User:Ryuzakiaiko

From Dacentec
Revision as of 05:12, 27 June 2015 by Ryuzakiaiko (Talk | contribs) (How to help against (D)DOS attacks on your server)


How to help against (D)DOS attacks on your server


Many people today have problems with DoS or DDoS attacks, which generate a flood of traffic that can take down most servers on the web. To fight the simpler of these attacks, you can try some rules in iptables, the software firewall for Linux.

This tutorial should work on any Linux with iptables, but it has only been tested on CentOS 5 and 6.


The commands below rate limit ICMP packets to 40 per second, with a burstable limit of 100 per second, on the INPUT and FORWARD chains. That way they also work for forwarded connections, such as OpenVZ containers.


iptables -A INPUT -p icmp -m limit --limit 40/s --limit-burst 100 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A FORWARD -p icmp -m limit --limit 40/s --limit-burst 100 -j ACCEPT
iptables -A FORWARD -p icmp -j DROP



This one rate limits TCP SYN packets to 800 per second per IP, with a burstable limit of 1000 per second per IP, on the INPUT and FORWARD chains. That way it also works for forwarded connections, such as OpenVZ containers.


iptables -A INPUT -p tcp --syn -m limit --limit 800/s --limit-burst 1000 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
iptables -A FORWARD -p tcp --syn -m limit --limit 800/s --limit-burst 1000 -j ACCEPT
iptables -A FORWARD -p tcp --syn -j DROP



And finally, UDP packets are also limited to 800 per second per IP, with a burstable limit of 1000 per second per IP, on the INPUT and FORWARD chains. That way it also works for forwarded connections, such as OpenVZ containers.


iptables -A INPUT -p udp -m limit --limit 800/s --limit-burst 1000 -j ACCEPT
iptables -A INPUT -p udp -j DROP
iptables -A FORWARD -p udp -m limit --limit 800/s --limit-burst 1000 -j ACCEPT
iptables -A FORWARD -p udp -j DROP
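As an added example (my own script, not code from this wiki page or its author), the three rate limits above written as a small POSIX shell script that puts them into one dedicated chain, so re-running it does not append duplicate rules, and counts per source address with the hashlimit match, which is what the text describes but `-m limit` does not do (it counts all matching packets together regardless of source). It drops only traffic above the limit and leaves the rest to the existing ruleset instead of ACCEPTing it outright; the chain name RATELIMIT and the DRY_RUN variable are my own choices, and `--hashlimit-above` assumes iptables 1.4 or later (CentOS 6 ships it; the iptables 1.3 in CentOS 5 predates it).

```shell
#!/bin/sh
# Added example: per-source rate limits in a dedicated chain. Assumptions:
# chain name RATELIMIT, a DRY_RUN variable, iptables with --hashlimit-above.
CHAIN="${CHAIN:-RATELIMIT}"

# ipt: run iptables, or with DRY_RUN=1 just print the command it would run.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# limit_rule PROTO RATE BURST [extra match options...]
# Drops packets from any single source that exceeds RATE per second (after
# a burst of BURST); packets under the limit fall through to later rules.
limit_rule() {
    proto="$1"; rate="$2"; burst="$3"; shift 3
    ipt -A "$CHAIN" -p "$proto" "$@" \
        -m hashlimit --hashlimit-name "rl-$proto" --hashlimit-mode srcip \
        --hashlimit-above "${rate}/s" --hashlimit-burst "$burst" -j DROP
}

# install_rate_limits: (re)build the chain with the page's limits and hook
# it in front of INPUT and FORWARD (FORWARD covers OpenVZ container traffic).
install_rate_limits() {
    ipt -N "$CHAIN" 2>/dev/null || true   # -N fails harmlessly if it exists
    ipt -F "$CHAIN"                       # start from an empty chain
    limit_rule icmp 40 100
    limit_rule tcp 800 1000 --syn
    limit_rule udp 800 1000
    for parent in INPUT FORWARD; do
        # delete any previous jump before inserting, so exactly one remains
        ipt -D "$parent" -j "$CHAIN" 2>/dev/null || true
        ipt -I "$parent" 1 -j "$CHAIN"
    done
}

# Usage: DRY_RUN=1 ./ratelimit.sh apply  (print)   ./ratelimit.sh apply  (install)
if [ "${1:-}" = "apply" ]; then
    install_rate_limits
fi
```

Run it with DRY_RUN=1 first and compare the printed rules with `iptables -L -n -v` after installing; the packet counters on the DROP rules show whether a flood is actually being caught.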



Also, we can add a whitelist and make the whole thing more automatic using the script: https://www.virtushost.net/firewall/firewall.txt

This script automatically downloads the updated whitelist from a URL, which in this case points to my own IP whitelist; you can change it on line 12 to your own whitelist. If you want to use my script without changing the whitelist, you can simply type the line below in your SSH session (note that --no-check-certificate disables TLS certificate verification for the download, so drop it if the site's certificate validates on your system):

rm -rf firewall.txt.old;mv firewall.txt firewall.txt.old;rm -rf firewall.sh;wget https://www.virtushost.net/firewall/firewall.txt --no-check-certificate;mv firewall.txt firewall.sh;chmod +x firewall.sh;./firewall.sh


To enhance the protection against malicious floods even further, we can use DDoS Deflate, a free tool that detects IPs exceeding a certain number of simultaneous connections and blocks them. In this tutorial I am using a custom configuration that also works with OpenVZ containers on the hardware node, by duplicating the firewall rules for the FORWARD chain. The limits in this configuration are 2000 simultaneous connections per IP and a ban period of 900 seconds via iptables. You can install it simply by typing:

rm -rf /usr/local/ddos/
rm -rf /usr/local/sbin/ddos
mkdir /usr/local/ddos/
cd /usr/local/ddos/
wget https://www.virtushost.net/firewall/ddos.conf --no-check-certificate
wget https://www.virtushost.net/firewall/ignore.ip.list --no-check-certificate
wget https://www.virtushost.net/firewall/ddos.txt --no-check-certificate
mv ddos.txt ddos.sh
chmod 0755 /usr/local/ddos/ddos.sh
cp -s /usr/local/ddos/ddos.sh /usr/local/sbin/ddos
/usr/local/ddos/ddos.sh --cron > /dev/null 2>&1
echo "*/1 * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1" >> /etc/crontab


Again, there is a whitelist, which is "https://www.virtushost.net/firewall/ignore.ip.list", and you can replace it with your own whitelist, BUT do not forget to include 127.0.0.1 in this case.