#1 (Just Joined!, Join Date: Aug 2012, Posts: 5)

    How to block flooding?


    During the last 4 days, my machine has been under flooding. Today I installed ntop. I made a screenshot (in attachments).
    Right now I have 8 pages of that. A few hours ago there were 16 pages.
    They are attacking the machine on random ports. I block UDP traffic on those ports, but they keep attacking. Sometimes those attacks increase ping. How to block them forever? Until now I have banned over 800,000 IPs.
    Machine info:
    Debian 6.0.4
    iptables
    Using for game hosting.

    Thanks in advance!
    Sorry for my bad English.

#2 (Linux Newbie, Join Date: Jun 2012, Location: SF Bay area, Posts: 162)
    If I read that right, you're currently running a config that's blocking 800,000 IP addresses, and whoever is attacking your system is just moving to new IP space and continues to harass you? I think you might need to flip your access control model from "allow all, except these 800,000+ IPs" to something like "deny all, except for this list of whitelisted IPs" instead. It's a pain of course, since you'll need people that want to use your system to register first and get added to your whitelist. And even then you'll probably find some IP blocks which are dynamically used by ISPs which you'll add and then have to back out.

    But if the people really are able to attack your system from that many origin IP's (or at least fake it), then it might be worth the pain.

    Also, I'd recommend moving the IP filtering from the server to the networking gear in front of it. I think it's preferable to block the garbage as close to the edge of your network as possible.

#3 (Just Joined!, Join Date: Aug 2012, Posts: 5)
    I have banned over 800,000 IPs, but new ones keep flooding. How do I set up an automatic ban for them, and how do I find out which port they are flooding?
    I am only able to access my machine via the internet; I can't walk to the her.

#4 Quantum (Just Joined!, Join Date: Jun 2009, Location: Seattle, Ecotopia, Posts: 22)
    Quote Originally Posted by AngelDeaD:
    I am only able to access my machine via internet, i can't walk to the her.
    This sentence doesn't make sense.

    Someone is going to a lot of trouble for you. The whole point of a good DDoS is that there are so many source IPs involved that it's impossible to block them easily. You could try blocking net blocks - e.g. a /24 for every IP you see - but if the traffic comes from (say) a residential ISP it means you end up blocking legitimate users from that ISP.

    The other issue if it's UDP traffic is that the source addresses are probably spoofed anyway. It depends on the network infrastructure at the attacking end, but it's often easy to send traffic with spoofed source addresses. Even if the site admin's gateway routers are configured to drop "out of subnet" traffic (as mine are), that still gives the attacker a block to use - hence the suggestion to drop netblocks rather than individual IPs. If neither the site admin nor their ISP apply any source filtering, then in effect the attacker has the full IPv4 address range to throw at you.

    I've read articles about the effect this has on high profile sites - especially bookmakers' sites. According to the article I read a while ago, they can expect a DDoS attack shortly before a big event followed by an extortion demand - ie "this is what we can do, give us <some large amount of cash> or we take you down in the run up to <large sports event>". It avoided details, but the article went on to say they've developed ways of dealing with it - which I suspect involve a lot of available bandwidth, a lot of server capacity, and automated systems to detect 'non-human' access patterns and block the source addresses.

    And of course, whatever you do at your site - you've already had the traffic using up your inbound bandwidth. That can only be avoided with assistance from your upstream ISP - ie it means filtering before the traffic comes down your access pipe.
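Quantum's suggestion above, dropping whole netblocks instead of chasing single addresses, can be scripted so that a /24 is only blocked once enough distinct sources from it have been seen, which limits the collateral damage to a residential ISP's users that Quantum warns about. The script below is an added example and is not code posted by anyone in this thread: it reads a constructed list of source addresses (the kind of host list ntop shows), groups them by /24 with a hit count, keeps the blocks at or above a threshold, and prints iptables DROP rules for review rather than executing them. The function names, the threshold and the sample addresses (documentation ranges) are my own assumptions.

```shell
#!/bin/sh
# Constructed sample of flood source addresses, one per line, as one might
# copy out of ntop's host table. These addresses are made up for the example.
SAMPLE_SOURCES='203.0.113.10
203.0.113.11
203.0.113.12
203.0.113.200
198.51.100.5
198.51.100.9
192.0.2.77'

# aggregate_24 reads IPv4 addresses on stdin and prints "count a.b.c.0/24"
# for each /24 block, most-hit block first.
aggregate_24() {
    awk -F. 'NF == 4 { n[$1 "." $2 "." $3 ".0/24"]++ }
             END { for (b in n) printf "%d %s\n", n[b], b }' |
    sort -rn
}

# blocks_over_threshold prints only the /24 prefixes that contributed at
# least $1 distinct source lines, one prefix per line. A single stray
# address in a block is therefore not enough to get the whole block dropped.
blocks_over_threshold() {
    min="$1"
    aggregate_24 | awk -v min="$min" '$1 >= min { print $2 }'
}

# emit_drop_rules turns prefixes on stdin into iptables commands. Nothing is
# executed here: inspect the output, then run it (or load it with ipset) once
# you are satisfied no legitimate player block is on the list.
emit_drop_rules() {
    while read -r prefix; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$prefix"
    done
}

# Usage (prints the rules for blocks with 3 or more observed sources):
#   printf '%s\n' "$SAMPLE_SOURCES" | blocks_over_threshold 3 | emit_drop_rules
```

With the sample data only 203.0.113.0/24 (four sources) passes a threshold of 3; the two addresses from 198.51.100.0/24 and the single one from 192.0.2.0/24 stay unblocked. As Quantum notes, if the source addresses are spoofed this only shrinks the list you maintain, it does not reduce the traffic arriving on your link.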

#5 (Just Joined!, Join Date: Aug 2012, Posts: 5)
    @Quantum - It means I don't have that computer at my home; it's a dedicated machine in a datacenter, far away from my home.
    I blocked a few more IPs (not over 50) and it stopped. I will try to set up apf.

    Thank you both.

#6 Lazydog (Linux Guru, Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677)
    Instead of trying to block these manually, why not automate it and use Fail2ban?

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285

#7 (Just Joined!, Join Date: Aug 2012, Posts: 5)
    @Lazydog
    I think it's not possible. It's a game hosting machine; there are players who are non-stop sending requests.

    Anyway /var/log/apache2/error.log is empty.

#8 Quantum (Just Joined!, Join Date: Jun 2009, Location: Seattle, Ecotopia, Posts: 22)
    Quote Originally Posted by Lazydog:
    Instead of trying to block these manually, why not automate it and use Fail2ban?
    Well; if the attacker is using an unlimited number of IPs, AngelDeaD could fail2ban a million, and they would still keep coming.

    Please re-read my prior post. And look up LOIC.

#9 Lazydog (Linux Guru, Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677)
    Quote Originally Posted by AngelDeaD:
    @Lazydog
    I think it's not possible. It's a game hosting machine; there are players who are non-stop sending requests.

    Anyway /var/log/apache2/error.log is empty.
    It is possible if you set up your firewall correctly. Besides, fail2ban doesn't look at your error.log to determine what IPs to block.


    Quote Originally Posted by Quantum:
    Well; if the attacker is using an unlimited number of IPs, AngelDeaD could fail2ban a million, and they would still keep coming.

    Please re-read my prior post. And look up LOIC.
    You are correct. There is no really good answer to the problem, only steps one can take and hope that it goes away. There are many ways to block someone's site. The best is to tie up the available bandwidth, which seems to be the issue here. As you state, it is impossible to block them as they just change the IP address and keep on coming. Thus your suggestion to have the ISP block them is not going to help either, as they are not going to block millions of IP addresses.

    @AngelDeaD

    I would suggest telling your gamers that you are taking the system offline. Then take it offline and wait about a week. Once offline, ask your ISP for a new IP address. Check your logs to see who hasn't played in a while, as one of them might be your attacker. You might have made them mad at you somehow, thus the attack. When you bring the system up again you should not see the attack. Then start allowing groups of people back on the system. If the attacks don't start again you are good, but word could always get back to the person who is running the attacks and he could start again.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285

#10 Quantum (Just Joined!, Join Date: Jun 2009, Location: Seattle, Ecotopia, Posts: 22)
    Or; you could drop all incoming UDP except what you absolutely need. Tough to ask an ISP to do that, but he may have an advanced router that can do it another way.
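Post #2's "deny all, except a whitelist" model and Quantum's "drop all incoming UDP except what you absolutely need" both come down to a default-deny iptables policy on the host. The script below is an added example and not a configuration posted by anyone in this thread: it prints a ruleset in iptables-restore(8) format in which INPUT defaults to DROP, SSH is reachable only from a whitelist of admin addresses, each game UDP port is accepted only up to a per-source packet rate, and every other inbound UDP datagram is dropped and logged in small bursts. The ports (27015, 27016), the admin addresses, the rate cap (50 packets/s, burst 100) and the function names are my own assumptions for the example; conntrack, hashlimit, limit and LOG are standard iptables match/target extensions.

```shell
#!/bin/sh
# Constructed inputs (made up for the example): the UDP ports the game
# servers actually listen on, and the addresses from which the admin must
# always be able to reach SSH.
GAME_UDP_PORTS="27015 27016"
ADMIN_SSH_SOURCES="203.0.113.5 198.51.100.20"

# build_ruleset prints a complete filter-table ruleset for iptables-restore.
# Order matters: loopback and already-established flows first, then the
# narrow allow rules, then the catch-all UDP drop.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # Management access follows the whitelist model: only listed sources.
    for src in $ADMIN_SSH_SOURCES; do
        printf '%s\n' "-A INPUT -p tcp -s $src --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Game ports: a source sending above the cap is dropped, the rest accepted.
    # The cap values are assumptions; tune them to the real per-client rate.
    for port in $GAME_UDP_PORTS; do
        printf '%s\n' "-A INPUT -p udp --dport $port -m hashlimit --hashlimit-name game$port --hashlimit-mode srcip --hashlimit-above 50/sec --hashlimit-burst 100 -j DROP"
        printf '%s\n' "-A INPUT -p udp --dport $port -j ACCEPT"
    done
    # Everything else on UDP is dropped; a few log lines per minute show
    # which ports are being flooded without filling the disk.
    cat <<'EOF'
-A INPUT -p udp -m limit --limit 5/min -j LOG --log-prefix "UDP-DROP: "
-A INPUT -p udp -j DROP
COMMIT
EOF
}

# count_rules is a small sanity check on the generated ruleset.
count_rules() {
    build_ruleset | grep -c '^-A INPUT'
}

# Usage:
#   build_ruleset > /etc/iptables.rules
#   iptables-restore < /etc/iptables.rules
```

Review the output before loading it, and load it from the console or a session you can recover if you lock yourself out of SSH. As Quantum and Lazydog both point out, this only stops the host from spending CPU on the junk; if the flood is large enough to fill the inbound link, filtering has to happen upstream.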
