SYN_RECV, IPTABLES, Drop DDOS Flood IPs does not work!

Discussion in 'Security' started by benalmador, Sep 1, 2009.

  1. #1
    SYN_RECV, IPTABLES, Drop DDOS Flood IPs does not work!
    I use this command to block DDoS IPs:

    while true; do
        netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq
        netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq > /tmp/ips.txt
        for IP in `cat /tmp/ips.txt`; do iptables -A INPUT -s $IP -j DROP; done
        service iptables save
        sleep 30
    done

    but still all the same IPs that SYN_RECV DDoS me remain active.
    I tried an iptables restart; it still won't kill those bad connections.
    How do I really drop them so I won't see them again in netstat?

    [root@vbox2fedora11 ~]# sysctl -p
    net.ipv4.ip_forward = 0
    net.ipv4.tcp_syncookies = 1
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.default.accept_source_route = 0
    kernel.sysrq = 0
    kernel.core_uses_pid = 1
    [root@vbox2fedora11 ~]#

    [root@vbox2fedora11 ~]# netstat
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52419 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52414 SYN_RECV
    tcp 0 0 website.com:http a88-112-87-22:pnaconsult-lm SYN_RECV
    tcp 0 0 website.com:http dsl-187-146-59-172-:houston SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52397 SYN_RECV
    tcp 0 0 website.com:http dsl-187-146-59-172-:yo-main SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52416 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52420 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52398 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52395 SYN_RECV
    tcp 0 0 website.com:http static-84-166-145-212:14949 SYN_RECV
    tcp 0 0 website.com:http 5ad0d533.bb.sk:netbill-auth SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52421 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52422 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52417 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52402 SYN_RECV
    tcp 0 0 website.com:http static.unknown.c:dicom-iscl SYN_RECV
    tcp 0 0 website.com:http d66-183-27-194.bchsia:60266 SYN_RECV
    tcp 0 0 website.com:http 10.1.231.55:edm-manager SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52405 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52393 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52411 SYN_RECV
    tcp 0 0 website.com:http 188.51.4.221:46386 SYN_RECV
    tcp 0 0 website.com:http dsl-144-98-232.telkoma:3404 SYN_RECV
    tcp 0 0 website.com:http bl7-78-16.dsl.telepac:14020 SYN_RECV
    tcp 0 0 website.com:http 172.16.127.226:houston SYN_RECV
    tcp 0 0 website.com:http p548FBB32.dip.t-di:mps-raft SYN_RECV
    tcp 0 0 website.com:http adsl-76-217-95-6.dsl.:60250 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52401 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52407 SYN_RECV
    tcp 0 0 website.com:http 125.51.196-77.rev.g:netplan SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52408 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52418 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52399 SYN_RECV
    tcp 0 0 website.com:http d66-183-27-194.bchsia:60285 SYN_RECV
    tcp 0 0 website.com:http static-84-166-145-212:14950 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52413 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52404 SYN_RECV
    tcp 0 0 website.com:http mobile-3G-dyn-BC-190-:52242 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52415 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52394 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52409 SYN_RECV
    tcp 0 0 website.com:http bas3-montreal31-12797:61810 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52396 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52423 SYN_RECV
    tcp 0 0 website.com:http 217.71.225.75:4497 SYN_RECV
    tcp 0 0 website.com:http S0106001cdf20124e.vc.:52412 SYN_RECV
     
    benalmador, Sep 1, 2009
  2. zacharooni
    #2
    Try using the routing table, example:

    /sbin/route add OFFENDING_IP reject
     
    zacharooni, Sep 7, 2009
  3. Ladadadada
    #3
    The command

    iptables -A blah blah blah

    adds a new rule to the end of the chain that already exists. If there is a rule that is already matching these packets and allowing them through, then adding a DROP rule to the end won't make any difference.

    Paste the output of iptables -L -n here if you want us to look through for something that might be matching.
     
    Ladadadada, Sep 12, 2009
  4. hostvault
    #4
    Hello,

    You may want to take a look at CSF or APF firewall, as they have a ton of functionality built in that you could probably benefit from with your situation.
     
    hostvault, Sep 16, 2009
  5. SecureCP
    #5
    +1
    I highly recommend CSF with a nice tune, iptraf may be able to provide some other information if you don't notice a difference. ;)
     
    SecureCP, Sep 25, 2009
  6. cpace1983

    #6
    As another poster noted, try inserting the rule, instead of appending:

    iptables -I INPUT -s $IP -j DROP

    should do the trick.
     
    cpace1983, Sep 27, 2009
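    The point made in posts #3 and #6 (a DROP appended with -A sits behind the ACCEPT that already matches port 80, so it has to be inserted with -I) put together as a dry-run script. This is an added example, not code from the thread; the netstat text is constructed, and the existing-rule check assumes the `-A INPUT -s x.x.x.x/32 -j DROP` format that `iptables -S INPUT` prints.

```shell
#!/bin/sh
# Added example (not from the thread): pull SYN_RECV sources out of `netstat -n`
# output and emit iptables rules that are INSERTED at the head of INPUT (-I).
# A rule appended with -A lands after any earlier ACCEPT and never matches.

# Constructed sample of `netstat -n` output (not the poster's real output).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:52419      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:52420      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.33:4497         SYN_RECV
tcp        0      0 203.0.113.10:80         10.1.231.55:3404        SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.99:60250     ESTABLISHED'

# Print each unique remote IPv4 address currently in SYN_RECV, one per line.
# Column 5 is "Foreign Address", column 6 is State (also true with -p); the port is cut at the last ':'.
syn_recv_sources() {
    awk '$6 == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); print $5 }' | sort -u
}

# Return 0 for RFC 1918 / loopback addresses, which must never be blocked from
# this list (the poster's own output contained 10.x and 172.16.x hosts).
is_private() {
    case "$1" in
        10.*|127.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit one iptables command per public SYN_RECV source, skipping addresses that
# already have a DROP rule in INPUT (the original loop re-appended the same rule
# every 30 seconds). $1 is the netstat text, $2 the output of `iptables -S INPUT`.
block_commands() {
    printf '%s\n' "$1" | syn_recv_sources | while read -r ip; do
        is_private "$ip" && continue
        printf '%s\n' "$2" | grep -q -- "-s $ip/32 -j DROP" && continue
        # -I puts the rule at position 1, ahead of any ACCEPT rule for port 80.
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# Dry run: print the commands instead of executing them.
block_commands "$SAMPLE_NETSTAT" "-A INPUT -s 192.0.2.33/32 -j DROP"
```

    A DROP rule only affects packets that arrive after it is inserted; entries already in SYN_RECV stay in netstat until the kernel stops retransmitting the SYN-ACK (net.ipv4.tcp_synack_retries), which is why they did not vanish immediately.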