1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Anti-DDos with iptables?

Discussion in 'Security' started by Kaizoku, Dec 8, 2007.

  1. #1
    Is there a simple rule that blocks ddos and syn attacks?
    SEMrush
     
    Kaizoku, Dec 8, 2007 IP
    SEMrush
  2. Ladadadada

    Ladadadada Peon

    Messages:
    382
    Likes Received:
    36
    Best Answers:
    0
    Trophy Points:
    0
    #2
    Not really. SYN attacks work because they look just like a normal connection but when your server responds with a SYN/ACK, the attacker never completes the handshake with the final ACK. Your server will then wait for it's timeout period, which is usually quite long. The attacker then uses up all your memory keeping track of all the connections that have been started but aren't fully connected yet.

    One thing you can do is to lower the handshake timeout. I can't remember off the top of my head how to do that but I'm sure Google has the answers.

    DDOS attacks are all different so you usually have to figure out which resource is being starved and find a way to fix that. It can be anything from hard drive space to RAM to bandwidth to port numbers to your service provider's bandwidth.

    Once you know what is the bottleneck in your setup, you need to find a way to fix that particular problem. The two most common strategies are widening the bottleneck and filtering the bad traffic out before the bottleneck is hit.

    IPTables can still be useful in blocking DOS attacks and even in blocking DDOS attacks. This is assuming that each zombie attacking you is attacking again and again and that you can identify a zombie by it's behaviour on the first attack and drop all packets from them on any later attack. This also assumes that IPTables is upstream of your bottleneck and that dropping packets will resolve the bottleneck (which it probably will).

    In my experience, it has rarely been very much use attempting to mitigate DOS attacks before they happen. The best you can hope for is to wait until it happens and already know how to deal with it when it does.
     
    Ladadadada, Dec 8, 2007 IP
  3. Kaizoku

    Kaizoku Well-Known Member

    Messages:
    1,261
    Likes Received:
    20
    Best Answers:
    1
    Trophy Points:
    105
    #3
    Thank you for your very detailed reply and explanation, which firewall or package you recommend I install to combat these attacks? I use the Debian Distro and install packages via apt-get and aptitude :)
     
    Kaizoku, Dec 8, 2007 IP
  4. Ladadadada

    Ladadadada Peon

    Messages:
    382
    Likes Received:
    36
    Best Answers:
    0
    Trophy Points:
    0
    #4
    I prefer IPTables but I have recently completed a Sun MicroSystems security course in which we were taught all about Solaris's default firewall: IPF. It's syntax is a little strange at first but it's really quite powerful. I would be surprised if it wasn't available for Linux.

    I have heard that Smoothwall is very easy to configure and use for someone who hasn't messed around with firewalls much before but I haven't used it myself so I can't say that with any authority.
     
    Ladadadada, Dec 8, 2007 IP
  5. creative4w3

    creative4w3 Active Member

    Messages:
    105
    Likes Received:
    4
    Best Answers:
    0
    Trophy Points:
    58
    #5
    Are there any good, free tutorials on IP tables off the top of anyones head? I've googled, but I can't find anything really significant, just small tutorials to do this or that. In most cases I can figure it out, but IP tables seems to be a little complex...
     
    creative4w3, Dec 8, 2007 IP
  6. SSANZ

    SSANZ Peon

    Messages:
    865
    Likes Received:
    10
    Best Answers:
    0
    Trophy Points:
    0
    #6
    Depending on what type of traffic and also what type of attack it is you may need to reconfigure a number of system variables to prepare the system for extra load as it processes which connection is technically " fake ".

    There are a number of tools -

    Check to see if it is an attack - :: netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    Apache -

    Mod_evasive
    httpd.conf - reconfiguration ( timeout, keepalive, server spawn )


    Connection Monitoring -

    netstat -

    - Run these commands to seek all connections on port 80, with type SYN.

    netstat -n | grep :80 |wc -l

    netstat -n | grep :80 | grep SYN |wc -l


    install bwm-ng ( bandwidth monitor )

    sysctl.conf - hardening/reconfiguration. Helps the box handle extra load as connections are being processed.

    Enable syncookies as well via echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    Good luck :)
     
    SSANZ, Dec 9, 2007 IP
  7. Kaizoku

    Kaizoku Well-Known Member

    Messages:
    1,261
    Likes Received:
    20
    Best Answers:
    1
    Trophy Points:
    105
    #7
    Thanks, I will try these out ^_^
     
    Kaizoku, Dec 9, 2007 IP
  8. CDVisors

    CDVisors Peon

    Messages:
    58
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #8
    I use the method of SSANZ its very good and it reduce the attacks
     
    CDVisors, Dec 21, 2007 IP
  9. gen1us2k

    gen1us2k Peon

    Messages:
    1
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #9
    Mod_evasive
    its normally when in attack port 80
    but hping -i u1 is dos tool... and its syn flood... here u need iptables or another firewall to drop/reject syn packets
     
    gen1us2k, Nov 22, 2009 IP
  10. submitmaster

    submitmaster Well-Known Member

    Messages:
    329
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    103
    #10
    i have never heard of SSANZ , what is that?
     
    submitmaster, Dec 16, 2009 IP
  11. SecureCP

    SecureCP Guest

    Messages:
    227
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    0
    #11
    perhaps I missed whether or not your running a control panel, but have you considered CSF config Server Firewall? It's very easy for novices to block IP's and has syn flood protection and port flood protection built in as well.
     
    SecureCP, Dec 16, 2009 IP
  12. tenev

    tenev Active Member

    Messages:
    322
    Likes Received:
    7
    Best Answers:
    0
    Trophy Points:
    95
    #12
    i had quite a-lot of problems in the past, since i use Mod_evasive , no problems at all, however i wrote a custom code working with my mod_evasive to fully block that IP's via firewall for 6 hours
     
    tenev, Dec 17, 2009 IP
  13. Kaizoku

    Kaizoku Well-Known Member

    Messages:
    1,261
    Likes Received:
    20
    Best Answers:
    1
    Trophy Points:
    105
    #13
    Someone dug up 2 year old thread :/

    I've gained alot of experience since then :)
     
    Kaizoku, Dec 17, 2009 IP