-1

Im under a DDOS attack that target http server, i try iptables and other measures but nothing seems to work. Here is part of access_log:

https://pastebin.com/6JFKmUi8

Lot of connections but iptables won't stop the attack, there is my iptables rules:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 147.135.37.113 -j ACCEPT

iptables -A INPUT -f -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

iptables -N LOG_AND_DROP

iptables -N PORT21
iptables -A PORT21 -m recent --set --name lp21
iptables -A PORT21 -m recent --update --seconds 30 --hitcount 3 --name lp21 -j DROP
iptables -A PORT21 -m recent --update --seconds 300 --hitcount 10 --name lp21 -j LOG_AND_DROP

iptables -N PORT22
iptables -A PORT22 -m recent --set --name lp22
iptables -A PORT22 -m recent --update --seconds 30 --hitcount 3 --name lp22 -j DROP
iptables -A PORT22 -m recent --update --seconds 300 --hitcount 10 --name lp22 -j LOG_AND_DROP

iptables -N PORT80
iptables -A PORT80 -m recent --set --name lp80
iptables -A PORT80 -m recent --update --seconds 30 --hitcount 20 --name lp80 -j LOG_AND_DROP

iptables -N PORT443
iptables -A PORT443 -m recent --set --name lp433
iptables -A PORT443 -m recent --update --seconds 30 --hitcount 20 --name lp443 -j LOG_AND_DROP

iptables -N PORT10000
iptables -A PORT10000 -m recent --set --name lp10000
iptables -A PORT10000 -m recent --update --seconds 30 --hitcount 20 --name lp10000 -j LOG_AND_DROP

iptables -N PORT6900
iptables -A PORT6900 -m recent --set --name lp6900
iptables -A PORT6900 -m recent --update --seconds 30 --hitcount 10 --name lp6900 -j LOG_AND_DROP
iptables -A PORT6900 -m recent --update --seconds 50 --hitcount 20 --name lp6900 -j LOG_AND_DROP

iptables -N PORT6121
iptables -A PORT6121 -m recent --set --name lp6121
iptables -A PORT6121 -m recent --update --seconds 30 --hitcount 10 --name lp6121 -j LOG_AND_DROP
iptables -A PORT6121 -m recent --update --seconds 50 --hitcount 20 --name lp6121 -j LOG_AND_DROP

iptables -N PORT5121
iptables -A PORT5121 -m recent --set --name lp5121
iptables -A PORT5121 -m recent --update --seconds 30 --hitcount 10 --name lp5121 -j LOG_AND_DROP
iptables -A PORT5121 -m recent --update --seconds 50 --hitcount 20 --name lp5121 -j LOG_AND_DROP

iptables -A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name pings --hashlimit-mode srcip --hashlimit 10/min --hashlimit-burst 10 --hashlimit-htable-expire 30000 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/min -j LOG --log-prefix "[Pings]"
iptables -A INPUT -p icmp -j DROP

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j PORT21
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j PORT22
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j PORT80
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j PORT443
iptables -A INPUT -p tcp --dport 10000 -m state --state NEW -j PORT10000

iptables -A INPUT -p tcp --dport 6900 -m state --state NEW -j PORT6900
iptables -A INPUT -p tcp --dport 6121 -m state --state NEW -j PORT6121
iptables -A INPUT -p tcp --dport 5121 -m state --state NEW -j PORT5121

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-name p80 --hashlimit-mode srcip --hashlimit 50/min --hashlimit-burst 100 --hashlimit-htable-expire 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m hashlimit --hashlimit-name p443 --hashlimit-mode srcip --hashlimit 50/min --hashlimit-burst 100 --hashlimit-htable-expire 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -m hashlimit --hashlimit-name p10000 --hashlimit-mode srcip --hashlimit 50/min --hashlimit-burst 100 --hashlimit-htable-expire 10000 -j ACCEPT

iptables -A INPUT -p tcp --dport 6900 -j ACCEPT
iptables -A INPUT -p tcp --dport 6121 -j ACCEPT
iptables -A INPUT -p tcp --dport 5121 -j ACCEPT

iptables -A LOG_AND_DROP -m limit --limit 10/min -j LOG --log-prefix "[Log]"
iptables -A LOG_AND_DROP -j DROP

#iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "[Default]"
iptables -A INPUT -d 147.135.37.113 -j DROP

Any advice will be welcomed. I try everything but nothing works.

Hermenegildo Gonzalez
  • 1

3 Answers3

1

Talk to your provider (looks like OVH) about their anti-ddos protections on your system. Not all, but most of the reputable providers have ways they can help you with this. Aside from that, you might consider doing a fancy fail2ban rule that watches your web server logs for any client hitting that foro url and just automagically adding a IPTables rule for them. Aside from that, you can put something there ... perhaps a very small 1 byte file? Or put your webserver behind something like cloudflare or some other CDN service. Most of that traffic can be dealt with a handful of ways and it shouldn't put that much stress on your server or on you. Watch out for logfiles filling up your filesystem though! That can create a whole other problem that nobody wants.

check out this for more information on using fail2ban to protect apache from DoS attacks: https://apache.tutorials24x7.com/blog/protect-apache-from-brute-force-and-ddos-attacks-using-fail2ban

t3ln3t
  • 379
  • 1
  • 7
  • I tried to use fail2ban to mitigate DDoS attack. It is unusable for this. For example, when you start/stop or reload it (which you will do often for DDoS), it first *unbans* everybody, and then bans again afterwards. This process takes around a hour in case you have 20000+ addresses banned, not very promising! Actually fail2ban is quite low quality software, despite its popularity, even for the problem it is designed to solve. – Nikita Kipriyanov Aug 30 '21 at 07:31
  • If you have 20,000+ addresses in your ban lists, fail2ban is not an appropriate solution! You need a hardware solution that does this. CiscoGuard or whatever they replaced that product with. Most UNIX/Linux software starts to hiccup when you have that number of text entries in lists. Postfix and sendmail moved to compiled DBs and hashes 20 years ago because text files couldn't be parsed quickly. – t3ln3t Aug 30 '21 at 18:08
  • No, dedicated hardware is not needed. Remember, any "dedicated hardware" like that is nothing more than grossly overpriced ancient silicon running some clever software. If you manage to run such software on the same computer, that'll work fine. For example, if you are going to block something using linux netfilter, use ipset (which uses bitmaps or hashes, i.e. a "software CAM") , and the main problem is how to fill ipset. fail2ban hardly can help. The problem is, if you have "exhaustive" DDoS, you certainly *will* have 20000+ addresses to ban, so fail2ban won't help with such DDoS. – Nikita Kipriyanov Aug 31 '21 at 06:03
  • Thanks. I will try fail2ban, and yes Cloudflare help. The http logs are disabled while the attack continues. – Hermenegildo Gonzalez Sep 02 '21 at 14:38
0

The problem solved with this simple iptables (maybe the other rules were too messy)

iptables -A INPUT -i eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eno1 -m state --state INVALID -j DROP
iptables -A INPUT -i eno1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eno1 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eno1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eno1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eno1 -p icmp -j ACCEPT
iptables -A INPUT -i eno1 -j DROP

The attacks keep coming but don't colapse the server.

Hermenegildo Gonzalez
  • 1
  • per your logs, the DDOS seems unwanted http(s) requests. I don't understand how these rules which also allow http(s) would mitigate the attack. but you problem is solved, it's the more important ! – exeral Sep 02 '21 at 15:53
0

Couple of things comes to my mind:

  1. You could use string-match with iptables:

iptables -A INPUT -m string --algo bm --string "GET /foro" -j DROP

or if possible in your system, with TARPIT

iptables -A INPUT -m string --algo bm --string "GET /foro" -j TARPIT

  1. Instead of using fail2ban, make your own script which scans for logs last 1000 lines for example and blocks matches with ipsets. Add this to your iptables script:
  • ipset destroy toilet
  • ipset -N toilet iphash
  • ipset flush toilet

Then use your script to add ip addresses which you want to block to text file. Eventually you just need to loop all the ip addresses to that toilet-list.

  • ipset -A toilet "$ipaddress"

Using ipset and especially masks are much more efficient way than blocking ip addresses. I have around 20 000 addresses blocked and around 200 networks.

You might get some ideas of my very very messy script. https://pastebin.com/4v5se0kh

I know it is messy, but it works for me much faster and is much easier than fail2ban. I named that script suc2ban. You just need to find your own matches for your logfile (you probably have apache access.log, instead of my example which uses auth.log).

Limalski
  • 1