Linux: iptables configurations for mitigating DDoS and CC attacks

Source: Internet
Author: User
Tags: ack, iptables

Mitigating DDoS attacks

# Mitigate SYN floods (lightweight protection)

iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT

Every SYN is diverted into the syn-flood chain. SYNs within the rate (3 per second, with an initial burst of 6) RETURN to INPUT and keep being evaluated there; everything above the rate hits the REJECT. Note that -m limit is one shared token bucket for all sources, so a single flooding host also starves legitimate new connections once the bucket is empty; the per-source connlimit rule below is what keeps one address from doing that.

# Stop too many DoS connections getting in: allow each source IP at most 15 initial (SYN) connections on the external interface and drop anything above that

iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

connlimit counts concurrent connections per source address (unlike -m limit, which caps events per unit of time), so this is the rule that stops one client from monopolising the server while others are still being let in.

# Easing DDoS with iptables (same idea as above)

iptables -A INPUT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

On their own these two rules block nothing: a SYN that exceeds the limit is simply not matched, falls through to the next rule, and ends up at the chain policy if nothing else matches. They only throttle when the policy is DROP or a later rule drops the remaining SYNs. The FORWARD rule applies to traffic routed through this host, not to connections to the host itself.
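The SYN snippets above all stop at the ACCEPT or RETURN and leave the ordering to the reader. The following added example (not code from the original page) puts the three ideas into one ordered set and contrasts the accept-under-limit form with a chain that actually drops the excess. It is a dry run: IPT defaults to `echo iptables`, so it prints the rules rather than applying them; RATE, BURST and PER_IP are assumed values, defaulting to the page's 3/s, 6 and 15.

```sh
#!/bin/sh
# Added example, not code from the original page: a SYN-flood rule set in
# the form the page's snippets need in order to work, generated as a dry
# run. IPT defaults to "echo iptables" so the script only prints commands;
# run it as root with IPT=iptables to apply them. RATE, BURST and PER_IP
# are assumptions (set to the values the page uses).
IPT="${IPT:-echo iptables}"
RATE="${RATE:-3/s}"
BURST="${BURST:-6}"
PER_IP="${PER_IP:-15}"

# The form used throughout the page: ACCEPT under a rate limit with nothing
# after it. A SYN above the rate is simply not matched, so it falls through
# to the next rule or the chain policy; with the default ACCEPT policy the
# flood goes through untouched.
weak_rules() {
    $IPT -A INPUT -p tcp --syn -m limit --limit "$RATE" --limit-burst "$BURST" -j ACCEPT
}

# The working form: a dedicated chain in which the limited share RETURNs to
# INPUT (and keeps being evaluated there) and a terminating DROP takes the
# rest. Order matters: loopback and established traffic are accepted first
# so the limit only ever sees new connections, and the per-source connlimit
# runs before the shared bucket so one flooding host is capped before it
# can drain the tokens every other client depends on.
strong_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --syn -m connlimit --connlimit-above "$PER_IP" -j DROP
    $IPT -N syn-flood
    $IPT -A INPUT -p tcp --syn -j syn-flood
    $IPT -A syn-flood -m limit --limit "$RATE" --limit-burst "$BURST" -j RETURN
    $IPT -A syn-flood -j DROP
}

# last_target CHAIN: the target of the last rule strong_rules appends to
# CHAIN, always taken from a dry run. A chain that starts with a limit match
# must end in DROP or REJECT, otherwise the limit blocks nothing; this check
# makes that visible.
last_target() {
    ( IPT="echo iptables"; strong_rules ) |
        awk -v chain="$1" '$2 == "-A" && $3 == chain { t = $NF } END { print t }'
}

strong_rules
```

Apply with `IPT=iptables sh syn-flood.sh` as root. `last_target` is the check worth keeping: any chain that begins with a limit rule should end in DROP or REJECT, otherwise the limit is decorative. For a per-source SYN rate instead of one shared bucket, the hashlimit match with `--hashlimit-mode srcip` is the drop-in replacement for `-m limit`.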

Mitigating CC attacks

When an Apache site is under a heavy CC attack (Challenge Collapsar: an HTTP request flood from many clients), iptables can be used to keep the web server reachable and to block the attacking IPs automatically.

1. System requirements

(1) Linux kernel 2.6.9-42.ELsmp or 2.6.9-55.ELsmp (other kernel versions need the kernel rebuilt with the connlimit module, which is more cumbersome but doable).
(2) iptables 1.3.7

2. Installation

Install the kernel-smp-modules-connlimit package that matches iptables 1.3.7 and the running kernel. (This applies to 2.6.9-era kernels; connlimit and recent have shipped in mainline as xt_connlimit and xt_recent for years, so on any current distribution nothing has to be built.)

3. Configure the corresponding iptables rules

Examples are as follows:

(1) Cap the number of concurrent connections from a single IP
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 25 -j REJECT   # at most 25 connections per source IP

# Early iptables builds did not include the connlimit module; it had to be compiled and loaded by hand.

(2) Cap the number of new connections a single IP may open in a given window (e.g. 60 seconds)

iptables -A INPUT -p tcp --dport 80 --syn -m recent --name bad_http_access --update --seconds 60 --hitcount 30 -j DROP
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name bad_http_access --set -j ACCEPT

# A single IP may open at most 30 new connections in 60 seconds.
# The first rule looks the source up in the bad_http_access list and drops the packet when the address has been seen 30 or more times in the last 60 seconds; --update also refreshes the timestamp, so the block persists for as long as the source keeps trying. The second rule records the source and accepts. --syn restricts the count to connection attempts rather than every packet of an established session; DROP is the assumed target for the first rule.

Watch in real time how many connections the (simulated) attacking client has open:

watch 'netstat -an | grep :21 | grep <attack ip> | wc -l'

(change :21 to the port under attack, e.g. :80 for the web server above)

Watch how many packets from the simulated attacking client are being dropped:

watch 'iptables -L -n -v | grep <attack ip>'

This only shows counters for rules that name the address explicitly (such as an `-s <attack ip> -j DROP` rule); the connlimit and recent rules match 0.0.0.0/0 and will not appear in the grep. The recent list itself, with per-address hit counts, can be read from /proc/net/xt_recent/bad_http_access (/proc/net/ipt_recent/ on older kernels).
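The watch one-liners above report on one attacker you already know about. Automatically blocking attacking IPs, as promised at the top of this section, needs the reverse: find the addresses above a threshold and emit the DROP rules. The following is an added example, not code from the page: it reads `netstat -an` output, counts connections per peer to the port you name, and prints block commands for peers above the threshold (the page's 25 is the natural value). The netstat sample inside it is constructed, using RFC 5737 documentation addresses; `count_by_peer`, `top_talkers` and `block_cmds` are names chosen here.

```sh
#!/bin/sh
# Added example (not part of the original page): count connections to a
# local port per peer address from "netstat -an" output and emit block
# rules for peers above a threshold. Live use:
#   netstat -an | top_talkers 80 25
#   netstat -an | block_cmds 80 25 | sh      (as root, to apply)
# IPv4 only: "tcp6" lines and ::ffff: addresses are ignored.

# count_by_peer PORT: one "count ip" line per peer with connections to PORT,
# highest count first. Every state is counted (ESTABLISHED, SYN_RECV,
# TIME_WAIT ...), which is what a connlimit-style threshold cares about.
count_by_peer() {
    awk -v port="$1" '
        $1 == "tcp" && $4 ~ (":" port "$") {
            split($5, a, ":")          # strip the peer port
            c[a[1]]++
        }
        END { for (ip in c) print c[ip], ip }
    ' | sort -rn
}

# top_talkers PORT MAX: "ip count" for peers holding more than MAX connections.
top_talkers() {
    count_by_peer "$1" | awk -v max="$2" '$1 > max { print $2, $1 }'
}

# block_cmds PORT MAX: the iptables commands that would block those peers.
# -I puts the rule at the head of INPUT so it wins over any ACCEPT below it;
# -p/--dport keep the block to the attacked service instead of cutting the
# peer off from everything.
block_cmds() {
    top_talkers "$1" "$2" | awk -v port="$1" \
        '{ printf "iptables -I INPUT -s %s -p tcp --dport %s -j DROP\n", $1, port }'
}

# Constructed netstat -an output: 198.51.100.7 holds three connections to
# port 80 and one to port 22; 203.0.113.9 holds one to port 80.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51000      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51002      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40000       ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.7:51003      ESTABLISHED'

# With a threshold of 2 only 198.51.100.7 is over the line.
printf '%s\n' "$SAMPLE" | block_cmds 80 2
```

Run it under `watch` first to see who would be blocked before piping into `sh`. Two caveats: stacking `-I INPUT -s ...` rules grows the chain linearly, so beyond a handful of addresses put them in an ipset and match the set with a single rule; and clients behind a NAT or proxy share one address, so a threshold that is safe for a direct client can cut off a whole office.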

Another one: configuring the firewall against SYN and DDoS attacks


[root@m176com ~]# vim /etc/sysconfig/iptables
Add the following lines to the iptables file:
# anti SYN, DDoS
-A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
Description:
Line 1: allows 1 new connection per second, with an initial burst of 5.
Line 2: rate-limits bare RST packets (RST set, SYN/ACK/FIN clear), which is meant to slow down port scans.
Line 3: rate-limits ICMP echo requests, i.e. ping floods. (The page calls this "ping of death", but a rate limit addresses flooding; the ping of death was an oversized-packet bug, fixed in the kernel.)
All three are in the FORWARD chain, so they govern traffic routed through this host, not traffic to the host itself. And, as above, a limit rule with -j ACCEPT only holds anything back if a later rule or the chain policy drops the excess.
Adjust or disable as needed.
Restart the firewall:
[root@m176com ~]# /etc/init.d/iptables restart
Block a single IP:
# iptables -I INPUT -s 192.168.0.1 -j DROP

How do I stop others from pinging me?
# iptables -A INPUT -p icmp -j DROP
(This drops all ICMP, including the destination-unreachable messages that TCP path MTU discovery relies on; dropping only --icmp-type echo-request is the safer choice.)
Stop SYN floods:
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Stop assorted port scans:
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping floods:
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# NMAP FIN/URG/PSH
# iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# Xmas tree
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP

# Another Xmas tree
# iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Null scan (probably)
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP

# SYN/RST
# iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# SYN/FIN scan (probably)
# iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

## Rate-limit fragmented packets sent to the host (-f matches second and later fragments)
#iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

## Rate-limit forwarded fragments
#iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

The flag rules above are the useful part of this list: a TCP segment with all flags set, no flags set, or SYN together with FIN or RST never occurs in a legitimate handshake, so dropping them costs nothing and blinds the corresponding nmap scan types.

A decent set of firewall rules (iptables-save format)
#####################################################

-A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 1068 -j DROP
-A INPUT -p icmp -m limit --limit 12/min --limit-burst 2 -j DROP
-A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -p udp -m udp --dport 138 -j DROP
-A FORWARD -p udp -m udp --dport 137 -j DROP
-A FORWARD -p tcp -m tcp --dport 1068 -j DROP
-A FORWARD -p tcp -m tcp --dport 5554 -j DROP
-A FORWARD -p icmp -j DROP

:PREROUTING ACCEPT [986908:53126959]
:POSTROUTING ACCEPT [31401:2008714]
:OUTPUT ACCEPT [30070:1952143]

-A POSTROUTING -p tcp -m tcp --dport 445 -j DROP

#####################################################

Notes on reading this: --tcp-flags SYN,RST,ACK SYN matches segments with SYN set and RST/ACK clear, i.e. connection attempts, so the second rule is the same SYN rate limit as earlier on the page and has the same weakness (without a DROP policy or a trailing DROP, SYNs over the limit are not blocked). The ICMP rule is inverted: it drops only the limited share (12 per minute, burst 2) and lets everything above the limit fall through, so it throttles nothing unless the chain policy is DROP; limit-then-ACCEPT followed by a plain DROP is what a ping throttle looks like. The :PREROUTING/:POSTROUTING/:OUTPUT lines are the nat table's chain headers with their packet:byte counters, as iptables-save writes them; in a real saved file they sit under a *nat line and the filter rules under *filter, each section ending in COMMIT. Dropping in the nat table is not supported on current kernels; keep the 445 block in the filter table's FORWARD chain, where it already is.

iptables firewall example

#!/bin/bash
#
# Script for a gateway whose interface $IFACE faces the Internet. The 2.6-era
# module names are kept as on the page; current kernels load nf_conntrack,
# nf_nat and the match modules on demand, so the modprobe block is optional there.

# echo
echo "Enable IP forwarding ..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Starting iptables rules ..."

IFACE="eth0"

# include modules
modprobe ip_tables
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ipt_MASQUERADE


# init: flush all rules, delete user-defined chains, zero the counters
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -Z -t nat

/sbin/iptables -X -t mangle

# default policies: drop everything inbound, forward and send freely
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

# Under an INPUT DROP policy loopback has to be allowed explicitly, or local
# services that talk to 127.0.0.1 (a resolver, a database socket) stop working.
# This rule is an addition; the page's script had none.
/sbin/iptables -A INPUT -i lo -j ACCEPT

# rate limits for fragments and for new connections (SYN set, RST/ACK clear).
# Caution: the SYN rule ACCEPTs any SYN within the rate regardless of port,
# and it sits above the port rules below, so it quietly opens every port not
# explicitly closed, at up to 20 connections/s. Dropping the excess instead
# (as in the syn-flood chain earlier on the page) keeps the port list authoritative.
/sbin/iptables -A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT

# ICMP: this drops only the limited share (12/min, burst 2); the remainder
# falls through to the DROP policy and to the explicit ICMP drop at the end,
# so the net effect in this script is that all ICMP is dropped.
/sbin/iptables -A INPUT -p icmp -m limit --limit 12/min --limit-burst 2 -j DROP

/sbin/iptables -A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT


# open ports on the Internet-facing interface
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 21 -j ACCEPT    # ftp
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 22 -j ACCEPT    # ssh
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 25 -j ACCEPT    # smtp
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 53 -j ACCEPT    # dns
/sbin/iptables -A INPUT -i $IFACE -p udp --dport 53 -j ACCEPT    # dns
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 80 -j ACCEPT    # http
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 100 -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -p tcp --dport 113 -j ACCEPT   # ident


# close ports: -I inserts at the head of the chain, so these drops win over
# every rule above, including the rate-limited SYN ACCEPT. The list is the
# page's: tftp (69), Windows RPC/NetBIOS/SMB (135-139, 445, 593), MS SQL
# monitor (1434), the ports used by the Blaster (4444) and Sasser (5554)
# worms, VNC (5800/5900), Gnutella (6346), IRC (6667), and 1068, 2500, 9393.
for CHAIN in INPUT FORWARD; do
    iptables -I $CHAIN -p udp --dport 69 -j DROP
    for PORT in 135 136 137 138 139 445 593 1068 4444 1434; do
        iptables -I $CHAIN -p tcp --dport $PORT -j DROP
        iptables -I $CHAIN -p udp --dport $PORT -j DROP
    done
    for PORT in 5554 2500 5800 5900 6346 6667 9393; do
        iptables -I $CHAIN -p tcp --dport $PORT -j DROP
    done
done

# stateful rules: keep packets of existing sessions, drop anything new or
# invalid that the port rules above did not accept. The ESTABLISHED rule is
# normally placed right after the loopback rule so the bulk of traffic is
# accepted without walking the whole chain; here the position changes the
# work done per packet, not the outcome.
/sbin/iptables -A INPUT -i $IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i $IFACE -m state --state NEW,INVALID -j DROP


# drop ping (all ICMP, so also the ICMP errors path MTU discovery needs;
# redundant under the DROP policy but explicit)
/sbin/iptables -A INPUT -p icmp -j DROP

# one abusive source blocked outright, ahead of everything else
/sbin/iptables -I INPUT -s 222.182.40.241 -j DROP
