preventing a DoS

shira · Tux's lil' helper Joined: 27 Aug 2002 Posts: 122

my server has been DoSed twice in the last week and I can't afford this kind of downtime

I looked at iptraf during one of these and I didn't see any large ammounts of packets moving

iptraf did not log a lot of icmp movement and all the movement on the other protocols was me shelled in

could you all offer me some advice on how to
a. prevent this kind of thing using iptables or some other software like this
b. find the doofus whos doing this

I would really appreciate any help you can give, I really don't need to null route my server again to keep it from getting hammered

shira · Tux's lil' helper Joined: 27 Aug 2002 Posts: 122

any recommendations of stuff to block or kernel options to change?

meowsqueak · Posted: Thu Oct 16, 2003 8:41 pm Post subject:

If you configure your firewall to ignore ICMP (ping) requests it makes it invisible to ping. This can fool some subnet scans into thinking you don't exist. It isn't hard to work around, but it can stop a lot of clueless script kiddies from targetting you. It's a start.

ozonator · Posted: Thu Oct 16, 2003 9:30 pm Post subject:

For protection against a SYN flood kind of DoS attack, iptables might help. There are 'limit' options for matching packets, which can be used to limit the rate at which packets will match a rule. You'll need to have support for the 'limit' match in your netfilter kernel config; check for Networking options -> IP: Netfilter configuration -> limit match support.

As an example, this might do the trick for reducing the effectiveness of a typical SYN flood:

devon · l33t Joined: 23 Jun 2003 Posts: 943

How did you log onto your server during the DoS attack? Console or some admin-network? Are you sure you were the target and not collateral damage?

If the badguy has a lot of bandwidth, all he/she has to do is saturate your link. I have seen >100Mbps attacks and know others have seen larger. Did you contact your network provider during the attacks? Or are you the network provider? Do you do any Netflow/sFlow sampling?

shira · Tux's lil' helper Joined: 27 Aug 2002 Posts: 122

well I implemented a firewall that uses that syn code and the icmp code but it still wasn't too successful

I've learned that the person attacking us is using infected hosts to do his/her dirty work so ipbanning and such is not an option

is there anything else that I can do to block other types of attacks?

I logged into my server using very slow ssh
we are the target
we contacted the isp during the attack and had our ip null routed

I do not know what netflow/sflow is

sschlueter · Posted: Fri Oct 24, 2003 1:25 pm Post subject: Re: preventing a DoS

sschlueter · Posted: Fri Oct 24, 2003 1:28 pm Post subject:

jaalex · n00b Joined: 22 Oct 2003 Posts: 39

I use the Monmotha iptables firewall script. It has a lot of neat rate limiting features. Along with the right kernel patches you can stop almost any DoS that doesn't fill your network pipe.

You can get the monmotha script by doing

shira · Tux's lil' helper Joined: 27 Aug 2002 Posts: 122

is there any way to prevent the pipe filling attacks

I'm pretty sure that's what we're getting hit with

we don't have direct access to the router so it'd difficult to null route our selves when we're attacked

jaalex · n00b Joined: 22 Oct 2003 Posts: 39

IF your getting hit with an attack from upstream that consumed all the bandwidth on your link from your ISP the only way to stop that is to have the ISP block the traffic. Depending on your SLA and contract with the ISP they might or might not be willing to do this.

Jason
_________________
No Matter Where You Go, There You Are

sschlueter · Posted: Fri Oct 24, 2003 5:52 pm Post subject:

shira · Tux's lil' helper Joined: 27 Aug 2002 Posts: 122

ya, I didn't see a bunch of traffic in iptraf and yet our line got saturated at 10mbps

fimblo · Posted: Fri Oct 24, 2003 9:21 pm Post subject: Re: Upstream DOS Attack