4

I have a Debian Linux server which runs a few online game services. I have some competitors in this area and I think one of them is behind the DDoS attacks.

I have full access to the router, so I set a few connection rules in Winbox which can detect and drop the DDoSer IP addresses but I think it's not the best way to prevent an attack.

ddos graph

filter rules

These are some source ip addresses (all from port 53)

  • 38.111.134.26
    41.78.27.213
    66.232.92.39
    66.232.92.43
    66.243.192.11
    67.43.55.110
    67.43.55.111
    67.50.161.103
    67.59.80.28
    67.118.192.2
    69.27.136.10
    69.27.136.12
    69.27.211.200
    69.31.186.27
    74.114.48.151
    116.199.220.101
    203.87.92.4
    203.161.128.249
    203.161.159.10
    206.51.97.91
    206.158.2.91
    209.240.96.6

Is there any method to prevent or trace a DDoS attack?

S.L. Barth
  • 5,486
  • 8
  • 38
  • 47
tomas
  • 41
  • 2
  • There are some steps you can take, but in general DDoS attacks are best 'prevented' by having more network capabilities than the DDoS has. – Kevin Jan 23 '15 at 14:51
  • 1
    As far as preventing goes, see http://security.stackexchange.com/questions/241/how-can-a-software-application-defend-against-dos-or-ddos/254#254 http://security.stackexchange.com/questions/114/what-techniques-do-advanced-firewalls-use-to-protect-againt-dos-ddos and http://security.stackexchange.com/questions/73369/how-do-major-sites-prevent-ddos . As far as tracing to the source of the attack goes, hopefully someone else can provide a good answer. – Jonathan Jan 23 '15 at 15:26
  • 4
    Sadly, tracing the source of such attack may be difficult since usually bots are used, ie. malware software which contaminated innocent people's machines and are remotely controlled (usually passing through one or several relays to ensure better anonymity of the actual source). Such setup provides both a better anonymity for the attack source and a better bandwidth thanks to the number of unwillingly "volunteers" machines being used. – WhiteWinterWolf Jan 23 '15 at 16:06
  • 8
    These are most likely spoofed source IPs anyway. –  Jan 23 '15 at 17:28

3 Answers3

4

No - There is no useful way to trace the source of such an attack. A DDoS will come from hundreds or thousands of machines, probably in multiple countries, and probably all unwittingly victims of an attacker.

But yes - you can prevent such an attack. You have 3 possible solutions:

  • Change IP addresses, so you aren't the target any more.
  • Buy more bandwidth so your pipe is bigger than the total bandwidth aimed at you.
  • Buy the services of a DDoS mitigation provider.
Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
  • 2
    To buy more bandwidth is an endless race I played and we are condamned to loose. A botnet of PC connected in China at 10 Mbit/s will always outperform the biggest connection an enterprise can buy :(. On the other hand, a few intelligent rules (toward the typical `deny all`) in a router helped me to survive a few DOS. – dan Aug 18 '16 at 16:50
2

You won't be efficient at hunting the IP sources addresses of a moving botnet. They can change quickly, and using udp they don't even need to be the right ones.

I guess that when the source port is 53/udp, the destination port isn't 53/udp. But this is hidden on purpose on your screen capture.

I will also make the assumption that you are not running your own DNS server and are using your provider's one.

I suggest to use more efficient filtering to outperform your attacker in this case. Just enter the following rule on your router:

# just let pass the legitimate 53/udp traffic
permit udp ••my_official_DNS_servers•• port 53 ••my_server_IP_address•• port 53
# deny anything else which is error or attack
deny udp any any port 53
deny udp any port 53 any

And if your router manage it, turn off source routing.

dan
  • 3,033
  • 14
  • 34
0

These IP's are probably spoofed as pointed by user42178.

This is probably a "DNS Amplification Attack" which used for DDoS. You can see that the IP's say 116.199.220.101 are DNS servers.

I think a Firewall rule suggested by daniel Azuelos which drops all the UDP packets with Source port 53 ,with the exception of your Official DNS servers (static IP's like 8.8.8.8/8.8.4.4) will do some help.

Nevertheless, you need to get more bandwidth. This solution only helps you save your Server resources. You can talk to your ISP as well to block the traffic at their Infrastructure and save your bandwidth.

Sravan
  • 1,158
  • 5
  • 14