1

My server is undergoing a DDoS attack, with the traffic in my Apache logs appearing like:

ip address - - [11/Apr/2013:01:01:04 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
ip address - - [11/Apr/2013:01:01:05 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
ip address - - [11/Apr/2013:01:01:05 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
ip address - - [11/Apr/2013:01:01:05 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
ip address - - [11/Apr/2013:01:01:05 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"
ip address - - [11/Apr/2013:01:01:05 -0600] "POST / HTTP/1.1" 416 31 "-" "Microsoft Internet Explorer"

How can I block this with iptables? I am using:

-A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j DROP

But that doesn't appear to be doing anything. I think I need something along this line, though.

Thank you.

Jenny D
dev

3 Answers

2

I'm not sure how you can do this in iptables, but I'd recommend you have a look at OSSEC, which blocks repeated offenders automatically. You can also have a look at CloudFlare; they also have a free package and specialize in DDoS mitigation, as what you need to do is drop the traffic before it reaches you. If the address is just one IP address, I would just drop it permanently.

I changed an iptables rule from here; have a look:

# Both commands use -I, so run in this order the --update/DROP rule ends up above the --set rule.
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# Drop a source that opened 50 or more new port-80 connections in the last 60 s. Older kernels
# cap --hitcount at ip_pkt_list_tot (default 20); raise it with "modprobe xt_recent ip_pkt_list_tot=100" if iptables refuses the rule.
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 50 -j DROP

1

Without seeing all your iptables rules and some analysis showing that the rate does exceed the limits you specified, it's impossible to say why this is happening; for example, it may simply be that you're getting lots of requests across a single connection.

Even if you are not using keepalives, a stateful firewall (on its own) is not a very effective tool for preventing DoS attacks. Traffic shaping helps, but this gets very complicated very quickly. There are some Apache modules which support a minimum bandwidth guarantee, which is a lot simpler to configure than kernel QoS. But I would recommend using fail2ban to block the IP addresses causing the problem.

symcbean
0

Several problems:

  1. Using a stateful firewall against DDoS is often a bad idea: you help the attacker by allowing him to allocate state (therefore memory) on your machine. The state module should be replaced simply by something like --tcp-flags SYN SYN
  2. The -j DROP at the end is an error; it means to drop all the packets that are below the threshold. It should be -j ACCEPT and have a DROP rule afterwards. (If you saw no effect, it may be because you have another ACCEPT rule later, or a general ACCEPT policy.)
  3. I prefer the hashlimit module, which can work with prefixes, not just individual IP addresses:

     --tcp-flags SYN SYN -m hashlimit --hashlimit-name Web --hashlimit-above 3/second --hashlimit-mode srcip --hashlimit-burst 7 --hashlimit-srcmask 28 -j DROP
bortzmeyer
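The second answer asks for analysis showing that the observed rate actually exceeds the limit in the rule, and the third answer argues for rate-limiting by prefix (--hashlimit-srcmask 28) rather than by single address. The script below is an added example, not code from the question or from any of the answerers: it parses Apache combined-log lines like the ones in the question, finds the peak number of requests per source address and per /28 in any 60-second window, lists the sources over a threshold (50 per minute, matching the question's -m limit rule and the -m recent --hitcount 50 --seconds 60 rule in the first answer), and prints, without executing, the iptables DROP rules that would block them. The log lines, the addresses (RFC 5737 test ranges, since the question redacted its real ones) and the /28 grouping are constructed for the example. One caveat the check makes visible: an access log counts HTTP requests, while -m limit and -m recent on --state NEW count new TCP connections, so with keepalive many logged requests can ride one connection and the request rate only bounds the connection rate from above.

```python
"""Peak-rate analysis of Apache access-log lines per source address and per /28.

Added example: none of this is code from the question or the answers.
"""
import ipaddress
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Combined log format as in the question: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

Event = namedtuple("Event", "ip when request status")


def make_line(ip, second, req="POST / HTTP/1.1", status=416):
    """Build one constructed log line `second` seconds after 01:01:00 -0600 (test data only)."""
    minute, sec = divmod(second, 60)
    return (f'{ip} - - [11/Apr/2013:01:{1 + minute:02d}:{sec:02d} -0600] '
            f'"{req}" {status} 31 "-" "Microsoft Internet Explorer"')


# Constructed sample log (RFC 5737 addresses) mimicking the POST flood in the question.
_lines = []
# (a) one source firing 60 POSTs in 10 seconds: clearly over 50/minute on its own
_lines += [make_line("203.0.113.7", s // 6) for s in range(60)]
# (b) four neighbours in 192.0.2.16/28 sending 20 requests each over a minute:
#     no single address crosses 50/minute, but the /28 as a whole sends 80
for host in (17, 18, 19, 20):
    _lines += [make_line(f"192.0.2.{host}", s * 3) for s in range(20)]
# (c) a normal visitor
_lines += [make_line("198.51.100.10", s * 15, "GET /index.html HTTP/1.1", 200) for s in range(3)]
# (d) a line that is not in combined log format; the parser must skip it
_lines.append("this is not an access log line")
SAMPLE_LOG = "\n".join(_lines)


def parse_log(text):
    """Return Event records for every well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), TS_FMT)  # timezone-aware
        events.append(Event(m.group("ip"), when, m.group("req"), int(m.group("status"))))
    return events


def peak_in_window(times, window=60.0):
    """Largest number of events in any half-open window [t, t + window) of epoch seconds."""
    ts = sorted(times)
    best = j = 0
    for i, start in enumerate(ts):
        while j < len(ts) and ts[j] < start + window:
            j += 1
        best = max(best, j - i)
    return best


def prefix_of(ip, v4_bits=28, v6_bits=64):
    """Aggregate an address into its /28 (IPv4) or /64 (IPv6), like --hashlimit-srcmask."""
    addr = ipaddress.ip_address(ip)
    bits = v4_bits if addr.version == 4 else v6_bits
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def peak_rates(events, key=lambda ip: ip, window=60.0):
    """Map each key (address by default, or prefix via key=prefix_of) to its peak count per window."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[key(ev.ip)].append(ev.when.timestamp())
    return {k: peak_in_window(v, window) for k, v in buckets.items()}


def offenders(peaks, threshold=50):
    """Keys whose peak exceeds `threshold` requests per window, sorted for stable output."""
    return sorted(k for k, n in peaks.items() if n > threshold)


def drop_rules(targets, port=80):
    """iptables commands that would block each target; returned as text, never executed here."""
    return [f"iptables -I INPUT -p tcp --dport {port} -s {t} -j DROP" for t in targets]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    per_ip = peak_rates(events)
    per_net = peak_rates(events, key=prefix_of)
    print("peak requests in 60 s, per address:", per_ip)
    print("peak requests in 60 s, per /28:", per_net)
    print("over 50/minute by address:", offenders(per_ip))
    print("over 50/minute by /28:", offenders(per_net))
    print("\n".join(drop_rules(offenders(per_net))))
```

On the constructed data the per-address view flags only 203.0.113.7, while the per-/28 view also catches 192.0.2.16/28, whose four hosts each stay under the limit; that is the case the third answer's --hashlimit-srcmask 28 is meant to cover. Feeding a real access_log in is a matter of replacing SAMPLE_LOG with the file contents; the generated rules are printed for review rather than applied, and a /28 can include innocent neighbours, so check who else lives in a prefix before dropping it.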