Join Log in
Score:-1
Hermenegildo Gonzalez avatar Server

DDOS Attack to http server and iptables doesn't help (i have access_log)

in flag
Hermenegildo Gonzalez

Im under a DDOS attack that target http server, i try iptables and other measures but nothing seems to work. Here is part of access_log:

https://pastebin.com/6JFKmUi8

Lot of connections but iptables won't stop the attack, there is my iptables rules:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 147.135.37.113 -j ACCEPT

iptables -A INPUT -f -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

iptables -N LOG_AND_DROP

iptables -N PORT21
iptables -A PORT21 -m recent --set --name lp21
iptables -A PORT21 -m recent --update --seconds 30 --hitcount 3 --name lp21 -j DROP
iptables -A PORT21 -m recent --update --seconds 300 --hitcount 10 --name lp21 -j LOG_AND_DROP

iptables -N PORT22
iptables -A PORT22 -m recent --set --name lp22
iptables -A PORT22 -m recent --update --seconds 30 --hitcount 3 --name lp22 -j DROP
iptables -A PORT22 -m recent --update --seconds 300 --hitcount 10 --name lp22 -j LOG_AND_DROP

iptables -N PORT80
iptables -A PORT80 -m recent --set --name lp80
iptables -A PORT80 -m recent --update --seconds 30 --hitcount 20 --name lp80 -j LOG_AND_DROP

iptables -N PORT443
iptables -A PORT443 -m recent --set --name lp433
iptables -A PORT443 -m recent --update --seconds 30 --hitcount 20 --name lp443 -j LOG_AND_DROP

iptables -N PORT10000
iptables -A PORT10000 -m recent --set --name lp10000
iptables -A PORT10000 -m recent --update --seconds 30 --hitcount 20 --name lp10000 -j LOG_AND_DROP

iptables -N PORT6900
iptables -A PORT6900 -m recent --set --name lp6900
iptables -A PORT6900 -m recent --update --seconds 30 --hitcount 10 --name lp6900 -j LOG_AND_DROP
iptables -A PORT6900 -m recent --update --seconds 50 --hitcount 20 --name lp6900 -j LOG_AND_DROP

iptables -N PORT6121
iptables -A PORT6121 -m recent --set --name lp6121
iptables -A PORT6121 -m recent --update --seconds 30 --hitcount 10 --name lp6121 -j LOG_AND_DROP
iptables -A PORT6121 -m recent --update --seconds 50 --hitcount 20 --name lp6121 -j LOG_AND_DROP

iptables -N PORT5121
iptables -A PORT5121 -m recent --set --name lp5121
iptables -A PORT5121 -m recent --update --seconds 30 --hitcount 10 --name lp5121 -j LOG_AND_DROP
iptables -A PORT5121 -m recent --update --seconds 50 --hitcount 20 --name lp5121 -j LOG_AND_DROP

iptables -A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name pings --hashlimit-mode srcip --hashlimit 10/min --hashlimit-burst 10 --hashlimit-htable-expire 30000 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/min -j LOG --log-prefix "[Pings]"
iptables -A INPUT -p icmp -j DROP

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j PORT21
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j PORT22
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j PORT80
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j PORT443
iptables -A INPUT -p tcp --dport 10000 -m state --state NEW -j PORT10000

iptables -A INPUT -p tcp --dport 6900 -m state --state NEW -j PORT6900
iptables -A INPUT -p tcp --dport 6121 -m state --state NEW -j PORT6121
iptables -A INPUT -p tcp --dport 5121 -m state --state NEW -j PORT5121

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-name p80 --hashlimit-mode srcip --hashlimit 50/min --hashlimit-burst 100 --hashlimit-htable-expire 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m hashlimit --hashlimit-name p443 --hashlimit-mode srcip --hashlimit 50/min --hashlimit-burst 100 --hashlimit-htable-expire 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -m hashlimit --hashlimit-name p10000 --hashlimit-mode srcip --hashlimit 50/min --hashlimit-burst 100 --hashlimit-htable-expire 10000 -j ACCEPT

iptables -A INPUT -p tcp --dport 6900 -j ACCEPT
iptables -A INPUT -p tcp --dport 6121 -j ACCEPT
iptables -A INPUT -p tcp --dport 5121 -j ACCEPT

iptables -A LOG_AND_DROP -m limit --limit 10/min -j LOG --log-prefix "[Log]"
iptables -A LOG_AND_DROP -j DROP

#iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "[Default]"
iptables -A INPUT -d 147.135.37.113 -j DROP

Any advice will be welcomed. I try everything but nothing works.

275
3 + 0
Score:1
t3ln3t avatar Server
in flag
t3ln3t

Talk to your provider (looks like OVH) about their anti-ddos protections on your system. Not all, but most of the reputable providers have ways they can help you with this. Aside from that, you might consider doing a fancy fail2ban rule that watches your web server logs for any client hitting that foro url and just automagically adding a IPTables rule for them. Aside from that, you can put something there ... perhaps a very small 1 byte file? Or put your webserver behind something like cloudflare or some other CDN service. Most of that traffic can be dealt with a handful of ways and it shouldn't put that much stress on your server or on you. Watch out for logfiles filling up your filesystem though! That can create a whole other problem that nobody wants.

check out this for more information on using fail2ban to protect apache from DoS attacks: https://apache.tutorials24x7.com/blog/protect-apache-from-brute-force-and-ddos-attacks-using-fail2ban

0 + 4
Nikita Kipriyanov avatar
za flag
Nikita Kipriyanov
I tried to use fail2ban to mitigate DDoS attack. It is unusable for this. For example, when you start/stop or reload it (which you will do often for DDoS), it first *unbans* everybody, and then bans again afterwards. This process takes around a hour in case you have 20000+ addresses banned, not very promising! Actually fail2ban is quite low quality software, despite its popularity, even for the problem it is designed to solve.
0
Reply
t3ln3t avatar
in flag
t3ln3t
If you have 20,000+ addresses in your ban lists, fail2ban is not an appropriate solution! You need a hardware solution that does this. CiscoGuard or whatever they replaced that product with. Most UNIX/Linux software starts to hiccup when you have that number of text entries in lists. Postfix and sendmail moved to compiled DBs and hashes 20 years ago because text files couldn't be parsed quickly.
0
Reply
Nikita Kipriyanov avatar
za flag
Nikita Kipriyanov
No, dedicated hardware is not needed. Remember, any "dedicated hardware" like that is nothing more than grossly overpriced ancient silicon running some clever software. If you manage to run such software on the same computer, that'll work fine. For example, if you are going to block something using linux netfilter, use ipset (which uses bitmaps or hashes, i.e. a "software CAM") , and the main problem is how to fill ipset. fail2ban hardly can help. The problem is, if you have "exhaustive" DDoS, you certainly *will* have 20000+ addresses to ban, so fail2ban won't help with such DDoS.
0
Reply
Hermenegildo Gonzalez avatar
in flag
Hermenegildo Gonzalez
Thanks. I will try fail2ban, and yes Cloudflare help. The http logs are disabled while the attack continues.
0
Reply
Score:0
Limalski avatar Server
id flag
Limalski

Couple of things comes to my mind:

  1. You could use string-match with iptables:

iptables -A INPUT -m string --algo bm --string "GET /foro" -j DROP

or if possible in your system, with TARPIT

iptables -A INPUT -m string --algo bm --string "GET /foro" -j TARPIT

  1. Instead of using fail2ban, make your own script which scans for logs last 1000 lines for example and blocks matches with ipsets. Add this to your iptables script:
  • ipset destroy toilet
  • ipset -N toilet iphash
  • ipset flush toilet

Then use your script to add ip addresses which you want to block to text file. Eventually you just need to loop all the ip addresses to that toilet-list.

  • ipset -A toilet "$ipaddress"

Using ipset and especially masks are much more efficient way than blocking ip addresses. I have around 20 000 addresses blocked and around 200 networks.

You might get some ideas of my very very messy script. https://pastebin.com/4v5se0kh

I know it is messy, but it works for me much faster and is much easier than fail2ban. I named that script suc2ban. You just need to find your own matches for your logfile (you probably have apache access.log, instead of my example which uses auth.log).

0 + 0
Score:0
Hermenegildo Gonzalez avatar Server
in flag
Hermenegildo Gonzalez

The problem solved with this simple iptables (maybe the other rules were too messy)

iptables -A INPUT -i eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eno1 -m state --state INVALID -j DROP
iptables -A INPUT -i eno1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eno1 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eno1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eno1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eno1 -p icmp -j ACCEPT
iptables -A INPUT -i eno1 -j DROP

The attacks keep coming but don't colapse the server.

0 + 1
exeral avatar
lk flag
exeral
per your logs, the DDOS seems unwanted http(s) requests. I don't understand how these rules which also allow http(s) would mitigate the attack. but you problem is solved, it's the more important !
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.