With DDoS attacks fairly common and few free tools available to fight them at the server level, everyone makes the best of what they already have, and if you are on a Unix server there is no reason not to use iptables.

While looking for a simple way to stop a DDoS attack that does not involve PHP or similar scripts, I learned something about iptables: it is fairly easy to match on the TTL and the length of packets to stop an attack, or at least bring it down to a manageable level. This does not work every time, but it worked well the last two times I tried it, because of the particular bots that were being used to run the attack.

The first step is to find a few of the IPs being used to attack the server, which is easy to do with netstat:

netstat -tn --inet 2>/dev/null | grep ":80" | \
awk '/tcp[\ ]*[0-9]+[\ ]*[0-9]+[\ ]+[^\ ]+[\ ]*[^\ ]*/ {print $5}' | \
cut -d":" -f1 | sort | uniq -c | sort -n

or, more simply (this version also counts netstat's two header lines and connections to every port, not just 80, so expect a couple of stray entries):

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

IPs with a high connection count (e.g. over 150) can be considered part of the attack; in a high-intensity attack you will see IPs with over 600-700 connections each.
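The same counting step as a reusable pair of shell functions, added here as an example and not part of the original post. The netstat output it works on is constructed (RFC 5737 documentation addresses), the function names are my own, and the threshold of 2 is only chosen to fit the sample; on a live host you would pipe real `netstat -ntu` output in and use a threshold like the 150 mentioned above. Unlike `cut -d: -f1`, it strips only the trailing `:port`, so IPv6 and IPv4-mapped (`::ffff:...`) foreign addresses are counted correctly instead of collapsing to an empty field.

```shell
#!/bin/sh
# Added example (not from the original post): count connections per remote IP
# in netstat output and flag the IPs above a threshold.

# Constructed sample of `netstat -ntu` output; not captured from a real attack.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51235        SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.10:51236        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40000      ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:55000       ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:192.0.2.10:51237 ESTABLISHED
udp        0      0 10.0.0.5:53             198.51.100.7:1234       ESTABLISHED'

# count_remote_ips: read netstat -ntu output on stdin and print "count ip"
# per remote address, sorted ascending by count.
#  - keeps only tcp/tcp6/udp/udp6 rows, dropping netstat's header lines
#  - removes only the trailing ":port", so IPv6 addresses survive
#  - folds IPv4-mapped IPv6 (::ffff:a.b.c.d) into the plain IPv4 address
count_remote_ips() {
    awk '$1 ~ /^(tcp|udp)6?$/ {print $5}' \
    | sed -e 's/:[0-9]*$//' -e 's/^::ffff://' \
    | sort | uniq -c | sort -n \
    | awk '{print $1, $2}'
}

# flag_attackers THRESHOLD: print remote IPs with more than THRESHOLD
# connections (the post suggests ~150 on a real server; 2 fits the sample).
flag_attackers() {
    threshold="$1"
    count_remote_ips | awk -v t="$threshold" '$1 > t {print $2}'
}

# Usage with the constructed sample. On a live host:
#   netstat -ntu | flag_attackers 150
printf '%s\n' "$SAMPLE_NETSTAT" | flag_attackers 2
```

With the sample above, 192.0.2.10 is counted four times (three tcp rows plus the tcp6 row that `cut -d: -f1` would have lost) and is the only address printed by `flag_attackers 2`.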