Linux.com

Home Linux Community Forums Linux Distributions Red Hat Help me. My server is attacked DDoS

Help me. My server is attacked DDoS

Link to this post 28 Nov 09

I want to write a Script, it use to ati DDoS but i'm a newbie i can't do it.
I have a log file http://www.mediafire.com/?yz2njlm0kzj . I want to read a DDos's IP address from log file, after that i want to add that IP to Firewall . I can do it by handicraft but i want a script, it can autorun every 5 min on my server.

Thank .

Link to this post 29 Nov 09

Distributed Denial of Service attacks are hard to subvert because they are meant to tie up your system with answering unnecessary requests and they are meant to flood your internet connection effectively limiting outside communications. Now depending on the protocol, port and service that is attacked you can modify your firewall to drop the packets which will lower the stress on your system but it won't help with your internet connection.

Now by looking at your log it appears they these are not traditional DDOS attacks, it is only various systems trying to utilize your proxy server. The simplest way would be to find out the port used for your proxy and set the traffic to allow only your trusted ip addresses, then drop all other traffic on that port.

I wrote a quick script below that will allow you to view the unique ip addresses from your log.

cat Log_dos.txt|grep IP=|cut -d "=" -f 5|cut -d " " -f 1|sort|uniq

Link to this post 30 Nov 09

You wrote command, but it only have IP from log file. Can you help to add DDos's IP to iptable file for me ?

Link to this post 30 Nov 09

I did not include the command to add it the ip addresses to your block list for the following reasons:
[ul][li]Some of the IP addresses may be valid, but only you should able able to asses that[/li]
[li]The structure of your iptables firewall may be nonstandard[/li]
[li]Hopefully you use a default deny all at the end of your firewall list and if that is the case newly appended rules will never be tested[/li]
[li]I do not know the port and protocols used for the connections based off of the log file that you shared[/li][/ul]

Your best bet for a clean firewall script would be to setup rules for that port that first alllow trusted IP addresses then deny all other requests for that service so that you don't have to focus on a per address basis to deny hosts.

Now if you just want to blindly apply a rule for blocking all of those addresses on all ports and protocols (this is not recommended) then you can use this command.

for ADD in $(cat Log_dos.txt|grep IP=|cut -d "=" -f 5|cut -d " " -f 1|sort|uniq)
do iptables -A INPUT -p ALL -s $ADD -j DENY
done

If you do not maintain an external list of all ip addresses that have been added to the deny list then this command will cause issues with duplicate rules for single ip addresses, additionally failure to use an external list will limit your ability to reinstate the rules if you system is restarted.

Link to this post 01 Dec 09

Thank you very much. I will try to work.

Link to this post 01 Dec 09

Hi mfillpot,
This is my config for iptables

######## iptables_Firewall.sh cript
#!/bin/sh
IPTABLES=/sbin/iptables

######### Init values
INTERNAL_INTERFACE="eth5"
INTERNAL_ADDR="192.168.1.10"
EXTERNAL_INTERFACE="eth4"
EXTERNAL_ADDR="222.255.237.87"

######### Pre-config
$IPTABLES -F FORWARD ## reset FORWARD chain
$IPTABLES -F INPUT ## reset INPUT chain
$IPTABLES -F OUTPUT ## reset OUTPUT chain
$IPTABLES -P FORWARD DROP ## Default FORWARD chain is DROP
$IPTABLES -P OUPUT ACCEPT ## Default OUTPUT chain is ACCEPT
$IPTABLES -P INPUT DROP ## Default INPUT chain is DROP

######## Rules

$IPTABLES -A INPUT -p icmp -j ACCEPT

#$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p icmp -icmp-type echo-request -m limit --limit 5/s -j ACCEPT


## Drop all ips DOS
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 58.186.103.244 -d $EXTERNAL_ADDR -j DROP
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 222.255.77.119 -d $EXTERNAL_ADDR -j DROP
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 58.186.217.54 -d $EXTERNAL_ADDR -j DROP

## Permit these UDP ports

$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 0/0 -d $EXTERNAL_ADDR -p udp --dport 5060 -m limit --limit 4/s -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 0/0 -d $EXTERNAL_ADDR -p udp --dport 5080 -m limit --limit 4/s -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 0/0 -d $EXTERNAL_ADDR -p udp --dport 53 -m limit --limit 4/s -j ACCEPT

$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 0/0 -d $EXTERNAL_ADDR -p udp -j ACCEPT


## Permit SSH
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i lo -p all -j ACCEPT

## Internal interface : Permit all
$IPTABLES -A INPUT -i $INTERNAL_INTERFACE -s 0/0 -p all -j ACCEPT

Please help me include your script into it to anti DOS. Everytime this script is run, it will reset iptables.
Pls note, in Log_dos.txt, ips dos are ips which request more than 5 times per second. Log_dos.txt is a part copy of /var/log/message . We will write a script to filter ips dos base on message file. This file is very large so we will use tail -n 500 /var/log/message instead of. Please help.

Thank you very much.

Who we are ?

The Linux Foundation is a non-profit consortium dedicated to the growth of Linux.

More About the foundation...

Frequent Questions

Join / Linux Training / Board