DDoS

xLosT · Mar 4, 2013

I am getting several DDoS packets, my firewall not block (SonicWALL 215), anyone know any iptables that can solve my problem?

look the problam \/

Code:

      1 98.54.160.100
      1 98.250.52.84
      1 98.224.168.169
      1 96.26.227.159
      1 96.222.184.198
      1 96.209.103.250
      1 96.142.184.127
      1 94.99.12.9
      1 94.219.89.174
      1 94.144.250.227
      1 92.227.241.33
      1 92.154.51.208
      1 90.41.144.182
      1 90.141.190.210
      1 88.87.33.103
      1 88.82.109.226
      1 88.154.228.62
      1 88.154.180.97
      1 88.144.169.186
      1 86.98.122.101
      1 86.31.76.145
      1 84.92.128.80
      1 84.237.131.107
      1 84.210.244.47
      1 84.118.84.233
      1 82.88.108.88
      1 82.53.80.117
      1 82.37.83.116
      1 82.255.87.183
      1 82.110.39.88
      1 80.251.107.150
      1 80.195.231.42
      1 80.122.81.165
      1 8.174.72.175
      1 78.164.123.89
      1 78.118.169.185
      1 76.227.62.198
      1 76.214.73.151
      1 76.210.148.2
      1 74.199.162.46
      1 74.173.255.255
      1 72.255.178.15
      1 72.162.197.69
      1 72.107.12.250
      1 70.4.58.30
      1 70.161.51.165
      1 68.57.223.246
      1 68.55.70.126
      1 66.249.73.235
      1 66.239.195.255
      1 64.8.180.50
      1 64.149.160.3
      1 64.144.184.251
      1 64.135.93.96
      1 62.77.107.142
      1 62.27.192.106
      1 62.250.216.129
      1 62.146.16.54
      1 60.72.225.227
      1 60.159.88.217
      1 58.188.25.198
      1 50.9.190.168
      1 50.29.179.223
      1 46.227.154.166
      1 44.87.147.218
      1 44.26.27.59
      1 44.231.46.69
      1 42.231.49.149
      1 4.80.209.220
      1 4.227.201.52
      1 4.108.169.103
      1 38.83.82.160
      1 38.237.213.179
      1 38.170.72.152
      1 38.120.207.37
      1 36.54.0.26
      1 36.11.79.2
      1 32.34.28.103
      1 32.167.160.186
      1 24.67.182.38
      1 24.229.42.4
      1 222.246.21.85
      1 220.185.183.132
      1 220.137.107.38
      1 220.122.74.169
      1 220.116.91.167
      1 218.246.182.39
      1 216.83.71.214
      1 216.48.170.215
      1 216.218.31.175
      1 216.177.65.10
      1 216.119.85.35
      1 216.108.7.177
      1 216.100.117.103
      1 214.55.211.80
      1 214.254.187.113
      1 214.143.142.217
      1 214.13.161.84
      1 212.23.163.106
      1 212.201.199.87
      1 212.17.179.206
      1 212.116.53.233
      1 210.77.88.212
      1 210.49.88.112
      1 210.116.121.215
      1 210.110.24.61
      1 206.96.155.179
      1 206.55.25.166
      1 204.73.17.180
      1 202.211.183.59
      1 202.186.226.9
      1 202.136.173.121
      1 202.111.23.59
      1 200.80.17.109
      1 200.70.10.7
      1 200.44.215.246
      1 2.74.213.4
      1 2.68.95.53
      1 2.219.117.75
      1 2.212.20.98
      1 196.210.54.20
      1 194.96.161.202
      1 194.197.226.223
      1 192.195.111.213
      1 192.119.149.154
      1 190.82.117.53
      1 190.75.85.231
      1 190.44.111.24
      1 190.193.61.28
      1 188.51.218.185
      1 188.252.222.234
      1 188.141.220.148
      1 186.2.250.182
      1 186.168.131.5
      1 186.163.75.131
      1 186.110.105.137
      1 184.194.253.75
      1 182.44.198.27
      1 182.137.19.226
      1 182.0.32.53
      1 180.34.110.120
      1 180.195.140.139
      1 180.152.179.21
      1 18.94.143.88
      1 18.89.73.34
      1 18.174.249.75
      1 18.158.167.204
      1 178.64.250.182
      1 178.56.183.160
      1 178.41.94.98
      1 178.226.252.117
      1 178.103.207.196
      1 176.99.156.153
      1 176.189.140.223
      1 176.182.52.225
      1 176.173.70.139
      1 176.100.177.122
      1 174.87.155.221
      1 174.79.161.204
      1 174.33.26.80
      1 174.224.167.248
      1 174.143.218.74
      1 174.114.58.225
      1 172.58.92.145
      1 170.163.112.74
      1 168.32.71.233
      1 166.226.60.225
      1 166.132.59.180
      1 166.110.47.5
      1 164.67.255.128
      1 162.23.79.251
      1 162.120.49.7
      1 162.11.134.36
      1 160.97.90.237
      1 16.94.127.51
      1 16.90.177.165
      1 16.222.12.128
      1 16.220.87.221
      1 16.204.212.46
      1 16.201.166.165
      1 16.159.66.104
      1 16.115.39.148
      1 158.195.1.169
      1 156.47.7.2
      1 156.135.187.85
      1 154.39.98.137
      1 152.226.237.162
      1 152.121.242.168
      1 150.229.178.253
      1 150.209.64.213
      1 148.115.195.111
      1 146.9.90.155
      1 146.249.208.173
      1 146.247.214.86
      1 144.139.86.41
      1 144.127.127.136
      1 142.240.243.37
      1 140.111.71.134
      1 138.179.18.24
      1 138.162.33.145
      1 138.140.74.2
      1 136.187.175.144
      1 134.88.86.17
      1 134.252.120.172
      1 134.197.186.144
      1 134.180.180.143
      1 132.67.7.107
      1 132.52.32.90
      1 132.52.133.200
      1 132.17.92.136
      1 130.52.223.8
      1 130.47.108.118
      1 130.194.157.145
      1 130.111.111.100
      1 128.149.95.85
      1 126.217.57.161
      1 126.208.14.216
      1 126.20.32.160
      1 126.144.150.99
      1 124.247.68.221
      1 124.2.131.188
      1 124.132.77.37
      1 124.13.177.253
      1 122.74.21.41
      1 122.6.163.148
      1 122.21.81.64
      1 122.1.140.157
      1 120.93.85.163
      1 120.40.251.210
      1 120.253.19.64
      1 120.214.31.187
      1 12.62.207.19
      1 12.45.214.189
      1 12.218.159.149
      1 12.179.20.38
      1 12.14.35.151
      1 118.25.153.53
      1 116.51.72.247
      1 116.122.202.247
      1 114.79.54.244
      1 114.57.198.121
      1 112.78.184.176
      1 112.38.221.128
      1 112.175.116.116
      1 110.96.96.154
      1 110.78.132.149
      1 110.30.6.137
      1 108.4.96.246
      1 108.247.149.164
      1 108.172.138.152
      1 108.151.163.94
      1 108.1.159.159
      1 106.69.250.254
      1 106.246.42.79
      1 106.223.145.227
      1 106.200.214.0
      1 106.135.64.150

Fairywintah · Mar 4, 2013

I am maybe not for any help, but I can try?
Look which ISP it comes from?
And contact the ISP and complain ^^

Vrotz · Mar 4, 2013

w8 the fat boy adm mega-war stop..

LucasFerraz · Mar 4, 2013

http://otland.net/f138/ddos-protection-script-iptables-168154/

xLosT · Mar 4, 2013

ZyzzBR said:
w8 the fat boy adm mega-war stop..

yes...

LucasFerraz said:
http://otland.net/f138/ddos-protection-script-iptables-168154/

the ip's generate only 1 connection then iptables will not solve this

ahmed30 · Mar 4, 2013

xLosT said:

I am getting several DDoS packets, my firewall not block (SonicWALL 215), anyone know any iptables that can solve my problem?

look the problam \/

Code:

      1 98.54.160.100
      1 98.250.52.84
      1 98.224.168.169
      1 96.26.227.159
      1 96.222.184.198
      1 96.209.103.250
      1 96.142.184.127
      1 94.99.12.9
      1 94.219.89.174
      1 94.144.250.227
      1 92.227.241.33
      1 92.154.51.208
      1 90.41.144.182
      1 90.141.190.210
      1 88.87.33.103
      1 88.82.109.226
      1 88.154.228.62
      1 88.154.180.97
      1 88.144.169.186
      1 86.98.122.101
      1 86.31.76.145
      1 84.92.128.80
      1 84.237.131.107
      1 84.210.244.47
      1 84.118.84.233
      1 82.88.108.88
      1 82.53.80.117
      1 82.37.83.116
      1 82.255.87.183
      1 82.110.39.88
      1 80.251.107.150
      1 80.195.231.42
      1 80.122.81.165
      1 8.174.72.175
      1 78.164.123.89
      1 78.118.169.185
      1 76.227.62.198
      1 76.214.73.151
      1 76.210.148.2
      1 74.199.162.46
      1 74.173.255.255
      1 72.255.178.15
      1 72.162.197.69
      1 72.107.12.250
      1 70.4.58.30
      1 70.161.51.165
      1 68.57.223.246
      1 68.55.70.126
      1 66.249.73.235
      1 66.239.195.255
      1 64.8.180.50
      1 64.149.160.3
      1 64.144.184.251
      1 64.135.93.96
      1 62.77.107.142
      1 62.27.192.106
      1 62.250.216.129
      1 62.146.16.54
      1 60.72.225.227
      1 60.159.88.217
      1 58.188.25.198
      1 50.9.190.168
      1 50.29.179.223
      1 46.227.154.166
      1 44.87.147.218
      1 44.26.27.59
      1 44.231.46.69
      1 42.231.49.149
      1 4.80.209.220
      1 4.227.201.52
      1 4.108.169.103
      1 38.83.82.160
      1 38.237.213.179
      1 38.170.72.152
      1 38.120.207.37
      1 36.54.0.26
      1 36.11.79.2
      1 32.34.28.103
      1 32.167.160.186
      1 24.67.182.38
      1 24.229.42.4
      1 222.246.21.85
      1 220.185.183.132
      1 220.137.107.38
      1 220.122.74.169
      1 220.116.91.167
      1 218.246.182.39
      1 216.83.71.214
      1 216.48.170.215
      1 216.218.31.175
      1 216.177.65.10
      1 216.119.85.35
      1 216.108.7.177
      1 216.100.117.103
      1 214.55.211.80
      1 214.254.187.113
      1 214.143.142.217
      1 214.13.161.84
      1 212.23.163.106
      1 212.201.199.87
      1 212.17.179.206
      1 212.116.53.233
      1 210.77.88.212
      1 210.49.88.112
      1 210.116.121.215
      1 210.110.24.61
      1 206.96.155.179
      1 206.55.25.166
      1 204.73.17.180
      1 202.211.183.59
      1 202.186.226.9
      1 202.136.173.121
      1 202.111.23.59
      1 200.80.17.109
      1 200.70.10.7
      1 200.44.215.246
      1 2.74.213.4
      1 2.68.95.53
      1 2.219.117.75
      1 2.212.20.98
      1 196.210.54.20
      1 194.96.161.202
      1 194.197.226.223
      1 192.195.111.213
      1 192.119.149.154
      1 190.82.117.53
      1 190.75.85.231
      1 190.44.111.24
      1 190.193.61.28
      1 188.51.218.185
      1 188.252.222.234
      1 188.141.220.148
      1 186.2.250.182
      1 186.168.131.5
      1 186.163.75.131
      1 186.110.105.137
      1 184.194.253.75
      1 182.44.198.27
      1 182.137.19.226
      1 182.0.32.53
      1 180.34.110.120
      1 180.195.140.139
      1 180.152.179.21
      1 18.94.143.88
      1 18.89.73.34
      1 18.174.249.75
      1 18.158.167.204
      1 178.64.250.182
      1 178.56.183.160
      1 178.41.94.98
      1 178.226.252.117
      1 178.103.207.196
      1 176.99.156.153
      1 176.189.140.223
      1 176.182.52.225
      1 176.173.70.139
      1 176.100.177.122
      1 174.87.155.221
      1 174.79.161.204
      1 174.33.26.80
      1 174.224.167.248
      1 174.143.218.74
      1 174.114.58.225
      1 172.58.92.145
      1 170.163.112.74
      1 168.32.71.233
      1 166.226.60.225
      1 166.132.59.180
      1 166.110.47.5
      1 164.67.255.128
      1 162.23.79.251
      1 162.120.49.7
      1 162.11.134.36
      1 160.97.90.237
      1 16.94.127.51
      1 16.90.177.165
      1 16.222.12.128
      1 16.220.87.221
      1 16.204.212.46
      1 16.201.166.165
      1 16.159.66.104
      1 16.115.39.148
      1 158.195.1.169
      1 156.47.7.2
      1 156.135.187.85
      1 154.39.98.137
      1 152.226.237.162
      1 152.121.242.168
      1 150.229.178.253
      1 150.209.64.213
      1 148.115.195.111
      1 146.9.90.155
      1 146.249.208.173
      1 146.247.214.86
      1 144.139.86.41
      1 144.127.127.136
      1 142.240.243.37
      1 140.111.71.134
      1 138.179.18.24
      1 138.162.33.145
      1 138.140.74.2
      1 136.187.175.144
      1 134.88.86.17
      1 134.252.120.172
      1 134.197.186.144
      1 134.180.180.143
      1 132.67.7.107
      1 132.52.32.90
      1 132.52.133.200
      1 132.17.92.136
      1 130.52.223.8
      1 130.47.108.118
      1 130.194.157.145
      1 130.111.111.100
      1 128.149.95.85
      1 126.217.57.161
      1 126.208.14.216
      1 126.20.32.160
      1 126.144.150.99
      1 124.247.68.221
      1 124.2.131.188
      1 124.132.77.37
      1 124.13.177.253
      1 122.74.21.41
      1 122.6.163.148
      1 122.21.81.64
      1 122.1.140.157
      1 120.93.85.163
      1 120.40.251.210
      1 120.253.19.64
      1 120.214.31.187
      1 12.62.207.19
      1 12.45.214.189
      1 12.218.159.149
      1 12.179.20.38
      1 12.14.35.151
      1 118.25.153.53
      1 116.51.72.247
      1 116.122.202.247
      1 114.79.54.244
      1 114.57.198.121
      1 112.78.184.176
      1 112.38.221.128
      1 112.175.116.116
      1 110.96.96.154
      1 110.78.132.149
      1 110.30.6.137
      1 108.4.96.246
      1 108.247.149.164
      1 108.172.138.152
      1 108.151.163.94
      1 108.1.159.159
      1 106.69.250.254
      1 106.246.42.79
      1 106.223.145.227
      1 106.200.214.0
      1 106.135.64.150

iptables have NO control on the network before it arrives on your computer, you would in this case need a ISP level block (most of ISP doesn't support this since people aren't paying for the bandwidth).

Enable some logging to figure out what he does, also enable ip connection limits this will usually kill of any tcp based attacks on your server.

You should be working with your hosting company to mitigate the attack.
They likely have other resources and means with which to deal with a DDOS attack. It is better handled at the network edge rather than the target.

xLosT · Mar 4, 2013

I added SonicWALL 215 then the server stopped having large packet losses but still lag continues

AnarchGov · Mar 4, 2013

Download guardian. You can run a free trial for a month and if you like it it is only a one time payment of 100 bucks. Good deal. It has worked for me.

xLosT · Mar 4, 2013

for windows?
i use ubuntu

I need something that limit 30 connections on port 80, more than that he should block

AnarchGov · Mar 4, 2013

It should work on either.

xLosT · Mar 11, 2013

Cronox · Mar 11, 2013

Use this iptables:

Lua:

iptables -A INPUT -p tcp -m tcp --dport 7172 -m state --state NEW -m recent --set --name SSH --rsource -A INPUT -p tcp -m tcp --dport 7172 -m state --state NEW -m recent --update --seconds 1 --hitcount 20 --rttl --name SSH --rsource -j DROP 
iptables -A INPUT -p tcp -m tcp --dport 7172 -m state --state NEW -m recent --set --name SSH --rsource
iptables -A INPUT -p tcp -m tcp --dport 7172 -m state --state NEW -m recent --update --seconds 1 --hitcount 20 --rttl --name SSH --rsource -j DROP 
iptables -A INPUT -p tcp -m tcp --dport 7171 -m state --state NEW -m recent --set --name SSH --rsource
iptables -A INPUT -p tcp -m tcp --dport 7171 -m state --state NEW -m recent --update --seconds 1 --hitcount 20 --rttl --name SSH --rsource -j DROP 
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name SSH --rsource
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 20 --rttl --name SSH --rsource -j DROP

xLosT · Mar 11, 2013

iptables: No chain/target/match by that name.

Cronox · Mar 11, 2013

don't worry only are 1 or 2 iptables failed, are works fine .. use one per one and u see works..

xLosT · Mar 11, 2013

not work

PHP:

root@server:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

- - - Updated - - -

it is possible to do a task that has over 20 ip's connected to port 80 run X iptables?

Cronox · Mar 12, 2013

iptables -L?
lol this for see IPS blocked you can blocked IPS and you see many conections "attacks"
every you see attacks go your ssh and use

Code:

netstat -ntu4 | grep ":22" | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

or

Code:

netstat -ntu4 | grep ":7172" | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

You see 3 last IPS - more connections and blocked..

Code:

iptables -A INPUT -s 190.206.151.24 -j DROP

you need edit IP 190.... ,and you blocked IP attack and don't back attack why many people use dedicateds for attacks and you blocked IPS..

DDoS

xLosT

Member

Fairywintah

RoHaN-OTs - Support and Mapper.

Vrotz

Member

LucasFerraz

Systems Analyst

xLosT

Member

ahmed30

Active Member

xLosT

Member

AnarchGov

Member

xLosT

Member

AnarchGov

Member

xLosT

Member

Cronox

www.Searz-Online.com

xLosT

Member

Cronox

www.Searz-Online.com

xLosT

Member

Cronox

www.Searz-Online.com