Use iptables firewall to defend against ddos and cc attacks
Source: Internet
Author: User
In IDCs, hardware firewalls are usually used to prevent DDOS and CC attacks. iptables can provide good protection against a small volume of attacks.
1. Enable/disable firewall commands in Linux
1) Takes effect permanently; the setting survives a restart
Enable: chkconfig iptables on
Disable: chkconfig iptables off
2) Takes effect immediately; the setting is lost after a restart
Enable: service iptables start
Disable: service iptables stop
The same commands can be used to enable or disable other services in Linux.
When the firewall is enabled, open the required ports as follows:
edit the /etc/sysconfig/iptables file and add the following lines:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
II. Anti-DDOS script
# Lightweight prevention against SYN attacks
iptables -N syn-flood   (if your firewall configuration already contains ":syn-flood - [0:0]", omit this line: creating the chain a second time is not allowed)
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
# Prevent too many DOS connections: allow at most 15 initial connections from each Internet IP address on the external NIC; anything beyond the limit is dropped
iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Use iptables to defend against DDOS attacks (the parameters are the same as those above)
iptables -A INPUT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#################################################################
# Or add the following lines directly to the firewall's iptables file:
-N syn-flood   (if your firewall configuration already contains ":syn-flood - [0:0]", omit this line: creating the chain a second time is not allowed)
-A INPUT -p tcp --syn -j syn-flood
-I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
-A syn-flood -j REJECT
# DDOS: at most 15 links from one IP
-A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
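The commands in section II are not safe to re-run: each run appends another copy of every rule, and "-N syn-flood" fails once the chain exists. The script below is an added example (it is not part of the original article) that applies the syn-flood chain and the connlimit rule idempotently, checking with "iptables -C" before appending and listing the chain before creating it. It assumes the iptables binary is on PATH with the limit, connlimit and state matches available, and that the external interface is eth0. The "--limit 12/s -j ACCEPT" and FORWARD rules are left out on purpose: a rate-limited ACCEPT rule only restricts traffic if a later rule or the chain policy drops what it does not accept, so on its own it changes nothing.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent version of the
# section II SYN-flood and connlimit rules. Assumptions: iptables on PATH,
# external interface eth0. Nothing is applied unless run as:
#   sh syn-flood.sh apply [iface]
set -u

IPT="${IPT:-iptables}"   # assumption: iptables binary on PATH (overridable for tests)

# Create a user chain only if it does not already exist.
ensure_chain() {
    chain="$1"
    if ! "$IPT" -L "$chain" -n >/dev/null 2>&1; then
        "$IPT" -N "$chain"
    fi
}

# Append a rule only if an identical rule is not already present (-C checks).
ensure_rule() {
    chain="$1"; shift
    if ! "$IPT" -C "$chain" "$@" 2>/dev/null; then
        "$IPT" -A "$chain" "$@"
    fi
}

# Insert a rule at the top of a chain only if it is not already present.
# Used for the RETURN rule, which must come before the REJECT rule.
ensure_rule_first() {
    chain="$1"; shift
    if ! "$IPT" -C "$chain" "$@" 2>/dev/null; then
        "$IPT" -I "$chain" 1 "$@"
    fi
}

# Same rules as section II, in an order that is safe to repeat.
apply_syn_flood_rules() {
    iface="${1:-eth0}"
    ensure_chain syn-flood
    ensure_rule INPUT -p tcp --syn -j syn-flood
    ensure_rule syn-flood -j REJECT
    ensure_rule_first syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
    ensure_rule INPUT -i "$iface" -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
    ensure_rule INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Only touch the firewall when explicitly asked.
if [ "${1:-}" = "apply" ]; then
    apply_syn_flood_rules "${2:-eth0}"
fi
```

Running the script twice leaves exactly one copy of each rule; to see what it would do without root, set IPT to a wrapper that just echoes its arguments.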
Whitelist settings:
Sometimes the default whitelist is frequently hit by mistake. To avoid this, set the whitelist IP addresses manually and lock the file so it cannot be modified:
vi /usr/local/ddos/ignore.ip.list
Set the whitelist IP addresses manually
chattr +i /usr/local/ddos/ignore.ip.list
Make the file immutable (it cannot be modified)
chattr -i /usr/local/ddos/ignore.ip.list
Remove the immutable flag (it can be modified again)
Manually use iptables to block IP addresses:
The command for a single IP address is
iptables -I INPUT -s 124.115.0.199 -j DROP
Unblock a single IP address:
iptables -D INPUT -s 124.115.0.199 -j DROP
The command for blocking IP segments is
iptables -I INPUT -s 124.115.0.0/16 -j DROP
iptables -I INPUT -s 124.115.3.0/16 -j DROP
iptables -I INPUT -s 124.115.4.0/16 -j DROP
The command to block the entire segment is
iptables -I INPUT -s 124.115.0.0/8 -j DROP
The command for blocking several segments is
iptables -I INPUT -s 61.37.80.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP
Prevent CC attacks
When an Apache site is under a severe CC attack, iptables can be used on the web server to limit the attack and automatically block the offending IP addresses.
1. System requirements
(1) Linux kernel version: 2.6.9-42.ELsmp or 2.6.9-55.ELsmp (other kernel versions need the kernel to be recompiled, which is troublesome but also possible).
(2) iptables version: 1.3.7
2. Installation
Install the kernel module kernel-smp-modules-connlimit that matches iptables 1.3.7 and the system kernel version.
3. Configure the corresponding iptables rules
Example:
(1) Control the maximum number of concurrent connections from a single IP address
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j REJECT
# Maximum number of concurrent connections allowed for a single IP address (the original note says 30; the rule as written rejects above 50)
# By default, iptables does not include the connlimit module; it must be compiled and loaded separately.
(2) Control the number of new connections allowed from a single IP address within a given period (for example, 60 seconds)
iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT
# At most 30 new connections from a single IP address within 60 seconds
4. Verify
(1) Simulate an attack yourself, then view the results.
(2) View the results:
Use
watch 'netstat -an | grep :21 | grep <client IP> | wc -l'
to view in real time the number of connections established by the simulated attack client, and use
watch 'iptables -L -n -v | grep <client IP>'
to view the number of packets dropped for the simulated attack client.
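The verification step above greps the verbose rule counters for one client. The following added example (not from the original article) does the same job for all sources at once: it reads the output of "iptables -L INPUT -n -v" and reports how many packets each DROP/REJECT rule has matched, so an administrator can see which blocking rule is actually firing during an attack. The sample output embedded in the script is constructed for the example, not captured from a real host; in use, pipe the real command into the functions.

```shell
#!/bin/sh
# Added example (not from the original article): summarise the packet counters
# of DROP/REJECT rules from "iptables -L INPUT -n -v" output.
# Field layout with -n -v: pkts bytes target prot opt in out source destination ...
set -u

# Constructed sample of "iptables -L INPUT -n -v" output (not real data).
SAMPLE_INPUT='Chain INPUT (policy ACCEPT 10 packets, 1200 bytes)
 pkts bytes target     prot opt in     out     source               destination
  412 24720 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 #conn src/32 > 15
 1500 90000 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 recent: UPDATE seconds: 60 hit_count: 30 name: BAD_HTTP_ACCESS side: source reject-with icmp-port-unreachable
    9   540 DROP       all  --  *      *       124.115.0.199        0.0.0.0/0
    0     0 DROP       all  --  *      *       61.37.80.0/24        0.0.0.0/0
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# Print "<source> <pkts> <target>" for every DROP/REJECT rule that has matched
# at least one packet, largest counter first. Reads iptables output on stdin.
blocked_counters() {
    awk 'NR > 2 && ($3 == "DROP" || $3 == "REJECT") && $1 > 0 { print $8, $1, $3 }' \
        | sort -k2,2nr
}

# Total packets dropped by rules whose source column equals the given IP/CIDR.
# Prints 0 when no such rule exists. Reads iptables output on stdin.
drops_for_source() {
    src="$1"
    awk -v src="$src" 'NR > 2 && $3 == "DROP" && $8 == src { n += $1 } END { print n + 0 }'
}

# Demo on the constructed sample; on a real host use:
#   iptables -L INPUT -n -v | blocked_counters
printf '%s\n' "$SAMPLE_INPUT" | blocked_counters
printf '%s\n' "$SAMPLE_INPUT" | drops_for_source 124.115.0.199
```

Wrapping the pipeline in watch (as the article does) turns this into a live view; a source of 0.0.0.0/0 in the output is a rule that matches every client, such as the connlimit or recent rules, so its counter measures the attack as a whole rather than one address.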
5. Note
To strengthen iptables against CC attacks, adjust the ipt_recent module parameters as follows:
# cat /etc/modprobe.conf
options ipt_recent ip_list_tot=1000 ip_pkt_list_tot=60