[colug-432] Diagnosing and blocking DDOS attacks

Jeff Stebelton jeff.stebelton at gmail.com
Sun Jul 17 19:16:28 EDT 2011


In my opinion, if he's saturating your connection, it doesn't matter what
traffic you drop at the endpoint. The only real way to mitigate a DDoS is
through your upstream provider, who would null route the traffic. By the
time it reaches you, it's too late.

On Sun, Jul 17, 2011 at 6:47 PM, <DEEDSD at nationwide.com> wrote:

> My son has set up a CentOS game server, serving MineCraft stuff.
>
> Some players were being nasty, and got banned.  Of course one of the people
> that got banned has a malicious friend, who has been launching
> denial-of-service attacks.  The guy logs into their forums as a generic
> user, leaves a message stating that he will now launch a DOS, and the attack
> begins and lasts for a couple hours.  My son thinks that this guy is running
> stuff from the Amazon cloud, but he likely has no idea.
>
> My son's server is running pretty current CentOS with IPTables.
>
> My question is how to figure out what kind of DOS attack is being used, and
> how to thwart it...  I am guessing if I make it more difficult to attack,
> the guy might get bored and move on.
>
> In the research I have done, it appears that I can set up IPTables rules
> for a certain port and make them drop requests...
>
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent
> --update --seconds 60 --hitcount 20 -j DROP
>
> I am curious as to if I leave off the --dport if the rule would apply to
> all ports.  I also wonder if I can block all traffic from a class B set of
> addresses - say if it is coming from a cloud.
>
> I doubt it would cure the issue, but it may lessen the impact.
>
> Can anyone direct me to some good resources?
>
> Thanks!
>
> Dallas
> _______________________________________________
> colug-432 mailing list
> colug-432 at colug.net
> http://lists.colug.net/mailman/listinfo/colug-432
>
>


-- 
Jeff Stebelton GCFW GCIA GCIH CEH
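Added example (not from either poster): the quoted rule has only `-m recent --update`, which re-checks addresses already on the list, so a `--set` rule is needed to put them there; the script below pairs the two on the game port and adds a CIDR drop for a provider range. It assumes TCP port 25565 (Minecraft's default) and eth0, and IPT defaults to echo so it prints the rules for review; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the original thread. Per-source rate limit
# for new TCP connections on a game port via iptables -m recent, plus
# a drop for a whole provider range. IPT defaults to "echo" so the
# script only prints the commands; run as root with IPT=iptables to
# apply them. Port 25565 and eth0 below are assumptions.
IPT="${IPT:-echo}"

# ratelimit_rules PORT IFACE [SECONDS] [HITCOUNT]
# One rule records every new connection from a source (--set); the
# other drops the source once it exceeds HITCOUNT new connections
# within SECONDS (--update). The quoted command had only --update, so
# the list never filled and nothing matched. -I puts both at the top
# of INPUT, ahead of any existing ACCEPT for the port; they are
# inserted in reverse so --set ends up first. The limit is scoped
# with --dport; leaving --dport off would apply it to every TCP port.
ratelimit_rules() {
    port=$1; iface=$2; secs=${3:-60}; hits=${4:-20}
    "$IPT" -I INPUT -p tcp --dport "$port" -i "$iface" \
        -m conntrack --ctstate NEW \
        -m recent --name gameflood --update \
        --seconds "$secs" --hitcount "$hits" -j DROP
    "$IPT" -I INPUT -p tcp --dport "$port" -i "$iface" \
        -m conntrack --ctstate NEW \
        -m recent --name gameflood --set
}

# block_range CIDR IFACE
# Inserts a drop at the top of INPUT for an entire address block,
# e.g. a /16 for a class-B-sized cloud range.
block_range() {
    "$IPT" -I INPUT -i "$2" -s "$1" -j DROP
}

# show_limited: addresses currently tracked by the recent list, with
# their last-seen times, for checking who is actually being limited
# (xt_recent exposes each list under /proc/net/xt_recent/).
show_limited() {
    f=/proc/net/xt_recent/gameflood
    [ -r "$f" ] && cat "$f" || echo "no list yet: $f"
}

# Preview run (IPT=echo); 203.0.113.0/24 is a constructed
# documentation range, not a real attacker.
ratelimit_rules 25565 eth0
block_range 203.0.113.0/24 eth0
```

As the reply above notes, this only changes what the host accepts; once the link itself is saturated, the upstream provider has to drop the traffic.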