
Someone keeps attacking my server, but unfortunately I've switched my OS to FreeBSD. I earlier used Debian 5.0 Lenny, and none of the netstat or tcpdump commands I used on Debian work on FreeBSD.

So how can I detect the attacker's IP address so I can block this guy in the firewall?

Cyclone

3 Answers


By definition/design, a DDoS is not coming from a single IP address. DDoS = Distributed Denial of Service. In short, a large botnet is typically used to attack a single target, controlled by a single attacker who could potentially be anywhere in the world. Unfortunately, simply blocking the IPs of the attacker's bots will not solve your headaches. In many cases, your "smaller" internet connection simply cannot keep up with the HUGE amount of traffic generated by such an attack. Even if you drop the incoming data, your bandwidth is still consumed. In those instances, your headaches go away when the attacker discontinues his attack. Such an attack must be dealt with by your ISP in order to do anything about it.

TheCompWiz

Whilst not the answer you might be looking for, I think what you are trying to do is going to be unmanageable.

If your system is exposed to the internet, it will get attacked. It might be coming from 1.2.3.4 today, but if you block that address, it could be 2.3.4.5 attacking you the following day. You will end up with a massive unmanageable list of IP addresses that are likely to be dynamically assigned anyway.

Instead of blacklisting "bad" IP addresses, why not use a default deny all rule, and whitelist good IP addresses and services that you do actually want to expose to the internet?

Bryan
  • It's not possible since I've got a game server. – Cyclone Mar 09 '12 at 17:50
  • That is definitely possible. Use a default deny rule but white-list the ports that your game server uses; you don't have to white-list IP addresses too, you can white-list a service (port) and/or IP addresses. It really would help, though, if you defined what you mean by `attack` in your question: are we talking about attacking a vulnerability, attempts to attack potential vulnerabilities, or just some users misbehaving on your game server? – Bryan Mar 10 '12 at 10:42
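A minimal pf.conf in the shape Bryan describes in the comment above: deny everything by default, then pass only the game server's port to the world and ssh to one admin network. This is an added example, not from Bryan's answer or from any FreeBSD documentation; the interface name `em0`, the game port `27015` and the admin network `192.0.2.0/24` are assumptions and must be changed to match your host.

```pf
# Added example, not from the original answer. Assumptions: the external
# interface is em0, the game server listens on TCP and UDP 27015, and only
# 192.0.2.0/24 needs ssh access. Adjust all three macros for your host.
ext_if    = "em0"
game_port = "27015"
admin_net = "192.0.2.0/24"

set skip on lo0
set block-policy drop

# Default deny: every packet not matched by a later "pass" is dropped (and logged).
block log all

# The host itself may initiate connections; replies come back through state.
pass out quick on $ext_if inet keep state

# Whitelist by service, not by client IP: anyone may reach the game server.
pass in on $ext_if inet proto { tcp, udp } from any to ($ext_if) port $game_port keep state

# Whitelist by IP and service: ssh only from the admin network, new connections only.
pass in on $ext_if inet proto tcp from $admin_net to ($ext_if) port ssh flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules pf actually loaded. Because pf's last matching rule wins unless it carries `quick`, the `block log all` line must stay above the `pass` rules.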

Attackers also often use spoofed addresses. Probably what you are looking for is sockstat.

There is also the accf kernel module, which might help you depending on what your applications are.

I'd also recommend using pf. You could build something along the lines of:

# Table of offending hosts; "persist" keeps it in the kernel even when it is empty.
table <bruteforce> persist
# Allow new ssh connections, but track each source address: more than 2 new
# connections within 10 seconds adds the source to <bruteforce> and flushes
# every state it holds, not only the ones created by this rule.
pass in proto tcp from any to any port ssh flags S/SA keep state \
    (source-track rule, max-src-conn-rate 2/10, overload <bruteforce> flush global)
# Silently drop anything from a listed host, and let nothing go back to it.
block drop in quick from <bruteforce> to any
block out quick from any to <bruteforce>

Stateful Tracking will be your friend

juwi
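Putting juwi's two suggestions together, here is an added example (not code from the answer above) that answers the original question directly: parse `sockstat` output to see which remote address holds the most connections, then print the `pfctl` commands that would drop that address into the `<bruteforce>` table the pf rules above already block. The socket listing embedded in the script is constructed sample data with documentation addresses; on a real FreeBSD host you would feed the script `sockstat -4 -c -P tcp` instead. The threshold of 3 connections is an assumption to tune for your server.

```sh
#!/bin/sh
# Added example, not from the original answer. Counts established TCP
# connections per foreign IP from sockstat-style output and emits pfctl
# commands for the noisiest peers. Run "sh find-attackers.sh demo" to see it
# work on the constructed sample below; on a live host use:
#     sockstat -4 -c -P tcp | sh find-attackers.sh
# The addresses are constructed sample data (RFC 5737 documentation ranges).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp4   192.0.2.10:22         203.0.113.5:51234
root     sshd       1235  4  tcp4   192.0.2.10:22         203.0.113.5:51240
root     sshd       1236  4  tcp4   192.0.2.10:22         203.0.113.5:51241
games    gameserver 2001  7  tcp4   192.0.2.10:27015      198.51.100.7:40001
games    gameserver 2001  8  tcp4   192.0.2.10:27015      198.51.100.9:40002
games    gameserver 2001  9  tcp4   192.0.2.10:27015      203.0.113.5:40003
games    gameserver 2001  3  tcp4   *:27015               *:*'

# top_remote_ips: read sockstat output on stdin, print "<count> <ip>" per
# foreign address, busiest first. The header line is skipped, and so are
# sockets with no peer (listening sockets show the foreign side as "*:*").
top_remote_ips() {
    awk 'NR > 1 && $7 ~ /^[0-9.]+:[0-9]+$/ {
             sub(/:[0-9]+$/, "", $7)      # drop the port, keep the IPv4 address
             n[$7]++
         }
         END { for (ip in n) print n[ip], ip }' |
    sort -rn
}

# block_commands THRESHOLD: for every IP with at least THRESHOLD connections,
# print the pfctl command that adds it to the <bruteforce> table. Commands
# are printed rather than executed so they can be reviewed first, then
# piped into sh once you are satisfied.
block_commands() {
    top_remote_ips | awk -v t="$1" '$1 >= t { print "pfctl -t bruteforce -T add " $2 }'
}

# Assumed threshold: 3 simultaneous connections from one address is suspicious
# for this host; a busy game server may legitimately need a higher value.
THRESHOLD=3

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SOCKSTAT" | top_remote_ips
    printf '%s\n' "$SAMPLE_SOCKSTAT" | block_commands "$THRESHOLD"
elif [ ! -t 0 ]; then
    # Real input on stdin (e.g. from sockstat): report, then suggest blocks.
    INPUT=$(cat)
    printf '%s\n' "$INPUT" | top_remote_ips
    printf '%s\n' "$INPUT" | block_commands "$THRESHOLD"
fi
```

Remember TheCompWiz's caveat: this helps against a single noisy host (brute force, a misbehaving player), not a distributed flood, and a source that spoofs its address will not show up as an established connection at all. Verify what landed in the table with `pfctl -t bruteforce -T show`, and remove a false positive with `pfctl -t bruteforce -T delete <ip>`.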