As always, I'm learning the more advanced features of iptables. Lately I have been using the ttl, string, and length matches. Here are some examples:
String Match
Suppose you have a site under a GET, CC, or other HTTP attack. Let's say they are hitting GET index.php. Here is what you can do. It may only be a temporary fix, since the attacker will change things up once he catches on, but you can rename index.php, change the directory index, and add a string match like this:
iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 -m string --algo bm --string "index.php"
Make sure you put these at the beginning of your rules.
Also, I noticed that some bots have a fatal flaw: they use double slashes in the request path when attacking a site this way. When this happens you don't have to rename anything; you can simply block whatever they are requesting with the double slashes. Example:
iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -m string --algo bm --string "//trade/?a=forgot_password"
Now, as far as the --algo argument on these goes, I'm not totally sure, but using bm has not failed me yet.
For the next rules, the way to find the values to match on is to run tcpdump like this:
tcpdump -nn -vvv host attackedip
TTL Match
Another flaw some bots have is that all of their attack packets carry the same or similar TTL value. When you use this match you need to test and make sure you are not blocking legitimate packets. First run a tcpdump on the attacked IP and see whether there is a pattern in the TTL: are they all the same, or just a few numbers apart? Then make sure your own IP is not whitelisted in your firewall, and run a tcpdump again, this time grepping for your IP while you visit and jump around the attacked site. If you see the same TTL values as the attacking bots, this rule will most likely block legitimate traffic; if they are different, here goes. For example, if you do a dump and all the bots have a TTL of 111, you add a rule like this:
iptables -A INPUT -p tcp -s 0.0.0.0/0 -d attackedip -m ttl --ttl 111 -j DROP
(The iptables man page documents this option as --ttl-eq; --ttl-lt and --ttl-gt are available if the bots' TTLs are spread over a range.)
Then, of course, with this as well as any other rule you insert, make sure you are not blocking legitimate traffic by testing the site yourself, and even have others test it for you.
Length Match
You find the length of the packets the same way you found the TTL. If you notice a pattern and the lengths are different from the legitimate packets, you can add a rule like this. You can specify one length or a range of lengths:
iptables -A INPUT -p tcp -d attackedip -m length --length 40:48 -j DROP
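To go from the tcpdump step above to the values the ttl and length rules need, here is an added helper (not from the original post) that tallies each (TTL, IP length) pair seen in `tcpdump -nn -vvv` output and lists the sources behind it, so a cluster of bots stands out from your own test traffic. It assumes IPv4 and the two-line -vvv format (IP header line, then an indented "src.port > dst.port" line); the capture text below is constructed, not a real dump.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -nn -vvv` output (not a real capture):
# three SYNs sharing ttl 111 / IP length 40 from two bot-like sources,
# and one packet from a different host with a different ttl and length.
SAMPLE='10:00:01.000001 IP (tos 0x0, ttl 111, id 1, offset 0, flags [DF], proto TCP (6), length 40)
    192.0.2.10.40001 > 198.51.100.5.80: Flags [S], seq 1, win 512, length 0
10:00:01.000002 IP (tos 0x0, ttl 111, id 2, offset 0, flags [DF], proto TCP (6), length 40)
    192.0.2.10.40002 > 198.51.100.5.80: Flags [S], seq 2, win 512, length 0
10:00:01.000003 IP (tos 0x0, ttl 111, id 3, offset 0, flags [DF], proto TCP (6), length 40)
    192.0.2.11.40003 > 198.51.100.5.80: Flags [S], seq 3, win 512, length 0
10:00:01.000004 IP (tos 0x0, ttl 53, id 4, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.51000 > 198.51.100.5.80: Flags [S], seq 4, win 29200, length 0'

# tally_ttl_len: read tcpdump -vvv text on stdin and print one line per
# (ttl, ip-length) pair: "<count> <ttl> <length> <src1,src2,...>",
# most frequent first. The "length" on the IP header line is the total
# IP length, which is what `-m length --length` matches against.
tally_ttl_len() {
    awk '
        / IP \(/ {
            ttl = ""; len = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "ttl") ttl = $(i + 1)
                if ($i == "length") len = $(i + 1)
            }
            gsub(/[,)]/, "", ttl); gsub(/[,)]/, "", len)
            next
        }
        ttl != "" && $2 == ">" {
            src = $1; sub(/\.[0-9]+$/, "", src)   # drop the source port
            key = ttl " " len
            count[key]++
            if (!seen[key, src]++)
                srcs[key] = (srcs[key] == "" ? src : srcs[key] "," src)
            ttl = ""
        }
        END { for (k in count) print count[k], k, srcs[k] }
    ' | sort -rn
}

# Usage on a live host: tcpdump -nn -vvv host attackedip | tally_ttl_len
printf '%s\n' "$SAMPLE" | tally_ttl_len
```

A line like "3 111 40 192.0.2.10,192.0.2.11" is the signal for a `-m ttl --ttl 111` or `-m length --length 40` rule; if your own IP shows up on the same line while you browse the site, that rule would block you too.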