  1. #1 (Just Joined!, joined Jun 2012, 2 posts)

    DDoS Attack Help (incl. PCAP file)


    Hello guys,

    I really need help with my dedicated Debian server (not a web server).

    We're experiencing a DDoS attack which overloads our RAM and CPU and eventually crashes the server.

    I made a PCAP file during the attack with tcpdump. I uploaded it here because the extension isn't allowed on these forums: mediafire.com/?g6xuahe36svvf85

    Also, here are my iptables rules. Can anyone help me defend against the attack, or at least tell me what kind of attack it is?

    Thanks guys.


    IPTABLES:

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -p udp -f -j DROP
    -A INPUT -p icmp -j DROP
    -A INPUT -p tcp --syn --dport 3724 -m connlimit --connlimit-above 3 -j DROP
    -A INPUT -p tcp --syn --dport 8085 -m connlimit --connlimit-above 3 -j DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    #-A INPUT -p tcp -m tcp --dport 3724 -j DROP
    -A INPUT -p tcp -m tcp --dport 3724 -m limit --limit 500/min --limit-burst 750 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8085 -m limit --limit 500/min --limit-burst 750 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 58026 -j ACCEPT
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    -A INPUT -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -j REJECT --reject-with icmp-port-unreachable
    -A OUTPUT -j ACCEPT
    COMMIT
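The poster's real question is what the capture shows. As an added example (not code from the thread, and not run against the poster's uploaded file), the following dependency-free Python parses a classic little-endian libpcap file with Ethernet framing and tallies, per source address, TCP segments with SYN set and ACK clear (half-open connection attempts), UDP datagrams and IP fragments. That per-source breakdown is the first cut a defender makes before deciding which sources to null-route or report to the ISP. The packets it triages are constructed inline, and the threshold of 100 packets per source is an arbitrary demo value.

```python
"""Triage a classic pcap capture for SYN-flood, UDP-flood and fragment patterns.

Added example, not from the thread. Handles little-endian classic pcap with
Ethernet link type only; all sample packets below are constructed.
"""
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_P_IP = 0x0800
TCP_SYN, TCP_ACK = 0x02, 0x10
IP_MF, IP_OFFSET_MASK = 0x2000, 0x1FFF


def build_frame(src_ip, dst_ip, proto, flags=0, frag=0, sport=40000, dport=3724):
    """Constructed Ethernet/IPv4/(TCP|UDP) frame; checksums deliberately left zero."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    if proto == 6:   # TCP: 20-byte header, data offset 5
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    else:            # UDP: 8-byte header, no payload
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + l4


def build_pcap(frames):
    """Wrap frames in a pcap global header plus per-record headers (constructed)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(data):
    """Yield captured frames from a classic pcap byte string."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap is handled here")
    if struct.unpack("<I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def triage(data):
    """Per-source counters for the traffic classes a flood usually shows."""
    stats = {"syn_only": Counter(), "udp": Counter(), "fragments": Counter()}
    for frame in iter_frames(data):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        frag = struct.unpack("!H", ip[6:8])[0]
        src = ".".join(str(b) for b in ip[12:16])
        if frag & (IP_MF | IP_OFFSET_MASK):
            stats["fragments"][src] += 1
            if frag & IP_OFFSET_MASK:
                continue            # non-first fragments carry no L4 header
        l4 = ip[ihl:]
        if proto == 6 and len(l4) >= 14:
            flags = l4[13]
            if flags & TCP_SYN and not flags & TCP_ACK:
                stats["syn_only"][src] += 1
        elif proto == 17:
            stats["udp"][src] += 1
    return stats


def classify(stats, threshold=100):
    """Name dominant sources; the per-source threshold is an arbitrary demo value."""
    verdicts = []
    for src, n in stats["syn_only"].most_common(3):
        if n >= threshold:
            verdicts.append(f"SYN flood from {src} ({n} half-open attempts)")
    for src, n in stats["udp"].most_common(3):
        if n >= threshold:
            verdicts.append(f"UDP flood from {src} ({n} datagrams)")
    return verdicts or ["no single source exceeds the threshold"]


def sample_capture():
    """Constructed capture: one SYN-flooding source plus a benign client."""
    frames = [build_frame("198.51.100.7", "203.0.113.5", 6, flags=TCP_SYN) for _ in range(150)]
    frames.append(build_frame("192.0.2.9", "203.0.113.5", 6, flags=TCP_SYN | TCP_ACK))  # not SYN-only
    frames += [build_frame("192.0.2.9", "203.0.113.5", 17, dport=8085) for _ in range(5)]
    frames.append(build_frame("192.0.2.9", "203.0.113.5", 17, frag=IP_MF))   # first fragment
    frames.append(build_frame("192.0.2.9", "203.0.113.5", 17, frag=1))       # later fragment
    return build_pcap(frames)


if __name__ == "__main__":
    for line in classify(triage(sample_capture())):
        print(line)
```

On a real file the call is `classify(triage(open("capture.pcap", "rb").read()))`; captures written by newer tcpdump in pcapng format, or with a non-Ethernet link type, are rejected by the magic/link-type checks rather than silently miscounted. The SYN-without-ACK count is what distinguishes a half-open (SYN) flood from a large number of completed sessions, which is the distinction that decides whether per-source SYN limits or connection caps are the right control.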

  2. #2 (Linux Engineer, joined Apr 2012, Virginia, USA, 899 posts)
    Open a ticket with your ISP/host and inform them. Not much you can do if you don't have a firewall.

  3. #3 (Just Joined!, joined Jun 2012, 2 posts)
    Well, they say we have to null-route traffic or send them the IPs of people that send us bad traffic.

    Therefore I posted the file. I also have a firewall installed, APF Firewall.
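The ruleset posted in #1 does have a firewall in place, but its shape works against it under a flood: the per-port connlimit rules run before the loopback and RELATED,ESTABLISHED accepts, the `-m limit` allowances are global rather than per source (one flooding address drains the token bucket and legitimate players on 3724/8085 are then rejected too), MySQL on 3306 is open to every source on eth0, and the chain ends in REJECT, which sends a reply for every flood packet. As an added example (not the thread's rules and not APF's generated output), the same policy rewritten in iptables-restore format with the cheap accepts first, per-source hashlimit and connlimit on the game ports, a `recent`-based brute-force slowdown on the SSH port, and a final DROP. The 192.0.2.0/24 MySQL client network and every rate value are placeholders to be tuned against the actual traffic.

```iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Cheap, unconditional decisions first so flood packets traverse as few rules as possible
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -f -j DROP
-A INPUT -d 127.0.0.0/8 ! -i lo -j DROP
# ICMP errors for existing flows were already accepted as RELATED above
-A INPUT -p icmp -j DROP
# Game-server ports (3724, 8085): per-source SYN rate (hashlimit) instead of a global -m limit,
# then a per-source cap on concurrent sessions; rates are placeholder values
-A INPUT -p tcp --syn -m multiport --dports 3724,8085 -m connlimit --connlimit-above 3 --connlimit-mask 32 -j DROP
-A INPUT -p tcp --syn -m multiport --dports 3724,8085 -m hashlimit --hashlimit 20/sec --hashlimit-burst 40 --hashlimit-mode srcip --hashlimit-name gamesyn -j ACCEPT
-A INPUT -p tcp --syn -m multiport --dports 3724,8085 -j DROP
# MySQL only from the hosts that need it (192.0.2.0/24 is a placeholder network)
-A INPUT -p tcp -m state --state NEW --dport 3306 -s 192.0.2.0/24 -j ACCEPT
# SSH on the custom port: more than 5 new connections per source per minute are dropped
-A INPUT -p tcp -m state --state NEW --dport 58026 -m recent --set --name ssh
-A INPUT -p tcp -m state --state NEW --dport 58026 -m recent --update --seconds 60 --hitcount 6 --name ssh -j DROP
-A INPUT -p tcp -m state --state NEW --dport 58026 -j ACCEPT
# Log a sample, then DROP rather than REJECT: no reply packet is generated per flood packet
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
```

Load it with `iptables-restore < rules.v4` after checking the hashlimit, connlimit, multiport and recent modules are available on the kernel in use, and keep the `iptables denied:` log prefix, since the logged source addresses are exactly what the host wants for its null routes. A rate-limit-only ruleset still spends CPU on every packet that reaches the NIC; when the volume alone saturates the link, upstream null-routing by the ISP, which #2 suggests, is the only effective control.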
