Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I was able to get some logfiles through tcpdump..it seems that they attack randomly udp ports.. I even blocked ALL udp packets through iptables.. no results..
Quote:
18:16:07.630793 IP car75-7-88-160-251-40.fbx.proxad.net.56065 > MYIP.fsp: UDP, length 1024
18:16:07.647791 IP alf94-12-88-161-73-155.fbx.proxad.net.21763 > MYIP.fsp: UDP, length 1024
18:16:07.700783 IP lns-bzn-60-82-254-206-231.adsl.proxad.net.42498 > MYIP.fsp: UDP, length 1024
18:16:07.720779 IP alf94-12-88-161-73-155.fbx.proxad.net.6147 > MYIP.fsp: UDP, length 1024
18:16:07.731778 IP n172-u39.cabletel.bg.5377 > MYIP.fsp: UDP, length 1024
18:16:07.732778 IP car75-7-88-160-251-40.fbx.proxad.net.43523 > MYIP.fsp: UDP, length 1024
18:16:07.732778 IP alf94-12-88-161-73-155.fbx.proxad.net.60160 > MYIP.fsp: UDP, length 1024
18:16:07.742776 IP car75-7-88-160-251-40.fbx.proxad.net.8451 > MYIP.fsp: UDP, length 1024
18:16:07.768772 IP 193.68.179.153.14851 > MYIP.fsp: UDP, length 1024
18:16:07.775771 IP alf94-12-88-161-73-155.fbx.proxad.net.1025 > MYIP.fsp: UDP, length 1024
18:16:07.786769 IP car75-7-88-160-251-40.fbx.proxad.net.60930 > MYIP.fsp: UDP, length 1024
18:16:07.803767 IP d83-187-15-9.cust.tele2.pt.58556 > MYIP.fsp: UDP, length 1024
18:16:07.806766 IP car75-7-88-160-251-40.fbx.proxad.net.41728 > MYIP.fsp: UDP, length 1024
18:16:07.807766 IP 83.11.193.76.31234 > MYIP.fsp: UDP, length 1024
18:16:07.812765 IP 88.160.42.64.20993 > MYIP.fsp: UDP, length 1024
18:16:07.815765 IP lns-bzn-53-82-65-58-147.adsl.proxad.net.32513 > MYIP.fsp: UDP, length 1024
18:16:07.820764 IP lns-bzn-60-82-254-206-231.adsl.proxad.net.25858 > MYIP.fsp: UDP, length 1024
18:16:07.824764 IP lns-bzn-53-82-65-58-147.adsl.proxad.net.47617 > MYIP.fsp: UDP, length 1024
18:16:07.834762 IP i60-36-27-78.s04.a014.ap.plala.or.jp.29697 > MYIP.fsp: UDP, length 1024
18:16:07.847760 IP 60.36.27.69.10497 > MYIP.fsp: UDP, length 1024
18:16:07.847760 IP 193.68.179.195.56065 > MYIP.fsp: UDP, length 1024
18:16:07.850760 IP p3159-ipbf1302hodogaya.kanagawa.ocn.ne.jp.35586 > MYIP.fsp: UDP, length 1024
18:16:07.851759 IP 122.26.146.43.3328 > MYIP.fsp: UDP, length 1024
18:16:07.851759 IP 60.36.27.22.17411 > MYIP.fsp: UDP, length 1024
18:16:07.852759 IP 122.26.146.32.44289 > MYIP.fsp: UDP, length 1024
There's not much else you can do on your side if you're already sending all those packets to DROP. You can either wait for the storm to pass, or contact your ISP to see if they'll do some filtering upstream from you. How much bandwidth is the DDoS taking-up?
There's not much else you can do on your side if you're already sending all those packets to DROP. You can either wait for the storm to pass, or contact your ISP to see if they'll do some filtering upstream from you. How much bandwidth is the DDoS taking-up?
Only 12 mbits at all.
But it takes the whole line down.
I'm not sure our iptables is good enough, but this should block all INCOMMING udp packets?
Yeah, it looks fine to me. Any UDP packets coming into eth0 get sent to the udp_packets chain, where they are sent to ACCEPT if they are --dport 53. Those that aren't --dport 53 get returned to the INPUT chain, where they don't match any other rules (aside from the LOG one) and end-up getting sent to DROP by the INPUT chain's policy.
But if it's bringing your whole connection down then, yeah, it sounds pretty bad.
Quote:
Iptables wont help obviously, guess the only way is to upgrade to a bigger line or adding a hardware firewall?
Upgrading to a bigger line might help, but it depends on the size of the botnet (or whatever) which has you under attack. As long as your attacker has more bandwidth than you she can keep denying your services. A "hardware firewall" won't help at all, for the same reasons iptables isn't helping you. No amount of firewalling on your side is going to be of any help. The attack needs to be dealt with further upstream (which normally means at your ISP's routers). It's the nature of a DDoS bandwidth attack.
I'm wondering, because we have 8754.8 packets/sec, and iptables chain blocked only 1292 packets.. even when I block ALL udp packets..
how can that be ? Do the other udp packets never receive iptables ? or do they skip iptables ?
Well, in what you posted you technically weren't blocking "all" UDP packets, since you were indeed sending the DNS (UDP port 53) ones to ACCEPT. So maybe your DNS daemon is getting hit too? Perhaps you are also getting DDoSed by TCP packets? Or perhaps the difference in packet counts can be attributed to normal traffic? Right now I'm not sure what to make of the apparent packet count difference.
I'm not a networking expert, but are you sure those rates youreported are accurate? If you've only got a 12mbit internet line, then you can't be getting 11998.8 kbytes/sec coming in. Are you sure that the rates aren't for the whole network (LAN and WAN)?
I don't think iptables is a limiting factor, but in case it is, you could drop the udp packets earlier (such as explicitly within the udp_packets chain), instead of sending them through the whole input chain and then just using the default rule to drop them at the end. It'd save a bit of cpu time if you dropped them as soon as possible. But as win32sux has said, the only thing you can really do is either ask you isp to drop the traffic, or just weather the attack.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.