LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-08-2017, 06:43 PM   #31
Obada
LQ Newbie
 
Registered: Apr 2017
Posts: 21

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by end View Post
Great, then you solved it.

Try removing it and restarting, and then try our approach; it should work.
No, not solved; that protection is just on TCP ports.

The TCP port protection comes from the DDoS Deflate script.

But yes, I will try to remove DDoS Deflate and try your approach.
 
Old 04-08-2017, 06:59 PM   #32
end
Member
 
Registered: Aug 2016
Posts: 236

Rep: Reputation: Disabled
And restart; maybe something is stuck somewhere and overriding the rules.
 
Old 04-08-2017, 07:34 PM   #33
Obada
LQ Newbie
 
Registered: Apr 2017
Posts: 21

Original Poster
Rep: Reputation: Disabled
All the iptables problems were because ufw exists, so I deleted my ufw firewall using these commands:


Code:
sudo ufw disable
sudo apt-get remove ufw
sudo apt-get purge ufw
and now I can block an IP using iptables.

Now I am testing your rules for protecting from UDP flooding....
 
Old 04-08-2017, 07:48 PM   #34
Obada
LQ Newbie
 
Registered: Apr 2017
Posts: 21

Original Poster
Rep: Reputation: Disabled
I added these rules:

Code:
iptables -I INPUT -p udp --dport 27043 -m state --state NEW -m recent --set
iptables -I INPUT -p udp --dport 27043 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP
iptables -I INPUT -p udp -m udp -d 162.222.73.15 --sport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP

iptables -I OUTPUT -p udp -d 162.222.73.15 --sport 27043 -m state --state NEW -m recent --set
iptables -I OUTPUT -p udp -d 162.222.73.15 --sport 27043 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP
iptables -I OUTPUT -p udp -m udp -d 162.222.73.15 --sport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
but no effect.

I blocked the IP manually:

Code:
iptables -I INPUT -s 162.222.73.15 -j DROP
iptables -I INPUT -d 162.222.73.15 -j DROP

iptables -I INPUT -s 162-222-73-15.saucelabs.net -j DROP
iptables -I INPUT -d 162-222-73-15.saucelabs.net -j DROP
The result is TCP closed and I get "Request timed out" when I ping,

but the attacker can still make a UDP flood even if he is blocked!

Last edited by Obada; 04-08-2017 at 07:50 PM.
 
Old 04-08-2017, 07:51 PM   #35
end
Member
 
Registered: Aug 2016
Posts: 236

Rep: Reputation: Disabled
Try:

iptables -I INPUT -p udp --dport 27043 -m state --state NEW -m recent --set
iptables -I INPUT -p udp --dport 27043 -m state --state NEW -m recent --update --seconds 1 --hitcount 1 -j DROP
iptables -I INPUT -p udp -m udp -s 162.222.73.15 --dport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
 
Old 04-08-2017, 07:58 PM   #36
end
Member
 
Registered: Aug 2016
Posts: 236

Rep: Reputation: Disabled
I forgot: after every rule, do iptables -F to delete the previous rules, and then try blocking the IP and try the attack.

Verify with iptables -nvL that all chains are set to ACCEPT, then add the rule. If that rule doesn't work, again iptables -F and add another. That was the problem the first time; it's not the DDoS script. I forgot to mention this.

Last edited by end; 04-08-2017 at 08:01 PM.
 
Old 04-08-2017, 08:02 PM   #37
Obada
LQ Newbie
 
Registered: Apr 2017
Posts: 21

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by end View Post
I forgot: after every rule, do iptables -F to delete the previous rules, and then try blocking the IP and try the attack.

Verify with iptables -nvL that all chains are set to ACCEPT, then add the rule. If that rule doesn't work, again iptables -F and add another. That was the problem the first time; it's not the DDoS script. I forgot to mention this.
I ran this code after finishing any failed test:
Code:
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
 
Old 04-08-2017, 08:03 PM   #38
end
Member
 
Registered: Aug 2016
Posts: 236

Rep: Reputation: Disabled
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT


This is the right order.
 
Old 04-08-2017, 08:05 PM   #39
end
Member
 
Registered: Aug 2016
Posts: 236

Rep: Reputation: Disabled
How do you test the UDP flood? I need to test this myself.
 
Old 04-08-2017, 08:09 PM   #40
Obada
LQ Newbie
 
Registered: Apr 2017
Posts: 21

Original Poster
Rep: Reputation: Disabled
Yes, I tested it and there was no effect; the UDP flood is still working.
 
Old 04-08-2017, 08:09 PM   #41
Obada
LQ Newbie
 
Registered: Apr 2017
Posts: 21

Original Poster
Rep: Reputation: Disabled
I can send you my UDP flood script.

I am using a UDP flood script written in Perl, run over RDP, for making a test attack on my game server (Ubuntu).

You can use it: udp-flood.pl

Last edited by Obada; 04-08-2017 at 08:24 PM.
 
Old 04-08-2017, 10:18 PM   #42
end
Member
 
Registered: Aug 2016
Posts: 236

Rep: Reputation: Disabled
Actually the rules are working; I was confused by your iftop output. If you look at the output, you can see that your IP doesn't send any packets to the attacker, only the attacker to you, even if you have drop rules as the default policy. And that's normal, because you need to see what's happening on your network; that doesn't mean the packets actually pass the firewall and affect the function of the network. Put a log on the rules and you will see that everything is dropped.
 
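The check end describes above, as an added example that is not part of the thread: instead of reading iftop, count what an iptables LOG rule placed in front of the DROP rule writes to the kernel log, and read the packet counters from iptables -nvL. The log prefix, the server address and the second source address are assumptions; both inputs are constructed samples.

```python
import re
from collections import Counter

# Constructed sample of kernel log lines written by a LOG rule such as
#   iptables -I INPUT -p udp --dport 27043 -j LOG --log-prefix "UDP-DROP: "
# inserted just before the matching DROP rule (prefix is an assumed value).
# DST and the second SRC are documentation-range addresses, not real hosts.
KERNEL_LOG = """\
Apr  9 09:01:12 vps kernel: UDP-DROP: IN=eth0 OUT= SRC=162.222.73.7 DST=198.51.100.10 LEN=1052 TTL=52 PROTO=UDP SPT=53211 DPT=27043 LEN=1032
Apr  9 09:01:12 vps kernel: UDP-DROP: IN=eth0 OUT= SRC=162.222.73.7 DST=198.51.100.10 LEN=1052 TTL=52 PROTO=UDP SPT=53211 DPT=27043 LEN=1032
Apr  9 09:01:13 vps kernel: UDP-DROP: IN=eth0 OUT= SRC=162.222.73.7 DST=198.51.100.10 LEN=1052 TTL=52 PROTO=UDP SPT=53212 DPT=27043 LEN=1032
Apr  9 09:01:13 vps kernel: UDP-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TTL=57 PROTO=UDP SPT=41000 DPT=27043 LEN=40
Apr  9 09:01:14 vps sshd[1234]: Accepted publickey for admin from 203.0.113.20
"""

# Constructed `iptables -nvL INPUT` output. The "-s attacker" rule matches the
# flood; the "-d attacker" rule from the thread never matches on INPUT, because
# inbound packets carry the attacker as source, not destination.
NVL = """\
Chain INPUT (policy ACCEPT 1204 packets, 97K bytes)
 pkts bytes target     prot opt in     out     source               destination
 8812 9065K DROP       udp  --  *      *       162.222.73.7         0.0.0.0/0            udp dpt:27043
    0     0 DROP       all  --  *      *       0.0.0.0/0            162.222.73.7
"""

LOG_RE = re.compile(r"kernel: (?P<prefix>\S+): .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")

def dropped_per_source(log_text, prefix="UDP-DROP"):
    """Count logged UDP packets per (SRC, DPT) for lines carrying our prefix."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("prefix") == prefix and m.group("proto") == "UDP":
            counts[(m.group("src"), int(m.group("dpt")))] += 1
    return counts

def drop_rule_counters(nvl_text):
    """Return [(pkts, source, destination)] for every DROP rule in -nvL output."""
    rules = []
    for line in nvl_text.splitlines():
        f = line.split()
        if len(f) >= 9 and f[2] == "DROP":
            rules.append((int(f[0]), f[7], f[8]))
    return rules

if __name__ == "__main__":
    print(dropped_per_source(KERNEL_LOG))
    for pkts, src, dst in drop_rule_counters(NVL):
        print(f"DROP -s {src} -d {dst}: {pkts} packets matched")
```

A rising pkts count on the -s rule, together with matching log lines, shows the flood is being dropped at the host; the zero on the -d rule shows that rule is simply never hit.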
Old 04-09-2017, 09:01 AM   #43
Obada
LQ Newbie
 
Registered: Apr 2017
Posts: 21

Original Poster
Rep: Reputation: Disabled
You are using a UDP flood and you are protected?? By using your approach?

What OS do you run?

For me it does not work even if I block the IP. I will show you the steps I made, and I fail :\

First step: flush the iptables using this:

Code:
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
Second step: blocking the IP

Code:
iptables -I INPUT -s 162.222.73.7 -j DROP
iptables -I INPUT -d 162.222.73.7 -j DROP
After that I try to ping my game server from the attacker machine.

[screenshot: ping from attacker machine]

As you see, I got
Code:
Request timed out.
Request timed out.
Then I make the attack on my game server.

[screenshot: attack]

I let the attacker machine running, so let's see our game server's iftop and check our game server's ping.

[screenshot: iftop]

My game server running on this port went offline, and not only this port: all game servers on my VPS went offline.

[screenshot: game server status]

Any issue with my steps??
 
Old 04-09-2017, 09:03 AM   #44
Obada
LQ Newbie
 
Registered: Apr 2017
Posts: 21

Original Poster
Rep: Reputation: Disabled
Can you check my problem by TeamViewer?
 
Old 04-09-2017, 09:59 AM   #45
Obada
LQ Newbie
 
Registered: Apr 2017
Posts: 21

Original Poster
Rep: Reputation: Disabled
I see someone with a problem like mine:

http://serverfault.com/questions/691...-an-ip-for-udp
 