DDoS protection

Boten (Verified User, joined Oct 6, 2008, 34 messages)
Hi all, community!

For 1 month I have been receiving an HTTP attack that uses all my memory and resources; this blocks my server.

I have installed DDoS Deflate and iptables, without result!

If somebody knows how to stop these n00bs who are playing with this script-kiddie stuff, please tell me!!!

Kindest Regards ;)
 
I have experience with custom DDoS attacks, mostly on web servers, and I can probably help you using iptables and some nice workarounds... but I am going to need some more information.

Can you provide an anonymized pcap dump or some other kind of explanation of the attack?
 
The attack is on my website, exactly in my forum directory; this attack uses all the resources of the forum,

like loading of threads, forumdisplay...

At this moment the server blocks; the load average can be at 220...

When I look at the IP address in the Apache log, at the end:

Gecko/20071127 Firefox/2.0.0.11;MEGAUPLOAD 1.0"


Then, just for a little bit of time, I execute this rule to ban an IP:
/sbin/iptables -I INPUT 1 -s 41.224.172.222 -j DROP


If you have another script or other solution... tell me, please.
 
If the addresses running your heavy-load forum scripts are "hammering" them, you can use some nice iptables modules and automatically block (INPUT->DROP is fine) any IP connecting more than X (for example 120) times per minute at port 80.

If they just run a script every few minutes per address you can use mod_security or parse Apache logs automatically to ban them.

Let me know if you need something more specific.
If you need professional help just contact me in private, I would take care of everything.
 
The attack is on my website, exactly in my forum directory; this attack uses all the resources of the forum
It is likely that your server is under one of the following Internet attacks:
TCP SYN Flooding, DoS, or DDoS. If you are positive that the attacker is targeting a Web site, then you can use Mod Evasive and Mod Security with tough rules to minimize the attack.

If that doesn't help, you can use one of the software-based firewalls such as APF/BFD, which will automatically ban offensive IPs. If that doesn't help, ask your host to put your server behind a good hardware-based firewall such as the Cisco ASA 5500 series.
 
Thank you guys !

I want an iptables rule:

if an IP has more than 10 connections = banned

How to do this?
 
Code:
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j DROP

Is what I normally use to drop DDoSers like flies. I've taken some pretty big hits (past 300 Mbps) and that stopped that attack in no time.
 
Thank you my friend !

Your rule is for 10 connections per IP?

iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j DROP
 
Thank you my friend !

Your rule is for 10 connections per IP?

iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j DROP

No. You don't want to block IPs if they make 10 connections, you will end up blocking a lot of legit users.

iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j DROP

will block anyone who tries to flood your site, so it works just as well without blocking legit users.
 
limit would match until the limit is reached, which means that this rule would cause netfilter to block them as long as they only send one SYN request per second; for a packet to be accepted they'd have to send over 3 per second. This is not what you want.

You should generally DROP all SYN packets and add something like:

iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT

as a superseding rule; the numbers are too harsh, but it means it would accept SYNs as long as there is only one per second.
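To make the point above concrete, here is an added simulation (not code from the thread, and not iptables itself) of netfilter's `-m limit` token bucket, run over two constructed SYN timelines with the thread's values of 1/s and burst 3. It compares the rule as posted (limit match with a DROP target) against the corrected ordering (limit match with ACCEPT, followed by a DROP-everything rule).

```python
# Added simulation of netfilter's `-m limit` token bucket (not iptables
# itself); 1/s and burst 3 are the thread's values, the timelines are made up.

class LimitMatch:
    """`-m limit --limit RATE --limit-burst BURST`: a bucket that starts
    full, refills RATE tokens/s up to BURST, and *matches* only while a
    token is available (each match spends one)."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def matches(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def run_chain(chain, arrivals, policy="ACCEPT"):
    """chain: list of (matcher or None, target); None matches everything.
    The first matching rule decides, otherwise the chain policy applies."""
    verdicts = []
    for now in arrivals:
        verdict = policy
        for match, target in chain:
            if match is None or match.matches(now):
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts

def tally(chain, arrivals):
    """Return (accepted, dropped) counts for one packet timeline."""
    v = run_chain(chain, arrivals)
    return v.count("ACCEPT"), v.count("DROP")

# Constructed timelines (seconds): a legit client sending one SYN every 2 s,
LEGIT = [2.0 * i for i in range(10)]
FLOOD = [0.01 * i for i in range(100)]  # ...and 100 SYNs inside one second

def posted_rule(arrivals):
    """`-m limit --limit 1/s --limit-burst 3 -j DROP`, chain policy ACCEPT."""
    return tally([(LimitMatch(1.0, 3), "DROP")], arrivals)

def corrected_rule(arrivals):
    """`-m limit --limit 1/s --limit-burst 3 -j ACCEPT`, then DROP the rest."""
    return tally([(LimitMatch(1.0, 3), "ACCEPT"), (None, "DROP")], arrivals)
```

With the posted ordering the slow legitimate client is dropped on every SYN while 97 of the 100 flood packets fall through to the ACCEPT policy; with the corrected ordering the legitimate client is fully accepted and the flood is cut to its first three packets. Note that `-m limit` keeps one bucket for all matching packets rather than one per source address, so it cannot express "more than N connections per IP"; that needs a per-address match such as connlimit or hashlimit.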
 