
Tuesday, September 6, 2011

Banning IPs from a DDoS

After surfing around, I've found some very handy commands for blocking IPs.

# list every remote IP talking to port 80 and its number of connections
sudo netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
# same thing across all ports
sudo netstat -plan | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

#to block a specific ip
sudo iptables -I INPUT 1 -s xx.xx.xx.xx -j DROP
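A small script that ties the listing and blocking commands above together, added here as an example (it is not from the original post): it parses a constructed sample of netstat output, counts connections per source address on one port, and prints the DROP rules for sources above a threshold so an operator can review them before applying anything. The sample rows, the function names and the allowlist argument are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Parses netstat-style lines, counts
# connections per remote IPv4 address on one local port, and emits (does not run)
# DROP rules for sources above a threshold, skipping an allowlist of addresses.

# Constructed sample of `sudo netstat -plan` output for a hypothetical web server;
# the client addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80        203.0.113.7:51234    ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:80        203.0.113.7:51235    SYN_RECV    -
tcp        0      0 10.0.0.5:80        203.0.113.7:51236    SYN_RECV    -
tcp        0      0 10.0.0.5:80        198.51.100.20:4021   ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:22        192.0.2.9:55000      ESTABLISHED 990/sshd
tcp        0      0 10.0.0.5:80        192.0.2.9:55001      TIME_WAIT   -
tcp        0      0 0.0.0.0:80         0.0.0.0:*            LISTEN      1234/nginx'

# Same idea as the post's one-liner, but restricted to IPv4 "tcp" rows on the given
# local port and skipping the LISTEN row (its foreign address is 0.0.0.0:*).
# Reads netstat lines on stdin; prints "count ip", busiest source first.
count_by_source() {   # $1 = local port
    awk -v port="$1" '
        $1 == "tcp" && $4 ~ (":" port "$") && $5 != "0.0.0.0:*" {
            split($5, a, ":"); c[a[1]]++
        }
        END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Print the iptables commands that would ban every source with more than $2
# connections on port $1, except addresses listed in $3 (space separated), so the
# rules can be reviewed before anything is run.
ban_rules() {   # $1 = local port, $2 = threshold, $3 = allowlist
    count_by_source "$1" | while read -r n ip; do
        [ "$n" -gt "$2" ] || continue
        case " $3 " in *" $ip "*) continue ;; esac
        printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$ip"
    done
}

# Usage: more than 2 connections on :80 flags only 203.0.113.7 in the sample
printf '%s\n' "$SAMPLE_NETSTAT" | ban_rules 80 2 "198.51.100.20"
```

Feed it live data with `sudo netstat -plan | ban_rules 80 20 "your.admin.ip"` and pipe the output to `sh` only after checking it.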

#to block a class B ip
sudo iptables -I INPUT 1 -s xx.xx.0.0/16 -j DROP


#to block a class C ip
sudo iptables -I INPUT 1 -s xx.xx.xx.0/24 -j DROP


#to block a class A ip (a /8, not /16)
sudo iptables -I INPUT 1 -s xx.0.0.0/8 -j DROP

Normally you would use a class B (/16) block if you want to block entire IP ranges from a particular country...
*Be very careful when blocking a class B range: some ranges are shared among different countries.

To find out which country an IP belongs to:

To list all the iptables rules for incoming traffic:
sudo iptables -L INPUT -n -v

A very good list of CIDR ranges for each country:

Another kind of attack is a TCP-level flood, aka SYN flood.
# list TCP connections stuck in SYN_RECV
sudo netstat -ant | grep SYN_RECV

A good article about hardening the system:

# Very handy commands to limit the number of connections to a specific port from a single IP
sudo iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
sudo iptables -A INPUT -p tcp --syn --dport 110 -m connlimit --connlimit-above 10 -j REJECT --reject-with tcp-reset
sudo iptables -A INPUT -p tcp --syn --dport 25 -m connlimit --connlimit-above 10 -j REJECT --reject-with tcp-reset

#To remove a rule (example):
sudo iptables -D INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset


#To save it:
sudo service iptables save

Updated 2012 Feb 28:
Encountered another type of DoS attack using the TIME_OUT IP status.
One way to mitigate this is to reduce the number of seconds the kernel waits before timing out a half-closed TCP connection.
sudo vi /etc/sysctl.conf

net.ipv4.tcp_fin_timeout = 35
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_intvl = 35
# caveat: tcp_tw_recycle drops connections from clients behind NAT and was removed in Linux 4.12; on newer kernels use tcp_tw_reuse alone
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1

sudo sysctl -p

Then restart the affected services, such as httpd and mysql.
To show a count of every TCP state on the system, run this:
netstat -an|awk '/tcp/ {print $6}'|sort|uniq -c


Hope this helps :)