Re: [suse-security] I'm under DoS attack!
... sorry about the massive email :( ...
What about REJECT instead of DROP?
iptables -I INPUT -s
Does someone know how I can protect my server: iptables rules, SuSEfirewall?
Right now there are only 3 source IPs the attack comes from (it is a small one) ...
iptables -I INPUT -s IP#1 -j DROP
iptables -I INPUT -s IP#2 -j DROP
iptables -I INPUT -s IP#3 -j DROP

It makes no sense at all to add these permanently to your firewall, since an attack usually only lasts a couple of hours/days. After the attack subsides, remove the rules with

iptables -D INPUT -s IP#1 -j DROP
iptables -D INPUT -s IP#2 -j DROP
iptables -D INPUT -s IP#3 -j DROP

If you need logging, you may want to insert additional rules to log the dropped packets. Note that a firewall will not help in defending against a 'real' DDoS attack; this must be stopped at your uplink.
Should I filter the IPs with iptables?
Example - apache-error-log:
[Fri Jul 11 15:27:10 2003] [error] [client xxx.xxx.xxx.xxx] request failed: erroneous characters after protocol string: \t\x97\xf2|\xfbS?Xdm8\xd4\xfa\xca\x03\x11\xb1\xa1\xc8\"\x99\xd2\xb7\t\x04zN \xe1\xe7\xc4\xd4^\x83\x02*sD\xfb\xc2R\xe8\x87\xef\x99\xe5Za\xca\x06\x1e\xe8\ x16\xd5\xa9#F\xe3\xe4\x7fD\xeb\x02\xc3\xe4\x01\x1b\xb1\xb0\x1b\x96%\xe6\x0cM \xa4\xc0\xb5\xeb8\xf7z\x99z\x8a\xf2\xda\xef\xbc\xe4\xb4\x99\\p\x11\xc6I\x89e -5\xab\x90\x12\x86Fe\xd7B2\x80+\x9fS\xb0\x1d{\xe0\xe1==x\xca\xbaeb\x1d\xc7g\ x19\x01D\xba\b\xc1\x9b,\x92\xc5\xe7xU\xc2\\\x1b\xb0/\xe3b\x82\xf8\x05\xc75\x 1f\xa0\xd2M\x1a\xab\xfe\x1c\xf4\x8bO\x9ae\xae\xc8\xcb:>\x04\xbd\xeb=\xe6\x7f\xa5W\t\x0fZN\x1f\x18\x95\xd3%|Gh\xadQ\xb9{\x1c\xe7\xdf \x98|\xd6$\xd6\xdc\xa38m\xe7Z\xc7\xe5M\x03\x89\xaa\x1dv\xc4wtq\x14\x10\\\xe7 g0\xed\x9bK\xc1\xba\xeelSi\xf5X\xc7\xa1\xcf\x86L)6\x97\x19\v\xc9\x05]\xe7zZa \b\xd1j1\xda\xd37\x93\x9c\x1a\x05\x8c\xcbvj&\xde\xda\xa7q5w9\xc7K\"\xabU3\xf b\xaf\xd7APn\xa3\b\xbf\x1c\xe9\x84\x9b'\xb6\xecH-\xc6\x8e+j\xa1\x89\xd7\xc8\ x95\xc2/\xf8\xa0\x0fC\x15\x85\xf5\x0c\x83 \xb6\\\x1c\xf5\x8b\x15\x8e\x10.\x98\ xfe
[Fri Jul 11 16:13:03 2003] [error] [client xxx.xxx.xxx.xxx] Invalid URI in request É#26;?¹">¦ñ©æt¨bf8Ó¿óÝ@©êNNËH¤ A$>É?¹
[Fri Jul 11 16:13:09 2003] [error] [client xxx.xxx.xxx.xxx] Invalid URI in request hInW|ÿ ègO
[Fri Jul 11 16:13:18 2003] [error] [client xxx.xxx.xxx.xxx] request failed: erroneous characters after protocol string: \xbe\xb6\x18\xc4>\x81\x18\xe4\xc1\x8ei\xc2\xe9\x0cT\x1c\xd3\xaf\x85t?JXQ\xf 0\xa0S\xa6Ww\xf3\x93k\xef\xacL\xdb\x13+Vg\xac\xde\xf8\x8b]\xb6\xf0_\xec,\xbb \x11\xb4\x0c\xb1g?\xfdb\b\x8f\xbdQ\xee\xf9\\\x1d\xd6\xa4v\xbce\xea\v\t\xa4\x 02\x8a|\xb2\xdb/9\xbaK\x8fM#ir4\x067\xe0\x9e\xe4\x84~r\x98\x11\xb8\xf4\x19\x cbBg\xd3\xaa\xc3\xcf\x15\xb7h\xb9\t\xfe^\xad\xe8k8\x05z9\x91\xfa\xd6\xa8\xf1 \x05o\xf7\xf5dQ\x91\xab\xfa\xa7\x82<]\x81/\xcd+\xd4C\xa6\x9c\xc2E\xc2\xec\xb 7\xee/\xb0\x94 \x89\x1a.\x13\xb1\xdcw\xbfRC\xa3[]\xcf;\x1e\xb5\"nH-\x1b\xa8e\xafBg\xd0\xbd gIw\x1e\x86i\xde\xd1\xee\xebhF\xa2B\x1b\x96\xc1Yz\xccj\xc4Jh\xb2\xcf\xb8\xb1 \\\x8a\xa4\xdaXn\xb0\xcc~C\x97'\x82A\xc0\x83%u\x14\xfa\xa8f\x0c\xeb\x86\xf8\ x0e\xf9c\x92\xf9T?|\xfe:O\x1f\xad;R{\xa8W\x17'\xf7\xb3bd#\xc9\x97\x98JH}\xfe \x0ceC\x9c\xa7r\xc0v`\xb1\xff\x02&j\xfb\xdbr;\xa7\xb9q\xb02\xa1e\x14\x88YILk \x9b\x11\x8e\xb0\xf1\xe6\xcc\xfb;\xc2F\xa2M\xbe\x03\x9c\x0c\xb7\xb7\xdbtG\xe a\xdd\xdf\xf3W\x7f\x85\xa6\x92\x11@_\xee\xaf\x92'\x9e\xce\xe9E\x1a\x15\"\xb3 \xc4nKI\xb4\xa4n\xb5\xa0\x8b\xfb\x83\x0f\xfa\xbcS\xaaB\xd2\x8a\xd5\x8d\xcaU\ x9b\t-\xea\xe5IR\x12\xf0\xe7v\xe3\xfeo\x0e\xd2Lx\\\xeaD\x14@W\xf2kQ'\xbc\xa2 V\xc5iY\xe6RGs\xc0\x8fm\xa7j\xfa0\x8cv\xecZN\xa8's\xeb\\\xae?\xa3\"\xd9\x88\ xa9\xaa\xa8\x1e\x1f\xe7X\x1bBo4k\xe0!\xae\x8c\x13\v\xae\x93S:i_b\\V\xdeK\xa5 \xad~\xc0\x8dY\x8d\x9c\x17\xa3
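One way to turn an error_log excerpt like the one quoted in this thread into the temporary DROP rules (with logging, and the matching -D lines for afterwards) that the reply above describes. This is an added example, not code from anyone in the thread; the log lines and client addresses in it are constructed samples in the same format, and the script only prints the iptables commands so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: pick the noisy clients out of an Apache error_log and emit
# the temporary DROP rules (plus the matching -D lines) discussed above.
# The log below is a constructed sample in the thread's format; the client
# addresses are documentation ranges, not the real attacker IPs.
SAMPLE_LOG='[Fri Jul 11 15:27:10 2003] [error] [client 192.0.2.10] request failed: erroneous characters after protocol string: \t\x97\xf2
[Fri Jul 11 16:13:03 2003] [error] [client 192.0.2.10] Invalid URI in request hInW|\xff
[Fri Jul 11 16:13:09 2003] [error] [client 198.51.100.7] Invalid URI in request \xbe\xb6
[Fri Jul 11 16:13:18 2003] [error] [client 192.0.2.10] request failed: erroneous characters after protocol string: \xaa
[Fri Jul 11 16:14:00 2003] [error] [client 203.0.113.5] File does not exist: /srv/www/htdocs/favicon.ico
[Fri Jul 11 16:14:02 2003] [error] [client 198.51.100.7] request failed: erroneous characters after protocol string: \x01'

# offenders THRESHOLD: read error_log on stdin, print "count ip" for every
# client with at least THRESHOLD malformed-request errors, busiest first.
# Only the two error messages seen in the thread are counted, so a
# legitimate client producing ordinary 404s is not blocked.
offenders() {
    grep -E 'erroneous characters after protocol string|Invalid URI in request' \
    | sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk -v t="$1" '$1 >= t { print $1, $2 }'
}

# rule_cmds MODE THRESHOLD: MODE is I to install the rules during the attack
# or D to delete the same rules afterwards. Nothing is applied here; review
# the output, then pipe it into sh as root.
rule_cmds() {
    offenders "$2" | while read -r n ip; do
        # -I puts each rule at position 1, so DROP is emitted first and the
        # LOG rule second: LOG then sits above DROP and actually sees packets.
        echo "iptables -$1 INPUT -s $ip -j DROP"
        echo "iptables -$1 INPUT -s $ip -m limit --limit 10/h -j LOG --log-prefix 'DoS src '"
    done
}

# Stand-alone run: show what would be installed for clients with >= 2 hits.
printf '%s\n' "$SAMPLE_LOG" | rule_cmds I 2
```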
I got the following from the Packet Filtering HOWTO, by Rusty Russell. You may need to filter the INPUT chain as well, to protect your own machine(s). USE AT YOUR OWN RISK!!!

#------------------------------------------------------#
# LOG Syn-flood Denial of Service attempts - 10 per hour
iptables -A FORWARD -p tcp --syn -m limit --limit 10/h \
    -j LOG --log-prefix 'Syn-flood attack??? '
# Syn-flood protection
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#
# LOG Furtive Port Scanner attempts - 10 per hour
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
    -m limit --limit 10/h -j LOG --log-prefix 'Port Scanner attack??? '
# Port Scanner protection
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
    -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#
# LOG Ping of Death Denial of Service attempts - 10 per hour
iptables -A FORWARD -p icmp --icmp-type echo-request \
    -m limit --limit 10/h -j LOG --log-prefix 'Ping of Death attack??? '
# Ping of Death protection
iptables -A FORWARD -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#

Regards - Keith Roberts
participants (2)
- keith@topaz5.worldonline.co.uk
- Marcos Rojas