Home Linux Community Forums Linux Distributions Red Hat Help me. My server is attacked DDoS

Help me. My server is attacked DDoS

Link to this post 02 Dec 09

Here are the recommended modifications.
[li]Lines 15-17 are missing the -j flag.[/li]
[li]OUPUT in line 16 should be OUTPUT[/li]
[li]Put line 17 at the end of the script, your don't want the packets to be dropped until they are evaluated[/li]
[li]You don't want to mindlessly accept all icmp packets, you want to drop specific ones to resist DOS attacks via icmp, replace line 21 with the following lines.

# Allow pings 4 per minute to block ping DOS attacks
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/m -j ACCEPT

# Allow all echo replies including destination unreachable and time exceeded
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

# Block all other icmp traffic
[li]Place the following after line 21:

# Allow all response traffic
Make the following in line 30 to enable the blocking of the specified addresses:

for ADD in $(tail -n 500 /var/log/message|grep IP=|cut -d "=" -f 5|cut -d " " -f 1|sort|uniq)


There can be other recommendations such as making the script modular and adding specific chains per packet type to reduce the amount of rules a packet must pass through. But with the following recommendations the firewall script should do what you want including blocking the addresses that are found with the evaluation of the for script that I gave you, however you may want to modify the script to grab only the info that was displayed in the original log file that you produced.

Who we are ?

The Linux Foundation is a non-profit consortium dedicated to the growth of Linux.

More About the foundation...

Frequent Questions

Join / Linux Training / Board