Anti-DDOS in Linux

Source: Internet
Author: User
Tags how to defend against ddos
Article Title: how to defend against DDoS attacks in Linux. Squid can also be placed in front of the service with port mapping to take over port 80. For ordinary DDoS attacks, you can adjust the parameter in /proc/sys/net/ipv4/tcp_max_syn_backlog: the default is fairly small, and raising it above 8000 handles most such attacks. If connections pile up in the timeout stage, set /proc/sys/net/ipv4/tcp_fin_timeout to a smaller value.
 
Everyone is discussing DDoS. Personally, I think there is no real solution at present; I just want to enlarge the buffers and the defensive capacity and play a waiting game with the attackers to see who holds out longer. There are also many practices circulating on the Internet, such as SYN cookies, which are somewhat more complex.
 
sysctl -w net.ipv4.icmp_echo_ignore_all=1

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

sysctl -w net.ipv4.tcp_max_syn_backlog="2048"

sysctl -w net.ipv4.tcp_synack_retries="3"

# Create a dedicated chain and send every connection-opening SYN arriving on eth0 through it
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood

# Limit 12 connections per second (burst to 24): SYNs within the limit return to INPUT, the excess is dropped
iptables -A syn-flood -m limit --limit 12/s --limit-burst 24 -j RETURN
iptables -A syn-flood -j DROP
 
On a forwarding host, you can also try rate-limiting new connections in the FORWARD chain:

iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
 
Providers hosting virtual machines may be attacked while in operation; common attacks are SYN floods and DDoS. Changing the IP address of the attacked site can sidestep an attack, but the service interruption is long. A more thorough solution is a hardware firewall, but hardware firewalls are expensive, so it is worth considering the firewall functions the Linux system itself provides.
 
1. Resist SYN attacks

A SYN attack exploits the TCP/IP three-way handshake: the attacker sends a large number of connection-opening packets but never completes the handshake, so the connection queue of the attacked server fills up and normal users cannot get in.
 
The Linux kernel provides several SYN-related settings. Run:

sysctl -a | grep syn

and you will see lines such as:

net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
 
tcp_max_syn_backlog is the length of the SYN queue; tcp_syncookies determines whether SYN cookies are enabled, a feature that defeats some SYN attacks; tcp_synack_retries and tcp_syn_retries define the number of SYN retries.

Increasing the SYN queue length lets the server hold more half-open connections waiting to complete; enabling SYN cookies blocks some SYN attacks; reducing the number of retries also helps, because half-open entries are given up sooner.
 
To adjust the preceding settings, follow these steps:
 
Increase the SYN queue length to 2048:

sysctl -w net.ipv4.tcp_max_syn_backlog=2048

Enable the SYN cookie function:

sysctl -w net.ipv4.tcp_syncookies=1

Reduce the number of retries:

sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_syn_retries=3

To keep these settings across a system restart, add the preceding commands to the /etc/rc.d/rc.local file.
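The following script is an added example, not part of the original article: it reads `sysctl -a | grep syn`-style output and compares the four SYN settings above against the article's targets (backlog at least 2048, SYN cookies on, retries at most 3), printing either the deviations or the exact `sysctl -w` commands that would fix them. The sample input is constructed here, and the function names `check_syn_settings` and `syn_fix_commands` are ours, not a kernel or distribution tool.

```shell
#!/bin/sh
# Added example: audit the SYN-related sysctls against the article's targets.
# Input is "key = value" lines as printed by `sysctl -a | grep syn`.

# Constructed sample output of `sysctl -a | grep syn` on an unhardened host
# (the same values the article shows).
SAMPLE_UNHARDENED='net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5'

# Constructed sample of a host that already meets the targets.
SAMPLE_HARDENED='net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3'

# _syn_policy MODE: MODE "audit" prints one line per deviating key,
# MODE "fix" prints the sysctl -w command that would correct it.
# Keys without a target (the rest of `grep syn`) are ignored.
_syn_policy() {
  awk -v mode="$1" '
    BEGIN {
      # target value and the comparison the live value must satisfy
      want["net.ipv4.tcp_max_syn_backlog"] = 2048; op["net.ipv4.tcp_max_syn_backlog"] = ">="
      want["net.ipv4.tcp_syncookies"]      = 1;    op["net.ipv4.tcp_syncookies"]      = "=="
      want["net.ipv4.tcp_synack_retries"]  = 3;    op["net.ipv4.tcp_synack_retries"]  = "<="
      want["net.ipv4.tcp_syn_retries"]     = 3;    op["net.ipv4.tcp_syn_retries"]     = "<="
    }
    ($1 in want) && NF >= 3 {
      v = $3 + 0
      ok = (op[$1] == ">=" && v >= want[$1]) ||
           (op[$1] == "==" && v == want[$1]) ||
           (op[$1] == "<=" && v <= want[$1])
      if (!ok) {
        if (mode == "fix") printf "sysctl -w %s=%d\n", $1, want[$1]
        else               printf "%s = %d (want %s %d)\n", $1, v, op[$1], want[$1]
      }
    }'
}

# Report which of the four settings deviate from the targets.
check_syn_settings() { _syn_policy audit; }

# Emit the sysctl -w commands needed to reach the targets (dry run: nothing is applied).
syn_fix_commands() { _syn_policy fix; }

# Stand-alone run on the constructed sample: four deviations, four fix commands.
printf '%s\n' "$SAMPLE_UNHARDENED" | check_syn_settings
printf '%s\n' "$SAMPLE_UNHARDENED" | syn_fix_commands
```

On a live host, `sysctl -a 2>/dev/null | grep syn | syn_fix_commands` previews the changes as root; piping that output into `sh` applies them, and the same lines can be appended to /etc/rc.d/rc.local so they survive a reboot. `sysctl -a` prints many more `syn` lines than the four above; the script ignores keys it has no target for.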
 
2. Resist DDoS attacks
 
DDoS, distributed denial of service, is an attack in which the attacker uses many hosts from different sources to open a large number of connections to common ports such as 80 and 25; these clients only establish connections and never make normal requests. Apache is normally configured to accept a limited number of connections (usually 256), so these "fake" connections fill Apache up and normal requests fail.
 
Linux provides a firewall tool called ipchains to shield connections from specific IP addresses or IP address segments to specific ports.
 
To use ipchains against a DDoS attack, first use the netstat command to find the source addresses of the attack, then use the ipchains command to block each source you find.
 
** Enable the ipchains function
 
First, check whether the ipchains service is set to auto start:
 
chkconfig --list ipchains
 
The output is generally:
 
ipchains 0:off 1:off 2:on 3:on 4:on 5:on 6:off

If run levels 3, 4 and 5 are "on", the ipchains service is already set to start automatically.
 
If not, run the following command to set ipchains to start automatically:

chkconfig --add ipchains
 
Next, check whether the ipchains configuration file /etc/sysconfig/ipchains exists. If it does not, ipchains has no effect even when set to start automatically. The default ipchains configuration file is as follows:
 
  
     
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
# allow http,ftp,smtp,ssh,domain via tcp; domain via udp
-A input -p tcp -s 0/0 -d 0/0 pop3 -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 http -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 https -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 ftp -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 smtp -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 ssh -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 domain -y -j ACCEPT
-A input -p udp -s 0/0 -d 0/0 domain -j ACCEPT
# deny icmp packet
#-A input -p icmp -s 0/0 -d 0/0 -j DENY
# default rules
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT

 
If /etc/sysconfig/ipchains does not exist, create it with the content above. After creating it, start the ipchains service:

/etc/init.d/ipchains start
 
** Use the netstat command to find the attack source

If the attacker is hitting port 80 of the web server, list the IP address, port and state of every client connected to port 80:

netstat -ant | awk '$4 ~ /:80$/ {printf "%s %s\n", $5, $6}' | sort
 
Output:
 
161.2.8.9:123 FIN_WAIT2
161.2.8.9:124 FIN_WAIT2
61.233.85.253:23656 FIN_WAIT2
...
 
The first column is the Client IP address and port, and the second column is the connection status.
 
If there are many connections (more than 50) from the same IP address and their source ports are consecutive, it is very likely an attack.
 
 
If you only want to see established connections, add a filter on the state column:

netstat -ant | awk '$4 ~ /:80$/ && $6 == "ESTABLISHED" {printf "%s %s\n", $5, $6}' | sort
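As an added example (not from the original article), the script below automates the heuristic just described: it reads `netstat -ant` output, counts connections per client IP on a given local port, and prints every source at or above a threshold, noting whether its source ports form one consecutive run. The netstat output is a constructed sample built inline, and `sample_netstat` and `suspicious_sources` are names chosen here.

```shell
#!/bin/sh
# Added example: rank clients connected to a local port by connection count and
# flag sources above a threshold, using the article's "many connections from one
# IP on consecutive ports" heuristic.

# Constructed stand-in for `netstat -ant` output: one ordinary client with two
# connections and one source holding 60 connections on consecutive ports
# 40000-40059. Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State
sample_netstat() {
  printf 'Active Internet connections (servers and established)\n'
  printf 'Proto Recv-Q Send-Q Local Address           Foreign Address         State\n'
  printf 'tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN\n'
  printf 'tcp        0      0 10.0.0.5:80             61.233.85.253:23656     ESTABLISHED\n'
  printf 'tcp        0      0 10.0.0.5:80             61.233.85.253:23801     FIN_WAIT2\n'
  printf 'tcp        0      0 10.0.0.5:22             192.0.2.10:51122        ESTABLISHED\n'
  p=40000
  while [ "$p" -le 40059 ]; do
    printf 'tcp        0      0 10.0.0.5:80             218.202.8.151:%d       ESTABLISHED\n' "$p"
    p=$((p + 1))
  done
}

# suspicious_sources [PORT] [THRESHOLD]: reads netstat output on stdin, keeps
# non-LISTEN tcp rows whose local port is PORT (default 80), and prints
#   "<ip> <connections> <contiguous-ports:yes|no>"
# for every foreign IP with at least THRESHOLD (default 50) connections,
# busiest first. "yes" means the source ports are distinct and form one
# unbroken range, which is what a scripted flood tends to produce.
suspicious_sources() {
  port="${1:-80}"; threshold="${2:-50}"
  awk -v port="$port" -v thr="$threshold" '
    $1 ~ /^tcp/ && $6 != "LISTEN" {
      lp = $4; sub(/.*:/, "", lp)          # local port is the text after the last colon
      if (lp != port) next
      n = split($5, a, ":"); ip = a[1]; sport = a[n] + 0
      cnt[ip]++
      if (!((ip, sport) in seen)) { seen[ip, sport] = 1; dist[ip]++ }
      if (!(ip in lo) || sport < lo[ip]) lo[ip] = sport
      if (!(ip in hi) || sport > hi[ip]) hi[ip] = sport
    }
    END {
      for (ip in cnt) {
        if (cnt[ip] < thr) continue
        contiguous = (dist[ip] == cnt[ip] && hi[ip] - lo[ip] + 1 == cnt[ip]) ? "yes" : "no"
        printf "%s %d %s\n", ip, cnt[ip], contiguous
      }
    }' | sort -k2,2nr
}

# Stand-alone run on the constructed sample with the article's threshold of 50:
# prints "218.202.8.151 60 yes".
sample_netstat | suspicious_sources 80 50
```

On a real host the call is `netstat -ant | suspicious_sources 80 50`. The addresses it prints are candidates for the blocking steps that follow; treat the contiguous-port flag as a hint rather than proof, since a NAT gateway or a busy forward proxy also produces many connections from a single address and blocking it cuts off every user behind it.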
 
** Use ipchains to block attack sources

There are two ways to block attack sources with ipchains. One is to add the rule to /etc/sysconfig/ipchains and restart the ipchains service; the other is to run the ipchains command directly. After blocking, you may also need to restart the attacked service so that attack connections that are already established are torn down.
 
* Add to /etc/sysconfig/ipchains

Assume connections from 218.202.8.151 to port 80 are to be blocked. Edit /etc/sysconfig/ipchains and add the following line after ":output ACCEPT":

-A input -p tcp -s 218.202.8.151 -d 0/0 http -y -j REJECT
 
Save the changes and restart ipchains:
 
/etc/init.d/ipchains restart
 
To block the entire 218.202.8.0/24 network segment instead, add:

-A input -p tcp -s 218.202.8.0/255.255.255.0 -d 0/0 http -y -j REJECT
 
* Directly use the command line
 
Editing /etc/sysconfig/ipchains and restarting ipchains takes a moment, during which some attack connections can still slip in. The quickest method is to run the ipchains command directly.
 
To block connections from 218.202.8.151 to port 80, run:

ipchains -I input 1 -p tcp -s 218.202.8.151 -d 0/0 http -y -j REJECT
 
To block the entire 218.202.8.0/24 network segment, run:

ipchains -I input 1 -p tcp -s 218.202.8.0/255.255.255.0 -d 0/0 http -y -j REJECT

Here, -I means insert, input is the name of the chain, and 1 means the rule is inserted as the first one, so it is evaluated before the ACCEPT rules.
 
You can edit a shell script to make it easier. The command is as follows:
 
vi blockit
 
Content:
 
#!/bin/sh
# blockit: insert a REJECT rule for one source (host or net/mask) at the top of the input chain
if [ ! -z "$1" ]; then
    echo "Blocking: $1"
    ipchains -I input 1 -p tcp -s "$1" -d 0/0 http -y -j REJECT
else
    echo "which ip to block?"
fi
 
Save, and then:
 
chmod 700 blockit
 
Usage:
 
./blockit 218.202.8.151

./blockit 218.202.8.0/255.255.255.0
 
Rules created on the command line are lost after a restart. Use the ipchains-save command to print the current rules:

ipchains-save
 
Output:
 
  

     
:input ACCEPT
:forward ACCEPT
:output ACCEPT
Saving `input'.
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 110:110 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 88:88 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 89:89 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 90:90 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 91:91 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 8180:8180 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 443:443 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 25:25 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 9095:9095 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 8007:8007 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:1023 -p 6 -j REJECT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049:2049 -p 6 -j REJECT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:1023 -p 17 -j REJECT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049:2049 -p 17 -j REJECT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 6000:6009 -p 6 -j REJECT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 7100:7100 -p 6 -j REJECT -y

 
Remove the "Saving `input'." line and save the remaining content to /etc/sysconfig/ipchains; the rules you created will then take effect again after the next restart.
 
3. If iptables is used

In RH 8.0 and later, iptables replaces ipchains. The two are very similar, with a few differences in syntax.
 
* Enable iptables
 
If the file /etc/sysconfig/iptables does not exist, you can create it with the following content:
 
  

     
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport ftp -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport http -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport smtp -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport pop3 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport mysql -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2001 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport domain -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport domain -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT

 
The preceding configuration allows the ftp, ssh, http, smtp, pop3, mysql, 2001 (Prim@Hosting ACA port) and domain ports.
 
* Start iptables
 
/etc/init.d/iptables start
 
* Set iptables to auto start
 
chkconfig --level 2345 iptables on
 
* Use iptables to shield IP addresses
 
iptables -I RH-Lokkit-0-50-INPUT 1 -p tcp -m tcp -s 213.8.166.227 --dport 80 --syn -j REJECT

Note the differences from ipchains:

- The chain name after -I is not the fixed "input" of ipchains but the chain defined in /etc/sysconfig/iptables (here RH-Lokkit-0-50-INPUT).

- The tcp match module must be selected with -m tcp before its options can be used.

- The destination port is given as --dport 80.

- The additional --syn option matches only connection-opening SYN packets (the counterpart of ipchains' -y), so the rule targets the connection attempts of a SYN flood rather than established traffic.
 
Restrict ping with iptables (the first rule accepts at most 6 echo requests per minute with a burst of 2; the second rejects the rest):
 
  

     
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 2 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable

 
Allow a specific IP address to connect:

iptables -I RH-Firewall-1-INPUT 1 -p tcp -m tcp -s 192.168.0.51 --syn -j ACCEPT

Note: the specific ports and chain names must be adjusted to your own network.
 
