Turning off network during Incoming DDOS


Sometimes on a server of mine, there is unsolicited incoming traffic (a mix of random ports and random protocols, beyond TCP/UDP/ICMP too) which peaks at 1 to 2 Gbit/s while the outgoing traffic remains normal (usually zero/negligible). I noticed that if I leave it as it is, it takes 5-10 minutes to subside. But if I turn the network off using:

ifdown eth0

and bring it up again after a minute, the menace is mostly gone. But cutting off net access like this isn't really ideal for a server, and I was wondering whether a rule like:

iptables -I INPUT  -i eth0 -j DROP
iptables -I OUTPUT -o eth0 -j DROP   # OUTPUT matches the outgoing interface (-o); -i is not valid in that chain

(with some exceptions in the firewall) is equivalent to the ifdown in this context? Will it have the same effect? If yes, which iptables table (raw?) would be best for blocking all the traffic?

Thanks.

Sam

Posted 2019-03-09T05:58:39.020

Reputation: 21
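An added example, not from the original post or its comments, of what an iptables version of the "ifdown for a minute" would look like. It assumes the interface is eth0, that one management host (203.0.113.10, a documentation address chosen for the example) should keep SSH access, and that the chain names QUARANTINE_IN and QUARANTINE_OUT are free. The rules go in the raw table because it is the first table netfilter consults, before connection tracking, so dropped packets never create a conntrack entry; the flip side is that `-m conntrack` matches are unavailable there, so the exception has to be by address and port rather than by connection state. Two caveats make this different from ifdown: the packets still arrive on the wire and still cost driver and softirq time before the DROP fires, and a downed interface stops answering ARP, so once the upstream router's ARP entry expires it stops putting the traffic on the link at all, whereas a host with DROP rules keeps answering ARP and keeps receiving it.

```shell
#!/bin/sh
# Added example (not from the original post): quarantine one interface in
# the raw table, the earliest point in netfilter, while leaving a hole for a
# single management host.  Chain names, interface and the management address
# 203.0.113.10 are assumptions chosen for the example.
#
# The *_rules functions only print iptables commands; apply_rules runs them.

# Print the rules that put interface $1 into quarantine, allowing SSH
# from/to management host $2.  Everything else on the interface is dropped.
# The raw table runs before connection tracking, so "-m conntrack --ctstate
# ESTABLISHED" cannot be used here; the exception has to be address-based.
quarantine_rules() {
    iface=$1
    mgmt=$2
    cat <<EOF
iptables -t raw -N QUARANTINE_IN
iptables -t raw -A QUARANTINE_IN -s $mgmt -p tcp --dport 22 -j RETURN
iptables -t raw -A QUARANTINE_IN -j DROP
iptables -t raw -I PREROUTING 1 -i $iface -j QUARANTINE_IN
iptables -t raw -N QUARANTINE_OUT
iptables -t raw -A QUARANTINE_OUT -d $mgmt -p tcp --sport 22 -j RETURN
iptables -t raw -A QUARANTINE_OUT -j DROP
iptables -t raw -I OUTPUT 1 -o $iface -j QUARANTINE_OUT
EOF
}

# Print the rules that undo quarantine_rules for interface $1.
unquarantine_rules() {
    iface=$1
    cat <<EOF
iptables -t raw -D PREROUTING -i $iface -j QUARANTINE_IN
iptables -t raw -D OUTPUT -o $iface -j QUARANTINE_OUT
iptables -t raw -F QUARANTINE_IN
iptables -t raw -X QUARANTINE_IN
iptables -t raw -F QUARANTINE_OUT
iptables -t raw -X QUARANTINE_OUT
EOF
}

# Run each command read from stdin (root required), stopping at the first
# failure.  Usage:  quarantine_rules eth0 203.0.113.10 | apply_rules
apply_rules() {
    while IFS= read -r cmd; do
        eval "$cmd" || return 1   # input is our own generated rule text
    done
}

# Bits per second from two rx_bytes readings ($1 before, $2 after) taken
# $3 seconds apart, e.g. from /sys/class/net/eth0/statistics/rx_bytes.
bits_per_second() {
    echo $(( ($2 - $1) * 8 / $3 ))
}

# Exit 0 when rate $1 (bit/s) is at or above threshold $2 (bit/s),
# e.g. 1000000000 for 1 Gbit/s.
over_threshold() {
    [ "$1" -ge "$2" ]
}

# Sample inbound bytes on interface $1 over $2 seconds; if the rate reaches
# $4 bit/s, quarantine the interface for $3 seconds (management host $5),
# then remove the rules again.  Same rhythm as the manual ifdown/ifup,
# but SSH from the management host keeps working throughout.
watch_and_quarantine() {
    iface=$1; interval=$2; hold=$3; threshold=$4; mgmt=$5
    stats=/sys/class/net/$iface/statistics/rx_bytes
    b0=$(cat "$stats"); sleep "$interval"; b1=$(cat "$stats")
    rate=$(bits_per_second "$b0" "$b1" "$interval")
    if over_threshold "$rate" "$threshold"; then
        quarantine_rules "$iface" "$mgmt" | apply_rules
        sleep "$hold"
        unquarantine_rules "$iface" | apply_rules
    fi
}
```

quarantine_rules and unquarantine_rules only print, so the rule set can be reviewed (or diffed against `iptables -t raw -S`) before apply_rules touches anything as root. watch_and_quarantine reads the per-interface rx_bytes counter that Linux exposes under /sys/class/net; a sampling interval of a few seconds and a threshold well below the 1 Gbit/s seen in the question keep it from triggering on normal bursts. Dropping even earlier than the raw table, before the netfilter hooks run at all, would need tc ingress or XDP rather than iptables.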

If it were a DDoS it wouldn't stop because you shut the interface down. So we're making some assumptions here that don't really add up. Therefore, without a proper diagnosis of what is actually happening it's not possible to say if setting firewall rules will do the same thing as bouncing the interface. The two things are not the same. Edit your post and explain why you think it is a DDoS. What diagnostic procedures did you use to come to that conclusion? Also explain your network configuration. – Appleoddity – 2019-03-09T06:09:09.060

What @Appleoddity said. On top of that: even if you establish firewall rules that drop the packets, the packets still eat bandwidth on the wire to the interface, and CPU time to drop them. The only reasonable thing would be to ask your ISP for help. – tink – 2019-03-09T08:47:11.383

Are you sure that there is really an external attack, or is this maybe a malfunction with your router or some other device on your local network? – harrymc – 2019-03-09T17:10:22.763

No answers