[colug-432] Diagnosing and blocking DDOS attacks

Jeff Stebelton jeff.stebelton at gmail.com
Sun Jul 17 19:16:28 EDT 2011

In my opinion, if he's saturating your connection, doesn't matter what
traffic you drop at the endpoint. Only real way to mitigate a DDoS is
through your upstream provider, who would null route the traffic. By the
time it reaches you, it's too late.

On Sun, Jul 17, 2011 at 6:47 PM, <DEEDSD at nationwide.com> wrote:

> My son has set up a CentOS game server, serving MineCraft stuff.
> Some players were being nasty, and got banned.  Of course one of the people
> that got banned has a malicious friend, who has been launching
> denial-of-service attacks.  The guy logs into their forums as a generic
> user, leaves a message stating that he will now launch a DOS, and the attack
> begins and lasts for a couple hours.  My son thinks that this guy is running
> stuff from the Amazon cloud, but he likely has no idea.
> My son's server is running pretty current CentOS with IPTables.
> My question is how to figure out what kind of DOS attack is being used, and
> how to thwart it...  I am guessing if I make it more difficult to attack,
> the guy might get bored and move on.
> In the research I have done, it appears that I can set up IPTables rules
> for certain port and make them drop requests...
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent
> --update --seconds 60 --hitcount 20 -j DROP
> I am curious as to if I leave off the --dport if the rule would apply to
> all ports.  I also wonder if I can block all traffic from a class B set of
> addresses - say if it is coming from a cloud.
> I doubt it would cure the issue, but it may lessen the impact.
> Can anyone direct me to some good resources?
> Thanks!
> Dallas
> _______________________________________________
> colug-432 mailing list
> colug-432 at colug.net
> http://lists.colug.net/mailman/listinfo/colug-432

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.colug.net/pipermail/colug-432/attachments/20110717/1eb75f00/attachment.html 

More information about the colug-432 mailing list