The document describes iptables rules to defend against a distributed denial of service (DDoS) attack using SYN flooding and GET requests from around 1600 IP addresses. It creates chains to filter attacks, drops fragmented and invalid packets, limits new connections to 100 per second from each IP, and logs and blocks IPs that trigger the rules multiple times within a timeout period. The full iptables script is also provided.
Anti DDoS with iptables and ipt_recent

These days I've been hit by a SYN flood combined with a flood of GET requests.
About 1600 different IPs made up the botnet behind the attack, so I wrote a few lines of
iptables to keep the attack under control.
Below you can find the whole micro-script I made, followed by a line-by-line explanation
of what each rule does.
Clear all existing rules on the firewall.
iptables -F
iptables -X
Create the three new chains we are going to use to filter the attack.
iptables -N ATTACKED
iptables -N ATTK_CHECK
iptables -N SYN_FLOOD
For every new incoming TCP packet we check whether it is a SYN; if it is not, we simply
drop it.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
We drop fragmented packets.
iptables -A INPUT -f -j DROP
Drop XMAS packets.
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop NULL packets.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Every incoming TCP SYN packet is forwarded to the SYN_FLOOD chain.
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
We use the hashlimit module to build a per-source-IP table, so that packets from any IP
exceeding 100 packets per second (with a burst of 3) are not accepted here; the entry is
kept in the table for 3600 seconds.
iptables -A SYN_FLOOD -p tcp --syn -m hashlimit --hashlimit 100/sec --hashlimit-burst 3 \
    --hashlimit-htable-expire 3600 --hashlimit-mode srcip --hashlimit-name synflood -j ACCEPT
Any packet not matched by the hashlimit rule (that is, from an IP over the limit) is
forwarded to the ATTK_CHECK chain.
iptables -A SYN_FLOOD -j ATTK_CHECK
Accept legitimate traffic.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
With the recent module we create a list in /proc/net/xt_recent/ called BANNED, which
holds every IP matched by the rules below. An entry is kept for 1800 seconds; if in that
window we receive no other match from that IP, it drops out.
iptables -A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 1800 --name BANNED \
    --rsource -j DROP
Every new packet with destination port 80 is forwarded to the ATTK_CHECK chain.
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ATTK_CHECK
We set up logging for the ATTACKED chain and drop every packet in that chain, putting
the source IP in the list /proc/net/xt_recent/BANNED.
iptables -A ATTACKED -m limit --limit 5/min -j LOG --log-prefix "IPTABLES (Rule ATTACKED): " --log-level 7
iptables -A ATTACKED -m recent --set --name BANNED --rsource -j DROP
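The LOG rule above writes one kernel log line per logged packet, with the prefix "IPTABLES (Rule ATTACKED): " followed by the fixed KEY=VALUE fields of the netfilter LOG target. The parser below is an added example, not part of the original post: it extracts those fields and counts hits per source IP and the ports they targeted. The log lines are constructed (TEST-NET addresses, invented MAC and ports) and include one unrelated kernel line to show it is skipped.

```python
"""Parse kernel log lines produced by the LOG target in the ATTACKED chain.

Added example, not part of the original post. The prefix is the one the script
sets; the remaining fields follow the KEY=VALUE layout of the netfilter LOG
target. SAMPLE_LOG is constructed for the demonstration.
"""
import re
from collections import Counter, defaultdict

LOG_PREFIX = "IPTABLES (Rule ATTACKED): "

# Constructed sample: three hits from one source, one from another, one unrelated line.
SAMPLE_LOG = """\
Mar  3 10:41:12 web1 kernel: IPTABLES (Rule ATTACKED): IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:41:13 web1 kernel: IPTABLES (Rule ATTACKED): IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=TCP SPT=40022 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:41:15 web1 kernel: IPTABLES (Rule ATTACKED): IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51240 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:41:20 web1 kernel: martian source 192.0.2.10 from 10.0.0.9, on dev eth0
Mar  3 10:41:22 web1 kernel: IPTABLES (Rule ATTACKED): IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51251 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# KEY=VALUE tokens; VALUE may be empty (e.g. "OUT=" on an incoming packet).
_KV = re.compile(r"([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the LOG fields of one line as a dict, or None if the prefix is absent."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    body = line[idx + len(LOG_PREFIX):]
    fields = dict(_KV.findall(body))
    # Bare tokens such as DF or the TCP flags (SYN, ACK) carry no '=': keep them as a set.
    fields["FLAGS"] = {tok for tok in body.split() if "=" not in tok}
    return fields


def summarize(text):
    """Count logged hits per source IP and collect the destination ports per source."""
    hits, ports = Counter(), defaultdict(set)
    for line in text.splitlines():
        f = parse_line(line)
        if f is None or "SRC" not in f:
            continue
        hits[f["SRC"]] += 1
        ports[f["SRC"]].add(int(f["DPT"]))
    return hits, ports


if __name__ == "__main__":
    hits, ports = summarize(SAMPLE_LOG)
    for src, n in hits.most_common():
        print(f"{src:16} hits={n} ports={sorted(ports[src])}")
```

Because the ATTACKED chain logs with -m limit --limit 5/min, these counts are a sample of the dropped packets, not a total; the BANNED list in /proc/net/xt_recent is the authoritative record of which sources are currently blocked.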
Define a new list in /proc/net/xt_recent called ATTK for incoming packets that have not
yet been matched as an attack.
iptables -A ATTK_CHECK -m recent --set --name ATTK
If an IP matches 20 times in 180 seconds we mark it as an attacker: it is recorded in the
ATTK list and forwarded to the ATTACKED chain.
iptables -A ATTK_CHECK -m recent --update --seconds 180 --hitcount 20 --name ATTK \
    --rsource -j ATTACKED
If an IP matches 6 times in 60 seconds we mark it as an attacker too: again it is recorded
in the ATTK list and forwarded to the ATTACKED chain.
iptables -A ATTK_CHECK -m recent --update --seconds 60 --hitcount 6 --name ATTK \
    --rsource -j ATTACKED
We permit the rest of the traffic, which should be almost entirely legitimate.
iptables -A ATTK_CHECK -j ACCEPT
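To see how the hashlimit rule and the two recent-module thresholds above work together, here is an added example (not part of the original post): a small Python model of the SYN_FLOOD, ATTK_CHECK and ATTACKED chains with the script's own parameters. hashlimit is modelled as a per-source token bucket (100/sec, burst 3), and recent as a per-source list of timestamps where --set adds one and --update --seconds N --hitcount M matches when at least M timestamps fall in the last N seconds. The source address and packet timings are constructed; the fragment, XMAS and NULL rules are omitted because every simulated packet is a plain TCP packet to port 80. Three caveats the model makes visible: --hashlimit-htable-expire takes milliseconds, so 3600 keeps an idle entry for 3.6 seconds (the model does not expire entries at all); xt_recent remembers at most ip_pkt_list_tot timestamps per address (20 by default), so --hitcount 20 sits at the default ceiling; and because ACCEPT is a terminating verdict, a SYN accepted in SYN_FLOOD never reaches the BANNED rule further down INPUT, so a source banned during a burst is accepted again once its bucket refills.

```python
"""Model of the SYN_FLOOD / ATTK_CHECK / ATTACKED logic of the script above.

Added example, not part of the original post. Times are integer milliseconds,
tokens are integer millitokens (one packet costs 1000) so no float rounding
occurs. Addresses and traffic are constructed.
"""
from collections import defaultdict, deque

RATE_PER_MS = 100                  # --hashlimit 100/sec = 100 millitokens per ms
BURST = 3 * 1000                   # --hashlimit-burst 3
ATTK_RULES = [(180, 20), (60, 6)]  # (--seconds, --hitcount) of the two ATTK_CHECK rules
BAN_SECONDS = 1800                 # --seconds 1800 of the BANNED rule


class HashLimit:
    """-m hashlimit --hashlimit-mode srcip: one token bucket per source address."""
    def __init__(self):
        self.buckets = {}          # src -> (millitokens, last_ms)

    def match(self, src, now_ms):
        tokens, last = self.buckets.get(src, (BURST, now_ms))
        tokens = min(BURST, tokens + (now_ms - last) * RATE_PER_MS)
        ok = tokens >= 1000
        self.buckets[src] = (tokens - 1000 if ok else tokens, now_ms)
        return ok


class Recent:
    """One xt_recent list (what /proc/net/xt_recent/<name> would show)."""
    def __init__(self):
        self.stamps = defaultdict(deque)

    def set(self, src, now_ms):                            # --set
        self.stamps[src].append(now_ms)

    def update(self, src, now_ms, seconds, hitcount=1):    # --update --seconds --hitcount
        q = self.stamps.get(src)
        if not q:                                          # not in the list: no match
            return False
        hits = sum(1 for t in q if now_ms - t <= seconds * 1000)
        if hits < hitcount:
            return False
        q.append(now_ms)                                   # --update refreshes last_seen on a match
        return True


class Firewall:
    def __init__(self):
        self.synflood = HashLimit()
        self.attk, self.banned = Recent(), Recent()
        self.log = []

    def attacked(self, src, now_ms):                       # chain ATTACKED
        self.log.append(f"IPTABLES (Rule ATTACKED): SRC={src}")   # LOG (5/min in the real rule)
        self.banned.set(src, now_ms)                       # -m recent --set --name BANNED
        return "DROP"

    def attk_check(self, src, now_ms):                     # chain ATTK_CHECK
        self.attk.set(src, now_ms)                         # --set has no target: falls through
        for seconds, hitcount in ATTK_RULES:
            if self.attk.update(src, now_ms, seconds, hitcount):
                return self.attacked(src, now_ms)
        return "ACCEPT"

    def input(self, src, now_ms, syn=True, state="NEW"):
        """Walk the INPUT chain for one TCP packet to port 80."""
        if not syn and state == "NEW":                     # -p tcp ! --syn --state NEW -j DROP
            return "DROP"
        if syn:                                            # -p tcp --syn -j SYN_FLOOD
            if self.synflood.match(src, now_ms):
                return "ACCEPT"                            # terminal: later INPUT rules not reached
            return self.attk_check(src, now_ms)
        if state in ("ESTABLISHED", "RELATED"):
            return "ACCEPT"
        if self.banned.update(src, now_ms, BAN_SECONDS):   # --dport 80 ... --name BANNED -j DROP
            return "DROP"
        return self.attk_check(src, now_ms)                # --dport 80 --state NEW -j ATTK_CHECK


def syn_burst(src="198.51.100.7", count=12, spacing_ms=1):
    """Constructed source sending SYNs 1 ms apart (ten times the hashlimit rate)."""
    fw = Firewall()
    verdicts = [fw.input(src, i * spacing_ms) for i in range(count)]
    return verdicts, fw


if __name__ == "__main__":
    verdicts, fw = syn_burst()
    for i, v in enumerate(verdicts):
        print(f"t={i:2d}ms {v}")
    print("banned entries:", dict(fw.banned.stamps))
    print("5 s later:", fw.input("198.51.100.7", 5000))
```

In the burst the first three SYNs spend the burst credit, then excess SYNs are routed to ATTK_CHECK, where each one adds a timestamp but is still accepted until the sixth hit within 60 seconds trips the second threshold; from then on excess packets are logged, banned and dropped, while any packet that finds a refilled token is accepted regardless of the ban.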
Shell script
#!/bin/bash
# Flush all rules and delete user-defined chains
iptables -F
iptables -X
# Chains used to filter the attack
iptables -N ATTACKED
iptables -N ATTK_CHECK
iptables -N SYN_FLOOD
# Drop new TCP packets that are not SYN, fragments, XMAS and NULL packets
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Every SYN goes through the per-source rate limit
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
iptables -A SYN_FLOOD -p tcp --syn -m hashlimit --hashlimit 100/sec --hashlimit-burst 3 \
    --hashlimit-htable-expire 3600 --hashlimit-mode srcip --hashlimit-name synflood -j ACCEPT
iptables -A SYN_FLOOD -j ATTK_CHECK
# Accept legitimate traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Port 80: drop sources in the BANNED list, send new connections to ATTK_CHECK
iptables -A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 1800 --name BANNED \
    --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ATTK_CHECK
# ATTACKED: log (rate limited), add the source to BANNED and drop
iptables -A ATTACKED -m limit --limit 5/min -j LOG --log-prefix "IPTABLES (Rule ATTACKED): " --log-level 7
iptables -A ATTACKED -m recent --set --name BANNED --rsource -j DROP
# ATTK_CHECK: count hits per source, escalate to ATTACKED above the thresholds
iptables -A ATTK_CHECK -m recent --set --name ATTK
iptables -A ATTK_CHECK -m recent --update --seconds 180 --hitcount 20 --name ATTK \
    --rsource -j ATTACKED
iptables -A ATTK_CHECK -m recent --update --seconds 60 --hitcount 6 --name ATTK \
    --rsource -j ATTACKED
iptables -A ATTK_CHECK -j ACCEPT
