DDoS attack
How can I protect myself from an attack like this?
There are several kinds of DDoS attacks; it depends on what you have in mind. Even a plain SYN flood can be considered a denial of service, since in the end it fills your bandwidth and thus stops you from carrying out your activity. Anyway, these things are debatable. If you ask 10 network administrators or people who work in network security, you will almost certainly get at least 6 different answers.
In principle, to save yourself headaches, you can talk to your upstream and have them filter for you.
Code:
```bash
#!/bin/bash
# (bash, not sh: the script uses arrays, let and echo -e)
# Firewall script made by Magarus for verlihubforums.com and adminzone.ro
# Copyright @ 2007 - Saftoiu Mihai, All rights reserved.
# The distribution of this script without Saftoiu Mihai's
# approval is a violation of copyright and will be pursued to the
# full extent of the law. You may use it ONLY for non-commercial use,
# except with the author's explicit approval.
# Define constants - Leave them alone
IPTABLES=$(which iptables)
MODPROBE=$(which modprobe)
# Newer kernels renamed the conntrack module and the recent match;
# try the current names first and fall back to the old ones.
$MODPROBE nf_conntrack 2>/dev/null || $MODPROBE ip_conntrack
$MODPROBE xt_recent    2>/dev/null || $MODPROBE ipt_recent
NR_IP=""
IP_LOOP=""
PORT_LOOP=""

# Write a value to the first of the given /proc paths that exists.
# The conntrack tunables moved from /proc/sys/net/ipv4/(netfilter/)ip_conntrack_*
# to /proc/sys/net/netfilter/nf_conntrack_*, so both spellings are passed below.
set_proc(){
  local value="$1"; shift
  local path
  for path in "$@"; do
    if [ -e "$path" ]; then
      echo "$value" > "$path"
      return 0
    fi
  done
  echo " Warning: none of $* exists on this kernel, skipped" >&2
  return 1
}

# Modify tcp/ip parameters
# Reduce timeout
echo "15" > /proc/sys/net/ipv4/tcp_fin_timeout
# Increase backlog and max conn
echo "3000" > /proc/sys/net/core/netdev_max_backlog
echo "3000" > /proc/sys/net/core/somaxconn
# Reduce timeouts and retransmissions
echo "300" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "15" > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo "1" > /proc/sys/net/ipv4/tcp_keepalive_probes
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "2" > /proc/sys/net/ipv4/tcp_synack_retries
echo "1" > /proc/sys/net/ipv4/tcp_syn_retries
# Increase SYN backlog
echo "28000" > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Decrease conntrack timeouts for half-open connections
set_proc "10" /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_recv \
              /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv
set_proc "40" /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_sent \
              /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent
# Check for spoofing / Use 2 instead of 1 below if it doesn't fix it
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# See that conntrack doesn't get overflowed
set_proc "220000" /proc/sys/net/netfilter/nf_conntrack_max \
                  /proc/sys/net/ipv4/ip_conntrack_max
# Use scaling
echo "1" > /proc/sys/net/ipv4/tcp_window_scaling
# Remove overhead and unnecessary tcp/icmp params.
# (turning off SACK and timestamps costs throughput on lossy links)
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
# Increase available memory
echo "16777216" > /proc/sys/net/core/rmem_max
echo "16777216" > /proc/sys/net/core/wmem_max
echo "4096 87380 16777216" > /proc/sys/net/ipv4/tcp_rmem
echo "4096 87380 16777216" > /proc/sys/net/ipv4/tcp_wmem
echo "1" > /proc/sys/net/ipv4/tcp_no_metrics_save
# Increase number of ports available (this is a must for future apache fix)
echo "1024 65000" > /proc/sys/net/ipv4/ip_local_port_range

# Function for protection/hub/ip
protect_hub(){
  # Outbound hub data carrying the Pk=version handshake is sent to RST_LOOP_OUT
  $IPTABLES -A OUTPUT -s $IP_LOOP -p tcp --sport $PORT_LOOP --tcp-flags ALL PSH,ACK -m string --algo bm --string Pk=version --to 300 -j RST_LOOP_OUT
  # New connections to the hub port go through the per-source SYN rate limit
  $IPTABLES -A INPUT -d $IP_LOOP -p tcp --dport $PORT_LOOP --syn -j SYN_CHECK
  # Reset data packets carrying MyNick in their first 100 bytes
  $IPTABLES -A INPUT -d $IP_LOOP -p tcp --dport $PORT_LOOP --tcp-flags ALL PSH,ACK -m string --algo bm --string MyNick --to 100 -j REJECT --reject-with tcp-reset
  $IPTABLES -A INPUT -d $IP_LOOP -p tcp --dport $PORT_LOOP -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPTABLES -A INPUT -d $IP_LOOP -p tcp --dport $PORT_LOOP -j DROP
  $IPTABLES -A INPUT -d $IP_LOOP -p udp --dport $PORT_LOOP -j DROP
  # At most one SYN per 30 s per (client, hub) pair; anything faster gets a reset
  $IPTABLES -A SYN_CHECK -d $IP_LOOP -p tcp --dport $PORT_LOOP -m hashlimit --hashlimit 2/min --hashlimit-mode srcip,dstip \
    --hashlimit-name dcclients --hashlimit-burst 1 --hashlimit-htable-expire 30000 --hashlimit-htable-gcinterval 1000 -j ACCEPT
  $IPTABLES -A SYN_CHECK -d $IP_LOOP -p tcp --dport $PORT_LOOP -j REJECT --reject-with tcp-reset
  # Packets in this chain leave the hub, so match on the source address
  # (the posted version used -d here, which never matches outbound traffic and left both rules dead)
  $IPTABLES -A RST_LOOP_OUT -s $IP_LOOP -p tcp --sport $PORT_LOOP --tcp-flags ALL PSH,ACK -m conntrack --ctexpire 1:1000 -j REJECT --reject-with tcp-reset
  $IPTABLES -A RST_LOOP_OUT -s $IP_LOOP -p tcp --sport $PORT_LOOP --tcp-flags ALL FIN,PSH,ACK -m conntrack --ctexpire 1:1000 -j REJECT --reject-with tcp-reset
}

# Main()
firewall_run(){
  clear
  echo -e "\n Anti DDOS firewall for verlihub software, Copyright @ 2007 Saftoiu Mihai \n\n"
  echo -e " How many ip addresses do you have allocated for your running hubs? \c" && read NR_IP
  NR_IP=$(expr $NR_IP + 1)
  ctl="1"
  while [ "$ctl" -lt "$NR_IP" ]; do
    echo -e "\n Input ip no. $ctl = \c"
    read "IP[$ctl]"
    let "ctl += 1"
  done
  echo -e "\n"
  ctl="1"
  # Define custom chains
  # Check syn chain frequency drops anyway
  $IPTABLES -N SYN_CHECK
  # Reset output packets so hub doesn't get locked up on output
  $IPTABLES -N RST_LOOP_OUT
  # Drop all junk data
  $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  $IPTABLES -A INPUT -p tcp -m state --state INVALID,UNTRACKED -j DROP
  # Enter loop
  while [ "$ctl" -lt "$NR_IP" ]; do
    IP_LOOP="${IP[$ctl]}"
    echo -e "\n How many hub ports are there on this ip ${IP[$ctl]}? \c"
    read NR_PORTS && NR_PORTS=$(expr $NR_PORTS + 1) && ctlx="1"
    while [ "$ctlx" -lt "$NR_PORTS" ]; do
      echo -e "\n Input port $ctlx for ${IP[$ctl]} : \c"
      read "PORT[$ctlx]" && PORT_LOOP="${PORT[$ctlx]}"
      protect_hub
      let "ctlx += 1"
    done
    let "ctl += 1"
  done
}

# Clear the rules and any I might add
firewall_clear(){
  clear
  echo -e "\n\n Firewall rules are now being cleared...\n"
  $IPTABLES -t mangle -F
  $IPTABLES -t filter -F
  $IPTABLES -t raw -F
  $IPTABLES -Z
  $IPTABLES -X
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -L
  echo -e "\n Firewall CLEARED!"
}

# Run-time options
case "$1" in
  'start') firewall_run ;;
  'stop')  firewall_clear ;;
  *) echo -e "\nUsage: $0 [OPTION]..."
     echo -e "\nOPTIONS:"
     echo -e " start    Run the firewall."
     echo -e " stop     Stop the firewall."
     echo -e "\n " ;;
esac
```
People tend to believe that this firewall will protect them from EVERYTHING. That is wrong. If you want real protection, yes, you can start from what I wrote there, but note that it needs an update. A few things have changed since I posted it. The update is not available; you will have to find out what is wrong if it doesn't work for you. Basically, the names of some files in there need changing, the ones the kernel developers renamed (I mean the ones under /proc). If you want to be truly safe, you will have to take this toy script and adapt it to your system. Vim forgot to mention that the system this firewall was tuned on was a P4 with 2 GB RAM and 100 Mbps (real internet, not shitty metro). If you have frequent DDoS problems, try to limit your UPLOAD during the attack, otherwise you risk running out of bandwidth.
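The SYN_CHECK chain in the script above accepts a SYN only if the `-m hashlimit --hashlimit 2/min --hashlimit-burst 1 --hashlimit-mode srcip,dstip` rule matches and resets it otherwise. The following is an added example, not part of the original thread or of Magarus' script: a token-bucket model of xt_hashlimit in Python (an approximation of the kernel match, not its code) run over a constructed sequence of SYNs. The hub address, the client addresses and the SYN timings are made up for illustration.

```python
"""Token-bucket model of the SYN_CHECK hashlimit rule:
   2/min with burst 1 == one token every 30 s, bucket holds one token,
   keyed on (srcip, dstip); idle entries expire after 30 s (--hashlimit-htable-expire 30000).
Approximation of xt_hashlimit for illustration, not the kernel implementation."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

HUB = "10.0.0.5"            # assumed hub address (example value)
FLOODER = "198.51.100.7"    # constructed: one host hammering the hub port
CLIENT = "203.0.113.9"      # constructed: a normal client that reconnects twice
OTHER = "192.0.2.44"        # constructed: an unrelated client


@dataclass
class Bucket:
    tokens: float   # available credit, capped at the burst value
    last: float     # time of the last packet seen for this key (seconds)


class HashLimit:
    def __init__(self, rate_per_min: float, burst: int, expire_s: float) -> None:
        self.interval = 60.0 / rate_per_min     # seconds to earn one token (30 s at 2/min)
        self.burst = float(burst)               # bucket capacity (--hashlimit-burst)
        self.expire = expire_s                  # idle time before an entry is garbage-collected
        self.table: Dict[Tuple[str, str], Bucket] = {}

    def _gc(self, now: float) -> None:
        stale = [k for k, b in self.table.items() if now - b.last > self.expire]
        for k in stale:
            del self.table[k]

    def matches(self, src: str, dst: str, now: float) -> bool:
        """True when the packet is within the limit (rule matches, -j ACCEPT)."""
        self._gc(now)
        key = (src, dst)
        b = self.table.get(key)
        if b is None:
            b = Bucket(tokens=self.burst, last=now)   # a new key starts with a full burst
            self.table[key] = b
        else:
            # credit accrues with elapsed time, whether or not earlier packets matched
            b.tokens = min(self.burst, b.tokens + (now - b.last) / self.interval)
            b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def syn_check(limiter: HashLimit, syns: List[Tuple[float, str, str]]) -> Dict[str, List[str]]:
    """Run (time, src, dst) SYNs through the SYN_CHECK chain and group verdicts by source.
    ACCEPT = hashlimit matched; RESET = fell through to REJECT --reject-with tcp-reset."""
    out: Dict[str, List[str]] = {}
    for t, src, dst in sorted(syns):
        verdict = "ACCEPT" if limiter.matches(src, dst, t) else "RESET"
        out.setdefault(src, []).append(verdict)
    return out


# Constructed traffic: five SYNs in half a second from the flooder, a legitimate
# client connecting at t=5 s and reconnecting at t=20 s and t=40 s, and one
# unrelated client while the flood is in progress.
SAMPLE_SYNS = (
    [(0.1 * i, FLOODER, HUB) for i in range(5)]
    + [(5.0, CLIENT, HUB), (20.0, CLIENT, HUB), (40.0, CLIENT, HUB)]
    + [(0.3, OTHER, HUB)]
)


def run_demo() -> Dict[str, List[str]]:
    return syn_check(HashLimit(rate_per_min=2, burst=1, expire_s=30), SAMPLE_SYNS)


if __name__ == "__main__":
    for src, verdicts in run_demo().items():
        print(f"{src:>15}: {' '.join(verdicts)}")
```

The flooder gets one SYN through and a TCP reset for every one after it, and the unrelated client is untouched because the table is keyed per source. The same model also shows the rule's cost: the legitimate client that reconnects 15 s after its first SYN is reset as well and only gets back in once 30 s of credit have accrued. Since a fresh source always starts with a full bucket, a SYN flood from spoofed source addresses passes this rule entirely; that case is left to tcp_syncookies and the shortened conntrack timeouts set earlier in the script.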
Welcome among us, Magarus.
Indeed, you only have 100% protection if you unplug the computer, put it back in its boxes and the boxes in the closet. You can follow certain steps so that you are not 100% exposed. A good server configuration and the administrator's skill are, I think, the primary points for being protected. As for an update to that script, there may be one. Honestly, I have never used it. I came across it a while ago on a forum and kept it, so that I would have it "just in case". I think we all have that habit.
I have always been a fan of filtering at the ISP too. Easier and less hassle. It is not always reliable, but at least it "sifts" something out.
For protection against EVERYTHING, use a condom.