[colug-432] Diagnosing and blocking DDOS attacks
jeff.stebelton at gmail.com
Sun Jul 17 19:16:28 EDT 2011
In my opinion, if he's saturating your connection, doesn't matter what
traffic you drop at the endpoint. Only real way to mitigate a DDoS is
through your upstream provider, who would null route the traffic. By the
time it reaches you, it's too late.
On Sun, Jul 17, 2011 at 6:47 PM, <DEEDSD at nationwide.com> wrote:
> My son has set up a CentOS game server, serving MineCraft stuff.
> Some players were being nasty, and got banned. Of course one of the people
> that got banned has a malicious friend, who has been launching
> denial-of-service attacks. The guy logs into their forums as a generic
> user, leaves a message stating that he will now launch a DOS, and the attack
> begins and lasts for a couple hours. My son thinks that this guy is running
> stuff from the Amazon cloud, but he likely has no idea.
> My son's server is running pretty current CentOS with IPTables.
> My question is how to figure out what kind of DOS attack is being used, and
> how to thwart it... I am guessing if I make it more difficult to attack,
> the guy might get bored and move on.
> In the research I have done, it appears that I can set up IPTables rules
> for certain port and make them drop requests...
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent
> --set
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent
> --update --seconds 60 --hitcount 20 -j DROP
> I am curious as to if I leave off the --dport if the rule would apply to
> all ports. I also wonder if I can block all traffic from a class B set of
> addresses - say if it is coming from a cloud.
> I doubt it would cure the issue, but it may lessen the impact.
> Can anyone direct me to some good resources?
> colug-432 mailing list
> colug-432 at colug.net
Jeff Stebelton GCFW GCIA GCIH CEH
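The following is an added example, not part of the original thread or of either poster's setup: a shell script that works through the two practical questions in the quoted mail (what kind of DoS is it, and how to rate-limit or block it with iptables). It assumes interface eth0, Minecraft's default TCP port 25565 (the posted rule uses 25, the SMTP port), and a constructed set of kernel log lines in RFC 5737 documentation address space standing in for the output of an iptables LOG rule. It profiles which sources are connecting, which /16 (a class B in the mail's terms) they fall in, and whether the packets are bare SYNs, then prints a complete "-m recent" rule set. Two points it makes explicit: an --update rule only matches addresses already in the recent list, so the posted rule needs a companion --set rule or it never fires; and a "-p tcp" rule without --dport applies to every TCP port. As the reply above notes, none of this helps once the attack saturates the uplink; it only shaves load off the server and gives you evidence to hand to the upstream provider.

```shell
#!/bin/sh
# Added example (not from the thread): profile connection attempts logged by
# iptables, then emit a complete 'recent'-based rate-limit rule set.
# Assumptions: interface eth0, Minecraft's default port 25565, and the log lines
# below, which are CONSTRUCTED to resemble 'iptables -j LOG --log-prefix "DOS: "'
# output and use RFC 5737 documentation addresses only.
SAMPLE_LOG='Jul 17 18:52:01 mc kernel: DOS: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=40001 DPT=25565 SYN URGP=0
Jul 17 18:52:01 mc kernel: DOS: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=40002 DPT=25565 SYN URGP=0
Jul 17 18:52:01 mc kernel: DOS: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=51000 DPT=25565 SYN URGP=0
Jul 17 18:52:02 mc kernel: DOS: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=40003 DPT=25565 SYN URGP=0
Jul 17 18:52:02 mc kernel: DOS: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.20 LEN=52 PROTO=TCP SPT=33124 DPT=25565 ACK PSH URGP=0
Jul 17 18:52:02 mc kernel: DOS: IN=eth0 OUT= SRC=203.0.113.21 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=60100 DPT=25565 SYN URGP=0
Jul 17 18:52:03 mc kernel: DOS: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=40004 DPT=25565 SYN URGP=0
Jul 17 18:52:03 mc kernel: DOS: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=51001 DPT=25565 SYN URGP=0
Jul 17 18:52:03 mc kernel: DOS: IN=eth0 OUT= SRC=198.51.100.5 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=44210 DPT=22 SYN URGP=0'

# Count the values of one KEY= field (e.g. SRC=) across the log lines on stdin,
# printed as "count value", most frequent first.
count_field() {
  awk -v p="$1" '{ for (i = 1; i <= NF; i++) if (index($i, p) == 1) c[substr($i, length(p) + 1)]++ }
                 END { for (k in c) print c[k], k }' | sort -rn
}
top_sources() { count_field SRC= | head -n "${1:-5}"; }   # who is sending
top_ports()   { count_field DPT= | head -n "${1:-5}"; }   # what they are hitting

# Aggregate sources by /16 (the "class B" of the original post): a cloud-hosted
# attacker typically shows up as several neighbouring addresses in one block.
top_nets() {
  count_field SRC= | awk '{ split($2, o, "."); n[o[1] "." o[2] ".0.0/16"] += $1 }
                          END { for (k in n) print n[k], k }' | sort -rn | head -n "${1:-5}"
}

# Packets carrying SYN without ACK are bare connection attempts. If nearly every
# logged packet is one, the attack is a SYN flood, not abuse of live game sessions.
syn_only_count() {
  awk '{ s = 0; a = 0; for (i = 1; i <= NF; i++) { if ($i == "SYN") s = 1; if ($i == "ACK") a = 1 }
         if (s && !a) n++ } END { print n + 0 }'
}

# Print (do not run) an iptables rule set for interface $1 and TCP port $2, plus an
# outright drop of the CIDR block $3 when one is given.
# Review the output, then apply it with:  emit_rules eth0 25565 | sudo sh
emit_rules() {
  cat <<EOF
# Log traffic to the port, rate-limited so the attack cannot fill the disk with logs
iptables -A INPUT -i $1 -p tcp --dport $2 -m limit --limit 10/second --limit-burst 50 -j LOG --log-prefix "DOS: "
# Drop a source that has opened 20 or more new connections in the last 60 s.
# --update only touches addresses already in the 'dos' list, so it must be paired
# with the --set rule below it; on its own it never matches anything.
iptables -A INPUT -i $1 -p tcp --dport $2 -m state --state NEW -m recent --name dos --update --seconds 60 --hitcount 20 -j DROP
iptables -A INPUT -i $1 -p tcp --dport $2 -m state --state NEW -m recent --name dos --set
# Omitting '--dport $2' from the two rules above applies them to every TCP port.
# A --hitcount above 20 needs xt_recent loaded with ip_pkt_list_tot=N (default 20).
EOF
  if [ -n "$3" ]; then
    echo "iptables -I INPUT -i $1 -s $3 -j DROP   # whole block, e.g. a /16"
  fi
}

echo "== top sources ==";    printf '%s\n' "$SAMPLE_LOG" | top_sources 3
echo "== top /16 blocks =="; printf '%s\n' "$SAMPLE_LOG" | top_nets 3
echo "== top dest ports =="; printf '%s\n' "$SAMPLE_LOG" | top_ports 3
echo "SYN-only packets: $(printf '%s\n' "$SAMPLE_LOG" | syn_only_count) of $(printf '%s\n' "$SAMPLE_LOG" | wc -l | tr -d ' ')"
echo "== proposed rules =="; emit_rules eth0 25565 203.0.0.0/16
```

On the constructed sample the profile is unambiguous: seven of nine packets come from one /16, eight of nine are bare SYNs, and one source alone accounts for four of them, so the generated rules would rate-limit that host within the first minute and the /16 drop would remove the rest. On a real box, feed the functions from /var/log/messages (grep for the "DOS: " prefix) rather than the embedded sample, and watch for what the rules cannot fix: if the interface counters keep climbing while the server is idle, the link itself is full and only the provider can null-route it.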