[arch-general] IPTables DDoS
Hi,

Can someone tell me how to use IPTables to prevent DDoS attacks? I'm sure IPTables has the relevant modules (limit, recent I think) after reading some docs, but still in doubt about its implementation.

--
Regards,
Nilesh Govindarajan
Facebook: http://www.facebook.com/nilesh.gr
Twitter: http://twitter.com/nileshgr
Website: http://www.itech7.com
VPS Hosting: http://j.mp/arHk5e

On Mon, Jul 19, 2010 at 12:13 PM, Nilesh Govindarajan <lists@itech7.com> wrote:
> Hi, Can someone tell me how to use IPTables to prevent DDoS attacks? I'm sure IPTables has the relevant modules (limit, recent I think) after reading some docs, but still in doubt about its implementation.

DDoS? do you mean just DoS? i didn't think there was much you could do about a distributed attack; ip addresses are varying and unknown.

C Anthony

On Mon, Jul 19, 2010 at 10:50 PM, C Anthony Risinger <anthony@extof.me> wrote:
> DDoS? do you mean just DoS?
> i didn't think there was much you could do about a distributed attack; ip addresses are varying and unknown.
>
> C Anthony

Yeah just DoS. Typo :O

--
Regards,
Nilesh Govindarajan

On Mon, 19 Jul 2010 22:43:45 +0530, Nilesh Govindarajan <lists@itech7.com> wrote:
> Hi, Can someone tell me how to use IPTables to prevent DDoS attacks? I'm sure IPTables has the relevant modules (limit, recent I think) after reading some docs, but still in doubt about its implementation.

There's the --limit option against DoS attacks.

A good iptables tutorial with some example scripts is here:
http://www.frozentux.net/documents/iptables-tutorial/

Read at least the chapter "Limit match".

Heiko

On Mon, Jul 19, 2010 at 11:14 PM, Heiko Baums <lists@baums-on-web.de> wrote:
> There's the --limit option against DoS attacks.
> A good iptables tutorial with some example scripts is here: http://www.frozentux.net/documents/iptables-tutorial/
> Read at least the chapter "Limit match".
>
> Heiko

Thanks a lot man. But I have a doubt (may sound quite weird, but I really don't know about it). Suppose I set this:

  iptables -I INPUT -m limit --limit 1/min --limit-burst 5 -j ACCEPT

will this affect HTTP connections? Basically, how many packets are probably going to constitute one connection? What is the recommended setting for the same to prevent DoS?

--
Regards,
Nilesh Govindarajan

On Mon, 19 Jul 2010 23:37:01 +0530, Nilesh Govindarajan <lists@itech7.com> wrote:
> Thanks a lot man. But I have a doubt (may sound quite weird, but I really don't know about it). Suppose I set this:
>
>   iptables -I INPUT -m limit --limit 1/min --limit-burst 5 -j ACCEPT
>
> will this affect HTTP connections?

This hasn't anything to do with HTTP. It's a protocol layer below (TCP or UDP). I'd suggest adding -p tcp.

> Basically, how many packets are probably going to constitute one connection? What is the recommended setting for the same to prevent DoS?

I'm not a security expert, but in the tutorial -m limit --limit 5/second --limit-burst 10/second is given as an example.

Heiko

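The answer to Nilesh's question hinges on what the limit match actually does: it is a token bucket in which --limit is the refill rate and --limit-burst is the bucket size (a packet count, not a rate), and packets outside the match are not dropped by that rule but fall through to whatever rule comes next. The Python model below is an added example, not code from this thread or from iptables, and the arrival patterns in it are constructed; it replays Nilesh's rule and a 5/second, burst 10 variant against a client that opens twelve connections at once.

```python
# Added example (not from the thread): a Python model of iptables' "limit" match.
# The bucket holds at most --limit-burst tokens and refills at --limit tokens per unit;
# each packet that finds a token matches, the rest do not match and go to the next rule.

RATE_UNITS = {"second": 1.0, "sec": 1.0, "minute": 60.0, "min": 60.0,
              "hour": 3600.0, "day": 86400.0}


def parse_limit(spec):
    """Turn an iptables --limit value such as '5/second' or '1/min' into tokens per second."""
    count, _, unit = spec.partition("/")
    return int(count) / RATE_UNITS[unit or "second"]


class LimitMatch:
    """Token bucket behind `-m limit`: --limit refills it, --limit-burst is its size."""

    def __init__(self, limit_spec, burst):
        self.rate = parse_limit(limit_spec)
        self.burst = burst
        self.tokens = float(burst)   # the bucket starts full: the first `burst` packets always match
        self.last = None

    def matches(self, now):
        """True when the packet arriving at time `now` (seconds) is within the limit."""
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run(limit_spec, burst, arrivals):
    """Return (matched, not_matched) counts for packets at the given arrival times."""
    m = LimitMatch(limit_spec, burst)
    matched = sum(1 for t in arrivals if m.matches(t))
    return matched, len(arrivals) - matched


if __name__ == "__main__":
    # Constructed traffic: one client opening twelve connections at the same instant.
    twelve_at_once = [0.0] * 12
    print(run("1/min", 5, twelve_at_once))      # (5, 7): Nilesh's rule lets 5 SYNs through
    print(run("5/second", 10, twelve_at_once))  # (10, 2)
    # Six connections half a second apart: a 5/second refill keeps up with them.
    print(run("5/second", 10, [i * 0.5 for i in range(6)]))  # (6, 0)
    # After Nilesh's burst of 5 is spent, the next packet needs a full minute of refill.
    print(run("1/min", 5, [0.0] * 5 + [30.0]))  # (5, 1)
```

Two consequences for HTTP follow from the model. The limit match keeps one bucket for the whole rule, not one per source address, so a single flooder empties it for every client (the hashlimit match is the per-address variant). And a limit rule that jumps to ACCEPT only protects anything if a later rule drops what it did not match; adding -p tcp --syn makes it count connection attempts rather than every packet of every established connection, which is the count that matters for the question asked here.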
On Mon, Jul 19, 2010 at 1:07 PM, Nilesh Govindarajan <lists@itech7.com> wrote:
> Thanks a lot man. But I have a doubt (may sound quite weird, but I really don't know about it). Suppose I set this:
>
>   iptables -I INPUT -m limit --limit 1/min --limit-burst 5 -j ACCEPT
>
> will this affect HTTP connections? Basically, how many packets are probably going to constitute one connection? What is the recommended setting for the same to prevent DoS?

i don't know a lot about DoS or proper settings, but the connection doesn't really depend on "packet count" or anything like that. [IIRC] a connection is established at the TCP level, and is kept alive at that level. HTTP 1.1 layer 7 "keep-alives" just keep the layer 4/5 TCP connection open. HTTP 1.0 clients may have trouble with connection limits if you have high request rates, as they must establish a new connection on each request (again IIRC, could be flawed).

C Anthony

On Tue, Jul 20, 2010 at 12:01 AM, C Anthony Risinger <anthony@extof.me> wrote:
> i don't know a lot about DoS or proper settings, but the connection doesn't really depend on "packet count" or anything like that. [IIRC] a connection is established at the TCP level, and is kept alive at that level. HTTP 1.1 layer 7 "keep-alives" just keep the layer 4/5 TCP connection open. HTTP 1.0 clients may have trouble with connection limits if you have high request rates, as they must establish a new connection on each request (again IIRC, could be flawed).
>
> C Anthony

So instead of using the packet limiter, should I use the connlimit module? But using the connlimit module will block all connections after the max no. of conns is reached, which isn't the desired behavior. I think using connlimit with the recent module will help. Any suggestions?

--
Regards,
Nilesh Govindarajan

Hello,

On Mon, Jul 19, 2010 at 10:43:45PM +0530, Nilesh Govindarajan wrote:
> Hi, Can someone tell me how to use IPTables to prevent DDoS attacks? I'm sure IPTables has the relevant modules (limit, recent I think) after reading some docs, but still in doubt about its implementation.

The recent module is good for that:
http://www.sollers.ca/blog/2008/iptables_recent
http://www.google.com/search?q=iptables+recent

I have in my fw script:

  $TABLES -A limitations -m recent --name RECENT_FILTER --set
  $TABLES -A limitations -m recent --name RECENT_FILTER --rcheck --hitcount 6 -j recent_allowed_input
  $TABLES -A limitations --match limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "stuff: "
  $TABLES -A limitations -m recent --name RECENT_ALLOW --set
  $TABLES -A limitations -j DROP

  $TABLES -A recent_allowed_input -m recent --name RECENT_ALLOW --update --seconds 300 -j ACCEPT
  $TABLES -A recent_allowed_input -m recent --name RECENT_FILTER --remove -j DROP

Then you can do something like

  $TABLES -A INPUT <....> -j limitations

to apply the rules.

Vlad

On Tue, Jul 20, 2010 at 1:21 PM, vlad <vla@uni-bonn.de> wrote:
> Hello,
>
> The recent module is good for that:
> http://www.sollers.ca/blog/2008/iptables_recent
> http://www.google.com/search?q=iptables+recent
>
> I have in my fw script:
>
>   $TABLES -A limitations -m recent --name RECENT_FILTER --set
>   $TABLES -A limitations -m recent --name RECENT_FILTER --rcheck --hitcount 6 -j recent_allowed_input
>   $TABLES -A limitations --match limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "stuff: "
>   $TABLES -A limitations -m recent --name RECENT_ALLOW --set
>   $TABLES -A limitations -j DROP
>
>   $TABLES -A recent_allowed_input -m recent --name RECENT_ALLOW --update --seconds 300 -j ACCEPT
>   $TABLES -A recent_allowed_input -m recent --name RECENT_FILTER --remove -j DROP
>
> Then you can do something like
>
>   $TABLES -A INPUT <....> -j limitations
>
> to apply the rules.
>
> Vlad

Looks good, do your HTTP users face any problem with it?

--
Regards,
Nilesh Govindarajan

On Tue, Jul 20, 2010 at 06:47:00PM +0530, Nilesh Govindarajan wrote:
> Looks good, do your HTTP users face any problem with it?

Don't know. I use this only with ssh and music daemon. Simply try.

On Tue, Jul 20, 2010 at 6:55 PM, vlad <vla@uni-bonn.de> wrote:
> > Looks good, do your HTTP users face any problem with it?
>
> Don't know. I use this only with ssh and music daemon. Simply try.

Friend, thanks a ton. I tested it with my IP itself, --hitcount 4. I coupled it with the state module, to check for new connections. It bans the IP for a minute when >4 requests are made in parallel.

--
Regards,
Nilesh Govindarajan

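What Nilesh ended up with, modelled in Python as an added example (this is not the thread's rule set and not vlad's script): a `recent` list keyed by source address, fed by a `--set` rule on NEW connections to port 80 and checked by `--update --seconds 60 --hitcount 5 -j DROP`. The rule order, list name, threshold and the two addresses are my assumptions, as is all of the traffic, which is constructed. The model also shows the difference between `--update` and `--rcheck` on the same retry pattern: with `--update`, every dropped retry adds a fresh timestamp for the address, so a client that keeps retrying every 30 seconds never gets out of the block; with `--rcheck` the block expires once the 60-second window has slid past the counted hits.

```python
# Added example, not code from the thread: a Python model of the iptables "recent" match
# in the shape Nilesh describes (state NEW + recent --hitcount). Assumed rule pair:
#   -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --name HTTP --set
#   -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --name HTTP \
#       --update --seconds 60 --hitcount 5 -j DROP
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20   # xt_recent keeps at most this many timestamps per address by default


class RecentList:
    """One named recent list: source address -> timestamps added by --set/--update."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=IP_PKT_LIST_TOT))

    def set(self, src, now):
        """--set: add the address, or another timestamp for it."""
        self.stamps[src].append(now)

    def check(self, src, now, seconds, hitcount, update):
        """--rcheck (update=False) or --update (update=True) with --seconds and --hitcount.
        Matches when the address has at least `hitcount` timestamps within the last
        `seconds`; --update also adds a fresh timestamp, but only when the match succeeded."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        matched = hits >= hitcount
        if matched and update:
            self.stamps[src].append(now)
        return matched


def simulate(events, seconds=60, hitcount=5, update=True):
    """events: (time in seconds, source address) of NEW connections to port 80.
    Returns (time, source, verdict) per event, applying the two assumed rules in order."""
    table = RecentList()
    verdicts = []
    for now, src in sorted(events):
        table.set(src, now)                                         # rule 1: --set
        dropped = table.check(src, now, seconds, hitcount, update)  # rule 2: ... -j DROP
        verdicts.append((now, src, "DROP" if dropped else "ACCEPT"))
    return verdicts


def verdict_counts(verdicts, src):
    """(accepted, dropped) for one source address."""
    accepted = sum(1 for _, s, v in verdicts if s == src and v == "ACCEPT")
    return accepted, sum(1 for _, s, _v in verdicts if s == src) - accepted


# Constructed traffic (not a capture): a browser opening four connections at once,
# and a flooder opening eight, then retrying either once or every 30 seconds.
BROWSER, FLOODER = "192.0.2.10", "198.51.100.7"
BURST = [(0.1 * i, BROWSER) for i in range(4)] + [(0.1 * i, FLOODER) for i in range(8)]
RETRY_ONCE = BURST + [(59.0, FLOODER), (121.0, FLOODER)]
RETRY_EVERY_30S = BURST + [(t, FLOODER) for t in (30.0, 60.0, 90.0, 120.0)]

if __name__ == "__main__":
    print(verdict_counts(simulate(RETRY_ONCE), BROWSER))                    # (4, 0)
    print(verdict_counts(simulate(RETRY_ONCE), FLOODER))                    # (5, 5)
    print(verdict_counts(simulate(RETRY_EVERY_30S, update=True), FLOODER))  # (4, 8): never released
    print(verdict_counts(simulate(RETRY_EVERY_30S, update=False), FLOODER)) # (6, 6): released at 90 s
```

The fifth NEW connection from one address inside the window is the first one dropped, so a browser that opens four connections for a page is untouched, while one that opens more trips the rule; that is the knob to size against real client behaviour before deploying it in front of HTTP. Whether to use --update or --rcheck is the second decision: --update keeps a persistent source blocked for as long as it keeps trying, and also keeps a misconfigured legitimate client blocked for as long as it keeps retrying.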
On Mon, 2010-07-19 at 22:43 +0530, Nilesh Govindarajan wrote:
> Hi, Can someone tell me how to use IPTables to prevent DDoS attacks? I'm sure IPTables has the relevant modules (limit, recent I think) after reading some docs, but still in doubt about its implementation.

I realize I am late to the party but I use something like the following to deal with DDoS attacks:

  while true; do
      clear
      ( echo "Current blocked hosts: "; echo
        iptables -vnL INPUT | grep 'tcp dpt:80' | awk '{print $8}' )
      # capture 10000 SYNs to port 80 and count them per source address
      for i in $(tcpdump -i eth0 -nn -l -p -s0 -c 10000 dst host 192.168.100.68 and port 80 and 'tcp[13] & 2 = 2' 2>/dev/null \
                 | awk '{print $3 | "cut -d. -f1-4 | sort -t. -n -k1,1 -k2,2 -k3,3 -k4,4 | uniq -c | sort -n"}' \
                 | awk '{if ($1 > 100) print $2}'); do
          # match the exact address as iptables-save prints it (with /32 and a trailing
          # space), so that a block on 10.0.0.1 is not mistaken for one on 10.0.0.10
          ( iptables-save | grep -qF -- "-s $i/32 " ) \
              || ( echo "Adding block for ip $i"; iptables -I INPUT -s $i -m tcp -p tcp --dport 80 -j DROP )
      done
      iptables -Z INPUT
      sleep 10
      # self-healing: delete every port-80 rule whose packet counter is still zero
      for ip in $(iptables -vnL INPUT | grep 'tcp dpt:80' | awk '{if ($1 == 0) print $8}'); do
          ( echo "Deleting block on ip $ip"; iptables -D INPUT -s $ip -m tcp -p tcp --dport 80 -j DROP )
      done
  done

Obviously you have to tweak the tcpdump parameters to fit the attack but it's also self-healing. Once a host stops hitting the server the DROP rule is removed. It's more complex and only semi-automatic but when configured properly you can safely drop it in a screen session and set it and forget it.

Cheers,
Greg

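Greg's loop reduced to its decision logic, as an added Python example over constructed tcpdump output (this is not Greg's script, and the addresses and counts are made up): count SYNs per source, block the sources above the threshold, zero the counters, and release any rule whose counter is still zero after the pause. The block set is keyed by exact address, which is the check the shell version has to make carefully when it greps iptables-save (a plain substring grep for 10.0.0.1 also matches 10.0.0.10).

```python
# Added example, not Greg's script: the decision logic of his loop in Python, run over
# constructed tcpdump -nn lines (SYNs to port 80, the packets 'tcp[13] & 2 = 2' selects).
from collections import Counter

SERVER = "192.168.100.68"   # the dst host in Greg's tcpdump filter


def _syn_lines(src, n):
    """Construct n tcpdump-style SYN lines from src (sample data, not a real capture)."""
    return [f"12:00:00.{i:06d} IP {src}.{40000 + i} > {SERVER}.80: Flags [S], seq {i}, win 64240, length 0"
            for i in range(n)]


SAMPLE_LINES = (_syn_lines("198.51.100.7", 150)      # well over the threshold
                + _syn_lines("203.0.113.9", 101)     # just over
                + _syn_lines("198.51.100.200", 100)  # exactly at the threshold: not blocked
                + _syn_lines("192.0.2.10", 3))       # an ordinary client


def source_ip(line):
    """Field 3 of tcpdump output is src.ip.port; keep the first four dotted parts (cut -d. -f1-4)."""
    return ".".join(line.split()[2].split(".")[:4])


def syn_counts(lines):
    """The sort | uniq -c step: SYNs seen per source address."""
    return Counter(source_ip(line) for line in lines)


def hosts_to_block(counts, threshold=100):
    """Greg's awk '{if ($1 > 100) print $2}': strictly more than `threshold` SYNs."""
    return sorted(ip for ip, n in counts.items() if n > threshold)


class PortBlocks:
    """The '-s <ip> -m tcp -p tcp --dport 80 -j DROP' rules with their packet counters."""

    def __init__(self):
        self.counters = {}

    def add(self, ip):
        """Insert a rule unless one for exactly this address exists (the iptables-save check)."""
        if ip in self.counters:
            return False
        self.counters[ip] = 0
        return True

    def zero(self):
        """iptables -Z INPUT."""
        for ip in self.counters:
            self.counters[ip] = 0

    def record_hits(self, hits):
        """Packets the DROP rules matched while the loop slept."""
        for ip, n in hits.items():
            if ip in self.counters:
                self.counters[ip] += n

    def release_idle(self):
        """Delete rules whose counter is still zero: the host stopped, so the block goes."""
        idle = sorted(ip for ip, n in self.counters.items() if n == 0)
        for ip in idle:
            del self.counters[ip]
        return idle


def one_round(blocks, lines, hits_during_pause, threshold=100):
    """One iteration of the while-true loop. Returns (added, released) address lists."""
    added = [ip for ip in hosts_to_block(syn_counts(lines), threshold) if blocks.add(ip)]
    blocks.zero()
    blocks.record_hits(hits_during_pause)
    return added, blocks.release_idle()


if __name__ == "__main__":
    blocks = PortBlocks()
    # Round 1: two sources blocked; only 203.0.113.9 keeps sending, so 198.51.100.7 is released.
    print(one_round(blocks, SAMPLE_LINES, {"203.0.113.9": 42}))
    # Round 2 over the same capture: 198.51.100.7 is re-added, 203.0.113.9 already has a rule.
    print(one_round(blocks, SAMPLE_LINES, {"203.0.113.9": 7}))
```

The release step is what makes the loop self-healing, and it is also its weak point: a source that pauses for one 10-second interval is unblocked and has to cross the threshold again before the next rule goes in, so the threshold and the pause are tuned together against the attack rate Greg mentions.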
participants (5)
- C Anthony Risinger
- Greg Bur
- Heiko Baums
- Nilesh Govindarajan
- vlad