-1

I am facing a DDoS attack from a few hundred IP addresses, all of them coming from various cities in India and all having the same organization: "................ for GPRS Service". (I'm not mentioning the whole name.)

The attack started around 5 hours ago and it consists of hundreds of IP addresses that open 1 to 5 connections each (as opposed to one or a few IPs making thousands of connections). The IP addresses are coming from a wide range of subnets.

Is there a way to tell the firewall to block the internet provider of the remote IPs, at least until the problem is solved?

ToX 82

2 Answers

1

Finally, I have found a way to mitigate (and finally solve) the problem:

After some investigation I found out that the attack was directed at my web server's IP address and not at a single website. Since that IP address was actually responding with the default Apache page, I replaced that page with a PHP 302 redirect pointing to a random (fake) domain. Eventually all of the connections disappeared, and all of my websites have now been running smoothly for a couple of hours.

ToX 82
  • Who did you redirect to? Something that actually exists? Kinda feel sorry for them.... – ivanivan Jun 01 '18 at 00:46
  • LOL no, it was a non-existent domain. Well, TBH, I initially set it to the "attacking" Indian ISP, appending a "?there-is-a-ddos-coming-from-you" parameter, but eventually I switched to a non-existent domain after a few minutes. I felt sorry for them too, even if a few hundred requests per second is not a big deal for an ISP's website, apparently :) – ToX 82 Jun 01 '18 at 06:14
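As an added example (not part of the original answer or the poster's own scripts), here is a shell script that runs the kind of check the answer describes, but over a few constructed log lines in Apache's "vhost_combined" format ("%v:%p %h %l %u %t \"%r\" %>s %O"): which virtual host the requests are actually aimed at, and how the requests are spread across client addresses. The log lines, addresses and function names are invented for illustration; run it against the real access log to get the real picture.

```shell
#!/bin/sh
# Added example: is the traffic aimed at the bare server IP or at a named
# site, and is it many clients with a few requests each? The lines below are
# constructed for illustration (vhost_combined format); they are not the
# original poster's logs.
SAMPLE_LOG='203.0.113.10:80 198.51.100.7 - - [31/May/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 3499
203.0.113.10:80 198.51.100.7 - - [31/May/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 3499
203.0.113.10:80 198.51.100.8 - - [31/May/2018:10:00:02 +0000] "GET / HTTP/1.1" 200 3499
203.0.113.10:80 198.51.100.9 - - [31/May/2018:10:00:02 +0000] "GET / HTTP/1.1" 200 3499
203.0.113.10:80 198.51.100.10 - - [31/May/2018:10:00:03 +0000] "GET / HTTP/1.1" 200 3499
www.example.com:80 192.0.2.5 - - [31/May/2018:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024
www.example.com:80 192.0.2.5 - - [31/May/2018:10:00:04 +0000] "GET /style.css HTTP/1.1" 200 512'

# Requests per virtual host (the %v field with the port stripped), busiest
# first. If the top entry is the server's raw IP address, the traffic is aimed
# at the host itself, not at any site it serves.
requests_per_vhost() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '{ split($1, v, ":"); n[v[1]]++ } END { for (h in n) print n[h], h }' |
        sort -rn
}

# Number of distinct client IPs that hit the given vhost.
distinct_clients_for() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk -v want="$1" '{ split($1, v, ":"); if (v[1] == want) seen[$2] = 1 }
                          END { c = 0; for (ip in seen) c++; print c }'
}

# Histogram "<requests per client> <number of clients>". Many clients with
# 1-5 requests each, rather than one client with thousands, is the
# distributed pattern described in the question.
client_histogram() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '{ per[$2]++ } END { for (ip in per) h[per[ip]]++; for (k in h) print k, h[k] }' |
        sort -n
}

requests_per_vhost
echo
client_histogram
```

On a live server, replace the SAMPLE_LOG variable with the real file (e.g. `awk ... /var/log/apache2/access.log`); the vhost field is only present if the LogFormat includes %v, so with the plain "combined" format the first check has to be done against the Host header some other way.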
0

If the IPs are in the same country or a few countries, you could directly configure iptables to block subnets that originate from India (or whichever countries you choose) while you ride out the DDoS attack, and remove the rules later once it's over.

The trick is getting a list of subnets that apply to your attackers.

You can use this handy tool: https://www.ip2location.com/free/visitor-blocker

It can generate rules for a variety of firewalls, including iptables, which can be saved and run as a bash script. The tool also supports server applications such as Apache.

Keep in mind that if this is a botnet attacking you, the IPs could rapidly change and be comprised of clients in many countries. Trying to keep up might be a fruitless effort and you'd be better off installing fail2ban.

  • Thanks for the suggestion, I have tried to do that but unfortunately that didn't solve the problem. To be honest most of the IP addresses that were attacking me were reported to be from India (according to http://ip-whois-lookup.com), but they weren't in ip2location's list... could that be because the attack was coming from a mobile ISP? – ToX 82 May 31 '18 at 21:01
  • You'd have to do some analysis on the IP list to determine which subnets you'd need to block. No online list is going to be perfect. I would recommend manipulating the IP list (in MS Excel, for example) to change the last octet to '0' and add the iptables commands around them. Honestly, if I were in your shoes, I'd install fail2ban instead. It's specifically designed for mitigating DDoS attacks. You're never going to be able to keep up if this is a rapidly changing botnet. The IPs could come from anywhere. –  Jun 01 '18 at 12:45
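As an added example (not the answer's own code and not ip2location's output), here is a shell script that does what the last comment suggests by hand: it zeroes the last octet of each attacking address, counts attackers per /24, and emits iptables rules only for subnets where more than one attacker appeared, into a separate chain that can be removed in one go once the attack is over. Because it works from the addresses actually seen rather than a geolocation list, it also covers ranges that a country list misses. The address list, the chain name and the threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn a list of attacking IPv4 addresses into temporary
# iptables rules per /24. ATTACKER_IPS is a constructed sample; in practice
# feed it the peer column of "ss -tn" or the client field of the access log.
ATTACKER_IPS='198.51.100.7
198.51.100.8
198.51.100.9
198.51.100.200
203.0.113.4
203.0.113.77
192.0.2.50'

CHAIN=DDOS_BLOCK   # dedicated chain so the rules can be flushed together

# Zero the last octet of each address and count attackers per /24, most first.
subnet_counts() {
    printf '%s\n' "$ATTACKER_IPS" |
        awk -F. 'NF == 4 { n[$1 "." $2 "." $3 ".0/24"]++ }
                 END { for (s in n) print n[s], s }' |
        sort -rn
}

# Subnets with at least $1 attacking hosts (default 2). Blocking a whole /24
# because of a single address cuts off that range's legitimate users for
# very little gain.
subnets_to_block() {
    min=${1:-2}
    subnet_counts | awk -v min="$min" '$1 >= min { print $2 }'
}

# Print the iptables commands (review them, then pipe them to "sh" as root).
emit_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    echo "iptables -C INPUT -j $CHAIN 2>/dev/null || iptables -I INPUT -j $CHAIN"
    subnets_to_block "$1" | while read -r net; do
        echo "iptables -A $CHAIN -s $net -j DROP"
    done
}

# Commands that undo everything once the attack is over.
emit_cleanup() {
    echo "iptables -D INPUT -j $CHAIN"
    echo "iptables -F $CHAIN"
    echo "iptables -X $CHAIN"
}

emit_rules 2
```

Usage: `sh block-subnets.sh | sudo sh` to apply, `emit_cleanup` (e.g. via `sh -c '. ./block-subnets.sh >/dev/null; emit_cleanup' | sudo sh`) to tear it down. If the list grows to thousands of ranges, an ipset of type hash:net referenced from a single iptables rule scales better than one rule per subnet, but the aggregation step is the same.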