* DDoS counter-measures (Rules)
@ 2003-04-05 5:12 zito.pol
From: zito.pol @ 2003-04-05 5:12 UTC
To: netfilter
Hi folks,
I am new to the list and I need help with some extra IPTABLES DDoS/DoS rules.
I am receiving a large volume of packets... in other words... I am being
DoSed.
The IP_FRAG OUTPUT:
[**] MISC Tiny Fragments [**]
04/03-03:03:24.131192 < l/l len: 0 l/l type: 0x200 0:0BBBB
pkt type:0x0 proto: 0x800 len:0x2C
200.182.128.30 -> 200.164.250.204 ICMP TTL:39 TOS:0x0 ID:67 IpLen:20 DgmLen:28
MF
Frag Offset: 0x0680 Frag Size: 0xFFFFF988
55 55 55 55 55 55 55 55 UUUUUUUU
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
[**] MISC Tiny Fragments [**]
04/03-03:03:27.251702 < l/l len: 0 l/l type: 0x200 0:0BBBB
pkt type:0x0 proto: 0x800 len:0x2C
200.182.128.30 -> 200.164.250.204 ICMP TTL:39 TOS:0x0 ID:69 IpLen:20 DgmLen:28
MF
Frag Offset: 0x039C Frag Size: 0xFFFFFC6C
55 55 55 55 55 55 55 55 UUUUUUUU
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
[**] MISC Tiny Fragments [**]
04/03-03:03:37.406839 < l/l len: 0 l/l type: 0x200 0:0BBBB
pkt type:0x0 proto: 0x800 len:0x2C
200.182.128.30 -> 200.164.250.204 ICMP TTL:39 TOS:0x0 ID:75 IpLen:20 DgmLen:28
MF
Frag Offset: 0x0D01 Frag Size: 0xFFFFF307
55 55 55 55 55 55 55 55 UUUUUUUU
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
----------------------------------------------------------
The ICMP_ECHO OUTPUT:
[**] ICMP Large ICMP Packet [**]
04/03-03:04:07.018622 < l/l len: 0 l/l type: 0x200 0:0BBBB
pkt type:0x0 proto: 0x800 len:0x7560
200.182.128.30 -> 200.164.250.204 ICMP TTL:39 TOS:0x0 ID:89 IpLen:20 DgmLen:30032
Type:8 Code:0 ID:131 Seq:0 ECHO
00 07 2C A6 55 55 55 55 55 55 55 55 55 55 55 55 ..,.UUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU... UUUUUUUUUUUUUUUUU...
UUUUUUUU...
VERY LARGE OUTPUT (2.44 MB)
----------------------------------------------------------
Well, I need help with it... I need a counter-measure... this box is an
old Pentium 2 with 512KB of bandwidth (ADSL), serving access to 2 other machines
(IPTABLES + NAT).
Any help is welcome (some extra iptables rules too).
Best regards...
Joao Carlos
BOMPREÇO SYSTEM ADMINISTRATOR
PS: Sorry for my poor English, I am Brazilian and in my country this type
of information is very hard to obtain.
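
Added example, not part of the original message: a short Python parser for alert records in the format pasted above. It tallies alerts per source address and reads the printed Frag Size as a signed 32-bit value. The sample input is abridged from the post; the function and field names are this example's own.

```python
import re
from collections import Counter

# Sample input: two alert records abridged from the post above (constructed excerpt).
SAMPLE = """\
[**] MISC Tiny Fragments [**]
04/03-03:03:24.131192 < l/l len: 0 l/l type: 0x200 0:0BBBB
200.182.128.30 -> 200.164.250.204 ICMP TTL:39 TOS:0x0 ID:67 IpLen:20 DgmLen:28
MF
Frag Offset: 0x0680 Frag Size: 0xFFFFF988
[**] ICMP Large ICMP Packet [**]
04/03-03:04:07.018622 < l/l len: 0 l/l type: 0x200 0:0BBBB
200.182.128.30 -> 200.164.250.204 ICMP TTL:39 TOS:0x0 ID:89 IpLen:20 DgmLen:30032
Type:8 Code:0 ID:131 Seq:0 ECHO
"""

HEADER = re.compile(r"^\[\*\*\]\s*(.+?)\s*\[\*\*\]\s*$", re.M)
IPLINE = re.compile(r"(\d+(?:\.\d+){3}) -> (\d+(?:\.\d+){3}) (\w+) .*?"
                    r"IpLen:(\d+) DgmLen:(\d+)")
FRAG = re.compile(r"Frag Offset: 0x([0-9A-Fa-f]+)\s+Frag Size: 0x([0-9A-Fa-f]+)")

def parse_alerts(text):
    """Split on '[**] name [**]' headers; return one dict per complete record."""
    parts = HEADER.split(text)[1:]            # [name, body, name, body, ...]
    alerts = []
    for name, body in zip(parts[0::2], parts[1::2]):
        ip = IPLINE.search(body)
        if not ip:
            continue                          # truncated record: skip, do not guess
        rec = {"alert": name, "src": ip[1], "dst": ip[2], "proto": ip[3],
               "iplen": int(ip[4]), "dgmlen": int(ip[5]),
               "mf": bool(re.search(r"^MF\s*$", body, re.M))}
        frag = FRAG.search(body)
        if frag:
            size = int(frag[2], 16)
            rec["frag_offset"] = int(frag[1], 16)
            # The printed size is an unsigned 32-bit value; reinterpret it as signed.
            rec["frag_size"] = size - (1 << 32) if size >= (1 << 31) else size
        alerts.append(rec)
    return alerts

def summarize(alerts):
    """Count alerts per (source, alert name) to see whether one host dominates."""
    return Counter((a["src"], a["alert"]) for a in alerts)

if __name__ == "__main__":
    for (src, name), n in summarize(parse_alerts(SAMPLE)).items():
        print(f"{src:15}  {n:4}  {name}")
```

For the first record this yields a frag_size of -1656, which equals (DgmLen - IpLen) - Frag Offset = 8 - 1664 using the printed values; the same relation holds for the other two fragment records in the post.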