One of our clients was attacked on Saturday. Our network monitoring showed six consecutive hours of huge abnormal traffic. We immediately contacted the customer but got no response, so we modified and limited the customer's VPS so that an attack on one VPS would not affect the entire server and the other VPS users, while keeping that VPS online (though it was under attack the whole time). The attack lasted 24 hours and continued on Sunday. We could not tolerate it any longer but still could not reach the customer, so we went to the customer's site and asked another person in charge whether they wanted us to step in and help. That person agreed immediately, and we went into battle with the DDoS (our dynamic scanning blocks the bad IPs; the client's site has now been restored). The whole process is interesting, and we will find time to write another blog post describing it later.

The first thing after logging in to the customer's VPS was to check the current connections and IPs: a large number of IPs from China were constantly hammering port 80, typical of a DDoS. So the first step was to cut off the source of the attack. Since the attack hit only port 80, there are many ways to cut it off: shut down the web server, cut off port 80 or all connections with the firewall/iptables, switch off the VPS network, block the offending IPs one by one, and so on. Because the source of the attack was in China, we decided to cut off all visits from that country, so that the site looks as if it were blocked by the wall rather than under attack, which helps maintain the glorious image of the customer's website. So how do you block the IPs of a particular country?
It's easy: go to IPDeny and download the list of IP addresses for a country code, for example cn.zone:
# wget http://www.ipdeny.com/ipblocks/data/countries/cn.zone
With all the IP addresses of the country in hand, blocking them is easy: write a script that reads the cn.zone file line by line and adds each entry to iptables:
#!/bin/bash
# block traffic from a specific country
# Written by vpsee.com

# country codes to block, lower-case to match the .zone file names from IPDeny
COUNTRY="cn"
IPTABLES=/sbin/iptables
EGREP=/bin/egrep

if [ "$(id -u)" != "0" ]; then
    echo "You must be root" 1>&2
    exit 1
fi

# flush all existing rules and user-defined chains so we start from a clean table
resetrules() {
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    $IPTABLES -X
}

resetrules

for c in $COUNTRY
do
    country_file=$c.zone
    # skip comment lines and blank lines in the zone file
    ips=$($EGREP -v "^#|^$" $country_file)
    for ip in $ips
    do
        echo "Blocking $ip"
        $IPTABLES -A INPUT -s $ip -j DROP
    done
done

exit 0
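Before cutting off a whole country it helps to measure how much of the current port 80 traffic actually falls inside the downloaded .zone file. The following Python is an added example, not code from the original post: it parses a constructed sample of the zone file with the same comment/blank-line filter the script uses, and counts a constructed list of foreign addresses (as netstat or ss would show them) against those networks.

```python
import ipaddress
from collections import Counter

# Constructed sample of an IPDeny .zone file: one CIDR per line,
# '#' comments and blank lines allowed (the egrep -v "^#|^$" in the
# script above skips exactly these two kinds of lines).
CN_ZONE = """\
# cn.zone - constructed sample, not the real IPDeny data
1.0.1.0/24
1.0.2.0/23

36.0.0.0/10
"""

# Constructed sample of foreign addresses of connections to port 80,
# in the "src_ip:src_port" form netstat/ss print.
CONNECTIONS = [
    "1.0.1.17:51234", "1.0.1.17:51235", "36.12.4.9:40001",
    "203.0.113.5:60000", "1.0.3.200:33333", "198.51.100.7:1234",
]

def load_zone(text):
    """Parse .zone text into ip_network objects, skipping comments and blanks."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def in_zone(ip, nets):
    """True if the address belongs to any network of the zone."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def classify_connections(conns, nets):
    """Return (connections inside the zone, connections outside, per-source counts inside)."""
    inside = Counter()
    outside = 0
    for conn in conns:
        ip = conn.rsplit(":", 1)[0]   # strip the source port
        if in_zone(ip, nets):
            inside[ip] += 1
        else:
            outside += 1
    return sum(inside.values()), outside, inside

if __name__ == "__main__":
    nets = load_zone(CN_ZONE)
    hit, miss, top = classify_connections(CONNECTIONS, nets)
    print(f"{hit} of {hit + miss} connections fall inside the zone")
    for ip, n in top.most_common(3):
        print(f"  {ip}: {n} connections")
```

On a live box the CONNECTIONS list would be replaced by the foreign-address column of `netstat -ntu` or `ss -ntu` filtered to local port 80.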
Good IPs and bad IPs alike are blocked. This method is of course not clever, and blocking IPs does not solve the problem of the attack itself, but it is the first step: once the source of the attack is blocked, we have the bandwidth, time and mood to check the security of the VPS. Below is the network traffic graph of our attacked customer. From 18:00 to 0:00 all bandwidth was occupied by attack traffic; during that time the customer could not log in to the VPS and visitors could not access the site: