Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Well, I've been a victim of DDoS attacks and I really can't figure out how to avoid it. On some machines it works, while on some it doesn't, or probably I'm doing it wrong in some way.
Attackers are using multiple IPs to attack my game server ports, which makes my game server output 1mb/s to each IP address; these are UDP reflective attacks technically. Here is how I see to protect them:
Code:
iptables -A INPUT -p udp -m state --state NEW -m recent --set --name DDOS --rsource
iptables -A INPUT -p udp -m state --state NEW -m recent --update --seconds 1 --hitcount 5 --name DDOS --rsource -j DROP
Technically this would block every attacker on UDP ports. I check if the attacker is blocked using "iftop" or "tcpdump": when I see that the output to the attacker's IP becomes 0, this confirms to me that the protection is working.
On my CentOS 6 machine running iptables 1.4.7, I am using a similar method to block it and it's really weird that it works sometimes and the next hour it doesn't. After a lot of tries, I restarted my system and iptables, the protection worked fine and the attacker was blocked. I logged into my system today and he is attacking me again and, although I restarted iptables, he's not getting blocked. I don't want to restart my system again and again to make it work, so what could be the issue?
Also, some people say UDP is stateless, but whatever it technically is, I've always used this command and it has worked before for me. Why not now, or why only partially now?
What I see is that your line to DROP contains no port numbers; it seems that perhaps you have configured this in a way that is oversimplified and you need an if/then/fi.
Perhaps this example from my firewall will help.
Code:
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPTABLES -A OUTPUT -o $INTERNET -p udp -m multiport --destination-port $NFS_PORT,$LOCKD_PORT -m state --state NEW -j REJECT
    $IPTABLES -A INPUT -i $INTERNET -p udp -m multiport --destination-port $NFS_PORT,$LOCKD_PORT -m state --state NEW -j DROP
else
    $IPTABLES -A OUTPUT -o $INTERNET -p udp -m multiport --destination-port $NFS_PORT -j REJECT
    $IPTABLES -A INPUT -i $INTERNET -p udp -m multiport --destination-port $NFS_PORT -j DROP
fi
I realize that this is specific to NFS but perhaps you could remodel what you have to do something similar and solve this issue.
We can never get away from bandits: they steal, break, obscure and generally are outlaws. Tracking their IP may be futile as they could be using techniques that obscure their real IP address. If you use REJECT they will know, because they get that info, so DROP should reveal nothing. As far as they are concerned they are unable to connect.
Okay, I tried CSF and that also doesn't block the attacker, so now I'm sure the problem is not with my commands.
Setting a rate limit in iptables manually or through CSF (and restarting the system) blocks the attacker very fine, but after 10 hours (might be less, I just woke up after that much) the attacker is attacking again and iptables is doing nothing. After doing a lot of commands iptables still won't work, but on restarting the system it works again by itself.
Why does this happen?
I have another VPS with InterServer.net running CentOS OpenVZ Kernel 2.6.18 (like the machine above), and the same thing is happening on that machine. At this moment, I just restarted my VPS and iptables is working fine and blocking the attacker, but I'm sure when I wake up tomorrow I'll see the attacker not being blocked anymore.
So is there any issue with this kernel?
This is weird isn't it?
At least programming or mathematics can't explain that shit.
If someone is attacking the system right at the current time, and if you restart your system, it will block the IP addresses.
If now another attacker comes, it will not block that attacker, or even if the previous attacker takes a break and attacks again, he will get through once again. Same case with the CentOS machine, and it's really weird.
Until now I was using a rate limit to block it, but I observed that attackers are sending constant packets of UDP length 14 and even blocking the length alone doesn't block the packets. But leave that aside: even directly blocking a new attacker's IP won't work, while the previous attacker who was attacking while the server was restarting is blocked (with rate-limit). But maybe if I'm using CSF, I can't manually do length or manual block until I flush the chain?
Your threads, over the past year, have displayed a wide range of trouble ranging from crashes to (perceived) root level compromises. Reading back it seems your DDoS problem started early last year (according to this, this and this thread) and apparently you found the issue urgent enough to start this thread (duplicate). What is bothering me in all of this is that these threads, over a period of nearly a year, have not led to anything conclusive. Part of it seems due to a lack of follow-ups and part of it is due to you failing to communicate OS, service, attack and measure effectiveness details properly. It is important to realize that in terms of Netfilter usage, and other aspects like the ability for a hosting company to oversell, OpenVZ is not equal to a dedicated host. Unless you manage dom0 yourself, then until your dom0 owner cooperates, you will not be able to achieve what you need to.
I strongly suggest that you start from scratch in your next reply and post detailed OS information: kernel version, game version and ports used, iptables version, full iptables rule set as in 'iptables-save > outputfile' and enough packet captures that can be used to analyze traffic.
Iptables rules are somehow not working even on XEN machines with the latest kernel, and not even on the 2.6.18 kernel OpenVZ. I tried contacting my providers but they couldn't help me with it. I don't know why on restart the rules start working and after a few hours the attacker is able to break in.
The above rules are the only thing I have in my iptables list.
It would be more useful to have you respond to unSpawn in the manner requested. The information you impart is not very useful.
Quote:
strongly suggest that you start from scratch in your next reply and post detailed OS information: kernel version, game version and ports used, iptables version, full iptables rule set as in 'iptables-save > outputfile' and enough packet captures that can be used to analyze traffic.
Your firewall seems to be the problem and perhaps it is configured incorrectly. Responding positively to a request for information will net you more help than you can get by offering conversational-type dialogue.
It appears anything specified with -A INPUT -m does not work (the -m option).
"Does not work" is not proper diagnostics. If the iptables recent module was available then it should show in the list of available target matches and module listing and if it was in use then catting your target bucket should show hits. Checking that makes no sense unless the iptables recent module was configured in the OpenVZ hardware node and your OpenVZ container was restarted. Without these two conditions being met you will not be able to use the module. Maybe it didn't sink in but that's basically what I wrote in post #6.
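The two checks described in the reply above (is the recent module actually present, and does its table show hits) plus the port scoping suggested in the earlier reply about the missing port numbers, as an added shell example that is not code from anyone in this thread. The recent-table text, the iptables-save excerpt and the ports 20100,20101 are constructed placeholders; on a real host recent_table_live reads the kernel's table.

```shell
#!/bin/sh
# Added helpers for the "recent"-based UDP rate limit discussed in this thread. They
# work on constructed copies of the recent table and of iptables-save output, so they
# run anywhere; recent_table_live reads the real table on an actual host.
# Constructed /proc/net/xt_recent/DDOS: one line per source, "oldest_pkt:" is a
# ring-buffer index and the trailing numbers are the timestamps of counted hits.
SAMPLE_RECENT='src=203.0.113.10 ttl: 64 last_seen: 4295100 oldest_pkt: 7 4295010, 4295030, 4295050, 4295070, 4295090, 4295095, 4295100
src=198.51.100.7 ttl: 64 last_seen: 4295120 oldest_pkt: 2 4295110, 4295120'

# Constructed iptables-save excerpt holding the two rules from the first post.
SAMPLE_RULESET='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m state --state NEW -m recent --set --name DDOS --rsource
-A INPUT -p udp -m state --state NEW -m recent --update --seconds 1 --hitcount 5 --name DDOS --rsource -j DROP
COMMIT'

# $1: table name. ipt_recent is the procfs path on 2.6.18-era kernels. No table at
# all means the module is not loaded, or not enabled on the OpenVZ hardware node.
recent_table_live() {
    for d in /proc/net/xt_recent /proc/net/ipt_recent; do [ -r "$d/$1" ] && cat "$d/$1" && return 0; done
    echo "recent table '$1' not present: check lsmod / the hardware node" >&2; return 1
}

# stdin: recent table text; stdout: "<source> <hits>" where hits = number of timestamps
recent_hit_counts() {
    awk '/^src=/ {
        n = split(substr($0, index($0, "oldest_pkt:")), t, /[ ,]+/); hits = 0
        for (i = 3; i <= n; i++) if (t[i] ~ /^[0-9]+$/) hits++
        print substr($1, 5), hits
    }'
}

# stdin: recent table text; stdout: sources with at least $1 hits (the --hitcount value)
recent_hot_sources() { recent_hit_counts | awk -v min="$1" '$2 >= min { print $1 }'; }

# stdin: iptables-save output; exit 0 if a recent --update DROP rule named $1 is loaded
ruleset_has_recent_drop() { grep -q -e "-m recent --update .*--name $1 .*-j DROP"; }

# stdin: iptables-save output; prints recent rules that match every UDP port, which
# is the gap the earlier reply points out (no --dport/--dports on the rules)
ruleset_unscoped_recent_rules() { awk '/-m recent/ && !/--dports?/ { print }'; }

# Emit the first post's two rules restricted to the game-server UDP ports in $1
# (comma-separated, placeholder values in the test) with recent table name $2.
build_rate_limit_rules() {
    printf '%s\n' \
      "iptables -A INPUT -p udp -m multiport --dports $1 -m state --state NEW -m recent --set --name $2 --rsource" \
      "iptables -A INPUT -p udp -m multiport --dports $1 -m state --state NEW -m recent --update --seconds 1 --hitcount 5 --name $2 --rsource -j DROP"
}
```

On a live box, `recent_table_live DDOS | recent_hot_sources 5` lists the sources the DROP rule is currently holding, and `iptables-save | ruleset_unscoped_recent_rules` shows which rules still apply to every UDP port.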
Quote:
Originally Posted by AsadMoeen
Soldier of Fortune 2 v1.00
It seems you run an old version. I don't know if there's any server updates but if you look at the CVE entries you see SOF2 isn't without problems: http://cve.mitre.org/cgi-bin/cvekey....ier+of+Fortune. Check the vendor for patches. Also tell me if you have Punkbuster enabled on the server.
Quote:
Originally Posted by AsadMoeen
Anything else required?
Yes. I haven't got a clue about your traffic. What I would like is output along the lines of you running (as root) something like 'tcpdump -C 50 -W 3 -p -n -nn -s 0 -i eth -w /path/to/eth.pcap', where "eth" is your 'net-facing Ethernet device name (like "eth0") and "/path/to/eth.pcap" is the path and file name on a partition with enough space to support storing 3 packet captures of 50 megs each. Once you have got these, send me an email to discuss where I can download the files for analysis.