Anti-DDoS with iptables?

Discussion in 'Security' started by Kaizoku, Dec 8, 2007.

  1. #1
    Is there a simple rule that blocks DDoS and SYN attacks?
     
    Kaizoku, Dec 8, 2007 IP
  2. Ladadadada

    Ladadadada Peon

    #2
    Not really. SYN attacks work because they look just like a normal connection, but when your server responds with a SYN/ACK, the attacker never completes the handshake with the final ACK. Your server will then wait for its timeout period, which is usually quite long. The attacker then uses up all your memory keeping track of all the connections that have been started but aren't fully connected yet.

    One thing you can do is to lower the handshake timeout. I can't remember off the top of my head how to do that but I'm sure Google has the answers.

    DDoS attacks are all different, so you usually have to figure out which resource is being starved and find a way to fix that. It can be anything from hard drive space to RAM to bandwidth to port numbers to your service provider's bandwidth.

    Once you know what is the bottleneck in your setup, you need to find a way to fix that particular problem. The two most common strategies are widening the bottleneck and filtering the bad traffic out before the bottleneck is hit.

    IPTables can still be useful in blocking DoS attacks and even in blocking DDoS attacks. This is assuming that each zombie attacking you is attacking again and again, and that you can identify a zombie by its behaviour on the first attack and drop all packets from it on any later attack. This also assumes that IPTables is upstream of your bottleneck and that dropping packets will resolve the bottleneck (which it probably will).

    In my experience, it has rarely been very much use attempting to mitigate DoS attacks before they happen. The best you can hope for is to wait until it happens and already know how to deal with it when it does.
     
    Ladadadada, Dec 8, 2007 IP
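The approach in the post above (track each source's new connections, keep dropping from one that exceeds the limit, and make the kernel tolerate half-open connections), written out as iptables rules. This is an added example, not code from any poster in the thread; the chain name SYN_LIMIT, the thresholds and the "recent" match are assumptions about a Linux host with iptables, and setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: per-source SYN rate limiting with the
# iptables "recent" match, plus the kernel settings for half-open connections.
# Set IPT=echo for a dry run that only prints the rules.
IPT="${IPT:-iptables}"

# A source that sends more than $hits new connections to $port within
# $seconds is dropped. Because the DROP rule uses --update, every further
# SYN refreshes the entry, so a zombie that keeps hammering stays blocked
# until it goes quiet for $seconds (the "drop on any later attack" idea).
syn_limit_rules() {
    port="${1:-80}"; hits="${2:-15}"; seconds="${3:-10}"
    "$IPT" -N SYN_LIMIT
    "$IPT" -A SYN_LIMIT -m recent --name synflood --set
    "$IPT" -A SYN_LIMIT -m recent --name synflood --update \
        --seconds "$seconds" --hitcount "$hits" -j DROP
    "$IPT" -A SYN_LIMIT -j ACCEPT
    # Only connection attempts (SYN set, ACK clear) enter the chain;
    # established traffic is never rate limited.
    "$IPT" -A INPUT -p tcp --dport "$port" --syn -j SYN_LIMIT
}

# Flag combinations no legitimate TCP client sends; cheap to drop early.
bogus_flag_rules() {
    "$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
}

# Kernel side: SYN cookies keep a flood from exhausting the backlog, and
# fewer SYN-ACK retries make half-open entries expire sooner. Needs root.
syn_flood_sysctl() {
    sysctl -w net.ipv4.tcp_syncookies=1
    sysctl -w net.ipv4.tcp_synack_retries=2
    sysctl -w net.ipv4.tcp_max_syn_backlog=2048
}

# Dry run: IPT=echo sh this_script.sh prints the rule set for review.
if [ "$IPT" = "echo" ]; then
    bogus_flag_rules
    syn_limit_rules 80 15 10
fi
```

The hitcount stays below the recent module's default list size of 20 per address; raise ip_pkt_list_tot if you need a larger window.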
  3. Kaizoku

    Kaizoku Well-Known Member

    #3
    Thank you for your very detailed reply and explanation. Which firewall or package do you recommend I install to combat these attacks? I use the Debian distro and install packages via apt-get and aptitude :)
     
    Kaizoku, Dec 8, 2007 IP
  4. Ladadadada

    Ladadadada Peon

    #4
    I prefer IPTables, but I have recently completed a Sun Microsystems security course in which we were taught all about Solaris's default firewall: IPF. Its syntax is a little strange at first, but it's really quite powerful. I would be surprised if it wasn't available for Linux.

    I have heard that Smoothwall is very easy to configure and use for someone who hasn't messed around with firewalls much before, but I haven't used it myself, so I can't say that with any authority.
     
    Ladadadada, Dec 8, 2007 IP
  5. creative4w3

    creative4w3 Active Member

    #5
    Are there any good, free tutorials on iptables off the top of anyone's head? I've googled, but I can't find anything really significant, just small tutorials to do this or that. In most cases I can figure it out, but iptables seems to be a little complex...
     
    creative4w3, Dec 8, 2007 IP
  6. SSANZ

    SSANZ Peon

    #6
    Depending on what type of traffic and also what type of attack it is, you may need to reconfigure a number of system variables to prepare the system for extra load as it processes which connection is technically "fake".

    There are a number of tools:

    Check to see if it is an attack:

    netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    Apache:

    Mod_evasive
    httpd.conf reconfiguration (timeout, keepalive, server spawn)

    Connection Monitoring:

    netstat - run these commands to count all connections on port 80, and those in state SYN:

    netstat -n | grep :80 | wc -l

    netstat -n | grep :80 | grep SYN | wc -l

    Install bwm-ng (bandwidth monitor).

    sysctl.conf hardening/reconfiguration. Helps the box handle extra load as connections are being processed.

    Enable syncookies as well via echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    Good luck :)
     
    SSANZ, Dec 9, 2007 IP
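The netstat checks from the post above, turned into reusable functions that run over a constructed netstat -an sample so the logic can be exercised offline. This is an added example, not code from SSANZ or anyone in the thread; the sample addresses, the 3-connection threshold and the function names are assumptions, and on a real host you would replace SAMPLE with the live netstat output.

```shell
#!/bin/sh
# Added example, not from the thread: count connections per remote IP and
# half-open (SYN_RECV) connections to a port, over a constructed sample.
# On a live box: SAMPLE=$(netstat -an). IPv4 only, like the original one-liner.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40003      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40004      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:51000       ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:51010       ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.33:6001         TIME_WAIT
udp        0      0 0.0.0.0:53              0.0.0.0:*'

# The "is it an attack" one-liner: connections per remote IP, highest last.
# Only tcp/udp rows are counted, so the header line is skipped.
connections_per_ip() {
    printf '%s\n' "$SAMPLE" | awk '$1 ~ /^(tcp|udp)/ {print $5}' \
        | cut -d: -f1 | sort | uniq -c | sort -n
}

# Half-open connections to a local port (default 80). Anchoring on ":port$"
# avoids the original grep's false matches on ports like 8080.
syn_recv_count() {
    port="${1:-80}"
    printf '%s\n' "$SAMPLE" | awk -v p="$port" \
        '$1 == "tcp" && $4 ~ (":" p "$") && $6 == "SYN_RECV" {c++} END {print c+0}'
}

# Remote IPs holding at least $limit connections: candidates for a
# firewall block or for checking against your rate limits.
suspect_ips() {
    limit="${1:-3}"
    connections_per_ip | awk -v n="$limit" '$1 >= n {print $2}'
}

echo "connections per remote IP:"; connections_per_ip
echo "half-open connections to :80: $(syn_recv_count 80)"
echo "sources at or above 3 connections: $(suspect_ips 3)"
```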
  7. Kaizoku

    Kaizoku Well-Known Member

    #7
    Thanks, I will try these out ^_^
     
    Kaizoku, Dec 9, 2007 IP
  8. CDVisors

    CDVisors Peon

    #8
    I use the method of SSANZ; it's very good and it reduces the attacks.
     
    CDVisors, Dec 21, 2007 IP
  9. gen1us2k

    gen1us2k Peon

    #9
    Mod_evasive
    is normally for when the attack is on port 80,
    but hping -i u1 is a DoS tool... and it's a SYN flood... here you need iptables or another firewall to drop/reject SYN packets.
     
    gen1us2k, Nov 22, 2009 IP
  10. submitmaster

    submitmaster Well-Known Member

    #10
    I have never heard of SSANZ, what is that?
     
    submitmaster, Dec 16, 2009 IP
  11. SecureCP

    SecureCP Guest

    #11
    Perhaps I missed whether or not you're running a control panel, but have you considered CSF (Config Server Firewall)? It's very easy for novices to block IPs, and it has SYN flood protection and port flood protection built in as well.
     
    SecureCP, Dec 16, 2009 IP
  12. tenev

    tenev Active Member

    #12
    I had quite a lot of problems in the past; since I use Mod_evasive, no problems at all. However, I wrote custom code working with my mod_evasive to fully block those IPs via the firewall for 6 hours.
     
    tenev, Dec 17, 2009 IP
  13. Kaizoku

    Kaizoku Well-Known Member

    #13
    Someone dug up a 2 year old thread :/

    I've gained a lot of experience since then :)
     
    Kaizoku, Dec 17, 2009 IP