LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-09-2011, 05:00 PM   #16
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Original Poster
Rep: Reputation: 16

Hi,

I just woke up.

You can check it here.

I just checked, and it bans normal users too. For example, it disconnects me from SSH, and I can't get a proper connection from nginx; my browser says the connection was reset.

I just want to ban IPs if an IP has 10 or more connections at a given point in time. Couldn't we just do that?
 
Old 02-09-2011, 06:20 PM   #17
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 252
Change this line:

Code:
iptables -A syn-flood -m limit --limit=12/s --limit-burst 24 -j RETURN
To this:
Code:
iptables -A syn-flood -m limit --limit=10/s -j RETURN
If that doesn't work, up the "limit" as needed.
 
Old 02-09-2011, 06:40 PM   #18
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Original Poster
Rep: Reputation: 16
Hi,

I'll try it, but before that I just tried this (except the rootkit part):
http://www.topwebhosts.org/tools/apf...os-rootkit.php

If that doesn't work, I'll try it.
 
Old 02-09-2011, 06:57 PM   #19
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,766
Blog Entries: 54

Rep: Reputation: 2976
Quote:
Originally Posted by xeleema
There are a few options for dealing with those kinds of people.
The best first thing to tell an OP in case of (D)DoS is that in essence the endpoint can never solve a (D)DoS completely: successful mitigation requires hosting provider or upstream cooperation (search LQ for threads on the topic?).


Quote:
Originally Posted by xeleema
BlockHosts to cut them off
Please see this (in short: blocking through the firewall is more efficient and safer than blocking that requires service connections).


Quote:
Originally Posted by xeleema
Code:
iptables -N syn-flood
iptables -A syn-flood -m limit --limit=12/s --limit-burst 24 -j RETURN
iptables -A syn-flood -j DROP
This doesn't "detect" attacks but limits any connection (no "-m state --state NEW") to any port (no "-m tcp -p tcp --dport 80"). Why not use "-m recent" to achieve "x connections per interval"?

Last edited by unSpawn; 02-09-2011 at 06:58 PM.
 
Old 02-09-2011, 09:19 PM   #20
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Original Poster
Rep: Reputation: 16
I THINK I DID IT!

Whoa, I'm really happy. APF, BFD and DDoS Deflate run perfectly!

I tried a little to make APF work on the VPS, but it is really effective with DDoS Deflate. DDoS Deflate wasn't effective enough with iptables (or maybe I couldn't do it right).

Hope it works like this without any problems.

But I'd like to ask this: does the APF firewall have its own network monitor, or does it use iptables to work?
 
Old 02-10-2011, 01:33 AM   #21
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 252
Quote:
Originally Posted by unSpawn
Please see this (in short: blocking through the firewall is more efficient and safer than blocking that requires service connections).
@unSpawn
Perhaps I should have been clearer: I use BlockHosts to stop attacks via iptables, not /etc/hosts.allow and hosts.deny.
 
Old 02-10-2011, 10:10 AM   #22
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,919

Rep: Reputation: 779
Quote:
Originally Posted by Seregwethrin
Whoa, I'm really happy... Hope it works like this without any problems.
That's important; will it stay this way?

Quote:
Originally Posted by Seregwethrin

But I'd like to ask this: does the APF firewall have its own network monitor, or does it use iptables to work?
APF, like all of these things that I can think of, is a script that Does Stuff (reg TM) with iptables. Well, actually, it is a small collection of scripts and you can look inside the .tar.gz package to see what they are, if you are interested. Or, indeed, you can list your iptables rules to see what the outcome has been, in your particular case.

I have one further comment; it looked as if you had lots of connections that were in the process of being opened, and that would seem to be a symptom of a slow_loris type of attack, rather than a plain DoS/DDoS. Is that the way that you see things? If so, a look at the wikipedia page on slow_loris might be a worthwhile investment.
 
Old 02-10-2011, 10:22 AM   #23
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Original Poster
Rep: Reputation: 16
Yes, they look like a slow_loris attack. The computers that are the sources of the attacking connections don't have large bandwidth. They are just ADSL connections; at best they should have an 8 Mbit downstream / 1 Mbit upstream connection. So it is really likely that the attack is a type of slow_loris attack. And the result they achieved is filling up the resources of my VPS. I couldn't even connect to SSH because the memory got full.

The attack still continues, but the IPs are banned continuously. Hope they back down in the end!

Last edited by Seregwethrin; 02-10-2011 at 10:25 AM.
 
Old 02-11-2011, 08:17 AM   #24
iuselinux
LQ Newbie
 
Registered: Sep 2010
Posts: 23

Rep: Reputation: 4
Here's the deal, man...

DDoS is an arms race: it's how much bandwidth you have versus how much they have, whose pipe is bigger... Other than upgrading, you can't do too much...

Try this..
[LINK REMOVED BY MODERATOR]

Or what you can do (this is what I've done) is just duplicate your website onto another server, and add another A record into whatever DNS provider you use to start some DNS-level load balancing. Two things to take into consideration about this..

1) Do you use MySQL? I'm sure you do; if so, you need to put it on another server somewhere. But now you need to think about DoSing yourself: you might flood your MySQL server with connections...
2) Do you use PHP-based sessions or cookies? If it's cookies you should be good, as they will be kept in the browser if the TTL expires and they hit the other server; if not, you may want to mount an LVM volume and configure PHP to put sessions on that, and share it between both servers... Although this may not be a problem if the TTL is long enough, because the DNS will be cached on the viewer's computer.

You said it wasn't a DoS attack, which means it's not slowloris, but the dude above me seems to think it is... But it's hard to tell if it is, seeing as the slowloris attack kills its connection before the request header is complete, meaning it won't be logged to the access logs... But if it is, you can install httpready, or you can add some iptables rules, or you can install CSF/LFD.

2 slowloris solutions at the bottom of this page: http://famousphil.com/blog/2010/02/s...p-dos-attacks/

Last edited by win32sux; 02-18-2011 at 06:09 AM. Reason: Removed dubious commercial link.
 
Old 02-11-2011, 10:47 AM   #25
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Original Poster
Rep: Reputation: 16
Thanks all, I was able to lighten the attack. Of course it is not possible to totally get rid of it.
 
Old 02-13-2011, 10:43 AM   #26
GrapefruiTgirl
Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 550
Moved: This thread is more suitable in Linux Security, and has been moved accordingly to help your thread/question get the exposure it deserves.

Kind regards!
 
Old 02-13-2011, 11:14 AM   #27
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,919

Rep: Reputation: 779
Quote:
Originally Posted by salasi
...it looked as if you had lots of connections that were in the process of being opened, and that would seem to be a symptom of a slow_loris type of attack, rather than a plain DoS/DDoS. Is that the way that you see things? If so, a look at the wikipedia page on slow_loris might be a worthwhile investment.
While searching for something else, this interesting discussion came to my attention.
 
Old 03-11-2011, 02:55 PM   #28
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 252
Not to dredge up an old topic, but I've recently seen some strange behaviour on a friend's webserver, so I threw this into his existing /etc/sysconfig/iptables (RHEL).
Note that the thresholds (bolded text) are tuned to their relatively small webserver's logs. Should their readership grow, they'll have to expand this.
Code:
##############################################################################
# HTTP PROTECTIONS - port 80
##############################################################################
# Log and drop any one IP that has more than 50 conns open (slowloris-style
# holders). Checked first, so a slow holder cannot slip through the rate budget
# below; the LOG rule carries its own limit so an attack cannot flood syslog.
-A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 -m limit --limit=3/min -j LOG --log-prefix "Slowaris Hit: "
-A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 -j DROP
# Accept new conns up to 20 per sec (burst 30); log a sample of the excess and drop it.
# The budget must ACCEPT first: "-m limit ... -j DROP" on its own matches the
# packets inside the budget and drops those, letting the flood through.
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m limit --limit=20/s --limit-burst 30 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m limit --limit=3/min -j LOG --log-prefix "30 conns/20s: "
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j DROP
P.S: Props go to unSpawn's earlier post. I failed to notice the very last line until today. Good point!

Last edited by xeleema; 03-11-2011 at 03:27 PM. Reason: Realized I copied-and-pasted the wrong version of the rules. Corrected.
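Two ways to act on the thread's "10 or more connections from one source" rule, as an added example that is not code from any post above: a DDoS Deflate-style userland count over ss output (with the allowlist the OP needed after banning his own SSH session), and an iptables-restore fragment built on the -m recent and connlimit matches unSpawn and xeleema mention. The threshold, allowlist, chain name and sample socket lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Threshold, allowlist, chain name and
# the sample `ss` lines below are assumptions, not values from any post.
THRESHOLD=10               # the OP's "10 or more connections" rule
ALLOWLIST="203.0.113.7"    # e.g. the admin's own SSH source; never proposed for banning

# Constructed sample of `ss -Htn` output (State Recv-Q Send-Q Local Peer):
# 192.0.2.5 holds 11 sockets, the allowlisted host 12, two other peers 1 each.
SAMPLE_SS=$(
  i=0; while [ $i -lt 11 ]; do echo "ESTAB 0 0 10.0.0.1:80 192.0.2.5:4$i"; i=$((i+1)); done
  i=0; while [ $i -lt 12 ]; do echo "ESTAB 0 0 10.0.0.1:22 203.0.113.7:5$i"; i=$((i+1)); done
  echo "ESTAB 0 0 10.0.0.1:80 198.51.100.44:6001"
  echo "ESTAB 0 0 [2001:db8::1]:80 [2001:db8::55]:6002"
)

# Print "count ip" for each peer at or above THRESHOLD, allowlist excluded.
# The port is stripped by regex and brackets removed so IPv6 peers count too.
flag_sources() {
  printf '%s\n' "$1" | awk -v t="$THRESHOLD" -v allow=" $ALLOWLIST " '
    { p = $5; sub(/:[0-9]+$/, "", p); sub(/^\[/, "", p); sub(/\]$/, "", p); n[p]++ }
    END { for (ip in n) if (n[ip] >= t && index(allow, " " ip " ") == 0) print n[ip], ip }'
}

# Turn flagged sources into ban commands; printed for review, not executed.
ban_commands() {
  flag_sources "$1" | while read -r cnt ip; do
    case $ip in
      *:*) echo "ip6tables -I INPUT -s $ip -j DROP   # $cnt connections" ;;
      *)   echo "iptables -I INPUT -s $ip -j DROP   # $cnt connections" ;;
    esac
  done
}

# Kernel-side alternative (iptables-restore syntax): connlimit caps open conns
# per source (slowloris-style holders); -m recent drops a source that opened
# THRESHOLD new conns within 10 s. --rcheck/--update sit before --set so each
# new connection is recorded exactly once; the LOG rule is rate limited.
http_rules() {
cat <<EOF
*filter
:HTTP-NEW - [0:0]
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j HTTP-NEW
-A HTTP-NEW -p tcp --dport 80 -m connlimit --connlimit-above 50 -j DROP
-A HTTP-NEW -m recent --name http --rcheck --seconds 10 --hitcount $THRESHOLD -m limit --limit 3/min -j LOG --log-prefix "http flood: "
-A HTTP-NEW -m recent --name http --update --seconds 10 --hitcount $THRESHOLD -j DROP
-A HTTP-NEW -m recent --name http --set -j RETURN
COMMIT
EOF
}
```

flag_sources works on a snapshot; in practice you would feed it live `ss -Htn` output on a timer and review ban_commands before applying anything, keeping the allowlist current so the admin's own sessions (the SSH drop in post #16) are never banned.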