[colug-432] Diagnosing and blocking DDOS attacks

DEEDSD at nationwide.com DEEDSD at nationwide.com
Sun Jul 17 20:27:18 EDT 2011


Thanks, Jeff and Russ.  I'll try it. His server is hosted at limestone networks, so the bandwidth hopefully is not an issue. 

Is there a way to tell if it is an icmp flood, or what?


----- Original Message -----
From: R P Herrold [herrold at owlriver.com]
Sent: 07/17/2011 07:52 PM AST
To: Central OH Linux User Group - 432xx <colug-432 at colug.net>
Subject: [colug-432] Diagnosing and blocking DDOS attacks



On Sun, 17 Jul 2011, DEEDSD at nationwide.com wrote:

> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent
> --update --seconds 60 --hitcount 20 -j DROP
>
> I am curious as to if I leave off the --dport if the rule would apply to
> all ports.  I also wonder if I can block all traffic from a class B set of
> addresses - say if it is coming from a cloud.

out of order, yes, you can null route or drop any netmask you 
want

 	-s IP/CIDRmask
will permit you to specify such a range of IPs

 	--hitcount, as I recall, needs two lines -- one to 
count, and a second to actually do the dropping, but I may 
well be wrong here

The problem is, one assumes if it is being run across 
residential link, you are at the narrower end of the pipe, and 
traffic has to transit the pipe before being dropped .. and 
that still means the pipe is getting filled

tcpdump will tell you the source IPs for TCP based traffic 
that completes the three-way handshake (before that, 
so-called 'half-open' connections from forged initial source 
IPs are possible).  UDP traffic is trivially forgeable and 
not susceptible to detection of forged source addresses

But again, the problem is that if one is at the narrow end of 
the pipe, last hop measures cannot work well enough; to be 
effective your upstream has to null-route the offender

-- Russ herrold
_______________________________________________
colug-432 mailing list
colug-432 at colug.net
http://lists.colug.net/mailman/listinfo/colug-432
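An added example (not from the thread, not anyone's posted code): a POSIX shell script that emits the two-rule `recent` pattern Russ describes (one rule to record the source, one to drop once the hit count is exceeded), emits a CIDR drop for a whole range, and tallies ICMP echo requests per source from `tcpdump -n` text output to answer the "is it an ICMP flood?" question. The list name `flood`, the sample addresses and the tcpdump lines are constructed assumptions.

```shell
#!/bin/sh
# Emit the two iptables rules needed for a working --hitcount limit.
# Args: port iface seconds hitcount. With -A the --set rule is appended
# first, so every NEW connection is recorded before the --update rule
# (which matches once the source has >= hitcount entries in the window).
build_recent_rules() {
  port="$1"; iface="$2"; secs="$3"; hits="$4"
  printf 'iptables -A INPUT -i %s -p tcp --dport %s -m state --state NEW -m recent --name flood --set\n' \
    "$iface" "$port"
  printf 'iptables -A INPUT -i %s -p tcp --dport %s -m state --state NEW -m recent --name flood --update --seconds %s --hitcount %s -j DROP\n' \
    "$iface" "$port" "$secs" "$hits"
}

# Drop everything from a whole range, e.g. a /16 ("class B") block.
build_range_drop() {
  printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Read tcpdump -n text output on stdin and print "<count> <src>" lines,
# busiest source first. In tcpdump's "HH:MM:SS.us IP src > dst: ICMP echo
# request, ..." lines the source address is field 3.
icmp_echo_sources() {
  grep 'ICMP echo request' | awk '{print $3}' | sort | uniq -c \
    | sort -rn | awk '{print $1, $2}'
}

# Constructed sample of tcpdump -n output (not a real capture):
# three echo requests from one host, one from another, one TCP SYN to
# port 25 and one echo reply, which must not be counted.
SAMPLE_TCPDUMP='20:27:18.000001 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
20:27:18.000002 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 1, seq 2, length 64
20:27:18.000003 IP 198.51.100.7.44321 > 192.0.2.10.25: Flags [S], seq 1, win 64240, length 0
20:27:18.000004 IP 203.0.113.9 > 192.0.2.10: ICMP echo request, id 2, seq 1, length 64
20:27:18.000005 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 1, seq 3, length 64
20:27:18.000006 IP 192.0.2.10 > 203.0.113.5: ICMP echo reply, id 1, seq 1, length 64'

# Busiest ICMP echo source in the sample, as "<count> <src>".
top_icmp_source() {
  printf '%s\n' "$SAMPLE_TCPDUMP" | icmp_echo_sources | head -n 1
}

build_recent_rules 25 eth0 60 20
build_range_drop 203.0.113.0/16
top_icmp_source
```

On a live box, replace the sample with `tcpdump -n -i eth0 icmp | icmp_echo_sources`; the rules are only printed here, so review them before piping into a root shell.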
