Recently my server has been hit with DDoS's coming from the Great Chinese Firewall.

As per the advice in one of the replies in mod_security block requests by http-host header, and the advice in https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables/ I've been trying to use IPTables to block redirected DDoS traffic coming from the Great Firewall of China by blocking requests with the "Bittorrent" string and simply blocking all IPs from China by using the up to date IP list at http://www.ipdeny.com/ipblocks/data/countries/cn.zone.

My firewall looks like this.

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Block anything from China
#  These rules are pulled from ipset's china list
#  The source file is at /etc/cn.zone (which in turn is generated by a shell script at /etc/block-china.sh )
-A INPUT -p tcp -m set --match-set china src -j DROP

#  Block bittorrent
-A INPUT -p tcp --dport 80 -m string --algo bm --string "Bittorrent" --to 1000 -j DROP
-A INPUT -p tcp --dport 80 -m string --algo bm --string "GET /announce" --to 1000 -j DROP

#  Limit connection speed to avoid DDOS
-A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 2222 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

However, the firewall doesn't seem to be working at all. Chinese IPs still flood the Apache logs, and the "Bittorrent" strings still show up in the Apache logs too. I seem to be getting flooded by IPs not in the ban list (how accurate is the list from ipdeny?) and the iptables string match doesn't seem to be working at all since logs like the following still come through.

110.255.172.42 - - [26/Apr/2015:18:05:41 +1200] "GET /announce.php?info_hash=M%3A%89%E1%86%9D%60%A7I%23%D6%99r%04%D7t%06%5F%A6%CC&peer_id=%2DSD0100%2D%E9%B1%EF%11A%CC%FB%94%EDl%23%8A&ip=101.28.113.60&port=8644&uploaded=1503508047&downloaded=1503508047&left=0&numwant=200&key=9253&compact=1 HTTP/1.0" 410 225 "-" "Bittorrent"

Also, http://www.blockedinchina.net/ still shows my website as accessible within China.

Running sudo iptables -L gives me:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere             match-set china src
DROP       tcp  --  anywhere             anywhere             tcp dpt:http STRING match  "Bittorrent" ALGO name bm TO 1000
DROP       tcp  --  anywhere             anywhere             tcp dpt:http STRING match  "GET /announce" ALGO name bm TO 1000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW limit: avg 50/min burst 200
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:2222
ACCEPT     icmp --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Anyone know why my firewall might not be working?

  • Are you running a Bit torrent tracker server? Have you tried [this advice](http://engineering.bittorrent.com/2015/01/29/a-note-on-the-ddos-attacks/) – squareborg Apr 26 '15 at 06:40
  • There's no Bittorrent software on my server. I've done what it says already in that link, however it's not just Bittorrent spam coming in, it's also requests for other random URLs, which is why I just want to block all of China now. – Projectile Fish Apr 26 '15 at 06:48
  • Use `iptables -nvL --line-numbers` instead of -L and check the packet counters. Your bittorrent/announce rules never catch anything because the packets in which the strings are get accepted before by the ESTABLISHED rule... remember the TCP handshake? – Zimmi Apr 27 '15 at 09:46
  • Ah yes, this was the main problem, these match rules need to go before the established rule. That said, the bittorrent one still doesn't work, but the announce one does. The China rule wasn't working due to a bug in the script which didn't create the cn.zone file properly, but now works perfectly. Though oddly blockedinchina still shows my site as accessible. – Projectile Fish Apr 29 '15 at 09:51
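An added example (not from the question, the comments or the answer) that checks a saved ruleset for the ordering problem Zimmi describes: it flags every `-m string` rule that sits behind the ESTABLISHED,RELATED accept in a chain, and moves those rules in front of it, which is the file-based counterpart of the answer's `iptables -I INPUT ...`. The ruleset text is a constructed excerpt of the question's rules; the functions parse iptables-restore syntax and need no root or live kernel.

```python
import re

# Constructed excerpt of the question's ruleset (same order, fewer rules).
SAMPLE_RULES = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m set --match-set china src -j DROP
-A INPUT -p tcp --dport 80 -m string --algo bm --string "Bittorrent" --to 1000 -j DROP
-A INPUT -p tcp --dport 80 -m string --algo bm --string "GET /announce" --to 1000 -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

# The "accept anything on an established connection" rule, in either the
# -m state (--state) or the -m conntrack (--ctstate) spelling.
ESTABLISHED_RE = re.compile(r"--(?:ct)?state\s+\S*ESTABLISHED\S*.*-j\s+ACCEPT")


def chain_lines(lines, chain):
    """Indexes of the '-A <chain>' lines, in file order."""
    return [i for i, l in enumerate(lines) if l.strip().startswith(f"-A {chain} ")]


def shadowed_payload_rules(text, chain="INPUT"):
    """-m string rules placed after the ESTABLISHED accept of the chain.

    These never see an HTTP request: the handshake has already made the
    connection ESTABLISHED, so the packet carrying "GET /announce" is
    accepted earlier (shown by a zero counter in iptables -nvL --line-numbers)."""
    lines = text.splitlines()
    idx = chain_lines(lines, chain)
    est = next((i for i in idx if ESTABLISHED_RE.search(lines[i])), None)
    if est is None:
        return []
    return [lines[i] for i in idx if i > est and "-m string" in lines[i]]


def reorder(text, chain="INPUT"):
    """Move the shadowed -m string rules in front of the ESTABLISHED accept."""
    lines = text.splitlines()
    moved = shadowed_payload_rules(text, chain)
    if not moved:
        return text
    est = next(i for i in chain_lines(lines, chain) if ESTABLISHED_RE.search(lines[i]))
    kept = [l for i, l in enumerate(lines) if i <= est or l not in moved]
    return "\n".join(kept[:est] + moved + kept[est:]) + "\n"
```

After reordering, the payload rules still only match packets whose first `--to` bytes contain the string, so a request split across segments or sent with different casing is not caught; the counters from `iptables -nvL` remain the check that matters.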

1 Answer

I faced the same problem, so this works on my web server:

iptables -I INPUT -m string --string "announce.php" --algo kmp --to 65535 -j TARPIT

I've added this rule at the top. You can use DROP instead of TARPIT (yes, I'm bad and forced Chinese to suffer :-D).

Maxiko