LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-06-2013, 10:06 AM   #1
007stealth
LQ Newbie
 
Registered: Sep 2013
Posts: 6

Rep: Reputation: Disabled
possible SYN flooding on port 1935. Sending cookies.


I am running a bunch of CentOS servers with some media applications and I keep getting what I think is a DDoS attack. I have enabled tcp_syncookies and the problem still exists.

My iptables is set up to block everything that isn't necessary as far as I know, but we need to allow incoming information on port 1935, and that is where it is happening.

Is there anything we can do to fix this issue, or at least stop my machine from crashing and going down because of this?

Any help is appreciated.
 
Old 09-06-2013, 11:36 AM   #2
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244
See where the traffic comes from. Do you need to accept traffic from the whole Internet?

My spam went way down when I banned some ISPs in Russia and South America.
 
Old 09-06-2013, 11:51 AM   #3
007stealth
LQ Newbie
 
Registered: Sep 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
Is there an easy way or log file to check to find out what IP it's coming from, and then what is the process to ban that IP or range? Sorry for the probably really simple question; this is pretty new to me.

To add to this, traffic that comes in on this port can be worldwide; it's just users accessing a program. So with that in mind I could block the IP from this attack once I find it, but I don't want to limit any legitimate users.

Last edited by 007stealth; 09-06-2013 at 11:54 AM.
 
Old 09-07-2013, 02:38 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by 007stealth View Post
I am running a bunch of Centos servers with some media applications
What "media applications" exactly?


Quote:
Originally Posted by 007stealth View Post
My iptables is setup to block everything that isn't necessary as far as I know but we need to allow incoming information on port 1935 and that is where it is happening.
Does the application only require that port? And post output from this please:
Code:
iptables-save
That may help us help you write appropriate rules.
 
Old 09-07-2013, 06:29 AM   #5
007stealth
LQ Newbie
 
Registered: Sep 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
It is a Wowza media server actually, for which the default port is 1935 for streaming... I am wondering if there is a way to limit traffic so these mass amounts will be dropped but not normal traffic. Below is my iptables-save command for review. The other option is to potentially change port 1935 if you think that would help.
Code:
# Generated by iptables-save v1.4.7 on Sat Sep 7 13:25:21 2013
*nat
:PREROUTING ACCEPT [6389:823552]
:POSTROUTING ACCEPT [1587:651103]
:OUTPUT ACCEPT [1587:651103]
COMMIT
# Completed on Sat Sep 7 13:25:21 2013
# Generated by iptables-save v1.4.7 on Sat Sep 7 13:25:21 2013
*mangle
:PREROUTING ACCEPT [88609432:34866104895]
:INPUT ACCEPT [88607125:34865599695]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92757422:180810014794]
:POSTROUTING ACCEPT [92757422:180810014794]
COMMIT
# Completed on Sat Sep 7 13:25:21 2013
# Generated by iptables-save v1.4.7 on Sat Sep 7 13:25:21 2013
*filter
:INPUT DROP [1289:120704]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [92757422:180810014794]
-A INPUT -s (source IP) -p udp -m udp --dport 1934 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1935 -j ACCEPT
-A INPUT -s (Source IP) -p tcp -m tcp --dport 8085 -j ACCEPT
-A INPUT -s (source IP) -p tcp -m tcp --dport 8084 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1935 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 1 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
COMMIT
# Completed on Sat Sep 7 13:25:21 2013
 
Old 09-07-2013, 08:59 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Try this:
Code:
# Generated by iptables-save v1.4.7 on Sat Sep  7 13:25:21 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state INVALID -j REJECT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Log if above 4 connections per /24 subnet (early warning)
-A INPUT -p tcp -m tcp --syn --dport 1935 -m connlimit --connlimit-above 4 --connlimit-mask 24 -j LOG --log-prefix "IN_connlimit_reached "
# Reject if above 8 connections per /24 subnet
-A INPUT -p tcp -m tcp --syn --dport 1935 -m connlimit --connlimit-above 8 --connlimit-mask 24 -j REJECT --reject-with tcp-reset 
-A INPUT -s some_IP -p tcp -m tcp --dport 8085 -j ACCEPT 
-A INPUT -s some_IP -p tcp -m tcp --dport 8084 -j ACCEPT 
-A INPUT -s some_IP -p udp -m udp --dport 1934 -j ACCEPT 
-A INPUT -j REJECT
COMMIT
# Completed on Sat Sep  7 13:25:22 2013

Last edited by unSpawn; 09-07-2013 at 05:50 PM. Reason: //rm duplicate dport
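To answer the earlier question of where the traffic is coming from, here is an added example (not part of unSpawn's post or the thread) that summarises the lines written by the LOG rule above by source /24, showing both the hit count and how many distinct hosts are behind each range, which helps tell a single noisy source from many users behind a proxy. It uses constructed sample log lines with made-up addresses and assumes the real lines land in /var/log/messages on CentOS.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed kernel log lines in the format
# iptables LOG produces; the "IN_connlimit_reached " prefix matches the rule in
# post #6, the addresses are made up. Real lines: /var/log/messages on CentOS.
SAMPLE_LOG='Sep  7 14:02:11 media1 kernel: IN_connlimit_reached IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.17 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44121 DPT=1935 WINDOW=14600 RES=0x00 SYN URGP=0
Sep  7 14:02:11 media1 kernel: IN_connlimit_reached IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.17 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44122 DPT=1935 WINDOW=14600 RES=0x00 SYN URGP=0
Sep  7 14:02:12 media1 kernel: IN_connlimit_reached IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.230 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51002 DPT=1935 WINDOW=14600 RES=0x00 SYN URGP=0
Sep  7 14:02:12 media1 kernel: possible SYN flooding on port 1935. Sending cookies.
Sep  7 14:02:13 media1 kernel: IN_connlimit_reached IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=39870 DPT=1935 WINDOW=14600 RES=0x00 SYN URGP=0'

# top_src_subnets LOGTEXT [N]
# Prints "<hits> <distinct hosts> <subnet>/24" for the N busiest /24s (default 5),
# counting only lines that carry the IN_connlimit_reached prefix.
top_src_subnets() {
    printf '%s\n' "$1" |
    awk '
        /IN_connlimit_reached/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) {
                ip = substr($i, 5)                     # strip the "SRC=" tag
                split(ip, o, ".")
                net = o[1] "." o[2] "." o[3] ".0/24"   # same /24 the connlimit mask uses
                hits[net]++
                if (!((net, ip) in seen)) { seen[net, ip] = 1; hosts[net]++ }
            }
        }
        END { for (net in hits) print hits[net], hosts[net], net }' |
    sort -rn | head -n "${2:-5}"
}

top_src_subnets "$SAMPLE_LOG" 5
```

Against a live box, feed it `$(grep IN_connlimit_reached /var/log/messages)` instead of the sample; a range with many hits but few hosts is the one worth a closer look before writing a blanket block.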
 
Old 09-07-2013, 09:14 AM   #7
007stealth
LQ Newbie
 
Registered: Sep 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thank you, that's awesome; hopefully that will stop all issues we are having. I really appreciate it. One question though: it won't let me add the rule with two ports being specified; should I just take out the second --dport 1935 after the --syn?
 
Old 09-07-2013, 05:29 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by 007stealth View Post
hopefully that will stop all issues we are having
It might not but at least now you've got an early warning if connections reach the threshold. Might need adjustment or exclusions if you have a busy server or if you encounter mass requests from one IP address. May be difficult to gauge what actually would be legitimate proxy users.


Quote:
Originally Posted by 007stealth View Post
should I just take out the second --dport 1935 after the --syn?
Yes, my mistake. I'll edit it out of my previous post.