Linux - Security
I have been a target of DoS/UDP flood attacks for at least a year now (a very persistent Turkish citizen). They don't overwhelm the network, but they make the service (game server) on the port he is attacking unavailable. I have given up on blocking by length as he always finds another way to do it.
I have analyzed the packets via tcpdump and I got an idea of how to stop it, as I can see the pattern. I believe it already exists, I just don't know what to search for. Otherwise I need help to make it possible (via a script if necessary).
When the server is receiving these packets, it never sends a response back to the attacker. Since the server receives so many packets from the same IP in a row, I would like to block it.
My idea is: when the script is running, it runs tcpdump to capture the packets and Python analyzes them live. If one IP is consecutively sending X packets in a row (let's say 10), block it via iptables (iptables -w -I INPUT -s <ip here> -j DROP).
With a whitelist of IPs as an exception, OR if the "length" is between 16 and 30.
Here are some snippets I took during an attack via tcpdump (tcpdump -n -an portrange 27015-27017 and host not server.ip):
Code:
00:41:12.076843 IP 34.91.83.47.59099 > server.ip.27017: UDP, length 31
00:41:12.076843 IP 34.91.83.47.59099 > server.ip.27017: UDP, length 31
00:41:12.076843 IP 34.91.83.47.59099 > server.ip.27017: UDP, length 31
00:41:12.076843 IP 34.91.83.47.59099 > server.ip.27017: UDP, length 31
...
16:59:50.044807 IP 34.90.117.188.40293 > server.ip.27017: UDP, length 251
16:59:50.044821 IP 34.90.117.188.40293 > server.ip.27017: UDP, length 251
16:59:50.044821 IP 34.90.117.188.40293 > server.ip.27017: UDP, length 251
16:59:50.044821 IP 34.90.117.188.40293 > server.ip.27017: UDP, length 251
...
16:07:09.618772 IP attacker.ip.60954 > server.ip.27017: UDP, length 27
16:07:09.618985 IP attacker.ip.60911 > server.ip.27017: UDP, length 9
16:07:09.618986 IP attacker.ip.60911 > server.ip.27017: UDP, length 27
16:07:09.619117 IP server.ip.27017 > legit.client.ip.27005: UDP, length 510
16:07:09.619319 IP attacker.ip.60915 > server.ip.27017: UDP, length 9
16:07:09.619320 IP attacker.ip.60915 > server.ip.27017: UDP, length 27
16:07:09.619430 IP attacker.ip.60930 > server.ip.27017: UDP, length 9
16:07:09.619431 IP attacker.ip.60930 > server.ip.27017: UDP, length 27
16:07:09.619431 IP attacker.ip.60914 > server.ip.27017: UDP, length 9
16:07:09.619431 IP attacker.ip.60914 > server.ip.27017: UDP, length 27
16:07:09.619431 IP attacker.ip.60931 > server.ip.27017: UDP, length 9
16:07:09.619587 IP attacker.ip.60931 > server.ip.27017: UDP, length 27
16:07:09.619745 IP attacker.ip.60934 > server.ip.27017: UDP, length 9
16:07:09.619745 IP attacker.ip.60934 > server.ip.27017: UDP, length 27
16:07:09.619811 IP attacker.ip.60935 > server.ip.27017: UDP, length 9
16:07:09.619811 IP attacker.ip.60935 > server.ip.27017: UDP, length 27
16:07:09.620082 IP attacker.ip.60956 > server.ip.27017: UDP, length 9
16:07:09.620083 IP attacker.ip.60956 > server.ip.27017: UDP, length 27
16:07:09.620346 IP attacker.ip.60937 > server.ip.27017: UDP, length 9
16:07:09.620394 IP attacker.ip.60918 > server.ip.27017: UDP, length 9
16:07:09.620394 IP attacker.ip.60918 > server.ip.27017: UDP, length 27
16:07:09.620394 IP attacker.ip.60937 > server.ip.27017: UDP, length 27
16:07:09.620695 IP attacker.ip.60919 > server.ip.27017: UDP, length 9
16:07:09.620695 IP attacker.ip.60919 > server.ip.27017: UDP, length 27
16:07:09.620696 IP attacker.ip.60959 > server.ip.27017: UDP, length 9
16:07:09.620696 IP attacker.ip.60959 > server.ip.27017: UDP, length 27
16:07:09.620779 IP attacker.ip.60960 > server.ip.27017: UDP, length 9
16:07:09.620779 IP attacker.ip.60960 > server.ip.27017: UDP, length 27
16:07:09.620801 IP legit.client.ip.27005 > server.ip.27017: UDP, length 31
16:07:09.620855 IP attacker.ip.60961 > server.ip.27017: UDP, length 9
16:07:09.620856 IP attacker.ip.60961 > server.ip.27017: UDP, length 27
16:07:09.621194 IP attacker.ip.60968 > server.ip.27017: UDP, length 9
...
With legit traffic connected to the service port it looks like this (receive <-> send):
Code:
00:53:56.633496 IP server.ip.27017 > legit.client.ip.30151: UDP, length 16
00:53:56.659680 IP legit.client.ip.30151 > server.ip.27017: UDP, length 16
00:53:56.661719 IP server.ip.27017 > legit.client.ip.30151: UDP, length 16
00:53:56.690934 IP legit.client.ip.30151 > server.ip.27017: UDP, length 16
00:53:56.694027 IP server.ip.27017 > legit.client.ip.30151: UDP, length 16
00:53:56.722953 IP legit.client.ip.30151 > server.ip.27017: UDP, length 16
00:53:56.727744 IP server.ip.27017 > legit.client.ip.30151: UDP, length 1046
...
Appreciate any help I can get.
Generated this via ChatGPT, which is not doing the job of course, but it is a start at least.
Code:
import re
import subprocess

WHITELIST_FILE = "whitelist.txt"
SERVICE_PORTS = range(27015, 27018)      # 27015-27017 inclusive
LEGIT_LENGTHS = range(16, 31)            # lengths 16-30 are never counted

# One inbound tcpdump line looks like:
#   16:07:09.618772 IP attacker.ip.60954 > server.ip.27017: UDP, length 27
# The last dotted field of each address is the port, so capture address and
# port separately instead of matching four octets followed by " > " (which
# never matches, because the port follows the fourth octet).
LINE_RE = re.compile(
    r'IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): UDP, length (\d+)'
)


def run_tcpdump():
    # -l line-buffers tcpdump's output; without it nothing reaches the pipe
    # until the stdio buffer fills. Passing a list avoids shell=True.
    command = ["tcpdump", "-n", "-l", "udp", "portrange", "27015-27017"]
    return subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)


def block_ip(source_ip):
    subprocess.run(["iptables", "-w", "-I", "INPUT", "-s", source_ip, "-j", "DROP"],
                   check=False)
    print(f"Blocked: {source_ip}")


def load_whitelist():
    try:
        with open(WHITELIST_FILE, "r") as file:
            return {line.strip() for line in file if line.strip()}
    except FileNotFoundError:
        return set()


def main():
    consecutive_threshold = 10
    consecutive_count = 0
    last_source = None      # source of the previous counted inbound packet
    blocked = set()         # tcpdump still sees packets after iptables drops them
    whitelist = load_whitelist()
    tcpdump_process = run_tcpdump()
    try:
        for raw in iter(tcpdump_process.stdout.readline, b''):
            match = LINE_RE.search(raw.decode('utf-8', 'replace'))
            if not match:
                continue
            source_ip, _sport, _dest_ip, dest_port, length = match.groups()
            # Only count packets arriving at the service ports; the server's
            # own replies carry the service port as *source* and are skipped.
            if int(dest_port) not in SERVICE_PORTS:
                continue
            if source_ip in whitelist or source_ip in blocked:
                continue
            if int(length) in LEGIT_LENGTHS:
                continue
            # Count packets in a row from the same source; a different
            # source starts a new run.
            if source_ip == last_source:
                consecutive_count += 1
            else:
                last_source = source_ip
                consecutive_count = 1
            if consecutive_count >= consecutive_threshold:
                block_ip(source_ip)
                blocked.add(source_ip)
                consecutive_count = 0
                last_source = None
    except KeyboardInterrupt:
        print("Script terminated by user.")
    finally:
        tcpdump_process.terminate()


if __name__ == "__main__":
    main()
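The detection logic described in the post (count packets from one source that the server never answers, skip whitelisted sources and 16-30-byte packets, block at a threshold), written out as an added, self-contained example. This is not the poster's script and it does not run tcpdump or iptables: it parses tcpdump summary lines of the form shown in the captures above and returns the addresses it would block. The addresses, the sample capture and the helper names (`FloodDetector`, `detect`, `iptables_rule`) are constructed for the example. It departs from a strict "X in a row" rule in one way: the count is kept per source and only reset when the server replies to that source, so legitimate packets interleaved in the flood (as in the third capture) do not reset the attacker's count. Note what the 16-30 exemption does to the third capture: the 27-byte packets are not counted, only the 9-byte ones.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

SERVICE_PORTS = range(27015, 27018)   # 27015-27017, the game server ports from the post
LEGIT_LENGTHS = range(16, 31)         # 16-30 inclusive: the post's length exemption
THRESHOLD = 10                        # unanswered packets before a source is blocked

# Constructed placeholder addresses (RFC 5737 documentation ranges) standing in
# for server.ip, legit.client.ip and attacker.ip from the captures.
SERVER = "192.0.2.10"
LEGIT = "203.0.113.5"
ATTACKER = "198.51.100.7"
SCANNER = "203.0.113.9"      # noisy but whitelisted
FLOODER = "203.0.113.77"     # fixed source port, 31-byte packets, like the first capture

# Matches the UDP summary lines tcpdump -n prints. The last dotted field of
# each address is the port, so address and port are captured separately.
LINE_RE = re.compile(
    r'IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > '
    r'(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<length>\d+)'
)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_line(line):
    """Return a Packet for a tcpdump UDP line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["length"]))


class FloodDetector:
    """Per-source count of inbound packets the server has not answered."""

    def __init__(self, server_ip, whitelist=(), threshold=THRESHOLD):
        self.server_ip = server_ip
        self.whitelist = set(whitelist)
        self.threshold = threshold
        self.unanswered = defaultdict(int)
        self.blocked = []

    def feed(self, line):
        """Consume one tcpdump line; return the IP to block, or None."""
        pkt = parse_line(line)
        if pkt is None:
            return None
        if pkt.src == self.server_ip:
            # The server replied: that client is a real session, so its run
            # of unanswered packets starts over.
            self.unanswered[pkt.dst] = 0
            return None
        if pkt.dst != self.server_ip or pkt.dport not in SERVICE_PORTS:
            return None
        if pkt.src in self.whitelist or pkt.src in self.blocked:
            return None
        if pkt.length in LEGIT_LENGTHS:
            return None       # client-sized packets are never counted
        self.unanswered[pkt.src] += 1
        if self.unanswered[pkt.src] >= self.threshold:
            self.blocked.append(pkt.src)
            return pkt.src
        return None


def iptables_rule(ip):
    """The rule the post proposes, as an argv list (not executed here)."""
    return ["iptables", "-w", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def detect(lines, server_ip=SERVER, whitelist=()):
    """Feed every line to one detector; return the IPs it would block, in order."""
    det = FloodDetector(server_ip, whitelist)
    return [ip for ip in (det.feed(line) for line in lines) if ip]


def _line(src, sport, dst, dport, length, ts="16:07:09.618772"):
    return f"{ts} IP {src}.{sport} > {dst}.{dport}: UDP, length {length}"


def build_sample_lines():
    """Constructed capture mirroring the three patterns shown in the post."""
    lines = []
    for _ in range(3):                  # a real session: 16-byte ping-pong
        lines.append(_line(LEGIT, 27005, SERVER, 27017, 16))
        lines.append(_line(SERVER, 27017, LEGIT, 27005, 16))
    for i in range(12):                 # third capture: 9/27-byte pairs, fresh port each time
        lines.append(_line(ATTACKER, 60900 + i, SERVER, 27017, 9))
        lines.append(_line(ATTACKER, 60900 + i, SERVER, 27017, 27))
        if i == 5:                      # legit traffic interleaved mid-flood, answered by the server
            lines.append(_line(LEGIT, 27005, SERVER, 27017, 31))
            lines.append(_line(SERVER, 27017, LEGIT, 27005, 510))
    for _ in range(15):                 # whitelisted source that would otherwise trip the threshold
        lines.append(_line(SCANNER, 4000, SERVER, 27016, 40))
    for _ in range(10):                 # first capture: one port, length 31, no replies
        lines.append(_line(FLOODER, 59099, SERVER, 27017, 31))
    return lines


if __name__ == "__main__":
    for ip in detect(build_sample_lines(), whitelist={SCANNER}):
        print(" ".join(iptables_rule(ip)))
```

Running it prints one iptables command per blocked address: the 9/27-byte source and the 31-byte flooder, but neither the whitelisted source nor the client the server answered. In a live version, `feed` would be called on each line from `tcpdump -n -l` and the returned rule executed; the `blocked` list matters there because packet capture sees a frame before netfilter drops it, so a blocked address keeps appearing in tcpdump's output and would otherwise be re-blocked on every tenth packet.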
One idea might be to trace that IP. If it's from an ISP, you could send them a log segment and pressure them to block the customer. I ran a whois on your IP:
Code:
*** The IP addresses under this Org-ID are in use by Google Cloud customers ***
Comment:
Comment: Direct all copyright and legal complaints to
Comment: https://support.google.com/legal/go/report
Comment:
Comment: Direct all spam and abuse complaints to
Comment: https://support.google.com/code/go/gce_abuse_report
Comment:
Comment: For fastest response, use the relevant forms above.
Comment:
Comment: Complaints can also be sent to the GC Abuse desk
Comment: (google-cloud-compliance@google.com)
Comment: but may have longer turnaround times.
Last edited by business_kid; 01-20-2024 at 12:12 PM.
Quote:
Originally Posted by jayjwa
Get your ISPs involved. DoS is a crime in most places. If his ISP won't act, tell yours. They have more power to take action.
That option is not possible sadly. I reported some of the IPs to their respective ISP without any response back.
To Hetzner I provided some of the IPs they own which were used against my service, but since they are spoofed, there is not much they can do.
"Unfortunately there is little else we can do in this case, sorry...a few dozen of the IPs aren't actually active, they're not allocated to any clients. So we have to again conclude that these are spoofed attacks.".
Why not block that entire array of unallocated (or allocated & unallocated)?
Okay, he's hiding himself. Now think: Who has the motive? Who's not wasting their time when they're attacking your site? Have you competitors?
He just likes to show off that "he just can". And he is targeting a Korean YouTuber who occasionally plays on my servers, so my server becomes the target in that case.
Quote:
Originally Posted by business_kid
Why not block that entire array of unallocated (or allocated & unallocated)?
Quote:
Originally Posted by teckk
Block the whole thing 34.64.0.0/10
Unless you need something in that range.
It won't help when he is using all kinds of spoofed IPs from dozens of random ISPs (Russian, German, etc.) and other big providers (Hetzner, OVH, Google Cloud, etc.).
Quote:
Originally Posted by JJJCR
try iptables:
Have you explored fail2ban?
Yes, but after researching fail2ban, it won't be able to detect those attacks, as it doesn't log that kind of traffic.