it's called a DDoS (double-D distributed denial of service) attack.

If 192.168.2.142 is your iMac's address, please do the world a favor, unplug it from the network, roll back to a Time Machine backup from several months ago, plug it back in, and make sure all your software is up-to-date, especially anything that talks on the Internet. Once infected, it's basically impossible to prove that future infection vectors haven't been buried in your system, so the realistic option is to consider your iMac compromised, even if you find whatever is generating the DoS. Formatting the disk and reloading a fresh OS is a better option, but people are usually reluctant.

At the same time, make sure any Internet-accessible service such as NextCloud is fully patched and the web server and PHP stack supporting it are also fully patched.
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
You appear to be the source of a denial of service (single-D DoS) attack. When many people participate in this, it's called a DDoS (double-D distributed denial of service) attack.

If 192.168.2.142 is your iMac's address, please do the world a favor, unplug it from the network, roll back to a Time Machine backup from several months ago, plug it back in, and make sure all your software is up-to-date, especially anything that talks on the Internet. Once infected, it's basically impossible to prove that future infection vectors haven't been buried in your system, so the realistic option is to consider your iMac compromised, even if you find whatever is generating the DoS. Formatting the disk and reloading a fresh OS is a better option, but people are usually reluctant.

At the same time, make sure any Internet-accessible service such as NextCloud is fully patched and the web server and PHP stack supporting it are also fully patched.
I will reinstall my iMac.
I disconnected all home devices from the internet yesterday, and I ran netstat -na on FreeNAS; I have attached the picture. This is when it's off the internet. Is it free of the DDoS attack?

(192.168.2.111 is freenas IP)

Many thanks,
Twsps
 

Attachments

  • 15612447897901513190673033206114.jpg
    15612447897901513190673033206114.jpg
    347.4 KB · Views: 321

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
You appear to be the source of a denial of service (single-D DoS) attack. When many people participate in this, it's called a DDoS (double-D distributed denial of service) attack.

If 192.168.2.142 is your iMac's address, please do the world a favor, unplug it from the network, roll back to a Time Machine backup from several months ago, plug it back in, and make sure all your software is up-to-date, especially anything that talks on the Internet. Once infected, it's basically impossible to prove that future infection vectors haven't been buried in your system, so the realistic option is to consider your iMac compromised, even if you find whatever is generating the DoS. Formatting the disk and reloading a fresh OS is a better option, but people are usually reluctant.

At the same time, make sure any Internet-accessible service such as NextCloud is fully patched and the web server and PHP stack supporting it are also fully patched.
I do not fully agree with your comment here, after I've reinstalled macOS on my iMac. It appears that when it's connected or has several websites open, johnimaclocal.port shows up with descending port numbers. I've also run antivirus on all the Macs that I have, and there are no problems with them.

So what is the best way to protect against DDoS attacks, and against becoming a DDoS zombie, for FreeNAS or any computer?
 

proto

Patron
Joined
Sep 28, 2015
Messages
269
So what is the best way to protect against DDoS attacks, and against becoming a DDoS zombie, for FreeNAS or any computer?

I think it's out of scope here, sorry. That's a network security question...

Anyway: you and your browser are the "source" of that DDoS attack if you consider your last screenshot (TIME_WAIT on localhost port 9042). Just open your favourite browser and browse the FreeNAS web UI... Port 9042 is the nginx fastcgi_pass port.
So it's not a DDoS attack...
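The two diagnoses in this thread (HoneyBadger's "ephemeral source ports all hitting :443 on many targets means this host is the origin" and proto's "TIME_WAIT on localhost:9042 is just nginx talking to its FastCGI backend") can be turned into a small triage script. The following is an added example, not code from any poster or from FreeNAS; the netstat lines are constructed to imitate the BSD/FreeNAS `netstat -na` format (port appended to the address with a dot), and the fan-out threshold of 4 distinct targets is an assumed value, not something the thread states.

```python
"""Triage BSD-style `netstat -na` output: which side originated each TCP
connection, which local hosts fan out to many servers on one service port
(a DoS-source pattern), and which connections are harmless loopback churn.
Added example; the sample text below is constructed, not a real capture."""
import ipaddress
from collections import Counter, defaultdict

WELL_KNOWN_MAX = 1024  # assumption: ports below this are the server side

# Constructed sample imitating FreeBSD/macOS `netstat -na` formatting.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.2.142.52344    203.0.113.10.443       SYN_SENT
tcp4       0      0  192.168.2.142.52345    203.0.113.11.443       SYN_SENT
tcp4       0      0  192.168.2.142.52346    203.0.113.12.443       ESTABLISHED
tcp4       0      0  192.168.2.142.52347    203.0.113.13.443       SYN_SENT
tcp4       0      0  192.168.2.142.52348    203.0.113.14.443       SYN_SENT
tcp4       0      0  192.168.2.111.443      192.168.2.142.55001    ESTABLISHED
tcp4       0      0  127.0.0.1.9042         127.0.0.1.41234        TIME_WAIT
tcp4       0      0  127.0.0.1.9042         127.0.0.1.41235        TIME_WAIT
tcp4       0      0  127.0.0.1.9042         127.0.0.1.41236        TIME_WAIT
tcp4       0      0  *.443                  *.*                    LISTEN
udp4       0      0  *.5353                 *.*
"""


def parse_endpoint(token):
    """'192.168.2.142.52344' -> ('192.168.2.142', 52344); '*.*' -> ('*', None).
    BSD netstat joins address and port with a dot, so split on the last dot."""
    addr, _, port = token.rpartition('.')
    return addr, (None if port == '*' else int(port))


def parse_netstat(text):
    """Return one dict per tcp/udp row; header and banner lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(('tcp', 'udp')):
            continue
        local_addr, local_port = parse_endpoint(fields[3])
        foreign_addr, foreign_port = parse_endpoint(fields[4])
        conns.append({
            'proto': fields[0], 'local_addr': local_addr, 'local_port': local_port,
            'foreign_addr': foreign_addr, 'foreign_port': foreign_port,
            'state': fields[5] if len(fields) > 5 else '',  # UDP rows have no state
        })
    return conns


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr.split('%')[0]).is_loopback
    except ValueError:  # '*' or anything that is not an address
        return False


def classify(c):
    """Who initiated this connection? The side holding the well-known port is
    the server; the side holding the high (ephemeral) port made the call."""
    if c['state'] == 'LISTEN' or c['foreign_port'] is None:
        return 'listener'
    if is_loopback(c['local_addr']) and is_loopback(c['foreign_addr']):
        return 'loopback'
    lp, fp = c['local_port'], c['foreign_port']
    if fp < WELL_KNOWN_MAX <= lp:
        return 'outbound'  # this host opened it
    if lp < WELL_KNOWN_MAX <= fp:
        return 'inbound'   # a remote client opened it
    return 'unknown'


def summarize(text, min_targets=4):
    """Flag local hosts that fan out to >= min_targets distinct servers on one
    service port, count half-open (SYN_SENT) attempts per host, and report
    loopback churn per service port separately so it is not mistaken for an attack."""
    targets = defaultdict(lambda: defaultdict(set))  # host -> port -> {servers}
    syn_sent, loopback_churn = Counter(), Counter()
    for c in parse_netstat(text):
        kind = classify(c)
        if kind == 'outbound':
            targets[c['local_addr']][c['foreign_port']].add(c['foreign_addr'])
            if c['state'] == 'SYN_SENT':
                syn_sent[c['local_addr']] += 1
        elif kind == 'loopback':
            loopback_churn[min(c['local_port'], c['foreign_port'])] += 1
    suspects = [(host, port, len(servers))
                for host, by_port in targets.items()
                for port, servers in by_port.items()
                if len(servers) >= min_targets]
    return {'suspects': suspects, 'syn_sent': dict(syn_sent),
            'loopback_churn': dict(loopback_churn)}


if __name__ == '__main__':
    report = summarize(SAMPLE_NETSTAT)
    for host, port, n in report['suspects']:
        print(f"{host} originated connections to {n} distinct servers on :{port} "
              f"({report['syn_sent'].get(host, 0)} still SYN_SENT) -> investigate this host")
    for port, n in report['loopback_churn'].items():
        print(f"loopback :{port}: {n} connections, local proxy/backend traffic, not an attack")
```

Run against a real `netstat -na` dump by replacing `SAMPLE_NETSTAT` with the file contents; the useful signal is a single host fanning out to many distinct servers on the same port with connections stuck in SYN_SENT, while loopback entries in TIME_WAIT are accounted for separately.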
 