Network scan via TeamSpeak server port 9987

Good morning

Our SOC has detected an attack from our servers to another provider.
After analyzing the logs, we notice that the source comes from one of our TeamSpeak servers on port 9987.

Do you have an idea how he can do that?

I am using the latest version of the TeamSpeak server.

Good for you

It’s not the server that scans anything on any other machine.

It only listens on local IPs and the ports that are set. And this must be possible else no server would be pointless.
Maybe you or the host did set up an external or wrong IP in the server ini?

What scans ports on other machines are port scanners. This is not our software doing this.


When people DDoS your server, the attackers will spoof IPs, the TeamSpeak server responds to the spoofed IPs with an initial connection packet, and then the host that receives these packets sends an abuse complaint to your host. It's not a port scan, but because there's no previous packet exchange it looks like one. This is happening more and more to servers these days, but it's just an inherent weakness of UDP packets.

The best you can do is block as many IPs as you can in your server firewall that your server should not be communicating with. Hetzner are the worst at reporting servers for this, so blocking them is probably a good start if you can.

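A triage check for the pattern described in the reply above, as an added example that is not part of the original thread: it labels each UDP packet the server sent as a reply to an earlier inbound packet (what a TeamSpeak server answering spoofed sources produces) or as unsolicited. The packet records, the addresses and the 2-second window are constructed assumptions.

```python
from collections import defaultdict

SERVER = "192.0.2.10"  # hypothetical TeamSpeak host (documentation address)

# Constructed UDP packet records: (time_s, src_ip, src_port, dst_ip, dst_port)
PACKETS = [
    (0.00, "198.51.100.7", 40001, SERVER, 9987),   # inbound; source may be spoofed
    (0.01, SERVER, 9987, "198.51.100.7", 40001),   # server's answer goes to that source
    (0.10, "198.51.100.8", 40002, SERVER, 9987),
    (0.11, SERVER, 9987, "198.51.100.8", 40002),
    (0.20, "198.51.100.9", 40003, SERVER, 9987),
    (0.21, SERVER, 9987, "198.51.100.9", 40003),
    (5.00, SERVER, 51515, "203.0.113.5", 22),      # no inbound packet precedes these
    (5.01, SERVER, 51515, "203.0.113.5", 23),
]

def classify(packets, server, window=2.0):
    """Label every packet sent by `server` as 'reply' or 'unsolicited'.

    A reply mirrors the addresses and ports of an inbound packet seen at most
    `window` seconds earlier (the window is an assumed value).
    """
    last_inbound = {}  # (remote_ip, remote_port, local_port) -> last time seen
    labelled = []
    for ts, sip, sport, dip, dport in sorted(packets):
        if dip == server:
            last_inbound[(sip, sport, dport)] = ts
        elif sip == server:
            seen = last_inbound.get((dip, dport, sport))
            is_reply = seen is not None and ts - seen <= window
            labelled.append((sport, dip, "reply" if is_reply else "unsolicited"))
    return labelled

def summarize(packets, server, window=2.0):
    """Count replies and unsolicited packets per local source port."""
    counts = defaultdict(lambda: {"reply": 0, "unsolicited": 0})
    for sport, _dip, label in classify(packets, server, window):
        counts[sport][label] += 1
    return dict(counts)

def unsolicited_ports(summary):
    """Local ports that sent packets with no matching inbound packet."""
    return sorted(p for p, c in summary.items() if c["unsolicited"])

if __name__ == "__main__":
    summary = summarize(PACKETS, SERVER)
    for port, c in sorted(summary.items()):
        print(port, c)
    print("investigate local ports:", unsolicited_ports(summary))
```

Outbound traffic that consists only of replies from port 9987 is consistent with the spoofed-source pattern; unsolicited packets from other local ports are not explained by it and warrant a closer look at the host.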

Thanks for the reply.
Yes, it's Hetzner.
I have nulled all prefixes announced by AS24940 (Hetzner Online GmbH).