atac ddos

elgi · Post by **elgi** » 31 Dec 2007, 08:56

cum pot sa ma protejez de un atac de genul asta ?

vim · Post by **vim** » 31 Dec 2007, 09:01

Sunt mai multe tipuri de atacuri ddos. acum depinde la ce te referi tu. poti considera un denial of service si un banal syn flood, care pana la urma iti umple banda si implicit te impiedica sa iti desfasori activitatea. ma rog, chestiile astea sunt dicutabile. daca intrebi 10 administratori de retea sau persoane care se ocupa cu securitatea retelelor, mai mult ca sigur vei primii 6 raspunsuri diferite, pe putin.
In principiu, ca sa scapi de dureri de cap poti vorbi cu upstream`ul tau sa te filtreze.

elgi · Post by **elgi** » 31 Dec 2007, 09:03

bine ca te-am prins online.

vim wrote:In principiu, ca sa scapi de dureri de cap poti vorbi cu upstream`ul tau sa te filtreze.

cine e upstream ala ? sau ce e ?
eu vreau doar sa imi protejez hubul de atacuri. si mi-a zis cineva ca atacurile astea se numesc ddos.
multumesc anticipat.

vim · Post by **vim** » 31 Dec 2007, 09:07

Upstream = ISP, provider, nenea` cu netu`
Cat despre atacurile catre hub`urile dc++, li se pot taia avantul usor. Aveam pe aici un script cu reguli ptr iptables, facut pentru protectia la hub. Il caut si revin cu un post cand il gasesc.

elgi · Post by **elgi** » 31 Dec 2007, 09:09

astept. mersi frumos. u rule!

vim · Post by **vim** » 31 Dec 2007, 09:12

Code: Select all

    #!/bin/sh

    # Firewall script made by Magarus for verlihubforums.com and adminzone.ro
    # Copyright @ 2007 - Saftoiu Mihai, All rights reserved.
    # The distribution of this script without Saftoiu Mihai's
    # approval is a violation of copyright and will be persued to the
    # full extent of the law. You may use it ONLY for non-commercial use,
    # except without the author's explicit approval.

    # Define constants - Leave them alone
    IPTABLES=`which iptables`
    MODPROBE=`which modprobe`
    $MODPROBE ip_conntrack
    $MODPROBE ipt_recent
    NR_IP=""
    IP_LOOP=""
    PORT_LOOP=""

    # Modify tcp/ip parameters
    # Reduce timeout
    echo "15" > /proc/sys/net/ipv4/tcp_fin_timeout
    # Increase backlog and max conn
    echo "3000" > /proc/sys/net/core/netdev_max_backlog
    echo "3000" > /proc/sys/net/core/somaxconn
    # Reduce timeouts and retransmissions
    echo "300" > /proc/sys/net/ipv4/tcp_keepalive_time
    echo "15" > /proc/sys/net/ipv4/tcp_keepalive_intvl
    echo "1" > /proc/sys/net/ipv4/tcp_keepalive_probes
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    echo "2" > /proc/sys/net/ipv4/tcp_synack_retries
    echo "1" > /proc/sys/net/ipv4/tcp_syn_retries
    # Increase SYN backlog
    echo "28000" > /proc/sys/net/ipv4/tcp_max_syn_backlog
    # Decrease timeouts
    echo "10" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv
    echo "40" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent
    # Check for spoofing / Use 2 instead of 1 bellow if it doesn't fix it
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    # See that conntrack doesn't get overflowed
    echo "220000" > /proc/sys/net/ipv4/ip_conntrack_max
    # Use scaling
    echo "1" > /proc/sys/net/ipv4/tcp_window_scaling
    # Remove overhead and unnecessary tcp/icmp params.
    echo "0" > /proc/sys/net/ipv4/tcp_sack
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    echo "0" > /proc/sys/net/ipv4/tcp_timestamps
    # Increase available memory
    echo "16777216" > /proc/sys/net/core/rmem_max
    echo "16777216" > /proc/sys/net/core/wmem_max
    echo "4096 87380 16777216" > /proc/sys/net/ipv4/tcp_rmem
    echo "4096 87380 16777216" > /proc/sys/net/ipv4/tcp_wmem
    echo "1" > /proc/sys/net/ipv4/tcp_no_metrics_save
    # Increase number of ports available (this is a must for future apache fix)
    echo "1024 65000" > /proc/sys/net/ipv4/ip_local_port_range

    # Function for protection/hub/ip
    protect_hub(){
        $IPTABLES -A OUTPUT -s $IP_LOOP -p tcp --sport $PORT_LOOP --tcp-flags ALL PSH,ACK -m string --algo bm --string Pk=version --to 300 -j RST_LOOP_OUT
        $IPTABLES -A INPUT -d $IP_LOOP -p tcp --dport $PORT_LOOP --syn -j SYN_CHECK
        $IPTABLES -A INPUT -d $IP_LOOP -p tcp --dport $PORT_LOOP --tcp-flags ALL PSH,ACK -m string --algo bm --string MyNick --to 100 -j REJECT --reject-with tcp-reset
        $IPTABLES -A INPUT -d $IP_LOOP -p tcp --dport $PORT_LOOP -m state --state RELATED,ESTABLISHED -j ACCEPT
        $IPTABLES -A INPUT -d $IP_LOOP -p tcp --dport $PORT_LOOP -j DROP
        $IPTABLES -A INPUT -d $IP_LOOP -p udp --dport $PORT_LOOP -j DROP
        $IPTABLES -A SYN_CHECK -d $IP_LOOP -p tcp --dport $PORT_LOOP -m hashlimit --hashlimit 2/min --hashlimit-mode srcip,dstip
        --hashlimit-name dcclients --hashlimit-burst 1 --hashlimit-htable-expire 30000 --hashlimit-htable-gcinterval 1000 -j ACCEPT
        $IPTABLES -A SYN_CHECK -d $IP_LOOP -p tcp --dport $PORT_LOOP -j REJECT --reject-with tcp-reset
        $IPTABLES -A RST_LOOP_OUT -d $IP_LOOP -p tcp --sport $PORT_LOOP --tcp-flags ALL PSH,ACK -m conntrack --ctexpire 1:1000 -j REJECT --reject-with tcp-reset
        $IPTABLES -A RST_LOOP_OUT -d $IP_LOOP -p tcp --sport $PORT_LOOP --tcp-flags ALL FIN,PSH,ACK -m conntrack --ctexpire 1:1000 -j REJECT --reject-with tcp-reset
    }

    # Main()
    firewall_run(){
        clear
        echo -e "n Anti DDOS firewall for verlihub software, Copyright @ 2007 Saftoiu Mihai nn"
        echo -e " How many ip addresses do you have allocated for your running hubs? c" && read NR_IP
        NR_IP=`expr $NR_IP + 1`
        ctl="1"
        while [ "$ctl" -lt "$NR_IP" ]; do
            echo -e "n Input ip no. $ctl = c"
            read IP[$ctl]
            let "ctl += 1"
        done
        echo -e "n"
        ctl="1"

        # Define custom chains
        # Check syn chain frequency drops anyway
        $IPTABLES -N SYN_CHECK
        # Reset output packets so hub doesn't get locked up on output
        $IPTABLES -N RST_LOOP_OUT
        # Drop all junk data
        $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
        $IPTABLES -A INPUT -p tcp -m state --state INVALID,UNTRACKED -j DROP

        # Enter loop
        while [ "$ctl" -lt "$NR_IP" ]; do
            IP_LOOP="${IP[$ctl]}"
            echo -e "n How many hub ports are there on this ip ${IP[$ctl]}? c"
            read NR_PORTS && NR_PORTS=`expr $NR_PORTS + 1` && ctlx="1"
            while [ "$ctlx" -lt "$NR_PORTS" ]; do
                echo -e "n   Input port $ctlx for ${IP[$ctl]} : c"
                read PORT[$ctlx] && PORT_LOOP="${PORT[$ctlx]}"
                protect_hub
                let "ctlx += 1"
            done
            let "ctl += 1"
        done
    }

    # Clear the rules and any i might add
    firewall_clear(){
            clear
            echo -e "nn Firewall rules are now being cleared...n"
            $IPTABLES -t mangle -F
            $IPTABLES -t filter -F
            $IPTABLES -t raw -F
            $IPTABLES -Z
            $IPTABLES -X
            $IPTABLES -P INPUT ACCEPT
            $IPTABLES -P OUTPUT ACCEPT
            $IPTABLES -P FORWARD ACCEPT
            $IPTABLES -L
            echo -e "n Firewall CLEARED!"
    }

    # Run-time options
    case "$1" in
            'start') firewall_run ;;
             'stop') firewall_clear ;;
                  *) echo -e "nUsage: $0 [OPTION]..."
                     echo -e "nOPTIONS:"
                     echo -e "  start       Run the firewall."
                     echo -e "  stop        Stop the firewall."
                     echo -e "n " ;;
    esac

Magarus · Post by **Magarus** » 17 Jan 2008, 21:17

Lumea are tendinta sa creada ca firewall-ul ala o sa-i protejeze de ORICE. Chestia asta e gresita, daca vrei sa te protejezi cu adevarat, da poti pleca de la ce am scris eu acolo, dar, vezi ca-ti trebuie update la el. S-au mai schimbat niste lucruri de cand l-am postat. Update-ul nu este disponibil, va trebui sa afli ce are daca nu-ti merge. In principiu trebuie modificate numele la unele fisiere de pe acolo, care au fost redenumite de dezvoltatorii kernelului. (Ma refer la cele din /proc). Daca vrei sa fi intr-adevar safe, va trebui sa iei jucaria asta de script si s-o adaptezi pentru sistemul tau. Vim a uitat sa spuna ca sistemul pe care a fost pus la punct acel firewall era un P4 cu 2 GB ram si 100Mbps (internet nu shitty metro). Daca ai probleme dese de ddos, incearca sa-ti limitezi UPLOADUL in timpul atacului, altfel risti sa ramai fara banda.

vim · Post by **vim** » 17 Jan 2008, 21:45

Bine ai venit printre noi Magarus.
Intradevar, protejare 100% ai doar daca scoti calculatoru din priza, il pui inapoi in cutii si cutiile in dulap. Poti urma anumiti pasi ca sa nu fi descoperit 100%. Configurarea buna a server-ului si priceperea administratorului, cred ca sunt punctele primordiale pentru a fi protejat. Cat despre update la respectivul script, posibil sa existe. Sincer sa fiu nu l`am folosit niciodata. Am dat de el mai demult pe un forum si l`am pastrat, ca "in cazul in care" e nevoie, sa am. Cred ca toti avem obiceiu asta.

Si eu intotdeauna am fost adeptu filtrarilor de la ISP. Mai usor si mai putine batai de cap. Nu sunt fiabile intotdeauna, dar macar mai "cerne" cate ceva

Pentru protectie la ORICE, folositi prezervativul