How can we protect our network from DDoS attacks? Can we do this through iptables or some other firewall like Vyatta etc.?
  1. #1
    Just Joined!
    Join Date
    Apr 2008
    Posts
    15

    linux security


    How can we protect our network from DDoS attacks? Can we do this through iptables or some other firewall like Vyatta etc.?

  2. #2
    Linux Enthusiast meton_magis's Avatar
    Join Date
    Oct 2006
    Location
    arizona
    Posts
    699
    Can you be more specific? Are you currently experiencing DDoS attacks, or wanting to prevent their use?

    A DDoS attack can take many forms. You could be the target of a DDoS by a botnet repeatedly making HTTP requests, and you can't do a thing about it other than shutting off your webserver. Most attacks of this scale are usually targeting large, high profile sites (like Microsoft, Google, or SCO .... but they deserved it. )

    iptables could stop certain types of DoS attacks, but it just depends.
    New to the internet, technical forums, or the hacker / open source community??
    Read this to learn good posting habits http://www.catb.org/~esr/faqs/smart-questions.html

    RHCE for RHEL version 5
    RHCT for RHEL version 4

  3. #3
    Just Joined!
    Join Date
    Apr 2008
    Posts
    15
    Quote Originally Posted by meton_magis View Post
    Can you be more specific? Are you currently experiencing DDoS attacks, or wanting to prevent their use?

    A DDoS attack can take many forms. You could be the target of a DDoS by a botnet repeatedly making HTTP requests, and you can't do a thing about it other than shutting off your webserver. Most attacks of this scale are usually targeting large, high profile sites (like Microsoft, Google, or SCO .... but they deserved it. )

    iptables could stop certain types of DoS attacks, but it just depends.
    I am a network administrator. I want to prevent my system from such attacks.

  4. #4
    Linux Enthusiast meton_magis's Avatar
    Join Date
    Oct 2006
    Location
    arizona
    Posts
    699
    I'd say don't worry about it. A DDoS (distributed denial of service) attack is not trivial to set up. To be at risk of this, you mostly have to piss off the wrong person / group.

    I would still recommend you use a firewall to drop packets from all ports that you are not using, block all access into a system that you don't use (i.e., if you don't need to SSH to a server as root, deny it in your /etc/ssh/sshd_config; if you use a keypair for authentication, which I recommend, don't allow password authentication), and keep your software updated (use your package manager).

    There are of course more ways that people try to crack systems, but as long as you don't piss anyone off, or hold a database with credit card numbers or SSNs, you're not going to be a high profile target, and most people will give up after a brute force script fails. If you DO have sensitive data, hire someone who knows what they're doing. Saving a buck here will cost you in lawsuits later.
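    The sshd_config hardening in post #4 (deny root login over SSH, authenticate with a keypair, disallow passwords) is easy to get wrong because sshd honours only the first occurrence of a keyword and anything under a Match line is conditional. The following is an added example, not code from any poster or from OpenSSH: a small Python audit that reads an sshd_config and reports which of those three settings deviate from the recommended value. The sample config is constructed, and the defaults it assumes for absent keywords are those of OpenSSH 7.0 and later.

```python
"""Audit an sshd_config against the hardening advice in post #4.

Added example, not part of the thread. sshd honours the FIRST occurrence of
a keyword (later duplicates are ignored), keyword names are case-insensitive,
and everything after a 'Match' line is conditional, so the global audit stops
there. Defaults are those of OpenSSH 7.0 and later.
"""
import re
from typing import Dict, List, Tuple

# Value the thread recommends for each keyword. Note that the OpenSSH default
# 'prohibit-password' still allows key-based root logins; the post says deny it.
WANTED: Dict[str, str] = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}

# What sshd assumes when the keyword is absent (OpenSSH 7.0+).
DEFAULTS: Dict[str, str] = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Constructed sample: a commented-out line, a duplicate that sshd ignores,
# and a Match block whose settings must not count as global.
SAMPLE_CONFIG = """\
#PermitRootLogin prohibit-password
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global settings, lower-cased; first occurrence wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts 'Key val' and 'Key=val'
        key = parts[0].lower()
        if key == "match":
            break  # everything below is conditional, not global
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # keep the first occurrence only
    return settings


def audit(text: str) -> List[Tuple[str, str, str]]:
    """List (keyword, effective value, recommended value) for every deviation."""
    settings = parse_sshd_config(text)
    findings: List[Tuple[str, str, str]] = []
    for key, wanted in WANTED.items():
        effective = settings.get(key, DEFAULTS[key])
        if effective != wanted:
            findings.append((key, effective, wanted))
    return findings


if __name__ == "__main__":
    for key, effective, wanted in audit(SAMPLE_CONFIG):
        print(f"{key}: is '{effective}', recommended '{wanted}'")
```

    Run against the sample it reports PermitRootLogin as 'yes' (the commented line is skipped and the later 'no' is ignored, exactly as sshd would behave) and PasswordAuthentication as 'yes', while the 'no' inside the Match block correctly does not count. After editing the real file, `sshd -t` checks the syntax before you restart the daemon.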

  5. #5
    Just Joined! DT0X's Avatar
    Join Date
    Nov 2008
    Location
    Southwest UK
    Posts
    31
    Not entirely sure what some of the above posts are about, but to answer your question, iftikhar, you could use a utility like "fail2ban" to block requests from specific IPs on the fly if they make too many HTTP / SSH / other protocol requests within a predetermined timeframe.

    It will analyse log files etc. and modify your firewall (netfilter/iptables) rules interactively to block people for a set timeout period; it's very useful.

    For more info: fail2ban.org

  6. #6
    Linux Enthusiast meton_magis's Avatar
    Join Date
    Oct 2006
    Location
    arizona
    Posts
    699
    Quote Originally Posted by DT0X View Post
    Not entirely sure what some of the above posts are about, but to answer your question, iftikhar, you could use a utility like "fail2ban" to block requests from specific IPs on the fly if they make too many HTTP / SSH / other protocol requests within a predetermined timeframe.

    It will analyse log files etc. and modify your firewall (netfilter/iptables) rules interactively to block people for a set timeout period; it's very useful.

    For more info: fail2ban.org
    that is a brute force attack, not a DDoS

  7. #7
    Just Joined! DT0X's Avatar
    Join Date
    Nov 2008
    Location
    Southwest UK
    Posts
    31
    that is a brute force attack, not a DDoS
    And this is an irrelevant statement that still isn't helping towards solving his problem - fail2ban is a step in the right direction - if you're receiving multiple queries from the botnet or a close packed range of IPs (like what happens in a DDoS attack) then it will help you out.

    Another method is to write your own script to monitor your httpd processes and log files and alert you of suspicious behaviour - if you start seeing a heavy load, get on the system and start sorting things out (or have some automated process to do it for you - say other scripts to kill off httpd processes)

    There are plenty of linux guides out there for that sort of thing ^

  8. #8
    Just Joined!
    Join Date
    Apr 2008
    Posts
    15
    I work in an online university and we have more than 70,000 students online. We cannot stop the HTTP requests of our students, so how do we differentiate an attack from normal requests?

  9. #9
    Just Joined! DT0X's Avatar
    Join Date
    Nov 2008
    Location
    Southwest UK
    Posts
    31
    You tweak the rules - you can set all the requests coming from within your trusted IP range (i.e. the IP range of your uni / other trusted connections such as VPN) to not be filtered by your rules.

    Also have a look at DNS blacklists and botnet blacklists as people you can definitively ban.

    Another more extreme approach is that if you know all the traffic to your webservers / other services is going to originate in, for example, the UK and US, then you could block all traffic coming from other geographic locations, thus ruling out the chance of being DoS'd from botnets originating in other countries. It's not a fix-all but it can help to narrow down your problems - but then you are denying legitimate users from other countries access to your services; every silver lining has a cloud!
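    Posts #5, #7 and #9 together describe one mechanism: watch the web server's log, count requests per client over a time window, exempt your own trusted ranges, and ban whoever exceeds the threshold for a while. The following is an added example written for this thread, not fail2ban's code and not from any poster, showing that logic in Python with a sliding window per IP and a trusted-range whitelist. The log lines are constructed, the trusted networks (192.0.2.0/24 for the university, 198.51.100.0/24 for its VPN) are placeholder documentation ranges, and the iptables commands are returned as strings, not executed.

```python
"""Flag request floods in a web-server access log, skipping trusted ranges.

Added example joining posts #5, #7 and #9; it is not fail2ban's code. The log
lines are constructed, the trusted ranges are assumptions, and the iptables
commands are only returned as strings, never executed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Apache/nginx "combined" style: client IP first, timestamp in brackets.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3}')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Post #9: the university's own block and its VPN pool are never filtered.
# Both are documentation ranges used here as placeholders.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24"),
           ipaddress.ip_network("198.51.100.0/24")]

# Constructed log: a trusted student (exempt), a client whose old hit must
# expire from the window, a flooding client, a normal visitor, and junk.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2008:13:55:00 +0000] "GET /quiz/1 HTTP/1.1" 200 1024
192.0.2.10 - - [10/Oct/2008:13:55:00 +0000] "GET /quiz/2 HTTP/1.1" 200 1024
192.0.2.10 - - [10/Oct/2008:13:55:01 +0000] "GET /quiz/3 HTTP/1.1" 200 1024
192.0.2.10 - - [10/Oct/2008:13:55:01 +0000] "GET /quiz/4 HTTP/1.1" 200 1024
192.0.2.10 - - [10/Oct/2008:13:55:02 +0000] "GET /quiz/5 HTTP/1.1" 200 1024
192.0.2.10 - - [10/Oct/2008:13:55:02 +0000] "GET /quiz/6 HTTP/1.1" 200 1024
203.0.113.9 - - [10/Oct/2008:13:54:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2008:13:55:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2008:13:55:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2008:13:55:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2008:13:55:03 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2008:13:55:04 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2008:13:55:00 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2008:13:55:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2008:13:55:02 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2008:13:55:03 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2008:13:55:04 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2008:13:55:05 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.200 - - [10/Oct/2008:13:55:02 +0000] "GET /about HTTP/1.1" 200 2048
203.0.113.200 - - [10/Oct/2008:13:55:09 +0000] "GET /contact HTTP/1.1" 200 2048
this line is not a log entry
"""


def is_trusted(ip: str) -> bool:
    """True when the client falls inside a whitelisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def parse_line(line: str) -> Optional[Tuple[str, datetime]]:
    """Extract (client IP, timestamp); None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TIME_FMT)


def find_offenders(lines: Iterable[str], window_s: int = 10,
                   max_requests: int = 5) -> Dict[str, int]:
    """Map each untrusted IP that made more than max_requests within any
    window_s-second span to the largest count seen. Lines are assumed to be
    in time order, as a live access log is."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peak: Dict[str, int] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or truncated line: skip, do not crash
        ip, ts = parsed
        if is_trusted(ip):
            continue  # whitelisted range, never counted
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window_s:
            hits.popleft()  # expire hits that fell out of the window
        if len(hits) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(hits))
    return peak


def ban_rules(offenders: Dict[str, int], chain: str = "INPUT") -> List[str]:
    """Firewall commands of the kind fail2ban's actions run, returned as text."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG.splitlines())
    for ip, count in offenders.items():
        print(f"{ip}: {count} requests inside the window")
    print("\n".join(ban_rules(offenders)))
```

    With the defaults (more than 5 requests in 10 seconds) only 203.0.113.7 is flagged: the trusted student at 192.0.2.10 is skipped even though it is the busiest client, and 203.0.113.9 stays under the limit because its hit from a minute earlier has expired from the window. The threshold is the part you tune for a site with 70,000 users, and it is also where fail2ban's ignoreip setting corresponds to the TRUSTED list here; a production version would add a timeout that removes the rule again, as fail2ban does.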

  10. #10
    Just Joined!
    Join Date
    Apr 2008
    Posts
    15
    In fact we are a distance learning university and our students are spread across many countries. Other than this, other people can also visit our web site for information, and students visit the web site for their assignments, quizzes, etc. Please guide me in this scenario: how can we protect our web servers? Thanks.
