
My server is undergoing a DDoS attack, with the traffic in my Apache logs appearing like:

ip address - - [11/Apr/2013:01:01:04 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
ip address - - [11/Apr/2013:01:01:05 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
ip address - - [11/Apr/2013:01:01:05 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
ip address - - [11/Apr/2013:01:01:05 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
ip address - - [11/Apr/2013:01:01:05 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
ip address - - [11/Apr/2013:01:01:05 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"

How can I block this with iptables? I am using:

-A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j DROP

but that doesn't appear to be doing anything. I think I need something along this line, though.

Thank you

Jenny D
dev

3 Answers


I'm not sure how you can do this in iptables, but I'd recommend you have a look at OSSEC, which blocks repeat offenders automatically. You can also have a look at CloudFlare; they also have a free package and specialize in DDoS mitigation, as what you need to do is drop the traffic before it reaches you. If the address is just one IP address, I would just drop it permanently.

I changed an iptables rule from here; have a look:

iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 50 -j DROP
Lucas Kauffman
  • As I block the IP addresses, the traffic continues from new ones. I think they are spoofing the return address. I'll check out OSSEC and let you know. – dev Apr 11 '13 at 13:24
  • If they are spoofing the address, you need to get a service that scrubs the packets before they reach you. You can't mitigate this with iptables if they are spoofing the IPs. – Lucas Kauffman Apr 11 '13 at 13:52
  • Not even with ratelimit? – dev Apr 18 '13 at 06:01

Without seeing all your iptables rules and some analysis showing that the rate does exceed the limits you specified, it's impossible to say why this is happening. For example, it may simply be that you're getting lots of requests across a single connection.

Even if you are not using keepalives, a stateful firewall (on its own) is not a very effective tool for preventing DoS attacks. Traffic shaping helps, but this gets very complicated very quickly. There are some Apache modules which support a minimum bandwidth guarantee, which is a lot simpler to configure than kernel QoS. But I would recommend using fail2ban to block the IP addresses causing the problem.

symcbean
  • Would it help if we set the limit to 2/sec? You can see from the traffic above that more than 2 per second are flying in. A stateful firewall is all I have at this point. I'll check out fail2ban and let you know. – dev Apr 11 '13 at 13:23
  • You'll likely break your legitimate traffic with 2/s. – symcbean Apr 11 '13 at 15:16

Several problems:

  1. Using a stateful firewall against DDoS is often a bad idea: you help the attacker by allowing him to allocate state (and therefore memory) on your machine. The state module should simply be replaced by something like --tcp-flags SYN SYN
  2. The -j DROP at the end is an error: it means dropping all the packets that are below the threshold. It should be -j ACCEPT, with a DROP rule afterwards. (If you saw no effect, it may be because you have another ACCEPT rule later, or a general ACCEPT policy.)
  3. I prefer the hashlimit module, which can work with prefixes, not just individual IP addresses:

     --tcp-flags SYN SYN -m hashlimit --hashlimit-name Web --hashlimit-above 3/second --hashlimit-mode srcip --hashlimit-burst 7 --hashlimit-srcmask 28 -j DROP
bortzmeyer
  • I tried this: iptables -A droplist -p tcp --tcp-flags SYN SYN -m hashlimit --hashlimit-name badguys --hashlimit-above 3/second --hashlimit-burst 7 --hashlimit-srcmask 28 -j DROP and it completely locked me out of my box. Any ideas? – dev Apr 18 '13 at 06:01
  • It all depends on your default policy. Maybe it is DROP? – bortzmeyer Apr 18 '13 at 21:22
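As an added example (not code from any of the answers above), here is a small Python script that does the analysis symcbean asks for before tuning a limit, and groups sources by /28 the way bortzmeyer's --hashlimit-srcmask 28 does: it parses Apache combined-format lines like those in the question and reports which sources exceed a given requests-per-second rate. The IP addresses and log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Apache combined log format as in the question; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample (not the asker's real log): two hosts in one /28 plus one ordinary client.
SAMPLE_LOG = """\
198.51.100.17 - - [11/Apr/2013:01:01:04 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
198.51.100.17 - - [11/Apr/2013:01:01:05 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
198.51.100.17 - - [11/Apr/2013:01:01:05 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
198.51.100.17 - - [11/Apr/2013:01:01:05 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
198.51.100.17 - - [11/Apr/2013:01:01:05 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
198.51.100.18 - - [11/Apr/2013:01:01:05 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
198.51.100.18 - - [11/Apr/2013:01:01:05 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
203.0.113.9 - - [11/Apr/2013:01:01:05 -0600] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (client_ip, timestamp_string), or None for a line not in the expected format."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("ts")) if m else None

def peak_rates(lines, prefixlen=32):
    """Map each source to the highest request count seen in any single second.
    Apache timestamps already have one-second resolution, so the raw timestamp is the bucket.
    prefixlen < 32 groups sources by network, like --hashlimit-srcmask."""
    buckets = defaultdict(Counter)  # source -> Counter{timestamp: requests}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or truncated line; skip rather than miscount
        ip, ts = parsed
        src = ip if prefixlen == 32 else str(ip_network(f"{ip}/{prefixlen}", strict=False))
        buckets[src][ts] += 1
    return {src: max(counts.values()) for src, counts in buckets.items()}

def above_limit(lines, per_second, prefixlen=32):
    """Sources whose peak rate exceeds per_second, mirroring --hashlimit-above N/second."""
    return sorted(src for src, peak in peak_rates(lines, prefixlen).items() if peak > per_second)

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(peak_rates(lines))                    # per host
    print(above_limit(lines, 3))                # hosts over 3/second
    print(above_limit(lines, 3, prefixlen=28))  # /28 prefixes over 3/second
```

Run it against a real access log with `above_limit(open("access.log"), 3)` to see which hosts a 3/second rule would actually hit, and with prefixlen=28 to see what the /28 mask would sweep in alongside them.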