Tuesday, September 6, 2011

Banning IPs during a DDoS

After surfing around, I've found some very handy commands to handle blocking of IPs.

# List every remote IP connected to port 80 with its number of connections (busiest last)
sudo netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -n
# The same count of remote IPs across all ports (it counts remote addresses, not ports)
sudo netstat -plan | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -n
# Caveat: cut -d: -f 1 keeps only the text before the first colon, so IPv6 and
# ::ffff:-mapped addresses come out empty, and the netstat header lines show up as junk rows

# Block a specific IP (-I INPUT 1 inserts at the top of the chain, so the DROP wins over any later ACCEPT rule)
sudo iptables -I INPUT 1 -s xx.xx.xx.xx -j DROP

# Block a /16 (the old "class B" range, 65,536 addresses)
sudo iptables -I INPUT 1 -s xx.xx.0.0/16 -j DROP

# Block a /24 (the old "class C" range, 256 addresses)
sudo iptables -I INPUT 1 -s xx.xx.xx.0/24 -j DROP

# Block a /8 (the old "class A" range, 16.7 million addresses; almost always far too broad)
sudo iptables -I INPUT 1 -s xx.0.0.0/8 -j DROP
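The two steps above (counting connections per remote IP, then dropping the worst offenders) combined into one small script. This is an added example, not code from the original post: the netstat listing it parses is a constructed sample, the threshold of 3 connections is an arbitrary value for illustration, and the iptables commands are only printed, never run.

```shell
#!/bin/sh
# Added example (not from the original post): count connections per remote IP
# on one local port and generate the matching iptables DROP commands for
# anything above a threshold. Dry run: commands are printed, never executed.

# Constructed sample of `netstat -plan` output; not captured from a real host.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/nginx
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED 1234/nginx
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.7:51237 ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:22             192.0.2.33:50000        ESTABLISHED 999/sshd'

# count_remote_ips PORT: read netstat output on stdin, print "count ip" for
# every remote address connected to the given local port, lowest count first.
# Unlike `cut -d: -f1`, stripping the trailing ":port" keeps IPv4-mapped
# IPv6 entries (::ffff:a.b.c.d) and folds them onto the IPv4 address.
count_remote_ips() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $5 !~ /\*$/ {
            ip = $5
            sub(/:[0-9]+$/, "", ip)      # drop the remote port
            sub(/^::ffff:/, "", ip)      # unmap IPv4-mapped IPv6
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }' | sort -n
}

# ban_commands PORT THRESHOLD: one iptables command per remote IP holding more
# than THRESHOLD connections to PORT. Inserted at position 1 so the DROP wins
# over any later ACCEPT rule. Pipe the output to `sudo sh` only after reading it.
ban_commands() {
    count_remote_ips "$1" | awk -v limit="$2" \
        '$1 > limit { print "iptables -I INPUT 1 -s " $2 " -j DROP" }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | count_remote_ips 80
printf '%s\n' "$SAMPLE_NETSTAT" | ban_commands 80 3
```

On a live host replace the sample with `sudo netstat -plan | count_remote_ips 80`, review the printed commands, and only then feed them to a root shell; a single NAT gateway or proxy can legitimately hold dozens of connections, which is why the threshold is a judgement call rather than a constant.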

A /16 ("class B") block is the usual choice if you want to drop whole IP ranges belonging to a particular country...
*Be very careful when blocking a /16: some of these ranges are shared among several countries (and among many hosting providers), so you will also drop legitimate traffic.

To find out which country an IP belongs to:

To list all the iptables rules for incoming traffic, with packet and byte counters so you can see which DROP rules are actually hitting:
sudo iptables -L INPUT -n -v

A very good list of CIDR ranges for each country:

Another kind of attack works at the TCP level: the SYN flood. The attacker sends SYNs and never completes the handshake, so the server accumulates half-open sockets in SYN_RECV until the listen backlog is full.
# Count half-open connections (on Linux netstat -p means --program, so "-p TCP" is not a protocol filter; -t selects TCP)
sudo netstat -ant | grep SYN_RECV
The kernel-side defence is SYN cookies (net.ipv4.tcp_syncookies = 1, which most modern distributions already set); per-IP connection limits only help when the flood comes from a few real source addresses rather than spoofed ones.

A good article about hardening the system:

# Very handy: limit the number of simultaneous connections to a port from a single source IP.
# connlimit counts per source address (/32) by default; a new SYN above the limit is answered with a RST.
# Because -A appends to the end of the chain, an earlier blanket ACCEPT rule would shadow these; check the order with the -L command above.
sudo iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
sudo iptables -A INPUT -p tcp --syn --dport 110 -m connlimit --connlimit-above 10 -j REJECT --reject-with tcp-reset
sudo iptables -A INPUT -p tcp --syn --dport 25 -m connlimit --connlimit-above 10 -j REJECT --reject-with tcp-reset

# To remove a rule, repeat it exactly with -D instead of -A (example):
sudo iptables -D INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset


# To save the rules so they survive a reboot (RHEL/CentOS; on Debian/Ubuntu use iptables-save instead):
sudo service iptables save

Updated 2012 Feb 28:
Encountered another type of DoS attack, one that leaves the server full of sockets stuck in TIME_WAIT (the "TIME_OUT" status in the original note is this state; TCP has no TIME_OUT state).
One way to deal with it is to shorten how long the kernel keeps a half-closed or finished connection around, and to let TIME_WAIT sockets be reused.
vi /etc/sysctl.conf

# Seconds a socket waits in FIN_WAIT_2 for the peer's FIN (default 60).
# Note that TIME_WAIT itself is fixed at 60 s in the Linux kernel; this setting does not shorten it.
net.ipv4.tcp_fin_timeout = 35
# Start keepalive probes after 30 minutes idle (default 2 hours) and probe every 35 s
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_intvl = 35
# tcp_tw_recycle breaks clients behind NAT (their TCP timestamps differ) and was removed in Linux 4.12; leave it off
# net.ipv4.tcp_tw_recycle = 1
# Reuse TIME_WAIT sockets for new outgoing connections when it is safe to do so
net.ipv4.tcp_tw_reuse = 1

sudo sysctl -p

The new values take effect immediately; restart the affected services, such as httpd and mysql, if you also want to clear their existing connections.
To see how many TCP sockets are in each state, run this:
netstat -an | awk '/^tcp/ {print $6}' | sort | uniq -c
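The SYN_RECV check and the per-state count above, extended so that a pile-up in one state can be traced back to the remote addresses holding those sockets. This is an added example, not code from the original post; the netstat listing it parses is a constructed sample, and the percentage heuristic is an illustration rather than an established threshold.

```shell
#!/bin/sh
# Added example (not from the original post): break a netstat listing down by
# TCP state and by the remote IP holding sockets in a given state, so that a
# SYN flood (many SYN_RECV) or a TIME_WAIT pile-up can be traced to its source.

# Constructed sample of `netstat -ant` output; not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:40001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:40002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.8:40003       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:50001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:50002      TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.9:50003      TIME_WAIT
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.7:40004 SYN_RECV'

# state_summary: sockets per TCP state, most common first. Only tcp/tcp6 rows
# are counted, so the header and any unix-socket section are ignored.
state_summary() {
    awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# state_by_remote_ip STATE: sockets in STATE per remote address, most first.
# Run it with SYN_RECV during a flood to see which sources hold the half-open
# connections; with TIME_WAIT to see who is churning short connections.
state_by_remote_ip() {
    awk -v state="$1" '
        $1 ~ /^tcp/ && $6 == state {
            ip = $5
            sub(/:[0-9]+$/, "", ip)      # drop the remote port
            sub(/^::ffff:/, "", ip)      # unmap IPv4-mapped IPv6
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# syn_recv_percent: share of non-listening sockets that are half-open, as an
# integer percentage. A busy but healthy web server stays in the low single
# digits; a SYN flood pushes it toward 100.
syn_recv_percent() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" { total++; if ($6 == "SYN_RECV") syn++ }
         END { if (total == 0) print 0; else print int(100 * syn / total) }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | state_summary
printf '%s\n' "$SAMPLE_NETSTAT" | state_by_remote_ip SYN_RECV
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_percent
```

On a live host feed it `sudo netstat -ant` instead of the sample. If `state_by_remote_ip SYN_RECV` shows thousands of distinct addresses with one socket each, the SYNs are spoofed and per-IP blocking will not help; SYN cookies will. If a handful of addresses hold most of them, those are candidates for the DROP rules above.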


Hope this helps :)

