Linux - Security (LinuxQuestions.org): This forum is for all security related questions.
Being DDoS'd. Can I cap connections?
Hi. We think we're getting repeatedly DDoS'd.
I run Ubuntu 12.04 on my server.
Is there any way to completely limit all connections, so that a DDoS cannot bring down the surrounding network and then hopefully I can allow through my own connection for maintenance?
I know that this means my websites would go down, but at least I'd still have access and a degree of control and wouldn't jeopardise my hosting.
I read that I could do this with my http server - lighttpd - but I was wondering if Linux can do this holistically?
I am by no means an expert and would encourage others to comment, but the first thing I thought of was conntrack, and I found this article for Redhat which may be relevant:
iptables -N In_RULE_1
iptables -A INPUT -p icmp -m icmp --icmp-type any -j In_RULE_1
iptables -A In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
iptables -A In_RULE_1 -j DROP
I also have an anti-spoof rule:
Code:
iptables -N In_RULE_0
iptables -A INPUT -i your_network_card -s your_host_name -j In_RULE_0
iptables -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
iptables -A In_RULE_0 -j DROP
In my case:
Code:
iptables -N In_RULE_0
iptables -A INPUT -i enp0s7 -s amarildo -j In_RULE_0
iptables -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
iptables -A In_RULE_0 -j DROP
Also, a rule to block invalid packets:
Code:
iptables -N drop_invalid
iptables -A OUTPUT -m state --state INVALID -j drop_invalid
iptables -A INPUT -m state --state INVALID -j drop_invalid
iptables -A INPUT -p tcp -m tcp --sport 1:65535 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j drop_invalid
iptables -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY "
iptables -A drop_invalid -j DROP
Also a no-Whois rule:
Code:
iptables -N In_RULE_2
iptables -A INPUT -p tcp -m tcp --dport 43 -j In_RULE_2
iptables -A In_RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY "
iptables -A In_RULE_2 -j DROP
And a no-xmas-scan rule
Code:
iptables -N In_RULE_4
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j In_RULE_4
iptables -A In_RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY "
iptables -A In_RULE_4 -j DROP
Protection against IP fragments too:
Code:
iptables -N In_RULE_5
iptables -A INPUT -p all -f -j In_RULE_5
iptables -A In_RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY "
iptables -A In_RULE_5 -j DROP
No traceroute either:
Code:
iptables -N In_RULE_7
iptables -A INPUT -p udp -m udp --dport 33434:33524 -j In_RULE_7
iptables -A In_RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- DENY "
iptables -A In_RULE_7 -j DROP
And no "who" too:
Code:
iptables -N In_RULE_6
iptables -A INPUT -p udp -m udp --dport 513 -j In_RULE_6
iptables -A In_RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY "
iptables -A In_RULE_6 -j DROP
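As an added example (not part of the post above), here is what the LOG targets in those rules actually produce in the kernel log, and a small helper for reading it during an attack. The sample lines are constructed for this example (host name, interface, MAC and addresses are made up); the "RULE n -- DENY" and "INVALID state -- DENY" prefixes are the ones used in the rules above, and the syslog/kernel-timestamp format is assumed to be the usual Ubuntu 12.04 /var/log/kern.log layout.

```shell
#!/bin/sh
# Constructed sample of kernel-log lines written by the LOG rules above (not real traffic).
SAMPLE_LOG='May 29 16:40:01 web1 kernel: [  101.123456] RULE 1 -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
May 29 16:40:02 web1 kernel: [  102.123456] RULE 1 -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
May 29 16:40:03 web1 kernel: [  103.123456] RULE 1 -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
May 29 16:41:10 web1 kernel: [  170.001234] RULE 4 -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.200 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54321 PROTO=TCP SPT=40123 DPT=80 WINDOW=1024 RES=0x00 URG ACK PSH RST SYN FIN URGP=0
May 29 16:41:11 web1 kernel: [  171.001234] RULE 4 -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.200 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54322 PROTO=TCP SPT=40124 DPT=80 WINDOW=1024 RES=0x00 URG ACK PSH RST SYN FIN URGP=0
May 29 16:41:12 web1 kernel: [  172.500000] eth0: link is up
May 29 16:41:30 web1 kernel: [  190.777777] INVALID state -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.33 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=1 PROTO=TCP SPT=55555 DPT=443 WINDOW=0 RES=0x00 ACK URGP=0'

# Read kernel-log lines on stdin and print the busiest (rule prefix, source, proto/dport)
# combinations, most frequent first. Lines without a SRC= field (ordinary kernel messages)
# are ignored. Output columns: count, log prefix, source address, PROTO/DPT ("-" if no port).
top_sources() {
  awk '
    /SRC=/ {
      match($0, /SRC=[0-9.]+/); src = substr($0, RSTART + 4, RLENGTH - 4)
      proto = "?"; if (match($0, /PROTO=[A-Z]+/)) proto = substr($0, RSTART + 6, RLENGTH - 6)
      dpt = "-";   if (match($0, /DPT=[0-9]+/))   dpt   = substr($0, RSTART + 4, RLENGTH - 4)
      pre = $0
      sub(/ IN=.*$/, "", pre)                       # drop the packet fields
      sub(/^.*kernel: (\[ *[0-9.]+\] )?/, "", pre)  # drop syslog header and kernel timestamp
      n[pre "\t" src "\t" proto "/" dpt]++
    }
    END { for (k in n) print n[k] "\t" k }' | sort -rn | head -n "${1:-10}"
}

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | top_sources 10
```

On a live box the same function is fed from the log, e.g. `grep -- '-- DENY' /var/log/kern.log | top_sources 20`, and the output tells you whether the traffic is a few loud sources (easy to drop by address) or many quiet ones (which needs rate limiting or upstream help). One caveat that matters under a real flood: a LOG rule with no `-m limit` in front of it logs every dropped packet, which fills the disk and burns CPU exactly when you have neither to spare, so put `-m limit --limit 5/min` (or similar) on the logging rule and let the DROP run unlimited.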
Why do you think that? Perhaps as relevant, if you have captured some packets, then maybe there are some characteristics of the packets that are useful in filtering out the bad stuff from the good stuff. Feel free to obfuscate any of your own addresses before posting anything.
Quote:
Originally Posted by darksmiley
Is there any way to completely limit all connections, so that a DDoS cannot bring down the surrounding network and then hopefully I can allow through my own connection for maintenance?
Well, if for example, all of the DDOS packets are on one port and you have SSH on another port, you could drop all of the packets coming in some port/range of ports, and allow through the packets on the SSH port. Probably won't work perfectly, but may work well enough.
Quote:
Originally Posted by darksmiley
I know that this means my websites would go down, but at least I'd still have access and a degree of control and wouldn't jeopardise my hosting.
Websites will probably be intermittently accessible, but that may be better than where you are now. A lot depends on whether there are bottlenecks upstream that are limitations.
Quote:
Originally Posted by darksmiley
I read that I could do this with my http server - lighttpd - but I was wondering if Linux can do this holistically?
I don't know what you mean by 'holistically', but the further upstream you do this, the less unnecessary processing you do before dropping stuff, the less chance that you run out of processing power to deal with the packets.
Oh, and you can rate limit almost anything in iptables. The difficulty is doing it without doing more harm than good...
Last edited by salasi; 05-29-2015 at 04:46 PM.
Reason: added 'rate limiting'
Quote:
Originally Posted by darksmiley
Is there any way to completely limit all connections, so that a DDoS cannot bring down the surrounding network and then hopefully I can allow through my own connection for maintenance?
Limiting connections can be done using iptables modules but DoS and DDoS measures should be applied upstream. Please see common SANS and other DoS / DDoS mitigation documentation.
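As an added example (not code from any poster in this thread), the script below does what the two replies above describe: a "lockdown" set that drops everything except SSH from the admin host, and a "limit" set that additionally keeps the web port open with per-source caps using the iptables connlimit and hashlimit modules, both loaded atomically with iptables-restore and with an automatic revert so a mistake does not cost you the box. The admin address, port numbers, thresholds, the LOGDROP chain name and the backup path are assumptions for the example; the iptables modules and options used (conntrack, connlimit, hashlimit, limit) exist on Ubuntu 12.04.

```shell
#!/bin/sh
# Added example: generate and atomically apply a DDoS lockdown / rate-limit ruleset.
#   lockdown  only the admin address may open new connections, and only to the SSH port.
#   limit     as above, plus the web port stays open with per-source caps.
# Thresholds and paths below are assumptions for the example; override them via environment.
CONN_PER_SRC=${CONN_PER_SRC:-20}   # max simultaneous connections from one /32 to the web port
NEW_PER_SEC=${NEW_PER_SEC:-10}     # sustained new-connection rate allowed per source
NEW_BURST=${NEW_BURST:-30}         # burst allowance above that rate
REVERT_SECS=${REVERT_SECS:-300}    # auto-revert window in case the new rules lock us out
BACKUP=${BACKUP:-/root/iptables.before-lockdown}

# Accept a dotted-quad IPv4 address with an optional /prefix and reject anything else, so a
# typo in the admin address cannot become a rule that matches nothing (and locks us out).
valid_ipv4() {
  addr=${1%/*}; pfx=${1#*/}
  [ "$pfx" = "$1" ] && pfx=32
  case "$pfx" in ''|*[!0-9]*) return 1;; esac
  [ "$pfx" -le 32 ] || return 1
  case "$addr" in .*|*.|*..*) return 1;; esac
  oldifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the ruleset in iptables-restore format.
# Usage: gen_rules lockdown|limit ADMIN_IP[/prefix] SSH_PORT [WEB_PORT]
gen_rules() {
  mode=$1; admin=$2; ssh=$3; web=${4:-80}
  case "$mode" in lockdown|limit) ;; *) echo "mode must be lockdown or limit" >&2; return 1;; esac
  valid_ipv4 "$admin" || { echo "bad admin address: $admin" >&2; return 1; }
  case "$admin" in */*) ;; *) admin=$admin/32;; esac
  # Default policy DROP, keep loopback and already-established flows, let only the admin
  # host open SSH. Dropped packets are logged at a bounded rate, then dropped unconditionally.
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "LOGDROP "
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $admin -p tcp --dport $ssh -m conntrack --ctstate NEW -j ACCEPT
EOF
  if [ "$mode" = limit ]; then
    # Web stays up, but one source may hold at most CONN_PER_SRC connections and open new
    # ones at NEW_PER_SEC/s (burst NEW_BURST); anything above that is logged and dropped.
    cat <<EOF
-A INPUT -p tcp --dport $web -m conntrack --ctstate NEW -m connlimit --connlimit-above $CONN_PER_SRC --connlimit-mask 32 -j LOGDROP
-A INPUT -p tcp --dport $web -m conntrack --ctstate NEW -m hashlimit --hashlimit-name web --hashlimit-mode srcip --hashlimit-above $NEW_PER_SEC/sec --hashlimit-burst $NEW_BURST -j LOGDROP
-A INPUT -p tcp --dport $web -m conntrack --ctstate NEW -j ACCEPT
EOF
  fi
  printf '%s\n' '-A INPUT -j LOGDROP' 'COMMIT'
}

# Save the running rules, schedule their automatic restore, then load the new set in one
# transaction. If SSH from the admin host still works, cancel the revert with the printed kill.
apply_rules() {
  rules=$(gen_rules "$@") || return 1
  iptables-save > "$BACKUP" || return 1
  ( sleep "$REVERT_SECS"; iptables-restore < "$BACKUP" ) &
  revert=$!
  printf '%s\n' "$rules" | iptables-restore || { kill "$revert"; return 1; }
  echo "Applied. Backup in $BACKUP. Cancel the ${REVERT_SECS}s auto-revert with: kill $revert" >&2
}

case "${1:-}" in
  --print) shift; gen_rules "$@" ;;     # e.g.  --print limit 203.0.113.10 22 80
  --apply) shift; apply_rules "$@" ;;   # same arguments; needs root
esac
```

Review the output of `--print` before `--apply`; the whole set goes in with one iptables-restore, so there is never a moment with the DROP policy in place but the admin rule missing. Two caveats that follow from the replies above: the caps are per source address, so a genuinely distributed flood from many hosts still gets through at up to the per-source limits, and none of this helps once the saturated link is upstream of the server, which is why the host-side rules are only a way to keep the box manageable while the provider filters. Under a SYN flood also turn on `net.ipv4.tcp_syncookies=1` and watch `net.netfilter.nf_conntrack_max`, since every conntrack-based match above costs a table entry.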