LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   SYN_RECV, IPTABLES, Drop DDOS Flood IPs does not work! (https://www.linuxquestions.org/questions/linux-server-73/syn_recv-iptables-drop-ddos-flood-ips-does-not-work-751982/)

eurusd 09-02-2009 01:34 AM

SYN_RECV, IPTABLES, Drop DDOS Flood IPs does not work!
 
SYN_RECV, IPTABLES, Drop DDOS Flood IPs does not work!
I use this command to block ddos ips

while true; do netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq; netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq > /tmp/ips.txt;for IP in `cat /tmp/ips.txt`; do iptables -A INPUT -s $IP -j DROP;done;service iptables save; sleep 30; done;

but still all the same ips that SYN RECV DDOS me remain active 
I tried iptables restart still wont kill those bad connections
How to really drop them so I wont see them again in netstat

You have new mail in /var/spool/mail/root
[root@vbox2fedora11 ~]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
[root@vbox2fedora11 ~]#

96.49.250.193
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
10.1.231.55
187.146.59.172
188.51.4.221
196.209.198.197
201.165.12.21
201.26.106.227
24.234.86.254
67.167.150.169
69.46.142.122
76.217.95.6
77.183.84.46
77.196.51.125
77.210.98.64
78.50.226.250
82.9.59.77
84.143.187.50
85.157.188.208
87.96.232.60
91.193.220.129
92.153.255.183
94.153.161.250
96.32.251.220
96.49.250.193
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
10.1.231.55
187.146.59.172
196.209.198.197
201.26.106.227
217.201.127.118
24.234.86.254
67.167.150.169
69.111.189.49
69.46.142.122
76.217.95.6
77.183.84.46
77.196.51.125
77.210.98.64
78.50.226.250
82.9.59.77
84.143.187.50
85.157.188.208
86.153.68.53
87.96.232.60
91.193.220.129
92.153.255.183
94.153.161.250
96.32.251.220
96.49.250.193
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]


[root@vbox2fedora11 ~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 :http S0106001cdf20124e.vc.:52419 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52414 SYN_RECV
tcp 0 0 :http a88-112-87-22:pnaconsult-lm SYN_RECV
tcp 0 0 :http dsl-187-146-59-172-:houston SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52397 SYN_RECV
tcp 0 0 :http dsl-187-146-59-172-:yo-main SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52416 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52420 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52398 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52395 SYN_RECV
tcp 0 0 :http static-84-166-145-212:14949 SYN_RECV
tcp 0 0 :http 5ad0d533.bb.sk:netbill-auth SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52421 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52422 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52417 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52402 SYN_RECV
tcp 0 0 :http static.unknown.c:dicom-iscl SYN_RECV
tcp 0 0 :http d66-183-27-194.bchsia:60266 SYN_RECV
tcp 0 0 :http 10.1.231.55:edm-manager SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52405 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52393 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52411 SYN_RECV
tcp 0 0 :http 188.51.4.221:46386 SYN_RECV
tcp 0 0 :http dsl-144-98-232.telkoma:3404 SYN_RECV
tcp 0 0 :http bl7-78-16.dsl.telepac:14020 SYN_RECV
tcp 0 0 :http 172.16.127.226:houston SYN_RECV
tcp 0 0 :http p548FBB32.dip.t-di:mps-raft SYN_RECV
tcp 0 0 :http adsl-76-217-95-6.dsl.:60250 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52401 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52407 SYN_RECV
tcp 0 0 :http 125.51.196-77.rev.g:netplan SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52408 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52418 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52399 SYN_RECV
tcp 0 0 :http d66-183-27-194.bchsia:60285 SYN_RECV
tcp 0 0 :http static-84-166-145-212:14950 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52413 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52404 SYN_RECV
tcp 0 0 :http mobile-3G-dyn-BC-190-:52242 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52415 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52394 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52409 SYN_RECV
tcp 0 0 :http bas3-montreal31-12797:61810 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52396 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52423 SYN_RECV
tcp 0 0 :http 217.71.225.75:4497 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52412 SYN_RECV

cbtshare 09-02-2009 08:01 AM

I'd suggest if you have cpanel use csf plugin.If not install APF and DDos Deflate(be careful not to change the APF setting to 1 until your sure the server is fine,you can get locked out) In DDOS D you can set the rules that defines a bad connection and it will use iptables or APF to block the automatically.Configured correctly can be a great ease to Sys Admins.Software is no match for hardware though , if the attacks become too great , software will falter.

chrism01 09-02-2009 11:40 PM

Also, have a look at fail2ban, which is designed for this.
You should also consider contacting your ISP if the problem is ongoing for a while.


All times are GMT -5. The time now is 03:41 AM.