LinuxQuestions.org

Linux - Security: Track DDOS (http://www.linuxquestions.org/questions/linux-security-4/track-ddos-4175430814/)

SamiMukahhal 10-06-2012 05:53 AM

Track DDOS
 
I'm getting heavily ddosed.
I can't even enter SSH while I'm getting ddosed.
Everything just locks.
Each and every Google search, more than 200+ of them, says to type in the netstat command and check the number of connections by each IP to block it.
During a real-time ddos I'm not able to enter SSH.

I was wondering if I could check logs somewhere or something and track down the IP that is dosing me.

Can anyone please help or assist me with what to do?

Does var/logs/iptables.log have anything to do with this?

Help is highly appreciated, I wanna know the doser.

unSpawn 10-06-2012 07:11 AM

Quote:

Originally Posted by SamiMukahhal (Post 4798690)
I'm getting heavily ddosed. (..) I was wondering If I could check logs somewhere or something and track down the IP that is dosing me. (..) I wanna know the doser

The most important thing to know about mitigating a DoS or DDoS situation is that you cannot solve this on your own. Sure there are things you could do to mitigate the situation, from rate limiting traffic to shutting down publicly accessible services, but in the end there is only so much an endpoint can accomplish on its own: you require the cooperation of your hosting provider to block traffic at their border until the threat passes.

Noway2 10-07-2012 09:29 AM

I would also add that when one is getting DDOS'd there is usually a reason for it, as in you have done something to attract unwanted attention. Based upon the threads on this subject that I've seen in this forum over the past couple of years, the most common cause is running a game server. You haven't given much in the way of detail regarding your situation, but as unSpawn correctly pointed out, it is pretty much immaterial as you will need to address this upstream of your server.

okcomputer44 10-07-2012 01:40 PM

Hi,

PfSense could be a solution in some cases.
If you have a spare machine with a strong CPU and 1GB RAM, that would do the trick for you.

Basically when you get the attack, the attacker computers don't care about the SYN packets.
And your system tries to answer all the new packets; that is why your box dies, because it wants to reply to IP addresses which are actually fake.

If you had a PfSense firewall in front of your box, then PfSense would drop the packets if there are no open ports to SYN back to or if the IPs are faked.
One of my colleagues tested it with 150K packets/sec and they still had fine replies from the PfSense box and had the console too.

Of course it won't work in some cases, but in some this would help you.
Unfortunately the PfSense firewall's kernel is not fine-tuned to work well on virtual machines.
You can install it on VMware or KVM, but the CPU usage will be high all the time; however, you could test it at least to see how it works. If you use a virtual machine, choose the FreeBSD system type because PfSense is based on FreeBSD.

Laz
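A worked example, added here and not code from any of the posts: it addresses the OP's question about reading the source IPs out of an iptables log after the fact, and the SYN-flood behaviour okcomputer44 describes. It assumes an iptables LOG rule writes netfilter lines to /var/log/iptables.log (the path is an assumption; the sample lines below are constructed), and counts initial SYN packets per source address so the busiest sources stand out without needing a live netstat on a box that is unreachable during the flood.

```python
import re
import sys
from collections import Counter

# Constructed sample in the format the netfilter LOG target writes via the kernel log
# (assumed to be routed to /var/log/iptables.log). One SYN/ACK, one UDP, one sshd line.
SAMPLE_LOG = """\
Oct  6 05:40:01 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40212 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  6 05:40:01 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40213 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  6 05:40:02 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40215 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  6 05:40:02 host kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  6 05:40:02 host kernel: IN=eth0 OUT= SRC=192.0.2.40 DST=198.51.100.2 LEN=60 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=38002 WINDOW=28960 RES=0x00 ACK SYN URGP=0
Oct  6 05:40:03 host kernel: IN=eth0 OUT= SRC=192.0.2.41 DST=198.51.100.2 LEN=78 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=33001 LEN=58
Oct  6 05:40:03 host sshd[2201]: Accepted publickey for admin from 192.0.2.50 port 50122
"""

KV_RE = re.compile(r"\b(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Return (KEY=value fields, bare TCP flag tokens) for a netfilter LOG line, else None."""
    if "IN=" not in line or "SRC=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags

def count_syn_sources(lines):
    """Count initial SYN packets (SYN set, ACK clear) per source address."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        fields, flags = parsed
        if fields.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
            counts[fields["SRC"]] += 1
    return counts

def top_sources(lines, threshold):
    """Sources whose SYN count reaches the threshold, busiest first."""
    return [(src, n) for src, n in count_syn_sources(lines).most_common() if n >= threshold]

if __name__ == "__main__":
    # Usage: python syn_sources.py [/var/log/iptables.log] [threshold]; defaults to the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    threshold = int(sys.argv[2]) if len(sys.argv) > 2 else 3
    lines = open(path).read().splitlines() if path else SAMPLE_LOG.splitlines()
    for src, n in top_sources(lines, threshold):
        print(f"{src:15} {n} SYN")
```

As okcomputer44 notes, the source addresses in a SYN flood are often spoofed, so a high count identifies a real sender only when the addresses are genuine. The per-source counts are still useful input for the upstream blocking by the hosting provider that unSpawn describes.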


All times are GMT -5.