Re: Detecting a DOS attack on my iptables firewall
From: Tim Haynes (usenet-20041213_at_stirfried.vegetable.org.uk)
Date: 12/13/04
- Next message: Bruno Wolff III: "Re: DNS server behind a firewall"
- Previous message: Tim Haynes: "Re: Rootkit and system malfunction, reinstall from scratch?"
- In reply to: Jeff Franks: "Detecting a DOS attack on my iptables firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 13 Dec 2004 17:30:27 +0000
"Jeff Franks" <jfranks1970@charter.net> writes:
> Thanks for all the help on my previous issues. I'm finding that this
> IPTABLES firewall rocks! VERY configurable and customizable.
>
> I am having occasional trouble with a person (or persons) trying to
> shutdown my game server by flooding the game port with packets. I can
> pull up the ip_conntrack file and determine who it is. Then I can drop
> all incoming traffic from that IP or subnet. It works great.
>
> Is there a method that I can use to determine when I am being flooded?
It's traditional to use rate-limiting to fix this sort of thing, for which
iptables has the limit module - see what happens if a packet traverses
these rules:
iptables -A INPUT -p udp --dport 1234 -m state --state NEW \
-m limit --limit 5/sec -j ACCEPT
iptables -A INPUT -p udp --dport 1234 -m state --state NEW \
-j DROP
The main problem with this is it's not possible to tie it down to N
packet/s per IP#; you'll have to look around to see if there's such a
module for iptables anywhere.
> It manually takes me about 10 minutes to determine what IP/Range I need
> to block. I am hoping I can find a method to run a script every minute or
> so that checks the port and autoblocks if it determines there is a
> problem.
>
> Ideas?
What do you do by hand to find the offenders? Hints:
awk '/dport=1234/ { for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { print $i; break } }' \
    < /proc/net/ip_conntrack | sed 's/src=//' | sort | uniq -c | sort -n | tail
That might be a start; then you can grab the worst offenders with more than
a handful of connections and add them to a game_active_rate_offenders chain
in iptables, from a script, easily enough. (Note that I suggest a specific
chain for the purpose of folks who've been found out by this script - you
might detect abusers by other means, and you don't want to be adding the
same IP#s to the list every minute, nor do you want to flush out the list
including other folks - see, chains are your fwend :)
~Tim
--
Sapere aude |piglet@stirfried.vegetable.org.uk
|http://spodzone.org.uk/cesspit/
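The minute-by-minute script Tim sketches above, written out as an added example (not Tim's code): it scans conntrack entries for the game port, counts them per source, and prints the iptables commands that would add any source over a threshold to the dedicated offenders chain, skipping addresses already in it. The port, threshold, chain name and the embedded /proc/net/ip_conntrack sample are constructed for the example; it runs in dry-run mode and never calls iptables itself.

```shell
#!/bin/sh
# Added example: find sources flooding the game port in conntrack and emit
# the iptables commands that would add them to the offenders chain.
# Dry-run: commands are printed, not executed.
GAME_PORT=1234
THRESHOLD=3                           # entries per source before we block
CHAIN=game_active_rate_offenders

# Constructed sample of /proc/net/ip_conntrack lines. tcp rows carry a state
# column and udp rows do not, so src= is not at a fixed field position.
SAMPLE_CONNTRACK='udp      17 25 src=203.0.113.7 dst=192.0.2.1 sport=40001 dport=1234 [UNREPLIED] src=192.0.2.1 dst=203.0.113.7 sport=1234 dport=40001 use=1
udp      17 25 src=203.0.113.7 dst=192.0.2.1 sport=40002 dport=1234 [UNREPLIED] src=192.0.2.1 dst=203.0.113.7 sport=1234 dport=40002 use=1
udp      17 25 src=203.0.113.7 dst=192.0.2.1 sport=40003 dport=1234 [UNREPLIED] src=192.0.2.1 dst=203.0.113.7 sport=1234 dport=40003 use=1
udp      17 25 src=203.0.113.7 dst=192.0.2.1 sport=40004 dport=1234 [UNREPLIED] src=192.0.2.1 dst=203.0.113.7 sport=1234 dport=40004 use=1
udp      17 25 src=198.51.100.9 dst=192.0.2.1 sport=50001 dport=1234 src=192.0.2.1 dst=198.51.100.9 sport=1234 dport=50001 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.20 dst=192.0.2.1 sport=33000 dport=22 src=192.0.2.1 dst=198.51.100.20 sport=22 dport=33000 [ASSURED] use=1'

# Read conntrack lines on stdin; print "count source" for every source whose
# original-direction dport is the game port, busiest first.
count_sources() {
    awk -v port="$GAME_PORT" '
        { src = ""; dport = ""
          for (i = 1; i <= NF; i++) {
              if (src == "" && $i ~ /^src=/)     src = substr($i, 5)
              if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
          }
          if (dport == port) n[src]++ }
        END { for (s in n) print n[s], s }' | sort -rn
}

# Sources with more than THRESHOLD entries, one IP per line.
offenders() {
    count_sources | awk -v t="$THRESHOLD" '$1 > t { print $2 }'
}

# $1 = IPs already present in CHAIN (one per line) so they are not re-added
# every minute; prints one "iptables -A" line per new offender.
block_commands() {
    already="$1"
    offenders | while read -r ip; do
        printf '%s\n' "$already" | grep -qxF "$ip" && continue
        printf 'iptables -A %s -s %s -j DROP\n' "$CHAIN" "$ip"
    done
}

# Real use (one-time setup, then from cron):
#   iptables -N "$CHAIN"; iptables -I INPUT -p udp --dport "$GAME_PORT" -j "$CHAIN"
#   block_commands "$(iptables -S "$CHAIN" | sed -n 's#^-A .* -s \([0-9.]*\)/32 .*#\1#p')" \
#       < /proc/net/ip_conntrack | sh
```

Later iptables releases also ship the hashlimit match (`-m hashlimit --hashlimit-mode srcip`), which gives the per-source packet rate that the plain limit module cannot.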