Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi,
My website is being abused and hit by a massive DDoS attack. The attack is simple: SYN + HTTP flood. Here is a sample of it:
Code:
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
Host: 85.100.227.159
Http Code: 200 Date: Mar 14 05:08:28
Http Version: HTTP/1.1 Size in Bytes: 3174
Agent: Opera/9.02 (Windows NT 5.1; U; ru)
Hosts are random, but all the agents have 1 thing in common: the words ru and rv. It seems like a botnet; I see around 20,000 SYN connections in netstat. I have tried floodmon, apf and all sorts of iptables magic, and none of them are working. I have even tried a Firebox x550e hardware device, and even that goes to its knees. Traffic volume is around 20Mbps, not that much.
What I am doing right now is taking each IP from the apache access_log and netstat output and using iptables to block it, but that is also not helping. apf is not helping at all either. Seems like someone is having fun with PitBull Bot V5 PRiVaTE Sh3llBoT or something similar.
Would love to hear from your experiences, help ... anything ..
I'm stuck ...
Goni
Last edited by Goni; 03-14-2010 at 06:16 AM. Reason: update
No you can't. It's neither suitable nor effective. Whatever was posted in that thread has nothing to do with GNU/Linux or Linux Security but is only the result of boredom. I suggest you do not post such "advice" in this forum, even if meant jocularly.
So, are you hosting this site? I know most routers have an option to protect against SYN and DDoS. Now, I'm not sure if this will help if you're up against a large botnet; I've never had such a thing happen.
I don't think anything will really be able to stand up to a decent, genuine DDoS attack. If you have thousands of hosts all firing out SYN packets to the same IP you might as well take a pee in the ocean. Things like rate control are fine and dandy, but there is still overhead in processing the request. I've seen some of the 'angry spammer' DDoS attacks on clients and, with all the best will in the world, they mostly succeed in disrupting service. Whilst some defence is better than none, a true 'massive DDoS attack' as the title suggests is something you really can't do a great deal about.
The attack is likely hitting whatever IP the DNS resolves to, so changing it may have little effect. In any case, it would certainly be easy for the attackers to just switch to the new IP!
I do not think a botnet uses DNS resolvers.
But anyway, as I have already suggested here, the only way is to filter all IPs one was attacked from or, if necessary, to block the whole network. If the ISP refuses to help with it, one needs a Linux computer with 2 ethernet cards, configured as a bridge, and to manually add the IP ranges.
nimnull22, changing IP is absolutely useless since attackers most commonly hunt down the domain (a specific site or other service). Please don't give such bad advice.
Blocking IP ranges isn't a big help either. B-net is b-net after all, so you may occasionally block your own future customers of the provided services.
There are NO tools (those who claim they can help to stop ddos with some magic wand are liars) that can stop ddos. The only way to limit its impact is to analyze traffic/logs of the attacked application and make some strategy for filtering requests on either the firewall or the application side.
In your case, if you run a webserver your solution may be in reviewing logs, finding some sequence and trying to block it. Say, if attackers use a similar user-agent string or refer to a similar script, there is a way to block them or limit the number of requests per interval of time, etc.
Anyway, ddos can be of different types. What's the impact of the current situation? Do they overload your network channel? Or is it a dos on cpu resources or memory? Does your webserver return 50* errors under that load?
If you want some help over this, post some part of the logs or traffic dumps so we can possibly suggest something. Any additional information about the current situation is welcome.
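As an added example (not code from any poster in this thread), here is a small Python triage script that does what the post above suggests: it walks Apache access_log lines, flags source IPs that exceed a request rate per sliding time window or whose User-Agent matches a pattern, and renders iptables DROP rules for a human to review. It assumes the Apache combined log format; the sample log lines are constructed, and the `\bru\b` heuristic is taken from the OP's observation about the agent strings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<agent>[^"]*)"$')
# Constructed sample log lines; the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Mar/2010:05:08:20 +0000] "GET / HTTP/1.1" 200 3174 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
198.51.100.7 - - [14/Mar/2010:05:08:21 +0000] "GET / HTTP/1.1" 200 3174 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7"
192.0.2.10 - - [14/Mar/2010:05:08:21 +0000] "GET / HTTP/1.1" 200 3174 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
192.0.2.10 - - [14/Mar/2010:05:08:22 +0000] "GET / HTTP/1.1" 200 3174 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
203.0.113.5 - - [14/Mar/2010:05:08:23 +0000] "GET / HTTP/1.1" 200 3174 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
192.0.2.10 - - [14/Mar/2010:05:08:23 +0000] "GET / HTTP/1.1" 200 3174 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
192.0.2.10 - - [14/Mar/2010:05:08:24 +0000] "GET / HTTP/1.1" 200 3174 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
192.0.2.10 - - [14/Mar/2010:05:08:25 +0000] "GET / HTTP/1.1" 200 3174 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
"""

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None                       # not a combined-format line, skip it
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return rec

def triage(lines, max_hits=5, window_s=10, agent_pat=r"\bru\b"):
    """{ip: reasons}: 'rate' for > max_hits hits inside a window_s sliding window, 'agent' for a UA match."""
    agent_re = re.compile(agent_pat)
    recent = defaultdict(deque)           # ip -> timestamps still inside the window
    flagged = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if agent_re.search(rec["agent"]):
            flagged[rec["ip"]].add("agent")
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()                   # expire hits older than the window
        if len(q) > max_hits:
            flagged[rec["ip"]].add("rate")
    return dict(flagged)

def iptables_rules(flagged):
    """Render DROP rules for a human to review; nothing here executes them."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP" for ip in sorted(flagged)]

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    print(hits, *iptables_rules(hits), sep="\n")
```

Tune `max_hits` and `window_s` against a quiet period of your own log first, since the legitimate request rate of a busy site can exceed the defaults used here.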
Have you tried Snort? Maybe you can use it to intercept a request before it reaches the apache server and block (through iptables) the address if its requests match the patterns that you have. This is more like a preemptive defense and I think it's a lot better than checking out the logs of apache and netstat. It saves a lot of resources as well.
Enabling Snort inline isn't a trivial task. It isn't something that he's going to be able to immediately deploy, either.
Also, something's going to take the load and end up getting tilted and in this case, it may well be the firewall...the firewall and/or kernel may tilt anyways when just trying to track the connections. AND, the system is going to try to log the activity, which may impact the system's resources.
I believe another user mentioned upstream blocking (at the perimeter router...I don't mean a Linksys home gateway). Blocking upstream is the better method, as the router/switch is designed to handle such loads and leaves the other security layers less taxed and more able to deal with things that make it through.
DDoS are difficult to mitigate. Some BIG companies can do this but those companies usually own their own backbone.