Preventing a DDoS from China, a Great Firewall of China gone rogue?
Source: defendagainstddos.wordpress.com
On the 25th of January one of my sites was struggling to stay up, my “Dos Deflate” emails were popping into my inbox at a great frequency.
A quick run of the following command:
netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | awk '{print $2}'
gave me a list of addresses connected to the site, sorted by connection count. The number of addresses was far above what is normally connected to the site: a site which, although modestly doing 100,000s of page views per day, will normally have only 300-500 port 80 connections at any one instant. This time, however, we had 2 or 3 thousand.
A quick copy and paste into the following tool http://software77.net/geo-ip/multi-lookup/
(max 2000 IPs per lookup), which is very useful for bulk IP address to location lookups, yielded the following:
1.26.199.253 # CN China
1.81.157.62 # CN China
1.83.168.34 # CN China
1.180.57.96 # CN China
1.26.201.167 # CN China
1.62.140.66 # CN China
1.189.82.78 # CN China
1.193.76.146 # CN China
1.26.241.209 # CN China
1.190.209.36 # CN China
1.189.162.213 # CN China
1.31.57.105 # CN China
1.62.17.196 # CN China
1.58.137.111 # CN China
1.83.229.4 # CN China
1.180.10.45 # CN China
1.180.5.200 # CN China
1.26.169.201 # CN China
1.180.187.10 # CN China
1.190.2.102 # CN China
1.25.134.125 # CN China
1.62.161.233 # CN China
1.182.28.181 # CN China
(And on and on)
We clearly had an issue with China, but a quick log in to Google Analytics indicated almost no real-time traffic visiting the site.
Due to the sheer volume of connections, for the next 45 mins I was regularly running this command, pasting the output into Excel, then bulk adding iptables rules for the IP address as well as the 65,000 neighbouring addresses in its /16.
sudo iptables -A INPUT -s 59.56.0.0/16 -m comment --comment "China IP" -j DROP
sudo iptables -A INPUT -s 1.26.0.0/16 -m comment --comment "China IP" -j DROP
etc etc.
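The netstat pipeline above and the manual copy-into-Excel step can be folded into one small script. The following is an added example, not code from the original post: it parses `netstat -tn` output, counts remote addresses connected to local port 80 (unlike the `grep :80` in the pipeline, it will not also match a remote port such as 8000), aggregates the counts per /16 the way the post's iptables rules do, and emits a DROP rule only for networks whose connection count reaches a threshold. The sample netstat output, the threshold value and the function names are constructed for this example.

```python
import sys
import ipaddress
from collections import Counter

# Constructed sample of `netstat -tn` output; not captured from the author's server.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             1.26.199.253:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             1.26.201.167:51235      SYN_RECV
tcp        0      0 10.0.0.5:80             1.26.199.253:51236      ESTABLISHED
tcp        0      0 10.0.0.5:80             1.26.241.209:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             1.81.157.62:40002       ESTABLISHED
tcp        0      0 10.0.0.5:443            1.81.157.62:40003       ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:55000       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:55001      TIME_WAIT
"""


def peers_on_port(netstat_text, port=80):
    """Count remote IPv4 addresses holding a TCP connection to local `port`.

    Every state is counted (ESTABLISHED, SYN_RECV, TIME_WAIT, ...), matching
    the behaviour of the `netstat -tn | grep :80` pipeline. Only IPv4 `tcp`
    rows are considered; `tcp6` rows use a different address syntax.
    """
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue
        local, foreign = fields[3], fields[4]
        # Match the local port exactly rather than any ":80" substring.
        if local.rsplit(":", 1)[1] != str(port):
            continue
        counts[foreign.rsplit(":", 1)[0]] += 1
    return counts


def aggregate_by_prefix(counts, prefix_len=16):
    """Sum per-address connection counts into /prefix_len networks."""
    nets = Counter()
    for ip, n in counts.items():
        # strict=False masks the host bits, e.g. 1.26.199.253/16 -> 1.26.0.0/16
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        nets[str(net)] += n
    return nets


def iptables_rules(nets, threshold, comment="China IP"):
    """Return one DROP rule per network whose count reaches `threshold`.

    Rules are ordered busiest network first; the threshold is what stops a
    single legitimate visitor's /16 from being blocked along with the rest.
    """
    rules = []
    for net, n in sorted(nets.items(), key=lambda kv: (-kv[1], kv[0])):
        if n >= threshold:
            rules.append(
                f'iptables -A INPUT -s {net} -m comment --comment "{comment}" -j DROP'
            )
    return rules


if __name__ == "__main__":
    # Usage: netstat -tn 2>/dev/null | python3 this_script.py 50
    # With no piped input the constructed sample is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    threshold = int(sys.argv[1]) if len(sys.argv) > 1 else 3
    per_net = aggregate_by_prefix(peers_on_port(text))
    for rule in iptables_rules(per_net, threshold):
        print(rule)
```

The script only prints the rules; review the list before applying it, since a /16 covers 65,536 addresses and, as the post notes, the real-time analytics showed almost no genuine visitors behind these connections, which is the evidence that justified blocking at that granularity. A lower threshold or a longer prefix (for example /24) trades fewer collateral blocks for more rules.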