For a few days my internet has been very slow. I checked my router logs and guess what! In the log where DoS attacks are recorded, it showed something like

|Description                 |Count|  Last Occurrence  | Target    | Source          |
|TCP- or UDP-based Port Scan |  3  |  [current date]   |[local ip] |83.170.92.186.80 |

I think from my observations that is when the DoSer hooks up his IP to mine (or something like that; basically it means available to attack).

When I do netstat -an in Terminal and my internet is very slow, it says something like this:

Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)    
tcp4       0      0  (local ip).58188      83.170.92.186.80       SYN_SENT   
tcp4       0      0  (local ip).58187      83.170.92.186.80       SYN_SENT   
tcp4       0      0  (local ip).58186      83.170.92.186.80       SYN_SENT   
tcp4       0      0  (local ip).58185      83.170.92.186.80       SYN_SENT   
tcp4       0      0  (local ip).58184      83.170.92.186.80       SYN_SENT   
tcp4       0      0  (local ip).58183      83.170.92.186.80       SYN_SENT   
tcp4       0      0  (local ip).58182      83.170.92.186.80       SYN_SENT   
tcp4       0      0  (local ip).58181      83.170.92.186.80       SYN_SENT   
tcp4       0      0  (local ip).58180      83.170.92.186.80       SYN_SENT

While when it's not being attacked:

Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)  
tcp4       0      0  (local ip).58292      83.170.92.186.80       FIN_WAIT_2   
tcp4       0      0  (local ip).58275      83.170.92.186.80       FIN_WAIT_2  
tcp4       0      0  (local ip).58265      83.170.92.186.80       ESTABLISHED   
tcp4       0      0  (local ip).58264      83.170.92.186.80       ESTABLISHED    
tcp4       0      0  (local ip).58263      83.170.92.186.80       ESTABLISHED    
tcp4       0      0  (local ip).58262      83.170.92.186.80       ESTABLISHED    
tcp4       0      0  (local ip).58261      83.170.92.186.80       ESTABLISHED     
tcp4       0      0  (local ip).58255      83.170.92.186.80       FIN_WAIT_2   
tcp4       0      0  (local ip).58254      83.170.92.186.80       FIN_WAIT_2  
tcp4       0      0  (local ip).58238      83.170.92.186.80       ESTABLISHED   
tcp4       0      0  (local ip).58071      83.170.92.186.80       FIN_WAIT_2  
tcp4       0      0  (local ip).58061      83.170.92.186.80       FIN_WAIT_2   

Somehow that IP is hooked up to my internet, so at any time it can DoS me. When it says SYN_SENT it shows my internet is under attack. Can anyone help?

schroeder
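To make output like the netstat listings above easier to read, here is an added example (not from the question or either answer) that parses macOS/BSD-style "netstat -an" lines and tallies TCP states per foreign peer, flagging peers with several half-open connections. The sample input is constructed to match the question's format, with 192.0.2.10 and 198.51.100.7 as placeholder addresses. Note that SYN_SENT is the state of a connection the local host itself initiated and has not yet received a SYN/ACK for.

```python
from collections import Counter, defaultdict

# Constructed sample modelled on the macOS `netstat -an` output in the question.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.58188       83.170.92.186.80       SYN_SENT
tcp4       0      0  192.0.2.10.58187       83.170.92.186.80       SYN_SENT
tcp4       0      0  192.0.2.10.58186       83.170.92.186.80       SYN_SENT
tcp4       0      0  192.0.2.10.58265       83.170.92.186.80       ESTABLISHED
tcp4       0      0  192.0.2.10.58292       83.170.92.186.80       FIN_WAIT_2
tcp4       0      0  192.0.2.10.54321       198.51.100.7.443       ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.5353                 *.*
"""

def split_host_port(addr):
    """BSD/macOS netstat writes 'host.port'; the port is the last dot-separated field."""
    host, _, port = addr.rpartition(".")
    return host, port

def parse_netstat(text):
    """Return (proto, local_host, local_port, foreign_host, foreign_port, state) per TCP line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, blank lines and UDP rows (UDP has no state column).
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        lhost, lport = split_host_port(fields[3])
        fhost, fport = split_host_port(fields[4])
        rows.append((fields[0], lhost, lport, fhost, fport, fields[5]))
    return rows

def states_by_peer(rows):
    """Map 'foreign_host:port' -> Counter of TCP states, ignoring wildcard listeners."""
    peers = defaultdict(Counter)
    for _, _, _, fhost, fport, state in rows:
        if fhost != "*":
            peers[f"{fhost}:{fport}"][state] += 1
    return dict(peers)

def half_open_outbound(rows, threshold=3):
    """Peers with at least `threshold` SYN_SENT entries, i.e. connections this host
    is opening that the peer has not yet answered."""
    return {peer: c["SYN_SENT"] for peer, c in states_by_peer(rows).items()
            if c["SYN_SENT"] >= threshold}

if __name__ == "__main__":
    for peer, states in states_by_peer(parse_netstat(SAMPLE_NETSTAT)).items():
        print(peer, dict(states))
    print("half-open outbound:", half_open_outbound(parse_netstat(SAMPLE_NETSTAT)))
```

On a live system, pipe the real output in with "netstat -an | python3 script.py" after replacing SAMPLE_NETSTAT with sys.stdin.read().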

2 Answers

5

Contact your ISP. You can't fix this problem yourself, but they might be able to help. And it's in their best interests to do so, even more so than yours. (After all, it's their network that's carrying this load, using up bandwidth for all their clients.)

John Deters
0

This should do the trick. This will only allow 5 connections per host/IP. The downside to this is that, for example, if 10 users were connecting to your site through the same proxy server, only 5 of them would be able to connect. Also, enabling SYN cookies could halt the attack too without affecting users using the same proxy. Here is how to limit the number of connections from the same host.

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j REJECT
service iptables save

This is how to enable SYN cookies.

Open /etc/sysctl.conf in nano, then add net.ipv4.tcp_syncookies = 1 to the bottom of the file. Then run sysctl -p to enforce the changes.

Tim Jonas

  • also see my other post at http://security.stackexchange.com/questions/42618/how-to-protect-tomcat-7-against-slowloris-attack that will also fix your issue – Tim Jonas Mar 06 '14 at 05:41