LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 09-02-2009, 01:34 AM   #1
eurusd
LQ Newbie
 
Registered: Sep 2009
Posts: 7

Rep: Reputation: 0
SYN_RECV, IPTABLES, Drop DDOS Flood IPs does not work!

I use this command to block DDoS IPs:

while true; do
    # peer addresses of half-open (SYN_RECV) TCP connections, de-duplicated, one per line
    netstat -n -t | awk '$6 == "SYN_RECV" { split($5, a, ":"); print a[1] }' | sort -u > /tmp/ips.txt
    cat /tmp/ips.txt
    for IP in $(cat /tmp/ips.txt); do
        # -I puts the rule ahead of any existing ACCEPT in INPUT (-A appended it after them);
        # the -L check avoids adding the same DROP rule again on every pass
        iptables -L INPUT -n | grep -qw "DROP.*$IP" || iptables -I INPUT -s "$IP" -j DROP
    done
    service iptables save
    sleep 30
done

but still all the same IPs that SYN_RECV DDoS me remain active.
I tried an iptables restart; it still won't kill those bad connections.
How do I really drop them so I won't see them again in netstat?

You have new mail in /var/spool/mail/root
[root@vbox2fedora11 ~]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
[root@vbox2fedora11 ~]#

96.49.250.193
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
10.1.231.55
187.146.59.172
188.51.4.221
196.209.198.197
201.165.12.21
201.26.106.227
24.234.86.254
67.167.150.169
69.46.142.122
76.217.95.6
77.183.84.46
77.196.51.125
77.210.98.64
78.50.226.250
82.9.59.77
84.143.187.50
85.157.188.208
87.96.232.60
91.193.220.129
92.153.255.183
94.153.161.250
96.32.251.220
96.49.250.193
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
10.1.231.55
187.146.59.172
196.209.198.197
201.26.106.227
217.201.127.118
24.234.86.254
67.167.150.169
69.111.189.49
69.46.142.122
76.217.95.6
77.183.84.46
77.196.51.125
77.210.98.64
78.50.226.250
82.9.59.77
84.143.187.50
85.157.188.208
86.153.68.53
87.96.232.60
91.193.220.129
92.153.255.183
94.153.161.250
96.32.251.220
96.49.250.193
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]


[root@vbox2fedora11 ~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 :http S0106001cdf20124e.vc.:52419 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52414 SYN_RECV
tcp 0 0 :http a88-112-87-22naconsult-lm SYN_RECV
tcp 0 0 :http dsl-187-146-59-172-:houston SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52397 SYN_RECV
tcp 0 0 :http dsl-187-146-59-172-:yo-main SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52416 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52420 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52398 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52395 SYN_RECV
tcp 0 0 :http static-84-166-145-212:14949 SYN_RECV
tcp 0 0 :http 5ad0d533.bb.sk:netbill-auth SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52421 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52422 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52417 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52402 SYN_RECV
tcp 0 0 :http static.unknown.c:dicom-iscl SYN_RECV
tcp 0 0 :http d66-183-27-194.bchsia:60266 SYN_RECV
tcp 0 0 :http 10.1.231.55:edm-manager SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52405 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52393 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52411 SYN_RECV
tcp 0 0 :http 188.51.4.221:46386 SYN_RECV
tcp 0 0 :http dsl-144-98-232.telkoma:3404 SYN_RECV
tcp 0 0 :http bl7-78-16.dsl.telepac:14020 SYN_RECV
tcp 0 0 :http 172.16.127.226:houston SYN_RECV
tcp 0 0 :http p548FBB32.dip.t-di:mps-raft SYN_RECV
tcp 0 0 :http adsl-76-217-95-6.dsl.:60250 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52401 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52407 SYN_RECV
tcp 0 0 :http 125.51.196-77.rev.g:netplan SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52408 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52418 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52399 SYN_RECV
tcp 0 0 :http d66-183-27-194.bchsia:60285 SYN_RECV
tcp 0 0 :http static-84-166-145-212:14950 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52413 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52404 SYN_RECV
tcp 0 0 :http mobile-3G-dyn-BC-190-:52242 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52415 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52394 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52409 SYN_RECV
tcp 0 0 :http bas3-montreal31-12797:61810 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52396 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52423 SYN_RECV
tcp 0 0 :http 217.71.225.75:4497 SYN_RECV
tcp 0 0 :http S0106001cdf20124e.vc.:52412 SYN_RECV
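As an added example (written for this thread, not the poster's script or any project's code), the following shell script parses `netstat -n -t` output the same way the loop above does, but counts half-open connections per remote address, ignores RFC 1918 sources such as the 10.1.231.55 and 172.16.127.226 entries visible in the listing, and only emits a rule for peers above a threshold, so a single stray SYN does not earn a permanent DROP. The threshold value, the function names and the 192.0.2.x / 198.51.100.x / 203.0.113.x sample addresses are assumptions and constructed data, not anything from the thread. Two caveats a defender should keep in mind: a SYN flood usually carries spoofed source addresses, so per-IP blocking chases a moving target while `net.ipv4.tcp_syncookies = 1` (already set in the sysctl output above) is the layer that actually absorbs it; and SYN_RECV entries already in the table stay there until the kernel's SYN-ACK retries time out, whatever rule is added afterwards.

```bash
#!/bin/sh
# Added example, not from the thread: count half-open (SYN_RECV) connections
# per remote address from `netstat -n -t` output, skip RFC 1918 sources, and
# only emit a block rule for peers above a threshold. The 192.0.2.x /
# 198.51.100.x / 203.0.113.x addresses below are documentation ranges used
# as constructed sample data.

# syn_recv_offenders THRESHOLD  (netstat -n -t output on stdin)
# Prints "count ip" for every public peer with at least THRESHOLD half-open
# connections, highest count first.
syn_recv_offenders() {
    min="${1:-5}"
    awk -v min="$min" '
        $1 == "tcp" && $6 == "SYN_RECV" {
            split($5, a, ":")            # foreign address is host:port
            ip = a[1]
            # private ranges are never a routable internet source; ignore them
            if (ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# block_rules THRESHOLD  (netstat output on stdin)
# Prints, without running it, one iptables command per offender. -I puts the
# DROP ahead of any existing ACCEPT in INPUT, and the -L check stops a
# repeating loop from adding the same rule on every pass.
block_rules() {
    syn_recv_offenders "${1:-5}" | while read -r count ip; do
        printf 'iptables -L INPUT -n | grep -qw "DROP.*%s" || iptables -I INPUT -s %s -j DROP\n' "$ip" "$ip"
    done
}

# Constructed sample: one peer with 5 half-open connections, one with 2, a
# private 10.x source with 4, and an established connection that must not count.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80          198.51.100.7:52419      SYN_RECV
tcp        0      0 192.0.2.10:80          198.51.100.7:52420      SYN_RECV
tcp        0      0 192.0.2.10:80          198.51.100.7:52421      SYN_RECV
tcp        0      0 192.0.2.10:80          198.51.100.7:52422      SYN_RECV
tcp        0      0 192.0.2.10:80          198.51.100.7:52423      SYN_RECV
tcp        0      0 192.0.2.10:80          203.0.113.9:4497        SYN_RECV
tcp        0      0 192.0.2.10:80          203.0.113.9:4498        SYN_RECV
tcp        0      0 192.0.2.10:80          203.0.113.9:4499        ESTABLISHED
tcp        0      0 192.0.2.10:80          10.1.231.55:3404        SYN_RECV
tcp        0      0 192.0.2.10:80          10.1.231.55:3405        SYN_RECV
tcp        0      0 192.0.2.10:80          10.1.231.55:3406        SYN_RECV
tcp        0      0 192.0.2.10:80          10.1.231.55:3407        SYN_RECV'

# Run against the sample when executed directly; on a live host replace the
# sample with: netstat -n -t | block_rules 5
printf '%s\n' "$SAMPLE" | block_rules 3
```

With the sample data and a threshold of 3, only 198.51.100.7 is reported; 203.0.113.9 stays under the threshold and the 10.1.231.55 entries are ignored as private. The commands are printed rather than executed so the output can be reviewed first; on a real host they would be applied by piping them into a root shell.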
 
Old 09-02-2009, 08:01 AM   #2
cbtshare
Member
 
Registered: Jul 2009
Posts: 645

Rep: Reputation: 42
I'd suggest if you have cPanel, use the CSF plugin. If not, install APF and DDoS Deflate (be careful not to change the APF setting to 1 until you're sure the server is fine; you can get locked out). In DDoS Deflate you can set the rules that define a bad connection and it will use iptables or APF to block them automatically. Configured correctly, it can be a great ease to sysadmins. Software is no match for hardware though; if the attacks become too great, software will falter.
 
Old 09-02-2009, 11:40 PM   #3
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
Also, have a look at fail2ban, which is designed for this.
You should also consider contacting your ISP if the problem is ongoing for a while.
 
  

