Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
I'm getting massive attacks by IPs mainly from USA, Russia, Korea, Italy, China and blocking them with iptables doesn't help.
Here's the log from iptraf:
Code:
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 97.119.90.56:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 10.180.97.127:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 75.101.101.144:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 169.173.38.168:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 115.21.186.90:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 56.71.64.30:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 117.137.53.32:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 14.191.76.81:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 197.183.181.144:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 23.85.22.157:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 1.162.6.24:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 96.120.120.177:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 10.180.97.127:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 188.67.120.111:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 140.112.20.25:27005
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 115.21.186.90:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 82.140.114.0:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 57 bytes; from 78.83.25.187:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 98.30.13.149:27005
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 197.183.181.144:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 58.11.37.59:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 98.159.17.50:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 198.195.108.49:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 121.152.53.127:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 45.136.189.26:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 95.171.154.4:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 160.119.148.7:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 194.81.109.189:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 101.78.77.79:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 116.46.78.0:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 67.50.0.50:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 97.24.72.54:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 52.193.147.144:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 80.41.1.176:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 104.130.189.62:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 180.1.76.19:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 38.119.189.16:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 87.147.3.56:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 129.157.136.46:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 128.107.138.148:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 47.96.63.169:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 191.187.157.95:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 152.107.48.15:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 111.199.163.30:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 83.134.61.196:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 83.12.118.82:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 146.90.113.198:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 166.93.90.74:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 25.33.152.106:27005
Wed May 16 01:15:05 2012; UDP; eth0; 58 bytes; from 78.83.140.183:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 178.100.38.140:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 42.57.36.113:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 160.71.128.85:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 89.171.188.99:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 102.194.22.184:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 172.189.44.9:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 91.40.106.19:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 31.118.81.48:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 6.39.50.198:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 163.58.110.133:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 12.78.154.163:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 84.130.178.144:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 183.45.79.120:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 163.75.37.157:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 99.20.38.198:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 190.91.11.64:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 193.193.65.87:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 10.36.126.22:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 171.85.66.167:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 20.54.120.147:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 48.13.41.32:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 40.79.145.142:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 23.162.171.50:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 191.12.198.106:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 53.82.30.85:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 164.97.180.104:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 190.85.44.41:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 139.12.31.111:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 119.104.157.3:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 100.58.150.194:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 58 bytes; from 78.83.140.183:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 21.191.100.100:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 63.38.122.171:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 62.104.53.96:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 108.148.188.9:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 88.194.162.79:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 77.50.68.92:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 177.119.128.43:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 185.51.79.74:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 145.195.130.58:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 161.50.147.69:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 195.22.167.113:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 186.10.41.18:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 82.155.27.21:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 51.40.118.57:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 64.30.90.145:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 48.196.57.64:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 51.66.64.52:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 47.102.47.55:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 108.148.188.9:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 122.59.25.35:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 2.48.52.129:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 82.126.23.52:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 133.3.139.68:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 92.100.196.20:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 164.192.12.49:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 75.57.69.162:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 157.150.8.76:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 57 bytes; from 78.83.25.187:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 87.21.152.121:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 58 bytes; from 78.83.140.183:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 58 bytes; from 78.90.97.56:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 123.88.105.102:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 128.89.87.161:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 116.32.138.19:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 137.46.11.101:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 32.69.35.14:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 136.92.174.46:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 154.171.84.103:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 138.67.84.190:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 62.186.2.66:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 82.165.29.192:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 106.164.120.138:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 159.158.110.115:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 69.114.65.56:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 23.77.39.173:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 166.104.59.185:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 182.138.51.68:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 28.77.155.56:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 39.35.47.18:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 197.184.85.16:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 190.58.89.100:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 119.123.71.184:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 156.14.5.7:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 84.46.16.165:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 51.4.192.91:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 37.110.104.178:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 123.15.187.59:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 170.16.80.12:27005 to my.ip:27015
Wed May 16 01:15:05 2012; ******** IP traffic monitor stopped ********
Tried blocking all those countries - no effect. Dropped all packets with length 46 - also didn't help. ISP isn't willing to help...
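Before tuning rules it helps to profile the log itself. The following is an added Python example, not code from the original poster: it parses lines in the iptraf format shown above (the sample lines are constructed in that format, with `my.ip` kept as the placeholder the post uses) and summarises the inbound traffic to the game port: how many distinct senders, the dominant packet size and source port, and whether any senders are private or reserved addresses that could not reach a public server unforged.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the iptraf format quoted above (a handful of lines, not the full log).
SAMPLE_LOG = """\
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 97.119.90.56:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 10.180.97.127:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 23.85.22.157:27005
Wed May 16 01:15:05 2012; UDP; eth0; 57 bytes; from 78.83.25.187:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 10.36.126.22:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 1.162.6.24:27005 to my.ip:27015
Wed May 16 01:15:05 2012; ******** IP traffic monitor stopped ********
"""

LINE_RE = re.compile(
    r"^(?P<ts>[^;]+); (?P<proto>\w+); (?P<iface>\w+); (?P<size>\d+) bytes; "
    r"from (?P<src>[^:]+):(?P<sport>\d+) to (?P<dst>[^:]+):(?P<dport>\d+)$"
)

def parse(text):
    """Yield one dict per traffic line; monitor start/stop banners do not match and are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d.update({k: int(d[k]) for k in ("size", "sport", "dport")})
            yield d

def is_bogon(addr):
    """True when the address cannot be a genuine sender on the public Internet (RFC 1918 etc.)."""
    try:
        return not ipaddress.ip_address(addr).is_global
    except ValueError:
        return False  # the 'my.ip' placeholder is not an address at all

def summarize(text, local="my.ip", port=27015):
    """Profile inbound datagrams to the service port: how many senders, what size, which source port."""
    inbound = [p for p in parse(text) if p["dst"] == local and p["dport"] == port]
    sizes = Counter(p["size"] for p in inbound)
    sports = Counter(p["sport"] for p in inbound)
    srcs = {p["src"] for p in inbound}
    return {
        "inbound": len(inbound),
        "distinct_sources": len(srcs),
        "top_size": sizes.most_common(1)[0] if sizes else None,
        "top_sport": sports.most_common(1)[0] if sports else None,
        # private/reserved senders mean the source addresses are forged, so blocking by
        # origin cannot work; the remaining lever is rate-limiting the packet profile itself
        "bogon_sources": sorted(s for s in srcs if is_bogon(s)),
    }
```

Run against the full log above, the same profile shows one packet size, one source port and several 10.x.x.x senders, which is a strong sign the sources are forged rather than a set of real hosts in a few countries.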
What are you doing with iptables to block the traffic? Looks like you just want to blanket drop all traffic to udp:27005 and udp:27015. Nothing too tricky about that. But then if there's nothing listening on those ports (something about Half-Life Game Server?) then they won't be doing anything anyway, and there's nothing you can do about it as they won't be causing any actual problems that wouldn't also be encountered whenever the traffic reaches your machine.
I used this script to block all the traffic from the mentioned countries:
Code:
#!/bin/bash
### Block all traffic from the countries listed in ISO (two-letter ISO codes, lower case) ###
ISO="us cn ru it"
### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep
### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"
# Flush every table and chain and reset the policies to ACCEPT (this wipes any other rules, too)
cleanOldRules(){
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
}
# create a dir
[ ! -d "$ZONEROOT" ] && /bin/mkdir -p "$ZONEROOT"
# clean old rules
cleanOldRules
# create a new iptables chain for the country drops
$IPT -N "$SPAMLIST"
for c in $ISO
do
    # local zone file
    tDB="$ZONEROOT/$c.zone"
    # get fresh zone file; skip the country if the download fails rather than loading an empty list
    $WGET -O "$tDB" "$DLROOT/$c.zone" || continue
    # country specific log message
    SPAMDROPMSG="$c Country Drop"
    # strip comments and blank lines from the zone file
    BADIPS=$($EGREP -v "^#|^$" "$tDB")
    # one LOG and one DROP rule per prefix: thousands of rules, and every packet walks the whole chain
    for ipblock in $BADIPS
    do
        $IPT -A "$SPAMLIST" -s "$ipblock" -j LOG --log-prefix "$SPAMDROPMSG "
        $IPT -A "$SPAMLIST" -s "$ipblock" -j DROP
    done
done
# Send all traffic through the country chain first
$IPT -I INPUT -j "$SPAMLIST"
$IPT -I OUTPUT -j "$SPAMLIST"
$IPT -I FORWARD -j "$SPAMLIST"
# call your other iptable script
# /path/to/other/iptables.sh
exit 0
I tried dropping all packets with length 46 with this:
Code:
# chain that logs and drops; the LOG is rate-limited so the logging itself cannot become the bottleneck during a flood
iptables -N REJECT_FLOOD46
iptables -A REJECT_FLOOD46 -m limit --limit 5/min -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 46: ' --log-level info
iptables -A REJECT_FLOOD46 -j DROP
# the chain does nothing until INPUT sends packets into it: match 46-byte UDP datagrams for the game port
iptables -A INPUT -p udp --dport 27015 -m length --length 46 -j REJECT_FLOOD46
The machine starts lagging massively. I can't connect via SSH (or even if I can it's VERY slow) and ping also shows up to 70 % packets dropped.
What am I trying to achieve?
Is there any way to stop these attacks or are there any rules that might prevent them?
Well, are your blocking rules blocking them? If they are then that's all you can hope to achieve really. There is still a load inherently generated from blocking requests as much as there is from accepting them.
Are you talking about a "home" machine running this or is it a server in a datacenter? If it's in a datacenter you could try to ask them if they'll block traffic from those countries at router level rather than passing it through to your server. If it's at home, then I suppose you could try your service provider but I wouldn't hold out much hope as actually getting to speak to anyone other than a headset headcount is almost impossible.
So they stopped all the international traffic, but with no effect. Looks like the attacker is using spoofed IPs. No firewall (csf, apf), DDoS protection tool (ddos deflate) or other rules in iptables helped so far.