Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Are you sure it is a "Distributed Denial of Service" and not a misconfigured server just trying to access?
I once had "The University of Chicago" try to download my ENTIRE site (html, php, ssc's, png's, jpg's, everything) over and over and over, to the tune of 4 to 6 gig per day.
Eng_Designer, please spell out your words and avoid using 'texting' slang, short lines, and abbreviations because it makes your question very hard to read.
As far as your concerns about a DDOS attack, the best thing you can do is contact your ISP. If you really are facing a DDOS, the help of your ISP will be required to stop it. The chances that you are actually getting such an attack are very small, unless you have done something to anger the wrong group of people. This is not to say that you aren't having a problem with rogue connections, just that it isn't likely to be a true DDOS scenario.
Rather than speculate on what may, or may not be happening, would you please post some examples of the troublesome log entries. Also describe exactly what you are trying to do and what type of service / server you are running. Also look at your logs for signs of a problem other than connections as this can cause a very high system load.
I solved it.
thanks alot
---------- Post added 06-01-11 at 10:58 PM ----------
Quote:
Originally Posted by Noway2
Eng_Designer, please spell out your words and avoid using 'texting' slang, short lines, and abbreviations because it makes your question very hard to read.
As far as your concerns about a DDOS attack, the best thing you can do is contact your ISP. If you really are facing a DDOS, the help of your ISP will be required to stop it. The chances that you are actually getting such an attack are very small, unless you have done something to anger the wrong group of people. This is not to say that you aren't having a problem with rogue connections, just that it isn't likely to be a true DDOS scenario.
Rather than speculate on what may, or may not be happening, would you please post some examples of the troublesome log entries. Also describe exactly what you are trying to do and what type of service / server you are running. Also look at your logs for signs of a problem other than connections as this can cause a very high system load.
I'm sorry for my bad language, but I was writing fast.
Anyway, I solved it.
thanks alot
Good morning.
I have 1 question, no more, because I got many DDoS attacks and my load is 95++.
What is the best program to stop a DDoS attack???
Thanks,
Abdelrahman
Are you actually running Linux?
Since no-one has mentioned this, please don't put "urgent" in your thread titles. This is a volunteer site and no threads are any more urgent than any other.
Also, "alot" is incorrect - it should be two words (see the link in my signature).
So?
We will forget the problem and debate whether I should write "alot" or "a lot"?
Thanks for the reply and your solution!!
I made a bash script that blocks IPs that make SYN attacks.
Huh? The "DDoS" you were referring to was a SYN flood? How did you conclude it was DDoS? I mean, a SYN flood can be done from a single IP-spoofing host (no DDoS necessary). What does your script look like? Why didn't you just enable SYN cookies?
And a SYN attack is also not only DDoS.
#!/bin/bash
# Collect the remote address of every half-open (SYN_RECV) connection.
# cut -d: -f2 only works for IPv4 "addr:port" pairs; IPv6 has more colons.
netstat -na | grep -i SYN_RECV | cut -d: -f2 | awk '{print $2}' | sort -u > /tmp/ip
for i in $(cat /tmp/ip)
do
    # Drop inbound traffic from, and outbound traffic to, each address.
    iptables -v -A OUTPUT -d "${i}" -j DROP
    iptables -v -I INPUT -s "${i}" -j DROP
done
# Persist the rules across restarts (RHEL/CentOS style init script).
service iptables save
So basically you're using netstat to look for half-open connections, then using iptables to filter packets from the relevant source addresses? What you've done is essentially created a giant denial-of-service vulnerability. Now all a bad guy has to do is spoof a packet with the source IP of any host he wishes to block to/from your server (which may include critical things such as security update package repositories). Not to mention that since in most SYN floods the spoofed IPs are random, these iptables rules are potentially useless. So yeah, use SYN cookies instead (it's what they're designed for). Getting back to the DDoS (separate issue): How did you solve that? Did your ISP jump in? You never even showed us or described what it looked like, AFAICT.
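An added example, not code from the thread, that takes the defensive route anomie describes: it checks whether SYN cookies are on and summarises half-open connections per source (from a constructed netstat -na sample) so you can see whether they are scattered across many addresses, the pattern of a spoofed flood where per-IP DROP rules do nothing useful. It assumes the standard six-column netstat layout with the state in column 6.

```shell
#!/bin/sh
# Added example (not from the thread): audit SYN-flood posture instead of
# DROPping every SYN_RECV source. Two checks:
#  1. is net.ipv4.tcp_syncookies on (the fix recommended above)?
#  2. how are half-open connections spread across sources? Many sources with
#     one or two entries each is what a spoofed flood looks like, and per-IP
#     DROP rules do nothing against that (and can block real hosts).

# True when SYN cookies are enabled. The path is a parameter so the check can
# run against a saved copy of the file; the default is the live kernel setting.
syncookies_enabled() {
    f="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Read `netstat -na`-style lines on stdin and print "count source" for every
# SYN_RECV entry, busiest source first. Strips the trailing ":port" instead of
# cutting at the first colon, so IPv6 foreign addresses are not mangled.
syn_recv_sources() {
    awk '$6 == "SYN_RECV" { src = $5; sub(/:[0-9]+$/, "", src); n[src]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Number of distinct sources currently holding half-open connections.
syn_recv_distinct() {
    syn_recv_sources | wc -l | tr -d ' '
}

# Constructed sample of netstat -na output: one host with three half-open
# connections, two single-hit sources, and one established session.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:40001      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:40002      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:40003      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.55:51000        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.56:51001        SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.200:3344        ESTABLISHED'

if syncookies_enabled; then
    echo "tcp_syncookies=1: SYN floods are absorbed without per-IP rules"
else
    echo "tcp_syncookies is off; enable with: sysctl -w net.ipv4.tcp_syncookies=1"
fi
echo "half-open connections per source (sample data):"
echo "$SAMPLE" | syn_recv_sources
echo "distinct sources: $(echo "$SAMPLE" | syn_recv_distinct)"
```

To watch a live box, replace the sample with `netstat -na | syn_recv_sources`; a long tail of single-hit sources means per-IP blocking will not help and SYN cookies are the right tool.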
There is a compelling reason to use tools like "Shorewall" to manage your iptables entries. (P.S. it's free, FOSS.)
When you simply try to "roll your own" commands, you're very likely to make some mistake ... even to create some vulnerability ... just because you really didn't know what you are doing. Whereas the authors of Shorewall have dealt with the same problems very deeply for a long time and have developed software to do the right thing.