Old 03-05-2011, 01:38 PM   #1
zubbe
LQ Newbie
 
Registered: Mar 2011
Posts: 5

Rep: Reputation: 0
Question Protection against incoming attacks


Hi everyone!

I'm using Debian 6 to host a website (with apache2) and a game server. But because of attacks on my server, my hosting company has now set it offline.

These are the two logs that they provided (I replaced all IPs):
Code:
Direction IN
Internal ***.***.***.***
Threshold Traffic 150 MBit/s
Sum 5,694 GByte/300s (155 MBit/s), 4.077.000 packets/300s (13.590 packets/s), 3.918 flows/300s (13 flows/s)
External ***.***.***.***, 2,355 GByte/300s (64 MBit/s), 1.686.000 packets/300s (5.620 packets/s), 1.554 flows/300s (5 flows/s)
External ***.***.***.***, 0,698 GByte/300s (19 MBit/s), 500.000 packets/300s (1.666 packets/s), 492 flows/300s (1 flows/s)
External ***.***.***.***, 0,552 GByte/300s (15 MBit/s), 395.000 packets/300s (1.316 packets/s), 389 flows/300s (1 flows/s)
External ***.***.***.***, 0,542 GByte/300s (14 MBit/s), 388.000 packets/300s (1.293 packets/s), 385 flows/300s (1 flows/s)
External ***.***.***.***, 0,524 GByte/300s (14 MBit/s), 375.000 packets/300s (1.250 packets/s), 369 flows/300s (1 flows/s)
External ***.***.***.***, 0,383 GByte/300s (10 MBit/s), 274.000 packets/300s (913 packets/s), 272 flows/300s (0 flows/s)
External ***.***.***.***, 0,351 GByte/300s (9 MBit/s), 251.000 packets/300s (836 packets/s), 250 flows/300s (0 flows/s)
External ***.***.***.***, 0,082 GByte/300s (2 MBit/s), 59.000 packets/300s (196 packets/s), 59 flows/300s (0 flows/s)
External ***.***.***.***, 0,066 GByte/300s (1 MBit/s), 47.000 packets/300s (156 packets/s), 47 flows/300s (0 flows/s)
External ***.***.***.***, 0,057 GByte/300s (1 MBit/s), 41.000 packets/300s (136 packets/s), 41 flows/300s (0 flows/s)
External ***.***.***.***, 0,041 GByte/300s (1 MBit/s), 29.000 packets/300s (96 packets/s), 29 flows/300s (0 flows/s)
External ***.***.***.***, 0,021 GByte/300s (0 MBit/s), 15.000 packets/300s (50 packets/s), 15 flows/300s (0 flows/s)
External ***.***.***.***, 0,011 GByte/300s (0 MBit/s), 8.000 packets/300s (26 packets/s), 7 flows/300s (0 flows/s)
External ***.***.***.***, 0,010 GByte/300s (0 MBit/s), 7.000 packets/300s (23 packets/s), 7 flows/300s (0 flows/s)
External ***.***.***.***, 0,001 GByte/300s (0 MBit/s), 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s)
External ***.***.***.***, 0,000 GByte/300s (0 MBit/s), 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s)
Code:
Direction IN
Internal ***.***.***.***
Threshold Traffic 200 MBit/s
Sum 9,047 GByte/300s (247 MBit/s), 6.478.000 packets/300s (21.593 packets/s), 6.241 flows/300s (20 flows/s)
External ***.***.***.***, 2,348 GByte/300s (64 MBit/s), 1.681.000 packets/300s (5.603 packets/s), 1.636 flows/300s (5 flows/s)
External ***.***.***.***, 1,721 GByte/300s (46 MBit/s), 1.232.000 packets/300s (4.106 packets/s), 1.163 flows/300s (3 flows/s)
External ***.***.***.***, 1,690 GByte/300s (46 MBit/s), 1.210.000 packets/300s (4.033 packets/s), 1.131 flows/300s (3 flows/s)
External ***.***.***.***, 0,437 GByte/300s (11 MBit/s), 313.000 packets/300s (1.043 packets/s), 311 flows/300s (1 flows/s)
External ***.***.***.***, 0,436 GByte/300s (11 MBit/s), 312.000 packets/300s (1.040 packets/s), 310 flows/300s (1 flows/s)
External ***.***.***.***, 0,434 GByte/300s (11 MBit/s), 311.000 packets/300s (1.036 packets/s), 306 flows/300s (1 flows/s)
External ***.***.***.***, 0,415 GByte/300s (11 MBit/s), 297.000 packets/300s (990 packets/s), 291 flows/300s (0 flows/s)
External ***.***.***.***, 0,372 GByte/300s (10 MBit/s), 266.000 packets/300s (886 packets/s), 261 flows/300s (0 flows/s)
External ***.***.***.***, 0,289 GByte/300s (7 MBit/s), 207.000 packets/300s (690 packets/s), 186 flows/300s (0 flows/s)
External ***.***.***.***, 0,172 GByte/300s (4 MBit/s), 123.000 packets/300s (410 packets/s), 121 flows/300s (0 flows/s)
External ***.***.***.***, 0,163 GByte/300s (4 MBit/s), 117.000 packets/300s (390 packets/s), 117 flows/300s (0 flows/s)
External ***.***.***.***, 0,154 GByte/300s (4 MBit/s), 110.000 packets/300s (366 packets/s), 109 flows/300s (0 flows/s)
External ***.***.***.***, 0,127 GByte/300s (3 MBit/s), 91.000 packets/300s (303 packets/s), 91 flows/300s (0 flows/s)
External ***.***.***.***, 0,066 GByte/300s (1 MBit/s), 47.000 packets/300s (156 packets/s), 47 flows/300s (0 flows/s)
External ***.***.***.***, 0,063 GByte/300s (1 MBit/s), 45.000 packets/300s (150 packets/s), 45 flows/300s (0 flows/s)
External ***.***.***.***1, 0,038 GByte/300s (1 MBit/s), 27.000 packets/300s (90 packets/s), 27 flows/300s (0 flows/s)
External ***.***.***.***, 0,025 GByte/300s (0 MBit/s), 18.000 packets/300s (60 packets/s), 18 flows/300s (0 flows/s)
External ***.***.***.***, 0,024 GByte/300s (0 MBit/s), 17.000 packets/300s (56 packets/s), 17 flows/300s (0 flows/s)
External ***.***.***.***, 0,019 GByte/300s (0 MBit/s), 14.000 packets/300s (46 packets/s), 14 flows/300s (0 flows/s)
External ***.***.***.***, 0,013 GByte/300s (0 MBit/s), 9.000 packets/300s (30 packets/s), 9 flows/300s (0 flows/s)
External ***.***.***.***, 0,008 GByte/300s (0 MBit/s), 6.000 packets/300s (20 packets/s), 6 flows/300s (0 flows/s)
External ***.***.***.***, 0,006 GByte/300s (0 MBit/s), 4.000 packets/300s (13 packets/s), 4 flows/300s (0 flows/s)
External ***.***.***.***, 0,006 GByte/300s (0 MBit/s), 4.000 packets/300s (13 packets/s), 4 flows/300s (0 flows/s)
External ***.***.***.***, 0,004 GByte/300s (0 MBit/s), 3.000 packets/300s (10 packets/s), 3 flows/300s (0 flows/s)
External ***.***.***.***, 0,004 GByte/300s (0 MBit/s), 3.000 packets/300s (10 packets/s), 3 flows/300s (0 flows/s)
External ***.***.***.***, 0,003 GByte/300s (0 MBit/s), 2.000 packets/300s (6 packets/s), 2 flows/300s (0 flows/s)
External ***.***.***.***, 0,001 GByte/300s (0 MBit/s), 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s)
External ***.***.***.***, 0,001 GByte/300s (0 MBit/s), 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s)
External ***.***.***.***, 0,001 GByte/300s (0 MBit/s), 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s)
External ***.***.***.***, 0,001 GByte/300s (0 MBit/s), 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s)
External ***.***.***.***, 0,001 GByte/300s (0 MBit/s), 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s)
External ***.***.***.***, 0,001 GByte/300s (0 MBit/s), 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s)
External ***.***.***.***, 0,001 GByte/300s (0 MBit/s), 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s)
External ***.***.***.***, 0,001 GByte/300s (0 MBit/s), 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s)
External ***.***.***.***, 0,000 GByte/300s (0 MBit/s), 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s)
How can I prevent this from ever happening again?

I was thinking about limiting the bandwidth use for each unique IP, will this work? Are there any better solutions?
 
Old 03-05-2011, 01:49 PM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 8,910

Rep: Reputation: 914
Find out exactly what happened, check for security updates on everything you are running (website, not .deb), run rkhunter, etc.
 
Old 03-05-2011, 02:38 PM   #3
zubbe
LQ Newbie
 
Registered: Mar 2011
Posts: 5

Original Poster
Rep: Reputation: 0
Right now I can't find out exactly what happened because of poor support from the company (they have blocked all access to my server).

Everything I was running already had the latest updates.

But isn't there any applications/mods/programs or whatever that should deal with these kinds of attacks?
 
Old 03-05-2011, 05:10 PM   #4
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 157
Quote:
Originally Posted by zubbe View Post
But isn't there any applications/mods/programs or whatever that should deal with these kind of attacks?
How are we supposed to suggest a solution when you haven't given us the whos, whats, whens, wheres and whys? More info is needed. Those logs don't really mean anything, IMO. There are no IPs, there are no ports, no timestamps...

Those logs look to be network statistics. It is a bit difficult to rely on those alone.

Also, it's weird that your provider shut you down based on incoming traffic. It appears to be a lot. The traffic may be affecting their services (just an assumption). You need to get more info from them so that you know what to look for. They're hinting that this activity is DoS-like, they could be wrong. Sometimes providing a service appears as DoS activity.

Last edited by unixfool; 03-06-2011 at 11:32 AM. Reason: Edited for clarity
 
Old 03-05-2011, 07:09 PM   #5
zubbe
LQ Newbie
 
Registered: Mar 2011
Posts: 5

Original Poster
Rep: Reputation: 0
My only ports open are 80, 22, and 39000 (game server). I'm pretty sure the attack was at port 39000 because I believe I already have effective protection for apache2.

Is there any way to limit the bandwidth usage to let's say 0,2Mbit/s for each unique IP?
 
Old 03-06-2011, 05:12 AM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 779
Yes there is. Iptables supports rate limiting. Any of the good iptables tutorials will show you how to implement this. Here are a couple of tutorials that I would recommend: one on dos prevention and one on general iptables.
Here is a link to a similar thread on LQ from a couple of weeks ago, where someone running a game server was having an overload of connections and was getting shut down by their provider. Towards the bottom is a set of iptables commands (two of them) that you need to enter. You will need to change your port and IP information as appropriate for your setup.
 
Old 03-06-2011, 05:32 AM   #7
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,065

Rep: Reputation: 894
I am asking you to consider a little further before acting:

Quote:
Originally Posted by zubbe View Post
My only ports open are 80, 22, and 39000 (game server). I'm pretty sure the attack was at port 39000 because I believe I already have effective protection for apache2.

Is there any way to limit the bandwidth usage to let's say 0,2Mbit/s for each unique IP?
Yes, there is (but you may not want to do it). You could use iptables, and specifically the limit option, to, err, limit.

However you need to consider
  • Whether limiting to a 'reasonable' number would cause problems to your legitimate users.
  • Is there a better way of achieving your aim (should you be doing something like blacklisting bad accesses? can you determine which are bad accesses?); there are various utilities that might help, each of which has slightly different advantages and disadvantages, but which are similar overall
  • You really, really should be able to tell which port the accesses are using; if you can't, seriously consider what you could do to find out. Restricting ports at random until something seems to work just isn't a good idea.
  • Do these attacks have the characteristics of a DoS or a DDoS (or something else)? Blocking individual IPs for a DDoS may not help much.
  • Is there anything showing up in your log files? Is the only evidence that you have those listings from your provider? If it is, and then the addresses change, you won't be able to readjust until your provider blocks you again. This is not what you want.

And you've got to remember that you haven't told us anything about the distribution of 'bad' packets around different IP addresses so we are taking complete guesses about what is going on, and therefore we may not be giving you the best advice.
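The question salasi raises (how the traffic is spread across sources, and whether it looks like a DoS or a DDoS) can be answered from the provider's own listing before any iptables rule is written. The following is an added example, not code from the thread: it parses the report format zubbe posted, and computes the top source's share of the volume, how many sources carry half of it, the average packet size and the packets per flow. It assumes "GByte" in the report means 10^9 bytes; the sample is a constructed subset of the first listing.

```python
import re
from dataclasses import dataclass

# Constructed sample in the provider's 300-second report format quoted in the
# thread (a subset of the first listing; the poster had already masked the IPs).
SAMPLE_REPORT = """\
Sum 5,694 GByte/300s (155 MBit/s), 4.077.000 packets/300s (13.590 packets/s), 3.918 flows/300s (13 flows/s)
External ***.***.***.***, 2,355 GByte/300s (64 MBit/s), 1.686.000 packets/300s (5.620 packets/s), 1.554 flows/300s (5 flows/s)
External ***.***.***.***, 0,698 GByte/300s (19 MBit/s), 500.000 packets/300s (1.666 packets/s), 492 flows/300s (1 flows/s)
External ***.***.***.***, 0,552 GByte/300s (15 MBit/s), 395.000 packets/300s (1.316 packets/s), 389 flows/300s (1 flows/s)
External ***.***.***.***, 0,082 GByte/300s (2 MBit/s), 59.000 packets/300s (196 packets/s), 59 flows/300s (0 flows/s)
"""

# The report uses a decimal comma ("2,355 GByte") and a thousands dot ("1.686.000 packets").
LINE_RE = re.compile(
    r"^(?P<kind>Sum|External)\s+(?:(?P<addr>\S+),\s+)?"
    r"(?P<gbytes>[\d,]+) GByte/300s \(\d+ MBit/s\), "
    r"(?P<packets>[\d.]+) packets/300s \([\d.]+ packets/s\), "
    r"(?P<flows>[\d.]+) flows/300s"
)

@dataclass
class Row:
    addr: str      # "total" for the Sum line
    gbytes: float
    packets: int
    flows: int

def parse_report(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:   # header lines (Direction, Internal, Threshold) are skipped
            rows.append(Row(m["addr"] or "total",
                            float(m["gbytes"].replace(",", ".")),
                            int(m["packets"].replace(".", "")),
                            int(m["flows"].replace(".", ""))))
    return rows

def analyze(text):
    rows = parse_report(text)
    total = next(r for r in rows if r.addr == "total")
    sources = sorted((r for r in rows if r.addr != "total"), key=lambda r: r.gbytes, reverse=True)
    if not sources:
        raise ValueError("no External lines found")
    # Cumulative share: how many sources it takes to reach half the volume
    # (None if the listed sources never get there, e.g. a truncated listing).
    needed, cum = None, 0.0
    for i, r in enumerate(sources, 1):
        cum += r.gbytes
        if cum >= total.gbytes / 2:
            needed = i
            break
    return {"sources": sources,
            "top_source_share": sources[0].gbytes / total.gbytes,
            "sources_for_half": needed,
            "avg_packet_bytes": total.gbytes * 1e9 / total.packets,  # GByte = 10^9 assumed
            "packets_per_flow": total.packets / total.flows}
```

On the posted figures, roughly 1,400 bytes per packet and about a thousand packets per flow, with two sources carrying half the volume, point to a sustained bandwidth flood from a few heavy senders rather than a flood of single-packet flows; that is the kind of fact worth handing back to the provider when asking for ports and timestamps.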
 
Old 03-06-2011, 11:39 AM   #8
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 157
Quote:
Originally Posted by zubbe View Post
My only ports open are 80, 22, and 39000 (game server). I'm pretty sure the attack was at port 39000 because I believe I already have effective protection for apache2.

Is there any way to limit the bandwidth usage to let's say 0,2Mbit/s for each unique IP?
You need to peruse all your logs, looking for suspicious activity directed at those services. What distro are you using? What game are you serving?

I gotta agree with the previous poster. Rate-limiting might make things worse. It definitely won't stop a D/DoS and might actually cause the system to consume its own resources.
 