LinuxQuestions.org
Old 04-20-2009, 06:22 AM   #1
abefroman
What is the best way to stop this DDoS attack?



As you can see it's coming from several different IPs.

06:20:42.760166 IP 86.53.70.195.1222 > my_ip.http: UDP, length 512
06:20:42.760455 IP 124.158.113.29.23875 > my_ip.http: UDP, length 512
06:20:42.760838 IP 59.95.172.123.50657 > my_ip.http: UDP, length 512
06:20:42.761343 IP 83.110.224.126 > my_ip: icmp 520: echo request seq 44584
06:20:42.761417 IP 77.248.194.206.61004 > my_ip.http: UDP, length 512
06:20:42.761537 IP 90.41.207.221 > my_ip: icmp 520: echo request seq 14838
06:20:42.761584 IP 193.220.123.66.7203 > my_ip.http: S 370556910:370556910(0) win 16384 <mss 1460,nop,nop,sackOK>
06:20:42.761710 IP 117.204.81.58.1355 > my_ip.mysql: UDP, length 512
06:20:42.761763 IP 82.177.118.50 > my_ip: icmp 520: echo request seq 27028
06:20:42.761901 IP 88.71.37.64 > my_ip: icmp 520: echo request seq 33606
06:20:42.761947 IP 212.187.24.13.50750 > my_ip.http: UDP, length 512
06:20:42.761995 IP 85.86.178.150 > my_ip: icmp 520: echo request seq 17659
06:20:42.762084 IP 208.48.243.2.65112 > my_ip.mysql: UDP, length 512
06:20:42.762130 IP 87.160.126.100.64930 > my_ip.http: UDP, length 512
06:20:42.762203 IP 88.8.90.88.1378 > my_ip.http: UDP, length 512
06:20:42.762318 IP 117.196.10.54.14931 > my_ip.mysql: UDP, length 512
06:20:42.762553 IP 80.227.102.82.3294 > my_ip.http: UDP, length 512
06:20:42.762755 IP 69.225.9.26.1838 > my_ip.http: UDP, length 512
06:20:42.762815 IP 59.92.126.23.1464 > my_ip.http: UDP, length 512
06:20:42.762897 IP 88.174.238.123.9873 > my_ip.http: S 1769651539:1769651539(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK>
06:20:42.763252 IP 115.147.106.7.50520 > my_ip.http: UDP, length 512
06:20:42.763359 IP 77.249.184.197.1519 > my_ip.http: UDP, length 512
06:20:42.763409 IP 77.249.184.197.1556 > my_ip.http: UDP, length 512
06:20:42.763422 IP 85.220.71.161.58835 > my_ip.http: S 384319938:384319938(0) win 8192 <mss 1350,nop,nop,sackOK>
06:20:42.763666 IP 81.7.78.69 > my_ip: icmp 520: echo request seq 63697
06:20:42.763761 IP 193.219.191.247.3917 > my_ip.http: UDP, length 512
06:20:42.763793 IP 81.7.78.69.59209 > my_ip.http: S 2930774192:2930774192(0) win 65535 <mss 1460,nop,nop,sackOK>
06:20:42.763880 IP my_ip.http > 81.7.78.69.59209: R 0:0(0) ack 1 win 0
06:20:42.763919 IP 88.174.238.123.9874 > my_ip.http: S 22604081:22604081(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK>
06:20:42.764146 IP 189.59.23.125.17636 > my_ip.mysql: UDP, length 512
06:20:42.764227 IP 88.77.49.88.1188 > my_ip.http: S 33341437:33341437(0) win 32767 <mss 1452,nop,nop,sackOK>
06:20:42.764328 IP my_ip.http > 88.77.49.88.1188: R 0:0(0) ack 33341438 win 0
06:20:42.764368 IP 88.225.184.165 > my_ip: icmp 520: echo request seq 23178
06:20:42.764420 IP 85.220.71.161.58908 > my_ip.http: S 307102895:307102895(0) win 8192 <mss 1350,nop,nop,sackOK>
06:20:42.764544 IP 85.149.240.165 > my_ip: icmp 520: echo request seq 27333
06:20:42.764608 IP 88.87.240.35.61373 > my_ip.http: UDP, length 512
06:20:42.764861 IP 81.45.193.79 > my_ip: icmp 520: echo request seq 28628
06:20:42.765339 IP 80.227.102.82.3297 > my_ip.http: UDP, length 512
06:20:42.765759 IP 208.48.243.2.65111 > my_ip.http: UDP, length 512
06:20:42.765869 IP 88.174.238.123.9875 > my_ip.http: S 377507710:377507710(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK>
06:20:42.766109 IP 77.196.101.90 > my_ip: icmp 520: echo request seq 1836
06:20:42.766189 IP 59.99.69.242.1200 > my_ip.http: UDP, length 512
06:20:42.766704 IP 90.41.207.221 > my_ip: icmp 520: echo request seq 15094
06:20:42.766879 IP 94.215.227.176.60681 > my_ip.http: UDP, length 512
06:20:42.766925 IP 82.177.118.50 > my_ip: icmp 520: echo request seq 27284
06:20:42.767342 IP 76.20.203.99.50369 > my_ip.http: UDP, length 512
06:20:42.767429 IP 80.238.119.215.52125 > my_ip.http: UDP, length 512
06:20:42.767554 IP 89.247.97.116 > my_ip: icmp 520: echo request seq 26930
06:20:42.767601 IP 61.11.102.86.23534 > my_ip.http: UDP, length 512
06:20:42.768165 IP 189.67.206.120 > my_ip: icmp 520: echo request seq 26625
06:20:42.768211 IP 86.61.236.237.1195 > my_ip.http: UDP, length 512
06:20:42.768220 IP 88.77.49.88.1189 > my_ip.http: S 2788791862:2788791862(0) win 32767 <mss 1452,nop,nop,sackOK>
06:20:42.768335 IP my_ip.http > 88.77.49.88.1189: R 0:0(0) ack 2788791863 win 0
06:20:42.768346 IP 82.107.43.43.3681 > my_ip.mysql: UDP, length 512
06:20:42.768678 IP 117.204.81.58.1361 > my_ip.mysql: UDP, length 512
06:20:42.769010 IP 80.227.102.82.3227 > my_ip.http: UDP, length 512
06:20:42.769267 IP 117.196.10.54.1260 > my_ip.http: UDP, length 512
06:20:42.769314 IP 79.182.237.2.3643 > my_ip.http: UDP, length 512
06:20:42.769447 IP 218.212.66.83.49196 > my_ip.http: UDP, length 512
06:20:42.769591 IP 87.160.126.100.64931 > my_ip.http: UDP, length 512
06:20:42.769640 IP 85.149.240.165 > my_ip: icmp 520: echo request seq 27845
06:20:42.770257 IP 81.7.78.69 > my_ip: icmp 520: echo request seq 63953
06:20:42.770594 IP 80.227.102.82.3240 > my_ip.http: UDP, length 512
06:20:42.770976 IP 88.178.196.205.50262 > my_ip.http: UDP, length 512
06:20:42.771251 IP 62.163.9.246.3230 > my_ip.http: UDP, length 512
06:20:42.771325 IP 201.251.111.12.2207 > my_ip.mysql: UDP, length 512
06:20:42.772137 IP 88.157.83.95.2834 > my_ip.mysql: UDP, length 512
06:20:42.772186 IP 80.227.102.82.3304 > my_ip.http: UDP, length 512
06:20:42.772252 IP 86.53.70.195.1233 > my_ip.http: UDP, length 512
06:20:42.772438 IP 86.61.236.237.1067 > my_ip.http: UDP, length 512
06:20:42.772490 IP 123.237.105.24.1144 > my_ip.mysql: UDP, length 512
06:20:42.772690 IP 58.9.188.20.1326 > my_ip.http: UDP, length 512
06:20:42.772769 IP 90.41.207.221 > my_ip: icmp 520: echo request seq 15350
06:20:42.772814 IP 218.102.79.242.3983 > my_ip.mysql: UDP, length 512
06:20:42.772871 IP 88.174.238.123.1380 > my_ip.http: UDP, length 512
06:20:42.772916 IP 94.215.227.176.63865 > my_ip.http: UDP, length 512
06:20:42.772998 IP 77.196.101.90 > my_ip: icmp 520: echo request seq 2348
06:20:42.773201 IP 82.177.118.50 > my_ip: icmp 520: echo request seq 27540
06:20:42.773294 IP 189.242.176.5.2504 > my_ip.http: UDP, length 512
06:20:42.773340 IP 80.227.102.82.3298 > my_ip.http: UDP, length 512
06:20:42.773397 IP 77.248.194.206.61711 > my_ip.http: UDP, length 512
06:20:42.773448 IP 69.225.9.26.1801 > my_ip.http: UDP, length 512
06:20:42.773550 IP 59.99.69.242.1188 > my_ip.http: UDP, length 512
06:20:42.773612 IP 201.251.111.12.2214 > my_ip.mysql: UDP, length 512
06:20:42.773726 IP 88.203.248.154.50321 > my_ip.http: UDP, length 512
06:20:42.774048 IP 83.5.64.27.2614 > my_ip.http: UDP, length 512
06:20:42.774079 IP 121.119.167.151.21578 > my_ip.mysql: UDP, length 512
06:20:42.774106 IP 91.22.84.2.1281 > my_ip.http: UDP, length 512
06:20:42.774376 IP 222.123.242.168 > my_ip: icmp 520: echo request seq 59743
 
Old 04-20-2009, 08:35 AM   #2
tronayne
Two relatively simple solutions are (1) install DenyHosts (http://denyhosts.sourceforge.net) or (2) install IPTABLES country blocks (http://www.countryipblocks.net) for, at least, China and Korea (and think about India and Japan while you're about it).

Additionally, you can isolate the addresses (with, say, a small awk program) and add all of them to /etc/hosts.deny.

 
Old 04-20-2009, 09:45 AM   #3
abefroman
Quote:
Originally Posted by tronayne View Post
Two relatively simple solutions are (1) install DenyHosts (http://denyhosts.sourceforge.net)
Can that block udp floods?


Quote:
Originally Posted by tronayne View Post
or (2) install IPTABLES country blocks (http://www.countryipblocks.net) for, at least, China and Korea (and think about India and Japan while you're about it).
Thanks! But I think most of those IPs are on the RIPE, and some with ARIN too.

Quote:
Originally Posted by tronayne View Post
Additionally, you can isolate the addresses (with, say, a small awk program) and add all of them to /etc/hosts.deny.

Not sure how easy that would be, we are talking about thousands and thousands of IPs.
[~]# netstat -a -n | grep :80 | awk '{print $5}' | sed 's/::ffff://;/^*:/d' | sed 's/:.*//;/^*:/d' | sort | uniq -c | sort -n | awk '{print $2}' | wc -l
2971
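tronayne's "small awk program" idea, worked through as an added example (this is not code from the thread): it reads tcpdump lines in the format shown in the first post, sorts inbound packets into classes (UDP by destination port name, ICMP echo, TCP SYN), and emits the distinct source addresses, including in hosts.deny form. The sample lines are constructed with documentation addresses (192.0.2.0/24), not the real capture; the `my_ip` placeholder is assumed to be the same as in the post.

```sh
#!/bin/sh
# Constructed sample in the tcpdump format of the capture above; the
# addresses are documentation ranges, not the real attackers.
SAMPLE='06:20:42.760166 IP 192.0.2.10.1222 > my_ip.http: UDP, length 512
06:20:42.761343 IP 192.0.2.11 > my_ip: icmp 520: echo request seq 44584
06:20:42.761584 IP 192.0.2.12.7203 > my_ip.http: S 370556910:370556910(0) win 16384 <mss 1460,nop,nop,sackOK>
06:20:42.761710 IP 192.0.2.13.1355 > my_ip.mysql: UDP, length 512
06:20:42.763880 IP my_ip.http > 192.0.2.12.7203: R 0:0(0) ack 1 win 0
06:20:42.772252 IP 192.0.2.10.1233 > my_ip.http: UDP, length 512'

# Read tcpdump lines on stdin, print "class source_ip" for every inbound
# packet.  Classes: udp-<port name>, icmp-echo, tcp-syn.  Our own replies
# (source starts with my_ip, e.g. the RSTs) are skipped.
classify() {
    awk '$2 == "IP" && $3 !~ /^my_ip/ {
        src = $3; dst = $5; sub(/:$/, "", dst)
        if ($6 == "UDP,") {                 # UDP: drop the source port suffix
            sub(/\.[0-9]+$/, "", src)
            n = split(dst, d, "."); print "udp-" d[n], src
        } else if ($6 == "icmp") {          # ICMP carries no port on either side
            if ($8 == "echo" && $9 == "request") print "icmp-echo", src
        } else if ($6 == "S") {             # lone SYN flag: a connection attempt
            sub(/\.[0-9]+$/, "", src); print "tcp-syn", src
        }
    }'
}

# Packets per (class, source), busiest first.
summary() { classify | sort | uniq -c | sort -rn; }

# Distinct source addresses across all classes (sorted, deduplicated).
offenders() { classify | awk '{print $2}' | sort -u; }

count_offenders() { offenders | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE" | summary
printf '%s\n' "$SAMPLE" | offenders | sed 's/^/ALL: /'   # hosts.deny syntax
```

Note that /etc/hosts.deny is only consulted by tcp_wrappers-aware daemons, so against the UDP and ICMP traffic here the list is only useful when fed to iptables or an ipset, and the kernel still has to receive every packet either way.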
 
Old 04-20-2009, 11:54 AM   #4
tronayne
Well, sticking 'em in /etc/hosts.deny will deny access (that's what DenyHosts does dynamically, plus other DenyHosts users are polled periodically and their bad-hats are added, plus DenyHosts purges /etc/hosts.deny every so often -- I have over 5,000 entries at present).

When these bastards get cranked up (you're getting hit by what looks an awful lot like compromised microjunk machines), other than pulling the plug there isn't all that much you can do but block entire countries (as in, do you really care if users in China or Korea can get to you?), use a tool like DenyHosts (which is pretty effective), block every non-essential port in your router, shut down SSHD, shut down FTP, shut down anything that responds to a ping (and don't ever allow a ping response in any event, that's one of the ways they find you).

Having a couple of thousand entries in /etc/hosts.deny doesn't hurt, can help and... what the heck, better safe than sorry, eh.
 
Old 04-20-2009, 11:59 AM   #5
abefroman
Thanks!

Will try that.
 
Old 04-21-2009, 06:05 PM   #6
anomie
Is there some reason you're allowing UDP traffic to e.g. http and mysql service ports? If not, you should be dropping those at the host firewall level (or further up the chain).
 
Old 04-21-2009, 06:16 PM   #7
abefroman
Quote:
Originally Posted by anomie View Post
Is there some reason you're allowing UDP traffic to e.g. http and mysql service ports? If not, you should be dropping those at the host firewall level (or further up the chain).
According to the firewall that is closed, would the server still have to process those packets?
 
Old 04-21-2009, 06:37 PM   #8
anomie
If you've correctly configured netfilter to DROP or REJECT the packet, then it's processed to the extent that it is evaluated and then denied. But it doesn't reach the services you are protecting.
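What anomie's "drop at the host firewall level" looks like in practice, as an added example (not a ruleset from the thread or from any of its posters): a weak catch-all UDP accept beside a default-deny ruleset that lets the UDP to .http and .mysql and the echo-request flood fall through to DROP without touching a service. It assumes iptables with the state and limit matches; ADMIN_NET is a placeholder, and DRY_RUN=1 (the default) only prints the commands.

```sh
#!/bin/sh
# Added example, not from the thread.  DRY_RUN=1 (the default) prints the
# iptables commands instead of applying them; run as root with DRY_RUN=0 to
# apply.  ADMIN_NET is a placeholder for the range your admins connect from.
ADMIN_NET=${ADMIN_NET:-198.51.100.0/24}
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Weak setting: a catch-all UDP accept means every 512-byte packet in the
# capture is queued to a socket (or answered with an ICMP unreachable).
weak_rules() {
    ipt -A INPUT -p udp -j ACCEPT
}

# Hardened equivalent: default-deny, then allow only what the box serves.
hardened_rules() {
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # HTTP is TCP-only; with no UDP rule at all, the UDP to .http and .mysql
    # falls through to the DROP policy and never reaches a service.
    # (SYN floods are better handled by net.ipv4.tcp_syncookies=1 than by
    # rate-limiting NEW connections, which also shuts out real users.)
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    # MySQL and SSH only from the admin network.
    ipt -A INPUT -p tcp --dport 3306 -s "$ADMIN_NET" -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT
    # Echo requests: answer a trickle for diagnostics, silently drop the rest.
    ipt -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 2/second -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j DROP
}

# Sanity check on the rendered ruleset: default policy DROP and no UDP accept.
udp_is_closed() {
    r=$(DRY_RUN=1; hardened_rules)
    echo "$r" | grep -q -- '-P INPUT DROP' &&
        ! echo "$r" | grep -q -- '-p udp .*-j ACCEPT'
}

weak_rules
echo "--- hardened ---"
hardened_rules
```

Dropping at the host still costs the link the bandwidth of every packet, so a flood of this size may need to be filtered upstream as well, as anomie's "further up the chain" suggests.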
 
Old 04-21-2009, 10:55 PM   #9
abefroman
Is there a way to test if it's open?
telnet-udp xx.xx.xx.xx 80
something like a telnet for udp?
 
Old 04-22-2009, 11:25 AM   #10
anomie
A couple options come to mind:

Option 1: Run a nmap UDP scan on that port. Be sure to read the caveats on UDP scans in the nmap manpages; or

Option 2: Fire up a nc listener on UDP port 80 and try pushing data to it from a client.

On the server:
# nc -lu 80

On the client:
$ nc -u server.here 80

Now, in the client terminal, start typing text. Is it appearing in the server terminal window? If so, UDP packets are getting through to port 80. If not, they're not.

[ note: Your nc options may differ slightly. ]
 
  

