Thread: Attack on server

  1. #1
    DaWe (Private, Czech Republic)
    Quote Originally Posted by Mitch
    Rate limiting via iptables might work better with that amount of traffic.

    e.g.
    Code:
    iptables -N QUERY-BLOCK
    iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP
    iptables -N QUERY-CHECK
    iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
    iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
    iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 15/second -j QUERY-BLOCK
    iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
    You could also try to only allow valid traffic, e.g.

    Code:
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP # syn flood
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP # bogus TCP flags
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 28960 -j ACCEPT
    # ACCEPT all ports (+ used protocol) you are using for incoming traffic
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # accepts traffic requested by your server
    Hello, I'm not home right now. I will test it tomorrow and let you know if it helped. Thanks

  2. #2
    Mitch (Global Mossaderator)
    Quote Originally Posted by DaWe
    Hello, I'm not home right now. I will test it tomorrow and let you know if it helped. Thanks
    You can also dump part of the traffic to a file and analyse it using Wireshark.
    Then you can find out what kind of traffic your server is flooded with.

    Code:
    tcpdump -G 60 -W 1 -i eth0 'port 28960' -w output.pcap

  3. #3
    IzNoGoD (Assadministrator)
    Quote Originally Posted by Mitch
    You can also dump part of the traffic to a file and analyse it using Wireshark.
    Then you can find out what kind of traffic your server is flooded with.

    Code:
    tcpdump -G 60 -W 1 -i eth0 'port 28960' -w output.pcap
    Does that capture UDP?
    "Does not work" is an error report for a bug between keyboard and chair.

    All hail Artie Effem

  4. #4
    Mitch (Global Mossaderator)
    Quote Originally Posted by IzNoGoD
    Does that capture UDP?
    Yes, the name is misleading.

    https://en.wikipedia.org/wiki/Tcpdump
    It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
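
    An added example, not from the thread: once tcpdump has written output.pcap (it does capture UDP, as said above), this script parses the classic pcap format offline, counts "getstatus" queries per source and second, and reports any source that exceeds the same 15/second limit the hashlimit rule in post #1 enforces. The pcap bytes are constructed inline for the demonstration; the addresses and the port 40000 source port are assumptions.

    ```python
    import struct
    from collections import Counter, defaultdict

    # Quake3-engine query: four 0xFF bytes then the command. Inside the IP packet the
    # command sits at bytes 32..41 (20 IP + 8 UDP + 4 marker): the "--from 32 --to 41" range.
    GETSTATUS = b"\xff\xff\xff\xffgetstatus"
    THRESHOLD_PER_SECOND = 15  # same limit as the hashlimit rule in the thread

    def iter_udp(pcap: bytes):
        """Yield (timestamp, src_ip, dst_port, payload) per IPv4/UDP packet in a classic pcap."""
        magic, = struct.unpack("<I", pcap[:4])
        endian = "<" if magic == 0xA1B2C3D4 else ">"   # pcap files come in either byte order
        off = 24  # skip the global header
        while off + 16 <= len(pcap):
            sec, usec, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
            frame = pcap[off + 16:off + 16 + caplen]
            off += 16 + caplen
            if len(frame) < 42 or frame[12:14] != b"\x08\x00":  # Ethernet type must be IPv4
                continue
            ip = frame[14:]
            if ip[9] != 17:  # protocol must be UDP
                continue
            udp = ip[(ip[0] & 0x0F) * 4:]  # honour the IP header length
            src = ".".join(str(b) for b in ip[12:16])
            yield sec + usec / 1e6, src, struct.unpack("!H", udp[2:4])[0], udp[8:]

    def getstatus_flooders(pcap: bytes, port: int = 28960, threshold: int = THRESHOLD_PER_SECOND):
        """Return {src_ip: peak getstatus queries in one second} for sources above the threshold."""
        per_second = defaultdict(Counter)
        for ts, src, dport, payload in iter_udp(pcap):
            if dport == port and payload.startswith(GETSTATUS):
                per_second[src][int(ts)] += 1
        peaks = {src: max(c.values()) for src, c in per_second.items()}
        return {src: n for src, n in peaks.items() if n > threshold}

    def build_pcap(packets):
        """Constructed test data: UDP packets to port 28960 from (timestamp, src_ip, payload) tuples."""
        out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # global header, linktype 1
        for ts, src, payload in packets:
            udp = struct.pack("!HHHH", 40000, 28960, 8 + len(payload), 0) + payload
            ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                             bytes(int(x) for x in src.split(".")), b"\x0a\x00\x00\x01") + udp
            frame = b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4
            out.append(struct.pack("<IIII", int(ts), int(ts % 1 * 1e6), len(frame), len(frame)) + frame)
        return b"".join(out)

    # Constructed sample: 40 queries within one second from one host, two packets from a normal client.
    SAMPLE = build_pcap([(100 + i / 50, "203.0.113.7", GETSTATUS) for i in range(40)]
                        + [(100.5, "198.51.100.2", GETSTATUS), (100.6, "198.51.100.2", b"\xff\xff\xff\xffgetinfo")])
    ```

    To run it against a real capture, read output.pcap into bytes and pass it to getstatus_flooders; the sources it returns are the ones the QUERY-BLOCK chain would have dropped.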
