How to stop Small DDOS attacks
Nodaways seems that every script kid is able to produce a soft DDOS attack, happily they are small and limited so they cant saturate your DNS unless they really know what they are doing.
This is a more or less step by step guide intended for begginers to help stabilize the linux server and prevent further attacks.
There are some basic settings you should have already implemented in your linux server as part of security 101 but this is not always the case and also it is not enough.
Questions and Answers:
- Limiting the ammount of concurrent connections from the same IP address to your Server.
- Identifying the offending IP.
- And kill the Ongoing TCP Connections with TCPKILL.
- Or use Cutter to kill the connections on any port/Network interface.
- Drop it With Iptables.
- Make the DROP Persistant after a reboot. (iptables save and restore)
- Basic Iptables-save trouble shoot.
- Stop Start Iptables
This article assumes you have root access to your linux BOX / Server, the IP addresses shown in this guide are randomly generated and in no case are offending connections.
Q. How to limit the ammount of concurrent connections from the same IP address.
A. Something to do as default is to limit using IPTABLES (linux firewall) the ammount of connections from the same IP in a short time (why would an user hook 150 times to your port 80 ?)
This will prevent the simpler DDOS attacks.
- In order to do so; you need to apply the following rule:
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables-save >/etc/iptables.up.rules
The first line will Watch the IP connecting to your eth0 interface.
The second line will Check if the connection is new within the last 60 seconds and if the packet flow is higher than ten and if so it will drop the connection.
the third line will Make the rules persistant in case of a reboot (at least in debian, you may need to specify another patch or file where the rules are stored for loading at boot time)
Q. How to identify the IP that is attacking you
A. In order to verify the number of concurrent connections from all clients that are connected to your linux Box
- Issue the following command.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
It will show a list of the current active connections by IP address and the offending IP is usually the one with a high number of connections:
1 127.0.0.1
1 Address
1 servers)
132 201.119.167.193
In the example above the first number is the number of connections followed by the Originating IP address, the results of the netstat command used are sorted by number of connections so your offender is usually at the end, (note that there maybe several offending IPs most of the times from anonymous proxies)
In this case the offending IP is the one with 132 connections.
Now we need to Kill those connections to stabilize our linux server and create an IPTABLES rule to DROP those address.
Q. How to disconnect clients from your network interfaces.
A1. Killing the the connections with TCPKILL:
- TCPKILL is part of dsniff a tools suite for linux to sniff network traffic for cleartext insecurities
This package contains several tools to listen to and create network traffic:
- arpspoof – Send out unrequested (and possibly forged) arp replies.
- dnsspoof – forge replies to arbitrary DNS address / pointer queries on the Local Area Network.
- dsniff – password sniffer for several protocols.
- filesnarf – saves selected files sniffed from NFS traffic.
- macof – flood the local network with random MAC addresses.
- mailsnarf – sniffs mail on the LAN and stores it in mbox format.
- msgsnarf – record selected messages from different Instant Messengers.
- sshmitm – SSH monkey-in-the-middle. proxies and sniffs SSH traffic.
- sshow – SSH traffic analyser
- tcpkill – kills specified in-progress TCP connections.
- tcpnice – slow down specified TCP connections via “active” traffic shaping.
- urlsnarf – output selected URLs sniffed from HTTP traffic in CLF.
- webmitm – HTTP / HTTPS monkey-in-the-middle. transparently proxies.
- webspy – sends URLs sniffed from a client to your local browser.
What interests us here is TCPKILL first we need to install dsniff, in linux distribution: Debian we do:
apt-get install dsniff
Then we run:
tcpkill host xxx.xxx.xxx.xxx
where xxx… is replaced with the identified offending IP address.
A2. Another method to Kill the offending connections inmediatly is using CUTTER
- Cutter will send packets to both ends of a TCP/ip connection to terminate it nicely. It is designed to be used in a Linux router to disconnect unwanted connections.
To install Cutter we issue the following command:
apt-get install cutter
Once installed we run Cutter with the arguments:
cutter
So we replace with our linux box IP address, with the listening port in the server, and with the offending IP
After using TCPKILL or CUTTER The process count should be reduced drastically now and the server’s memory usage lowered to nice numbers. (Our linux server is stabilized now)
Finally we need to Block the offending IP address in our Firewall (IPtables rule).
Q. How do I block an IP address or subnet under Linux using IPTABLES?
A. In order to block an IP on your Linux server you need to use iptables tools (administration tool for IPv4 packet filtering and NAT) and netfilter firewall. To block IP address you need to type iptables command as follows:
- Syntax to block an IP address under Linux
iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
Replace XXX.XXX… with the actual IP address. For example if you wish to block ip address 163.235.144.110 for whatever reason then type command as follows:
iptables -A INPUT -s 163.235.144.110 -j DROP
If you have IP tables firewall script, add above rule to your script.
If you just want to block access to one port from an ip 163.235.144.110 to port 25 then type command:
iptables -A INPUT -s 163.235.144.110 -p tcp --destination-port 25 -j DROP
The above rule will drop all packets coming from IP 65.55.44.100 to port mail server port 25.
But the DROP will not be inmediate and may need a server restart if there are already connections from the offending IP.
This scenario is common with script kiddies trying to DDOS your server.
Q. How do I make sure the IPs banned will remain banned after a server restart.
A. To do that in linux distribution: Debian
- Issue the following commands:
iptables-save > /etc/iptables.up.rules
iptables-restore < /etc/iptables.up.rules
The first line will save in the file iptables.up.rules in the etc folder the current active rule set
The second one will reload the saved rules in memory (this is just to check there are no errors in the file)
Q. iptables-restore returns the following error after adding rules: “iptables-restore: line XX failed” where line XX contains a “COMMIT” argument.
A. this error is usually caused by a manually edited config file for iptables, all rule set must be generated using the iptables-save command else you get the error when you try to restore.
- The simplest solution for this is:
Add rules using:
iptables -A your_rule_here
Get the rule set from memory with:
iptables -L > file.txt
Edit file.txt with your favorite *nix editor, add in the first line:
#/bin/bash
Do a search of “-A” and replace with “iptables -A”
Save file.txt to file.sh
chmod x file.sh
run
./file.sh
do an iptables-save as per previous answer and try to iptables-restore
Your rules now should be nicely loaded and the dreaded error of the COMMIT argument must be gone.
Q. iptables stop and restart.
A. Shall you need stop iptables for testing and others use the following commands: (Warning do a save of your rules before hand)
# # Delete all rules # iptables -F iptables -t nat -F # # Delete all chains # iptables -X iptables -t nat -X
Source: rockdio.org