DDoS and other attacks vs iptables (Anti-DDoS security in iptables)

There are many ways to mitigate a DDoS attack with iptables: by packet size, by connection limit, and so on. Here we will see, in an easy, intuitive and well-explained way, how to achieve that goal, and also how to stop other annoying attacks on our servers.

# Iptables

IPT="/sbin/iptables"
ETH="eth0"

# All SYN traffic: default policies are DROP; only established/related traffic and loopback get through
$IPT -P INPUT DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -P OUTPUT DROP
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -P FORWARD DROP
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A FORWARD -i lo -o lo -j ACCEPT

# When the load goes up (emergency rule: refuse every new connection attempt)
$IPT -A INPUT -p tcp --syn -j REJECT --reject-with icmp-port-unreachable

# The one that works best (a single rate limit shared by all sources)
$IPT -N syn-flood
$IPT -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
$IPT -A syn-flood -j LOG --log-prefix "SYN flood: "
$IPT -A syn-flood -j DROP

# Same as the one above but much rawer (an alternative: the syn-flood chain can only be created once per ruleset)
$IPT -N syn-flood
$IPT -A INPUT -i $ETH -p tcp --syn -j syn-flood   # was "eth0:2": iptables matches the device name, and an IP alias label is not a device
$IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPT -A syn-flood -j DROP
$IPT -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT

# Discard malformed packets (jump into this chain from INPUT to use it)
$IPT -N PKT_FAKE
$IPT -A PKT_FAKE -m state --state INVALID -j DROP
$IPT -A PKT_FAKE -p tcp --dport 80 --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A PKT_FAKE -p tcp --dport 80 --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A PKT_FAKE -p tcp --dport 80 --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A PKT_FAKE -p tcp --dport 80 ! --syn -m state --state NEW -j DROP
$IPT -A PKT_FAKE -f -j DROP
$IPT -A PKT_FAKE -j RETURN

# SYN flood (third variant: it keys on bare RST packets on any eth interface; again, create the chain only once)
$IPT -N syn-flood
$IPT -A INPUT -i eth+ -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood
$IPT -A FORWARD -i eth+ -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood
$IPT -A syn-flood -m limit --limit 4/s --limit-burst 16 -j RETURN
$IPT -A syn-flood -m limit --limit 75/s --limit-burst 100 -j RETURN
$IPT -A syn-flood -m limit --limit 1/second -j LOG --log-prefix "SYN FLOOD " --log-tcp-sequence --log-tcp-options --log-ip-options
$IPT -A syn-flood -j DROP
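
Both logging rules write their lines to the kernel log (dmesg, or the kern facility in syslog) in netfilter's key=value format. What a practitioner does with them is tally per source before deciding whether an address is a real flood or a misconfigured client. The following is an added example, not code from the original post: it parses constructed sample lines (documentation addresses, not real hosts) and ranks the sources. Note that the `SYN FLOOD` chain in this section actually fires on bare RST packets, so its sample line carries RST.

```python
"""Triage of the kernel log lines written by the `-j LOG --log-prefix "SYN flood: "` rules.

Added example, not part of the original post: parses the key=value format that netfilter's
LOG target writes and tallies packets per source address.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Prefixes used by the two logging rules in the script.
LOG_PREFIXES = ("SYN flood: ", "SYN FLOOD ")
# Bare tokens the LOG target emits without a value: IP DF/MF bits and TCP flags.
# Option dumps such as "OPT (...)" from --log-tcp-options are ignored.
BARE_TOKENS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample in the shape the kernel writes; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  3 12:00:01 web1 kernel: [12345.678901] SYN flood: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44112 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 12:00:01 web1 kernel: [12345.690114] SYN flood: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44113 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 12:00:01 web1 kernel: [12345.701337] SYN flood: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44114 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 12:00:02 web1 kernel: [12346.001122] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex
Mar  3 12:00:02 web1 kernel: [12346.112233] SYN FLOOD IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 SRC=198.51.100.23 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=17 PROTO=TCP SPT=51000 DPT=22 SEQ=3432113 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
"""


def parse_log_line(line: str) -> Optional[Tuple[str, Dict[str, str], Set[str]]]:
    """Split one LOG line into (prefix, key=value fields, bare flag tokens).

    Returns None for kernel messages that do not carry one of our prefixes.
    """
    for prefix in LOG_PREFIXES:
        _, found, rest = line.partition(prefix)
        if found:
            fields = dict(FIELD_RE.findall(rest))
            flags = {tok for tok in rest.split() if tok in BARE_TOKENS}
            return prefix.strip(), fields, flags
    return None


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per source address: packet count, destination ports hit, flags seen, rule prefixes."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"packets": 0, "ports": Counter(), "flags": set(), "prefixes": set()})
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, fields, flags = parsed
        src = fields.get("SRC")
        if not src:
            continue
        entry = summary[src]
        entry["packets"] += 1
        if fields.get("DPT", "").isdigit():
            entry["ports"][int(fields["DPT"])] += 1
        entry["flags"] |= flags
        entry["prefixes"].add(prefix)
    return dict(summary)


def top_sources(summary: Dict[str, dict], n: int = 5) -> List[Tuple[str, int]]:
    """Busiest sources first; ties broken by address so the output is stable."""
    ranked = sorted(((src, e["packets"]) for src, e in summary.items()),
                    key=lambda item: (-item[1], item[0]))
    return ranked[:n]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for src, count in top_sources(report):
        e = report[src]
        print(f"{src:>15}  {count:4d} pkts  ports={dict(e['ports'])}  "
              f"flags={sorted(e['flags'])}  rules={sorted(e['prefixes'])}")
```

Feed it real lines with `summarize(open("/var/log/kern.log"))` (path assumed; it depends on the syslog setup). The per-source port and flag sets are what separate a SYN flood (one source, many ports or one port, only SYN) from a busy but legitimate client.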

# Requires the "recent" module (called xt_recent on current kernels; iptables loads it on demand)
modprobe ipt_recent
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP

# explanation:
# every IP that connects is added to the recent table;
# for each IP in the table, if it makes X or more hits in X seconds, it gets dropped.
# Note: -I inserts at the top of the chain, so the --update/DROP rule below ends up above
# the --set rule (check first, then record). Older kernels remember only 20 packets per
# address by default (module parameter ip_pkt_list_tot) and refuse a --hitcount above that.
$IPT -I INPUT -p tcp --syn -m recent --set
$IPT -I INPUT -p tcp --syn -m recent --update --seconds 10 --hitcount 30 -j DROP

# UDP flood
$IPT -A OUTPUT -p udp -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp -m limit --limit 100/s -j ACCEPT
$IPT -A OUTPUT -p udp -j DROP

These two rules count the SYN packets (TCP connection requests) arriving from each IP address over the last 10 seconds. Once a source reaches 30, its packet is discarded, so that connection is not established (TCP retransmits the SYN several times, so once the source falls back under the limit the connection can still be set up).
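
To see what these matches actually decide, here is a simulation added for this page (it is not code from the original post): simplified models of xt_limit (one token bucket shared by every source), xt_hashlimit (a bucket per source, as in the Layer 7 rule further down) and xt_recent (per-source timestamps, checked with `--update` before `--set`, which is the order the two `-I` commands above produce). They run over a constructed SYN stream from one flooding address and one legitimate client; both addresses come from documentation ranges, and the per-address stamp limit of the kernel module is simplified away. Fractions keep the arithmetic exact.

```python
"""Simulate how the three rate-limiting matches used in the script decide on a SYN stream.

Added example, not part of the original post. Simplified models:
  -m limit      : one token bucket shared by every source (xt_limit)
  -m hashlimit  : one token bucket per source address (xt_hashlimit --hashlimit-mode srcip)
  -m recent     : per-source arrival timestamps, drop once `hitcount` of them fall inside
                  the last `seconds` (xt_recent --update ... then --set)
"""
from collections import defaultdict, deque
from fractions import Fraction
from typing import Dict, List, Tuple

Packet = Tuple[int, str]          # (arrival time in milliseconds, source address)
FLOODER = "203.0.113.7"           # constructed addresses from the RFC 5737 documentation ranges
CLIENT = "192.0.2.10"


class TokenBucket:
    """`burst` tokens available up front, refilled at `rate` tokens per millisecond."""

    def __init__(self, rate: Fraction, burst: int, now_ms: int) -> None:
        self.rate, self.burst = rate, burst
        self.credit = Fraction(burst)
        self.last_ms = now_ms

    def allow(self, now_ms: int) -> bool:
        refill = self.rate * (now_ms - self.last_ms)
        self.credit = min(Fraction(self.burst), self.credit + refill)
        self.last_ms = now_ms
        if self.credit >= 1:          # xt_limit accepts while credit >= cost of one packet
            self.credit -= 1
            return True
        return False


class GlobalLimit:
    """-m limit --limit N/second --limit-burst B: the bucket is shared by all sources."""

    def __init__(self, per_second: int, burst: int) -> None:
        self.bucket = TokenBucket(Fraction(per_second, 1000), burst, 0)

    def accept(self, now_ms: int, src: str) -> bool:
        return self.bucket.allow(now_ms)


class HashLimit:
    """-m hashlimit --hashlimit-upto N/min --hashlimit-burst B --hashlimit-mode srcip."""

    def __init__(self, per_minute: int, burst: int) -> None:
        self.rate, self.burst = Fraction(per_minute, 60_000), burst
        self.buckets: Dict[str, TokenBucket] = {}

    def accept(self, now_ms: int, src: str) -> bool:
        if src not in self.buckets:   # a source seen for the first time starts with a full bucket
            self.buckets[src] = TokenBucket(self.rate, self.burst, now_ms)
        return self.buckets[src].allow(now_ms)


class RecentHitcount:
    """-m recent --update --seconds S --hitcount H -j DROP, followed by -m recent --set.

    --update (on a match) and --set (on a miss) both record the packet's timestamp, so every
    packet is remembered; only the H most recent stamps can influence the decision.
    """

    def __init__(self, seconds: int, hitcount: int) -> None:
        self.window_ms, self.hitcount = seconds * 1000, hitcount
        self.stamps: Dict[str, deque] = defaultdict(lambda: deque(maxlen=hitcount))

    def accept(self, now_ms: int, src: str) -> bool:
        stamps = self.stamps[src]
        hits = sum(1 for s in stamps if now_ms - s <= self.window_ms)
        stamps.append(now_ms)
        return hits < self.hitcount


def constructed_traffic() -> List[Packet]:
    """Constructed sample: one source sends a SYN every 5 ms for 2 s (400 SYNs) while a
    legitimate client opens four connections in the same period."""
    flood = [(t, FLOODER) for t in range(0, 2000, 5)]
    legit = [(t, CLIENT) for t in (257, 757, 1257, 1757)]
    return sorted(flood + legit)      # by arrival time; the times never collide


def simulate(policy, packets: List[Packet]) -> Dict[str, Tuple[int, int]]:
    """Run the packets through one policy; returns {source: (accepted, dropped)}."""
    tally: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for now_ms, src in packets:
        tally[src][0 if policy.accept(now_ms, src) else 1] += 1
    return {src: (ok, dropped) for src, (ok, dropped) in tally.items()}


def compare_policies(packets: List[Packet] = None) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """The three policies from the script, each applied to the same traffic."""
    packets = packets if packets is not None else constructed_traffic()
    policies = {
        "limit": GlobalLimit(100, 150),          # --limit 100/second --limit-burst 150
        "recent": RecentHitcount(10, 30),        # --seconds 10 --hitcount 30
        "hashlimit": HashLimit(50, 80),          # --hashlimit-upto 50/min --hashlimit-burst 80
    }
    return {name: simulate(policy, packets) for name, policy in policies.items()}


if __name__ == "__main__":
    for name, per_source in compare_policies().items():
        print(name)
        for src, (ok, dropped) in per_source.items():
            print(f"  {src:>13}  accepted {ok:3d}  dropped {dropped:3d}")
```

With this traffic the shared `limit` bucket is exhausted after about 1.5 s and from then on it sheds every other packet regardless of who sent it, so one of the client's four SYNs is dropped along with 54 of the flooder's. The per-source `recent` and `hashlimit` rules pass all four client SYNs and cut the flooder off after 30 and 81 packets respectively; that difference is the reason to key the limit on the source address rather than on the whole chain.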

# Preventing a Layer 7 DoS by limiting each source to a maximum of 80 connections (bursts of 80, then 50 per minute)
$IPT -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-upto 50/min --hashlimit-burst 80 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j DROP

# Allow ping, but at 1 packet per second, to avoid an ICMP flood
$IPT -A INPUT -p icmp --icmp-type echo-request -m state --state NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
$IPT -A INPUT -p icmp -j DROP

# Preventing the machine from being scanned (illegal TCP flag combinations)
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

Here is the script in our Paste: Paste.DesdeLinux.net (Previous script)


  1.   KZKG ^ Gaara said

    And this is why I put a tutorial before DDoS attacks 😉
    To put / explain the reason or problem (previous tutorial), and also give you the solution (this tutorial) 🙂

    1.    diazepam said

      perfect.

  2.   koratsuki said

    Children's candy ...

  3.   Hugo said

    Good article.

    My two cents:

    In the case of UDP packets, there is no SYN flag because it is a protocol without state control. However, paradoxically, the NEW and ESTABLISHED states do exist because iptables internally carries tables for this purpose.

    On the other hand, in my opinion it is better to use a DROP destination instead of REJECT, for two reasons: firstly, with a reject one is giving information to a possible attacker, and also the computer is using part of its connectivity to send notification to the attacking team.

    Another thing is that in the case of the ICMP protocol (and in general) it is convenient to regulate both requests and responses, because we are probably interested at some point in pinging ourselves, and by enabling this functionality, someone could use a botnet, forge the source address, send an endless ping to many of these compromised PCs, and the responses would go to our server, collapsing it if no limits were imposed.

    I usually allow ICMP types 0,3,8,11 and 12 with an input limit of one per second and a burst of two or four maximum, and everything else is left to DROP.

    Actually, except for the TCP protocol that can be regulated better, all the others should be protected with an anti-DDoS measure by means of a recent type match. Regarding this, as a curiosity, the author of this module likes to place the update first and then the set.

    Iptables is really very flexible and powerful, so far the only thing that I have proposed to do and I have not achieved it yet (although I am close to achieving it), is to enable the psd module to avoid portscans, but even with everything I have learned about this tool, I don't think I have even scratched the surface yet. 😉

    Anyway, in this world you always have to study.

  4.   koratsuki said

    Good points Hugo, on file for our glossary :D, as always, learning ...

    1.    Hugo said

      By the way, I already got the psd module to work for me. The problem was that it initially depended on a kernel functionality that was deprecated along with patch-o-matic, so it was removed from the built-in modules in netfilter by default. So now in Debian to use the psd extension, first you have to do this:


      aptitude -RvW install iptables-dev xtables-addons-{common,source} module-assistant
      module-assistant auto-install xtables-addons-source

      It can then be used normally, according to the instructions:

      man xtables-addons

      1.    away said

        Hugo, why don't you publish an iptables.sh with your suggestions to improve the script of this post (which is good) including psd

        Thank you

  5.   nelson said

    Excellent article, excellent iptables and excellent explanation from @hugo. I am becoming more and more convinced that I still have a lot to learn.

  6.   koratsuki said

    It's not you alone, at least me ... I'm missing a million ... 😀

  7.   Miguel Angel said

    Hello everyone, and thanks for the contribution, but the truth is that we are desperate, we do not know what to do now, and we come to you for this iptables that we know that you are experts in systems.
    I am the leader of a community in Spain of Counter-Strike: Source and we are one of the few who are still barely standing. We are receiving constant attacks on the machine and other attacks at intervals of time; the constant one removes little but lags the server a little, but the one that comes at intervals does more damage. Our machine is set up on CentOS 6.2
    and we have the tcadmin to control the servers. You could make us a configuration that could stop this type of attack even a little, it is that we are already desperate,
    and we do not know who to turn to. We know that there are two botnets, one homemade and the other paid for by time and strength. We have been enduring brutal attacks of this type for almost a year; if you could help us we would be eternally grateful because it is unsustainable now. I love to configure servers as a hobby, and I am not a child, I assure you, but this is a lot for me. If you want my TS3 to talk or anything, I would love you to help us, so we would post here the results and everything that was resolved for the good of many people; it would be the most visited blog of the year, that I assure you, because it is incredible how annoying these DDoS attacks are. Since we tried to configure it on our own and blocked access to the machine, we had to format it from the BIOS, so imagine how we are.
    I send a cordial greeting. And my congratulations for the missing blog, many people have one that was updated with this one. -Miguel Angel-

    1.    KZKG ^ Gaara said

      Hello how are you 🙂
      Write to my email, we will be happy to help you 😀 -» kzkggaara[@]desdelinux[.]net

  8.   ArthurShelby said

    Hello guys, until now that I'm working, take this script, very good by the way ... just one doubt: Does the «recent» module not reduce performance?

    Greetings - Thank you / Who like you?

  9.   Jose tapia said

    Excellent contribution my friend, I will put you in the references of a tutorial video that we are mounting, a hug from Costa Rica

  10.   Cristian Ivory Reinoso said

    Hello,

    Can't use the script on multiple ports?
    I have a game server and I get attacks to both the web and the game server ports.

    A greeting.