Massive attacks [iptables doesn't work]

ps1x0 · 05-16-2012, 02:51 AM

Hey,

I'm getting massive attacks by IP's mainly from USA, Russia, Korea, Italy, China and blocking them with iptables doesn't help.

Here's the log from iptraf:

Code:

Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 97.119.90.56:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 10.180.97.127:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 75.101.101.144:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 169.173.38.168:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 115.21.186.90:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 56.71.64.30:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 117.137.53.32:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 14.191.76.81:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 197.183.181.144:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 23.85.22.157:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 1.162.6.24:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 96.120.120.177:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 10.180.97.127:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 188.67.120.111:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 140.112.20.25:27005
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 115.21.186.90:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 82.140.114.0:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 57 bytes; from 78.83.25.187:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 98.30.13.149:27005
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 197.183.181.144:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 58.11.37.59:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 98.159.17.50:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 198.195.108.49:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 121.152.53.127:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 45.136.189.26:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 95.171.154.4:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 160.119.148.7:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 194.81.109.189:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 101.78.77.79:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 116.46.78.0:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 67.50.0.50:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 97.24.72.54:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 52.193.147.144:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 80.41.1.176:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 104.130.189.62:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 180.1.76.19:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 38.119.189.16:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 87.147.3.56:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 129.157.136.46:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 128.107.138.148:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 47.96.63.169:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 191.187.157.95:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 152.107.48.15:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 111.199.163.30:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 83.134.61.196:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 83.12.118.82:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 146.90.113.198:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 166.93.90.74:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 25.33.152.106:27005
Wed May 16 01:15:05 2012; UDP; eth0; 58 bytes; from 78.83.140.183:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 178.100.38.140:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 42.57.36.113:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 160.71.128.85:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 89.171.188.99:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 102.194.22.184:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 172.189.44.9:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 91.40.106.19:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 31.118.81.48:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 6.39.50.198:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 163.58.110.133:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 12.78.154.163:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 84.130.178.144:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 183.45.79.120:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 163.75.37.157:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 99.20.38.198:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 190.91.11.64:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 193.193.65.87:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 10.36.126.22:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 171.85.66.167:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 20.54.120.147:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 48.13.41.32:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 40.79.145.142:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 23.162.171.50:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 191.12.198.106:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 53.82.30.85:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 164.97.180.104:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 190.85.44.41:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 139.12.31.111:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 119.104.157.3:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 100.58.150.194:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 58 bytes; from 78.83.140.183:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 21.191.100.100:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 63.38.122.171:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 62.104.53.96:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 108.148.188.9:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 88.194.162.79:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 77.50.68.92:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 177.119.128.43:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 185.51.79.74:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 145.195.130.58:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 161.50.147.69:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 195.22.167.113:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 186.10.41.18:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 82.155.27.21:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 51.40.118.57:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 64.30.90.145:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 48.196.57.64:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 51.66.64.52:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 47.102.47.55:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 108.148.188.9:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 122.59.25.35:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 2.48.52.129:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 82.126.23.52:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 133.3.139.68:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 92.100.196.20:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 164.192.12.49:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 75.57.69.162:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 157.150.8.76:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 57 bytes; from 78.83.25.187:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 87.21.152.121:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 58 bytes; from 78.83.140.183:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 58 bytes; from 78.90.97.56:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 123.88.105.102:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 128.89.87.161:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 116.32.138.19:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 137.46.11.101:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 32.69.35.14:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 136.92.174.46:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 154.171.84.103:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 138.67.84.190:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 283 bytes; from my.ip:27015 to 62.186.2.66:27005
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 82.165.29.192:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 106.164.120.138:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 159.158.110.115:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 69.114.65.56:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 23.77.39.173:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 166.104.59.185:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 182.138.51.68:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 28.77.155.56:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 39.35.47.18:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 197.184.85.16:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 190.58.89.100:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 119.123.71.184:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 156.14.5.7:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 84.46.16.165:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 51.4.192.91:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 37.110.104.178:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 123.15.187.59:27005 to my.ip:27015
Wed May 16 01:15:05 2012; UDP; eth0; 46 bytes; from 170.16.80.12:27005 to my.ip:27015
Wed May 16 01:15:05 2012; ******** IP traffic monitor stopped ********

Tried blocking all those countries - no effect. Droped all packets with lenght 46 - also didn't help. ISP isn't willing to help...

acid_kewpie · 05-16-2012, 03:01 AM

what are you doing with iptables to block the traffic? Looks like you just want to blanket drop all traffic to udp:27005 and udp:27015. Nothing too tricky about that. But then if there's nothing listening on those ports (something about Halflife Game Server?) then they won't be doing anything anyway, and there's nothing you can do about it as they won't be causing any actual problems that wouldn't also be encountered whnever the traffic reaches your machine.

ps1x0 · 05-16-2012, 03:24 AM

Yep. There is a game server on that port.

About the first question:

I used this script to block all the traffic from the mentioned countries:

Code:

#!/bin/bash
### Block all traffic from AFGHANISTAN (af) and CHINA (CN). Use ISO code ###
ISO="us cn ru it"
 
### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep
 
### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"
 
cleanOldRules(){
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
}
 
# create a dir
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT
 
# clean old rules
cleanOldRules
 
# create a new iptables list
$IPT -N $SPAMLIST
 
for c  in $ISO
do
	# local zone file
	tDB=$ZONEROOT/$c.zone
 
	# get fresh zone file
	$WGET -O $tDB $DLROOT/$c.zone
 
	# country specific log message
	SPAMDROPMSG="$c Country Drop"
 
	# get
	BADIPS=$(egrep -v "^#|^$" $tDB)
	for ipblock in $BADIPS
	do
	   $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
	   $IPT -A $SPAMLIST -s $ipblock -j DROP
	done
done
 
# Drop everything
$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST
 
# call your other iptable script
# /path/to/other/iptables.sh
 
exit 0

I tried dropping all packets with lenght 46 with this:

Code:

iptables -N REJECT_FLOOD46
iptables -A REJECT_FLOOD46 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 46: ' --log-level info
iptables -A REJECT_FLOOD46 -j DROP

acid_kewpie · 05-16-2012, 03:56 AM

Right, so what do you actually want to acheive, and what are the problems you're experiencing? you can't make that traffic not hit you...

ps1x0 · 05-16-2012, 04:01 AM

The machine starts lagging massively. I can't connect via SSH (or even if I can it's VERY slow) and ping also shows up to 70 % packets dropped.
What I'm trying to achieve?
Is there any way to stop these attacks or are there any rules that might prevent them?

acid_kewpie · 05-16-2012, 04:05 AM

well are your blocking rules blocking them? If they are then that's all you can hope to achieve really. there is still a load inherently generated from blocking requests as much as there is from accepting them.

TenTenths · 05-16-2012, 04:11 AM

Are you talking about a "home" machine running this or is it a server in a datacenter? If it's in a datacenter you could try to ask them if they'll block traffic from those countries at router level rather than passing it through to your server. If it's at home, then I suppose you could try your service provider but I wouldn't hold out much hope as actually getting to speak to anyone other than a headset headcount is almost impossible.

pan64 · 05-16-2012, 04:42 AM

sometimes there are outgoing traffic to those addresses/ports I think you can block that. What replies to those packages?

ps1x0 · 05-16-2012, 02:38 PM

@TenTenths - I'll try, though I don't think they'll to it (datacenter).
@pan64 - gameserver UDP based (counter-strike)

pan64 · 05-16-2012, 02:43 PM

since the game server answers your host is registered out there. Switch it off or protect it with a firewall and they will forget you (probably)

TenTenths · 05-17-2012, 02:47 AM

Quote:

Originally Posted by ps1x0

@TenTenths - I'll try, though I don't think they'll to it (datacenter).

If they won't then you may need to consider a dedicated firewall device infront of your server.

ps1x0 · 05-18-2012, 03:53 AM

So they stopped all the internetional traffic, but with no effect. Looks like the attacker is using spoofed IP's. NO firewall (csf,apf), ddos protection tool (ddos deflate) or other rules in iptables helped so far.