In my opinion, if he's saturating your connection, doesn't matter what traffic you drop at the endpoint. Only real way to mitigate a DDoS is through your upstream provider, who would null route the traffic. By the time it reaches you, it's too late. <br>
<br><div class="gmail_quote">On Sun, Jul 17, 2011 at 6:47 PM, <span dir="ltr">&lt;<a href="mailto:DEEDSD@nationwide.com">DEEDSD@nationwide.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<font face="sans-serif" size="2">My son has set up a CentOS game server,
serving MineCraft stuff.</font>
<br>
<br><font face="sans-serif" size="2">Some players were being nasty, and got
banned. Of course one of the people that got banned has a malicious
friend, who has been launching denial-of-service attacks. The guy
logs into their forums as a generic user, leaves a message stating that
he will now launch a DOS, and the attack begins and lasts for a couple
hours. My son thinks that this guy is running stuff from the Amazon
cloud, but he likely has no idea.</font>
<br>
<br><font face="sans-serif" size="2">My son's server is running pretty current
CentOS with IPTables.</font>
<br>
<br><font face="sans-serif" size="2">My question is how to figure out what
kind of DOS attack is being used, and how to thwart it... I am guessing
if I make it more difficult to attack, the guy might get bored and move
on.</font>
<br>
<br><font face="sans-serif" size="2">In the research I have done, it appears
that I can set up IPTables rules for certain ports and make them drop requests...</font>
<br>
<br><font face="sans-serif" size="2">iptables -I INPUT -p tcp --dport 25
-i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount
20 -j DROP</font>
<br>
<br><font face="sans-serif" size="2">I am curious as to if I leave off the
--dport if the rule would apply to all ports. I also wonder if I
can block all traffic from a class B set of addresses - say if it is coming
from a cloud.</font>
<br>
<br><font face="sans-serif" size="2">I doubt it would cure the issue, but
it may lessen the impact.</font>
<br>
<br><font face="sans-serif" size="2">Can anyone direct me to some good resources?</font>
<br>
<br><font face="sans-serif" size="2">Thanks!</font>
<br>
<br><font face="sans-serif" size="2">Dallas</font><br>_______________________________________________<br>
colug-432 mailing list<br>
<a href="mailto:colug-432@colug.net">colug-432@colug.net</a><br>
<a href="http://lists.colug.net/mailman/listinfo/colug-432" target="_blank">http://lists.colug.net/mailman/listinfo/colug-432</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Jeff Stebelton GCFW GCIA GCIH CEH <br><br>
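An added example, not part of either message in this thread: one way to see which kind of TCP traffic is actually reaching the server, and which /16 it comes from, before writing an iptables rule. The sample input, the function names and the threshold of 4 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. SAMPLE is constructed `netstat -ant`-style output using
# documentation addresses; on a live host pipe in real `netstat -ant` output.
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.0.2.10:25565 198.51.100.7:40112 SYN_RECV
tcp 0 0 192.0.2.10:25565 198.51.100.9:40113 SYN_RECV
tcp 0 0 192.0.2.10:25565 198.51.100.23:51000 SYN_RECV
tcp 0 0 192.0.2.10:25565 198.51.100.77:51001 SYN_RECV
tcp 0 0 192.0.2.10:25565 203.0.113.5:33000 ESTABLISHED
tcp 0 0 192.0.2.10:22 203.0.113.8:33100 ESTABLISHED
tcp 0 0 0.0.0.0:25565 0.0.0.0:* LISTEN'

# Connections per TCP state, most frequent first: "<count> <state>".
state_counts() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" { n[$6]++ }
         END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# IPv4 peers grouped by /16 (the old class B size): "<count> <a.b.0.0/16>".
sources_by_16() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" && split($5, a, ".") >= 4 {
             n[a[1] "." a[2] ".0.0/16"]++ }
         END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2
}

# Rough label from the state mix; $1 is the minimum count that matters.
# The default of 4 fits the tiny sample and is an assumption, not a tuned value.
classify() {
    awk -v min="${1:-4}" '
        BEGIN { top = 0 }
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            n[$6]++; total++
            if ($6 == "ESTABLISHED" && split($5, a, ".") >= 4) est[a[1] "." a[2]]++
        }
        END {
            for (p in est) if (est[p] > top) top = est[p]
            if (n["SYN_RECV"] >= min && n["SYN_RECV"] * 2 > total) print "syn-flood"
            else if (top >= min && top * 2 > n["ESTABLISHED"]) print "connection-flood"
            else print "inconclusive"
        }'
}

# Print (never run) the DROP rule for the busiest /16 so it can be reviewed.
suggest_block() {
    sources_by_16 | awk 'NR == 1 { print "iptables -I INPUT -s " $2 " -j DROP" }'
}

printf '%s\n' "$SAMPLE" | state_counts
printf '%s\n' "$SAMPLE" | classify
printf '%s\n' "$SAMPLE" | suggest_block
```

This describes only the traffic that reaches the host; a flood that fills the link upstream will not appear in the connection table.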