LinuxQuestions.org


abefroman 04-20-2009 06:22 AM

What is the best way to stop this DDoS attack?
 
What is the best way to stop this DDoS attack?

As you can see, it's coming from several different IPs.

06:20:42.760166 IP 86.53.70.195.1222 > my_ip.http: UDP, length 512
06:20:42.760455 IP 124.158.113.29.23875 > my_ip.http: UDP, length 512
06:20:42.760838 IP 59.95.172.123.50657 > my_ip.http: UDP, length 512
06:20:42.761343 IP 83.110.224.126 > my_ip: icmp 520: echo request seq 44584
06:20:42.761417 IP 77.248.194.206.61004 > my_ip.http: UDP, length 512
06:20:42.761537 IP 90.41.207.221 > my_ip: icmp 520: echo request seq 14838
06:20:42.761584 IP 193.220.123.66.7203 > my_ip.http: S 370556910:370556910(0) win 16384 <mss 1460,nop,nop,sackOK>
06:20:42.761710 IP 117.204.81.58.1355 > my_ip.mysql: UDP, length 512
06:20:42.761763 IP 82.177.118.50 > my_ip: icmp 520: echo request seq 27028
06:20:42.761901 IP 88.71.37.64 > my_ip: icmp 520: echo request seq 33606
06:20:42.761947 IP 212.187.24.13.50750 > my_ip.http: UDP, length 512
06:20:42.761995 IP 85.86.178.150 > my_ip: icmp 520: echo request seq 17659
06:20:42.762084 IP 208.48.243.2.65112 > my_ip.mysql: UDP, length 512
06:20:42.762130 IP 87.160.126.100.64930 > my_ip.http: UDP, length 512
06:20:42.762203 IP 88.8.90.88.1378 > my_ip.http: UDP, length 512
06:20:42.762318 IP 117.196.10.54.14931 > my_ip.mysql: UDP, length 512
06:20:42.762553 IP 80.227.102.82.3294 > my_ip.http: UDP, length 512
06:20:42.762755 IP 69.225.9.26.1838 > my_ip.http: UDP, length 512
06:20:42.762815 IP 59.92.126.23.1464 > my_ip.http: UDP, length 512
06:20:42.762897 IP 88.174.238.123.9873 > my_ip.http: S 1769651539:1769651539(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK>
06:20:42.763252 IP 115.147.106.7.50520 > my_ip.http: UDP, length 512
06:20:42.763359 IP 77.249.184.197.1519 > my_ip.http: UDP, length 512
06:20:42.763409 IP 77.249.184.197.1556 > my_ip.http: UDP, length 512
06:20:42.763422 IP 85.220.71.161.58835 > my_ip.http: S 384319938:384319938(0) win 8192 <mss 1350,nop,nop,sackOK>
06:20:42.763666 IP 81.7.78.69 > my_ip: icmp 520: echo request seq 63697
06:20:42.763761 IP 193.219.191.247.3917 > my_ip.http: UDP, length 512
06:20:42.763793 IP 81.7.78.69.59209 > my_ip.http: S 2930774192:2930774192(0) win 65535 <mss 1460,nop,nop,sackOK>
06:20:42.763880 IP my_ip.http > 81.7.78.69.59209: R 0:0(0) ack 1 win 0
06:20:42.763919 IP 88.174.238.123.9874 > my_ip.http: S 22604081:22604081(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK>
06:20:42.764146 IP 189.59.23.125.17636 > my_ip.mysql: UDP, length 512
06:20:42.764227 IP 88.77.49.88.1188 > my_ip.http: S 33341437:33341437(0) win 32767 <mss 1452,nop,nop,sackOK>
06:20:42.764328 IP my_ip.http > 88.77.49.88.1188: R 0:0(0) ack 33341438 win 0
06:20:42.764368 IP 88.225.184.165 > my_ip: icmp 520: echo request seq 23178
06:20:42.764420 IP 85.220.71.161.58908 > my_ip.http: S 307102895:307102895(0) win 8192 <mss 1350,nop,nop,sackOK>
06:20:42.764544 IP 85.149.240.165 > my_ip: icmp 520: echo request seq 27333
06:20:42.764608 IP 88.87.240.35.61373 > my_ip.http: UDP, length 512
06:20:42.764861 IP 81.45.193.79 > my_ip: icmp 520: echo request seq 28628
06:20:42.765339 IP 80.227.102.82.3297 > my_ip.http: UDP, length 512
06:20:42.765759 IP 208.48.243.2.65111 > my_ip.http: UDP, length 512
06:20:42.765869 IP 88.174.238.123.9875 > my_ip.http: S 377507710:377507710(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK>
06:20:42.766109 IP 77.196.101.90 > my_ip: icmp 520: echo request seq 1836
06:20:42.766189 IP 59.99.69.242.1200 > my_ip.http: UDP, length 512
06:20:42.766704 IP 90.41.207.221 > my_ip: icmp 520: echo request seq 15094
06:20:42.766879 IP 94.215.227.176.60681 > my_ip.http: UDP, length 512
06:20:42.766925 IP 82.177.118.50 > my_ip: icmp 520: echo request seq 27284
06:20:42.767342 IP 76.20.203.99.50369 > my_ip.http: UDP, length 512
06:20:42.767429 IP 80.238.119.215.52125 > my_ip.http: UDP, length 512
06:20:42.767554 IP 89.247.97.116 > my_ip: icmp 520: echo request seq 26930
06:20:42.767601 IP 61.11.102.86.23534 > my_ip.http: UDP, length 512
06:20:42.768165 IP 189.67.206.120 > my_ip: icmp 520: echo request seq 26625
06:20:42.768211 IP 86.61.236.237.1195 > my_ip.http: UDP, length 512
06:20:42.768220 IP 88.77.49.88.1189 > my_ip.http: S 2788791862:2788791862(0) win 32767 <mss 1452,nop,nop,sackOK>
06:20:42.768335 IP my_ip.http > 88.77.49.88.1189: R 0:0(0) ack 2788791863 win 0
06:20:42.768346 IP 82.107.43.43.3681 > my_ip.mysql: UDP, length 512
06:20:42.768678 IP 117.204.81.58.1361 > my_ip.mysql: UDP, length 512
06:20:42.769010 IP 80.227.102.82.3227 > my_ip.http: UDP, length 512
06:20:42.769267 IP 117.196.10.54.1260 > my_ip.http: UDP, length 512
06:20:42.769314 IP 79.182.237.2.3643 > my_ip.http: UDP, length 512
06:20:42.769447 IP 218.212.66.83.49196 > my_ip.http: UDP, length 512
06:20:42.769591 IP 87.160.126.100.64931 > my_ip.http: UDP, length 512
06:20:42.769640 IP 85.149.240.165 > my_ip: icmp 520: echo request seq 27845
06:20:42.770257 IP 81.7.78.69 > my_ip: icmp 520: echo request seq 63953
06:20:42.770594 IP 80.227.102.82.3240 > my_ip.http: UDP, length 512
06:20:42.770976 IP 88.178.196.205.50262 > my_ip.http: UDP, length 512
06:20:42.771251 IP 62.163.9.246.3230 > my_ip.http: UDP, length 512
06:20:42.771325 IP 201.251.111.12.2207 > my_ip.mysql: UDP, length 512
06:20:42.772137 IP 88.157.83.95.2834 > my_ip.mysql: UDP, length 512
06:20:42.772186 IP 80.227.102.82.3304 > my_ip.http: UDP, length 512
06:20:42.772252 IP 86.53.70.195.1233 > my_ip.http: UDP, length 512
06:20:42.772438 IP 86.61.236.237.1067 > my_ip.http: UDP, length 512
06:20:42.772490 IP 123.237.105.24.1144 > my_ip.mysql: UDP, length 512
06:20:42.772690 IP 58.9.188.20.1326 > my_ip.http: UDP, length 512
06:20:42.772769 IP 90.41.207.221 > my_ip: icmp 520: echo request seq 15350
06:20:42.772814 IP 218.102.79.242.3983 > my_ip.mysql: UDP, length 512
06:20:42.772871 IP 88.174.238.123.1380 > my_ip.http: UDP, length 512
06:20:42.772916 IP 94.215.227.176.63865 > my_ip.http: UDP, length 512
06:20:42.772998 IP 77.196.101.90 > my_ip: icmp 520: echo request seq 2348
06:20:42.773201 IP 82.177.118.50 > my_ip: icmp 520: echo request seq 27540
06:20:42.773294 IP 189.242.176.5.2504 > my_ip.http: UDP, length 512
06:20:42.773340 IP 80.227.102.82.3298 > my_ip.http: UDP, length 512
06:20:42.773397 IP 77.248.194.206.61711 > my_ip.http: UDP, length 512
06:20:42.773448 IP 69.225.9.26.1801 > my_ip.http: UDP, length 512
06:20:42.773550 IP 59.99.69.242.1188 > my_ip.http: UDP, length 512
06:20:42.773612 IP 201.251.111.12.2214 > my_ip.mysql: UDP, length 512
06:20:42.773726 IP 88.203.248.154.50321 > my_ip.http: UDP, length 512
06:20:42.774048 IP 83.5.64.27.2614 > my_ip.http: UDP, length 512
06:20:42.774079 IP 121.119.167.151.21578 > my_ip.mysql: UDP, length 512
06:20:42.774106 IP 91.22.84.2.1281 > my_ip.http: UDP, length 512
06:20:42.774376 IP 222.123.242.168 > my_ip: icmp 520: echo request seq 59743

tronayne 04-20-2009 08:35 AM

Two relatively simple solutions are (1) install DenyHosts (http://denyhosts.sourceforge.net) or (2) install IPTABLES country blocks (http://www.countryipblocks.net) for, at least, China and Korea (and think about India and Japan while you're about it).

Additionally, you can isolate the addresses (with, say, a small awk program) and add all of them to /etc/hosts.deny.

abefroman 04-20-2009 09:45 AM

Quote:

Originally Posted by tronayne (Post 3515032)
Two relatively simple solutions are (1) install DenyHosts (http://denyhosts.sourceforge.net)

Can that block udp floods?


Quote:

Originally Posted by tronayne (Post 3515032)
or (2) install IPTABLES country blocks (http://www.countryipblocks.net) for, at least, China and Korea (and think about India and Japan while you're about it).

Thanks! But I think most of those IPs are on the Ripe, and some with Arin too.

Quote:

Originally Posted by tronayne (Post 3515032)
Additionally, you can isolate the addresses (with, say, a small awk program) and add all of them to /etc/hosts.deny.


Not sure how easy that would be, we are talking about thousands and thousands of IPs.
[~]# netstat -a -n | grep :80 | awk '{print $5}' | sed 's/::ffff://;/^*:/d' | sed 's/:.*//;/^*:/d' |uniq -c |sort -n|awk {'print $2'}|wc -l
2971
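
An added example (not abefroman's or tronayne's code) of the "small awk program" tronayne mentions, applied to tcpdump lines in the format posted above rather than to netstat: it tallies distinct inbound source addresses and breaks the traffic down into UDP-to-port, SYN and ICMP echo so the size and shape of the flood is visible before any blocking is chosen. The sample lines are constructed, and my_ip stands for the server as in the original capture.

```shell
#!/bin/sh
# Added example, not abefroman's or tronayne's code. Constructed lines in the
# same "tcpdump -n" format as the capture posted above; my_ip is the server.
SAMPLE='06:20:42.760166 IP 86.53.70.195.1222 > my_ip.http: UDP, length 512
06:20:42.761343 IP 83.110.224.126 > my_ip: icmp 520: echo request seq 44584
06:20:42.761584 IP 193.220.123.66.7203 > my_ip.http: S 370556910:370556910(0) win 16384 <mss 1460,nop,nop,sackOK>
06:20:42.763880 IP my_ip.http > 81.7.78.69.59209: R 0:0(0) ack 1 win 0
06:20:42.772252 IP 86.53.70.195.1233 > my_ip.http: UDP, length 512
06:20:42.772690 IP 58.9.188.20.1326 > my_ip.mysql: UDP, length 512'

# In these lines $3 is the source ("a.b.c.d.port" for TCP/UDP, bare "a.b.c.d"
# for ICMP), $5 the destination and $6 the protocol or TCP flag token
# ("UDP,", "icmp", "S"). Lines sourced from my_ip are our own replies (RSTs)
# and are skipped so they do not get counted as attackers.

# top_sources: "count address" for each distinct inbound source, busiest first.
top_sources() {
  awk '$2 == "IP" && $3 !~ /^my_ip/ {
         n = split($3, p, ".")
         src = (n == 5) ? p[1] "." p[2] "." p[3] "." p[4] : $3
         hits[src]++
       }
       END { for (s in hits) print hits[s], s }' | sort -k1,1nr -k2,2
}

# traffic_mix: "count kind" with kind = udp/<port>, syn/<port> or icmp, which
# shows whether the flood is UDP, SYN or ping based before you pick a rule.
traffic_mix() {
  awk '$2 == "IP" && $3 !~ /^my_ip/ {
         dst = $5; sub(/:$/, "", dst); sub(/^my_ip\.?/, "", dst)
         if ($6 == "UDP,")      kind = "udp/" dst
         else if ($6 == "S")    kind = "syn/" dst
         else if ($6 == "icmp") kind = "icmp"
         else                   kind = "other"
         c[kind]++
       }
       END { for (k in c) print c[k], k }' | sort -k1,1nr -k2,2
}

# Feed a live capture instead with (interface name assumed): tcpdump -n -i eth0 | top_sources
printf '%s\n' "$SAMPLE" | top_sources
printf '%s\n' "$SAMPLE" | traffic_mix
```

Because the counting is per source address, the top of the list is also the shortest candidate list for a hosts.deny or firewall block; remember that hosts.deny only affects tcp_wrappers-aware services and does nothing for the UDP flood itself.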

tronayne 04-20-2009 11:54 AM

Well, sticking 'em in /etc/hosts.deny will deny access (that's what DenyHosts does dynamically, plus other DenyHosts users are polled periodically and their bad-hats are added, plus DenyHosts purges /etc/deny.hosts every so often -- I have over 5,000 entries at present).

When these bastards get cranked up (you're getting hit by what looks an awful lot like compromised microjunk machines), other than pulling the plug there isn't all that much you can do but block entire countries (as in, do you really care if users in China or Korea can get to you?), use a tool like DenyHosts (which is pretty effective), block every non-essential port in your router, shut down SSHD, shut down FTP, shut down anything that responds to a ping (and don't ever allow a ping response in any event, that's one of the ways they find you).

Having a couple of thousand entries in /etc/hosts.deny doesn't hurt, can help and... what the heck, better safe than sorry, eh.

abefroman 04-20-2009 11:59 AM

Thanks!

Will try that.

anomie 04-21-2009 06:05 PM

Is there some reason you're allowing UDP traffic to e.g. http and mysql service ports? If not, you should be dropping those at the host firewall level (or further up the chain).

abefroman 04-21-2009 06:16 PM

Quote:

Originally Posted by anomie (Post 3516704)
Is there some reason you're allowing UDP traffic to e.g. http and mysql service ports? If not, you should be dropping those at the host firewall level (or further up the chain).

According to the firewall that is closed, would the server still have to process those packets?

anomie 04-21-2009 06:37 PM

If you've correctly configured netfilter to DROP or REJECT the packet, then it's processed to the extent that it is evaluated and then denied. But it doesn't reach the services you are protecting.
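
An added example (not anomie's or the thread's own rules) of the host-firewall configuration anomie describes: a netfilter INPUT chain that drops UDP to the http and mysql ports before the packets reach the daemons, restricts MySQL to a trusted network, and rate-limits SYNs and ICMP echo requests. It assumes httpd on TCP 80, MySQL on TCP 3306, a placeholder trusted network in MYSQL_CLIENTS, and an iptables with the conntrack, hashlimit and limit matches; setting IPT=echo previews the commands without touching the live firewall.

```shell
#!/bin/sh
# Added example, not anomie's or the thread's own rules. Assumptions: httpd on
# TCP 80, MySQL on TCP 3306, MYSQL_CLIENTS is the only network allowed to reach
# MySQL (placeholder value), and IPT names the iptables binary; run with
# IPT=echo to preview the commands without changing the live firewall.
IPT="${IPT:-iptables}"
MYSQL_CLIENTS="${MYSQL_CLIENTS:-10.0.0.0/24}"

apply_flood_rules() {
  # Default policy DROP plus a flushed INPUT chain: anything not accepted
  # below, including the UDP to 80/3306 seen in the capture, is discarded by
  # netfilter and never reaches httpd or mysqld.
  $IPT -P INPUT DROP
  $IPT -F INPUT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

  # Explicit DROPs for the flood traffic. Redundant under the DROP policy, but
  # each rule keeps its own packet counter (iptables -L INPUT -v -n) so you
  # can watch the flood rate without a packet capture.
  $IPT -A INPUT -p udp --dport 80 -j DROP
  $IPT -A INPUT -p udp --dport 3306 -j DROP

  # New TCP sessions must start with a bare SYN, and one source may send at
  # most 30 new-connection SYNs per second to the web port.
  $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW \
       -m hashlimit --hashlimit-name http --hashlimit-mode srcip \
       --hashlimit-above 30/second -j DROP
  $IPT -A INPUT -p tcp --dport 80 -j ACCEPT

  # MySQL only from the trusted client network, never from the Internet.
  $IPT -A INPUT -p tcp --dport 3306 -s "$MYSQL_CLIENTS" -j ACCEPT

  # Keep answering pings, but cap the rate so an ICMP flood costs little.
  $IPT -A INPUT -p icmp --icmp-type echo-request \
       -m limit --limit 5/second --limit-burst 10 -j ACCEPT
  $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
}

# Only touch the firewall when explicitly asked: sh rules.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_flood_rules
fi
```

The ruleset deliberately has no SSH rule, so add an ACCEPT for your management address before applying it on a host you administer remotely. Dropped packets are still received and evaluated by the kernel, as anomie says, so this protects the services but not the link bandwidth; for that the drop has to happen upstream.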

abefroman 04-21-2009 10:55 PM

Is there a way to test if it's open?
telnet-udp xx.xx.xx.xx 80
something like a telnet for udp?

anomie 04-22-2009 11:25 AM

A couple options come to mind:

Option 1: Run a nmap UDP scan on that port. Be sure to read the caveats on UDP scans in the nmap manpages; or

Option 2: Fire up a nc listener on UDP port 80 and try pushing data to it from a client.

On the server:
# nc -lu 80

On the client:
$ nc -u server.here 80

Now, in the client terminal, start typing text. Is it appearing in the server terminal window? If so, UDP packets are getting through to port 80. If not, they're not.

[ note: Your nc options may differ slightly. ]
