-1

I am facing a DDOS attack from a few hundred IP addresses, all of them coming from various cities in India and all sharing the same organization: "................ for GPRS Service". (I'm not mentioning the whole name.)

The attack started around 5 hours ago and it consists of hundreds of IP addresses that open 1 to 5 connections each (as opposed to one or a few IPs making thousands of connections). The IP addresses are coming from a wide range of subnets.

Is there a way to tell the firewall to block the internet provider of the remote IPs, at least until the problem is solved?

ToX 82
  • 119

2 Answers

1

Finally, I have found a way to mitigate (and finally solve) the problem:

After some investigation I found out that the attack was directed at my web server's IP address and not at a single website. Since that IP address was actually responding with the default Apache page, I replaced that page with a PHP 302 redirect pointing to a random (fake) domain. Eventually, all of the connections disappeared and all of my websites have now been running smoothly for a couple of hours.

ToX 82
  • 119
0

If the IPs are in the same country or a few countries, you could directly configure iptables to block subnets that originate from India (or whichever countries you choose), while you ride out the DDOS attack, and remove the rules later once it's over.

The trick is getting a list of subnets that apply to your attackers.

You can use this handy tool: https://www.ip2location.com/free/visitor-blocker

It can generate rules for a variety of firewalls, including iptables, which can be saved as and run as a bash script. The tool also supports server applications such as Apache.

Keep in mind that if this is a botnet attacking you, the IPs could rapidly change and be comprised of clients in many countries. Trying to keep up might be a fruitless effort and you'd be better off installing fail2ban.
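As an added illustration of the approach in this answer (not code from the answer or from the ip2location tool), the script below takes source IPs such as you would cut from the Apache access log, aggregates them into /24 prefixes, and prints iptables DROP rules only for prefixes seen at least a minimum number of times, so a single stray visitor does not get blocked. The IP list is a constructed sample; the rules are printed for review rather than executed, and the matching `-D` form removes them once the attack is over.

```shell
#!/bin/sh
# Constructed sample of attacking source IPs, one per line (e.g. from
# `awk '{print $1}' /var/log/apache2/access.log`).
SAMPLE_IPS='203.0.113.5
203.0.113.77
203.0.113.200
198.51.100.9
198.51.100.10
192.0.2.1'

# aggregate_prefixes MIN: read IPv4 addresses on stdin and print
# "<prefix>/24 <count>" for every /24 that appears at least MIN times.
aggregate_prefixes() {
    min="${1:-2}"
    awk -F. -v min="$min" '
        NF == 4 { seen[$1 "." $2 "." $3 ".0/24"]++ }
        END { for (p in seen) if (seen[p] >= min) print p, seen[p] }
    ' | sort
}

# emit_block_rules: turn "<prefix> <count>" lines into iptables commands.
# They are printed, not run, so they can be reviewed and saved as a script;
# replacing -I with -D later reverts each rule.
emit_block_rules() {
    while read -r prefix count; do
        printf 'iptables -I INPUT -s %s -j DROP   # %s hits\n' "$prefix" "$count"
    done
}

# rules_for_sample: full pipeline over the constructed sample, threshold 2.
rules_for_sample() {
    printf '%s\n' "$SAMPLE_IPS" | aggregate_prefixes 2 | emit_block_rules
}

rules_for_sample
```

With hundreds of prefixes, loading the same list into an ipset and matching it with a single `-m set` rule keeps the INPUT chain short.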