Linux Netfilter discussions
From: Danny <dineshg@hostway.com>
To: admin@antiproxy.com, netfilter@lists.netfilter.org
Subject: Re: Watched a DDoS attack for hours and couldn't do much :S
Date: Mon, 27 Nov 2006 13:33:39 +0530
Message-ID: <456A9BDB.4030605@hostway.com>
In-Reply-To: <1164609380.21896.14.camel@srv1.iihs.net>

Hey!

Also: what does 'netstat -s -t' show?


Danny

AntiProxy wrote:
> Dear all,
>
>
> One of my servers was hit by a DDoS attack earlier today,
> and the pattern was different from the ones I've seen before.
>
> netstat doesn't show any TCP or UDP connections in any state.
>
> However, tcpdump shows the following (I'm posting a few lines out of
> millions):
> 00:51:08.279876 IP 199.28.0.228.1136 > My.Victim.IP.1060: S 3605427625:3605427625(0) win 16384 <mss 1460,nop,[bad opt]>
> 00:51:08.279905 IP My.Victim.IP.1060 > 199.28.0.228.1136: R 0:0(0) ack 3605427626 win 0
> 00:51:08.279945 IP 202.227.64.177.1027 > My.Victim.IP.1277: S 361765779:361765779(0) win 16384 <mss 1460,nop,[bad opt]>
> 00:51:08.279977 IP My.Victim.IP.1277 > 202.227.64.177.1027: R 0:0(0) ack 361765780 win 0
> 00:51:08.280014 IP 205.22.254.231.1080 > My.Victim.IP.1036: S 1599573484:1599573484(0) win 16384 <mss 1460,nop,[bad opt]>
> 00:51:08.280043 IP My.Victim.IP.1036 > 205.22.254.231.1080: R 0:0(0) ack 1599573485 win 0
> 00:51:08.280082 IP 202.238.89.100.1137 > My.Victim.IP.1158: S 3844747271:3844747271(0) win 16384 <mss 1460,nop,[bad opt]>
> 00:51:08.280111 IP My.Victim.IP.1158 > 202.238.89.100.1137: R 0:0(0) ack 3844747272 win 0
> 00:51:08.280152 IP 210.16.241.153.1074 > My.Victim.IP.1273: S 2749255844:2749255844(0) win 16384 <mss 1460,nop,[bad opt]>
> 00:51:08.280182 IP My.Victim.IP.1273 > 210.16.241.153.1074: R 0:0(0) ack 2749255845 win 0
> 00:51:08.280220 IP 202.37.165.2.1143 > My.Victim.IP.1106: S 1963715017:1963715017(0) win 16384 <mss 1460,nop,[bad opt]>
> 00:51:08.280250 IP My.Victim.IP.1106 > 202.37.165.2.1143: R 0:0(0) ack 1963715018 win 0
> 00:51:08.280289 IP 211.225.4.65.1043 > My.Victim.IP.1031: S 1558151020:1558151020(0) win 16384 <mss 1460,nop,[bad opt]>
> 00:51:08.280426 IP 199.75.254.153.1258 > My.Victim.IP.1026: S 1190926252:1190926252(0) win 16384 <mss 1460,nop,[bad opt]>
> 00:51:08.280496 IP 199.250.149.61.1099 > My.Victim.IP.1111: S 2527588092:2527588092(0) win 16384 <mss 1460,nop,[bad opt]>
> 00:51:08.280633 IP 210.155.122.67.1078 > My.Victim.IP.1248: S 1669627316:1669627316(0) win 16384 <mss 1460,nop,[bad opt]>
> 00:51:08.280710 IP 199.43.54.188.1144 > My.Victim.IP.1167: S 4133488145:4133488145(0) win 16384 <mss 1460,nop,[bad opt]>
> 00:51:08.280908 IP 211.231.52.59.1100 > My.Victim.IP.1107: S 3438491552:3438491552(0) win 16384 <mss 1460,nop,[bad opt]>
> 00:51:08.280976 IP 198.0.6.165.1172 > My.Victim.IP.1036: S 1294249773:1294249773(0) win 16384 <mss 1460,nop,[bad opt]>
> 00:51:08.281114 IP 211.86.244.159.1268 > My.Victim.IP.1186: S 3158078860:3158078860(0) win 16384 <mss 1460,nop,[bad opt]>
> 00:51:08.281189 IP 210.137.244.254 > My.Victim.IP: icmp 36: time exceeded in-transit
> 00:51:08.281265 IP 202.93.103.38 > My.Victim.IP: icmp 36: 202.93.103.38 tcp port 1046 unreachable
> 00:51:08.281334 IP 129.228.28.125.1135 > My.Victim.IP.1068: S 4066000806:4066000806(0) win 16384 <mss 1460,nop,[bad opt]>
>
> What does it tell you?
>
> The only thing that shows up in my syslog is the following:
> Nov 27 05:52:30 iihs kernel: martian source My.Victim.IP from 0.0.0.0, on dev eth0
> Nov 27 05:52:30 iihs kernel: ll header: 00:50:fc:29:94:2d:00:14:f2:89:bb:1c:08:00
> Nov 27 05:52:32 iihs kernel: martian source My.Victim.IP from 0.0.0.0, on dev eth0
> Nov 27 05:52:32 iihs kernel: ll header: 00:50:fc:29:94:2d:00:14:f2:89:bb:1c:08:00
> Nov 27 05:52:39 iihs kernel: martian source My.Victim.IP from 0.0.0.0, on dev eth0
>
> although my iptables script should have logged the DDoS...
>
> Following is a snippet of my iptables script:
>
> $IPTABLES -F
> $IPTABLES -F -t nat
> $IPTABLES -F -t mangle
> $IPTABLES -F -t filter
> $IPTABLES -X SRC_FILTER
> $IPTABLES -N SRC_FILTER
> $IPTABLES -A INPUT -m state --state INVALID -j DROP
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -m state --state NEW -p TCP --tcp-flags ! ALL SYN -j DROP
>
> # had this bit from before.. i just noticed it's in the FORWARD chain, so i doubt it does anything in my setup
> $IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
> $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
> $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
> $IPTABLES -A FORWARD -d 216.133.73.152/32 -p tcp --syn -m limit --limit 20/minute -j ACCEPT
>
> #i added this yesterday during an attack, but it didn't do anything:
> $IPTABLES -X syn-flood
> $IPTABLES -N syn-flood
> $IPTABLES -A syn-flood -m limit --limit 10/second --limit-burst 15 -j RETURN
> $IPTABLES -A syn-flood -j LOG --log-prefix "SYN flood: "
> $IPTABLES -A syn-flood -j DROP
>
> The system has one NIC with 24 virtual interfaces (24 IPs).
> No NAT is being done; the public IPs are assigned directly to the interfaces.
>
> It runs Debian Sarge (stable), 2.6.8-2-k7 kernel, iptables v1.2.11-10 Debian package.
>
> Any help would really be appreciated!
>
> Regards,
>
> AntiProxy
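What the quoted capture shows, as an added example that is not code from the thread: every SYN comes from a different source, every SYN carries options tcpdump could not parse (that is what "[bad opt]" means), and where the victim answers at all it answers with a RST that acks seq+1, which is what a host does for a SYN to a port nobody listens on. A RST to a closed port creates no socket state, so netstat shows nothing while the NIC is saturated. The script below parses the tcpdump 3.x text format of the post, matches each outbound RST to the SYN it answers, and prints a heuristic verdict. The SAMPLE lines are copied from AntiProxy's post (My.Victim.IP is the post's own redaction); the 0.9 cut-offs in classify() are assumptions.

```python
"""Parse a tcpdump excerpt and decide whether it looks like a spoofed SYN flood
against ports with no listener.

Added example for this page, not code from the thread. The SAMPLE lines are
copied from AntiProxy's post (My.Victim.IP is the post's own redaction); the
thresholds in classify() are assumptions, not measured values.
"""
import re
from collections import Counter

SAMPLE = """\
00:51:08.279876 IP 199.28.0.228.1136 > My.Victim.IP.1060: S 3605427625:3605427625(0) win 16384 <mss 1460,nop,[bad opt]>
00:51:08.279905 IP My.Victim.IP.1060 > 199.28.0.228.1136: R 0:0(0) ack 3605427626 win 0
00:51:08.279945 IP 202.227.64.177.1027 > My.Victim.IP.1277: S 361765779:361765779(0) win 16384 <mss 1460,nop,[bad opt]>
00:51:08.279977 IP My.Victim.IP.1277 > 202.227.64.177.1027: R 0:0(0) ack 361765780 win 0
00:51:08.280014 IP 205.22.254.231.1080 > My.Victim.IP.1036: S 1599573484:1599573484(0) win 16384 <mss 1460,nop,[bad opt]>
00:51:08.280043 IP My.Victim.IP.1036 > 205.22.254.231.1080: R 0:0(0) ack 1599573485 win 0
00:51:08.280289 IP 211.225.4.65.1043 > My.Victim.IP.1031: S 1558151020:1558151020(0) win 16384 <mss 1460,nop,[bad opt]>
00:51:08.280426 IP 199.75.254.153.1258 > My.Victim.IP.1026: S 1190926252:1190926252(0) win 16384 <mss 1460,nop,[bad opt]>
00:51:08.281189 IP 210.137.244.254 > My.Victim.IP: icmp 36: time exceeded in-transit
00:51:08.281265 IP 202.93.103.38 > My.Victim.IP: icmp 36: 202.93.103.38 tcp port 1046 unreachable
00:51:08.281334 IP 129.228.28.125.1135 > My.Victim.IP.1068: S 4066000806:4066000806(0) win 16384 <mss 1460,nop,[bad opt]>
"""

# tcpdump 3.x text: "ts IP src.sport > dst.dport: FLAGS seq:seq(len) [ack N] win W [<opts>]"
TCP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRPFU.]+) (?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
    r"(?: <(?P<opts>[^>]*)>)?"
)
ICMP_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): icmp ")


def parse(text):
    """Yield one dict per TCP or ICMP line; anything else is skipped."""
    for line in text.splitlines():
        m = ICMP_RE.match(line)  # ICMP first: its src/dst carry no port
        if m:
            yield {"proto": "icmp", **m.groupdict()}
            continue
        m = TCP_RE.match(line)
        if not m:
            continue
        p = {"proto": "tcp", **m.groupdict()}
        for k in ("sport", "dport", "seq", "win"):
            p[k] = int(p[k])
        p["ack"] = int(p["ack"]) if p["ack"] else None
        p["bad_opt"] = bool(p["opts"]) and "[bad opt]" in p["opts"]
        yield p


def summarize(text, victim="My.Victim.IP"):
    """Count inbound SYNs, outbound RSTs and how many SYNs the RSTs answer."""
    syns, rsts, icmp = [], [], 0
    for p in parse(text):
        if p["proto"] == "icmp":
            icmp += 1
        elif p["dst"] == victim and p["flags"] == "S":
            syns.append(p)
        elif p["src"] == victim and p["flags"] == "R":
            rsts.append(p)
    # A RST answers a SYN when it flows back on the same 4-tuple and acks seq+1.
    rst_keys = {(r["dst"], r["dport"], r["sport"], r["ack"]) for r in rsts}
    answered = sum((s["src"], s["sport"], s["dport"], s["seq"] + 1) in rst_keys
                   for s in syns)
    per_src = Counter(s["src"] for s in syns)
    return {
        "syn_in": len(syns),
        "rst_out": len(rsts),
        "icmp_in": icmp,
        "distinct_sources": len(per_src),
        "max_syn_per_source": max(per_src.values(), default=0),
        "distinct_dst_ports": len({s["dport"] for s in syns}),
        "bad_opt": sum(s["bad_opt"] for s in syns),
        "answered_by_rst": answered,
    }


def classify(s):
    """Heuristic verdict. The 0.9 ratios are assumed cut-offs; tune to your baseline."""
    if s["syn_in"] == 0:
        return "no inbound SYNs"
    one_shot = s["distinct_sources"] >= 0.9 * s["syn_in"]  # each source sends ~1 SYN
    bogus = s["bad_opt"] >= 0.9 * s["syn_in"]              # options tcpdump cannot parse
    closed = s["answered_by_rst"] > 0                       # victim has no listener there
    if one_shot and bogus and closed:
        return "spoofed-source SYN flood to closed ports (RST backscatter, no socket state)"
    if one_shot:
        return "distributed SYN scan or flood"
    return "SYNs concentrated in few sources; per-source limits may help"


if __name__ == "__main__":
    stats = summarize(SAMPLE)
    print(stats)
    print(classify(stats))
```

Because the sources are one-shot and almost certainly spoofed, a per-source rate limit has nothing to key on; what the numbers do tell you is the ratio of RSTs to SYNs, which is the same figure 'netstat -s -t' reports as resets sent, and that is why Danny asks for it.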


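On the ruleset itself, as an added example and not code from the thread: in the snippet quoted above the chain syn-flood is created with -N and filled with three rules, but no rule in INPUT jumps to it, so in that snippet it never sees a packet, and SRC_FILTER is in the same position. The FORWARD rules only match packets the host routes, which a host with addresses bound directly to its interfaces and no NAT does not do. The linter below reads an iptables script, reports user-defined chains nothing references and counts rules appended to FORWARD. SCRIPT is the snippet from the post with its `$IPTABLES` prefix; FIXED adds one hypothetical `-A INPUT -p tcp --syn -j syn-flood` line, my assumption of the missing hook, to show the finding disappear.

```python
"""Lint an iptables script for chains nothing jumps to and for rules in
chains a non-forwarding host never traverses.

Added example for this page, not code from the thread. SCRIPT is the
snippet from AntiProxy's post; FIXED appends one hypothetical jump rule
(an assumption about the missing hook, not something the post contains).
"""
import shlex

SCRIPT = """\
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -F -t filter
$IPTABLES -X SRC_FILTER
$IPTABLES -N SRC_FILTER
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP --tcp-flags ! ALL SYN -j DROP
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -d 216.133.73.152/32 -p tcp --syn -m limit --limit 20/minute -j ACCEPT
$IPTABLES -X syn-flood
$IPTABLES -N syn-flood
$IPTABLES -A syn-flood -m limit --limit 10/second --limit-burst 15 -j RETURN
$IPTABLES -A syn-flood -j LOG --log-prefix "SYN flood: "
$IPTABLES -A syn-flood -j DROP
"""

# Hypothetical fix (assumption): send every new inbound SYN through the chain.
FIXED = SCRIPT + "$IPTABLES -A INPUT -p tcp --syn -j syn-flood\n"


def lint(script, host_forwards=False):
    """Return findings: orphan user chains, rules in them, and FORWARD rules."""
    defined, referenced, appended = set(), set(), []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)  # handles the quoted --log-prefix value
        for i, tok in enumerate(argv[:-1]):
            nxt = argv[i + 1]
            if tok == "-N":
                defined.add(nxt)        # chain created
            elif tok == "-j":
                referenced.add(nxt)     # chain (or built-in target) jumped to
            elif tok == "-A":
                appended.append(nxt)    # chain a rule was appended to
    orphan = defined - referenced
    findings = {
        "unreferenced_chains": sorted(orphan),
        "dead_rules": sum(1 for c in appended if c in orphan),
        "forward_rules": sum(1 for c in appended if c == "FORWARD"),
    }
    if findings["forward_rules"] and not host_forwards:
        findings["note"] = "FORWARD rules never match on a host that does not route"
    return findings


if __name__ == "__main__":
    print("as posted:", lint(SCRIPT))
    print("with jump:", lint(FIXED))
```

Even with the jump in place the limit match is global, not per source, so on a spoofed flood it lets the first 10 SYNs per second through and logs and drops the rest regardless of origin; that is the intended behaviour of the chain as written, and it at least produces the log lines the poster expected to see.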


Thread overview: 7+ messages
2006-11-27  6:36 Watched a DDoS attack for hours and couldn't do much :S AntiProxy
2006-11-27  7:59 ` Danny
2006-11-27  8:03 ` Danny [this message]
2006-11-27 17:15   ` AntiProxy
     [not found] <200611270803.kAR81k2Y030892@mail3.jubileegroup.co.uk>
2006-11-27  8:38 ` G.W. Haywood
2006-11-27 17:16   ` AntiProxy
2006-11-27 18:57     ` Taylor, Grant
