Dankoo, Active Member (joined Sep 4, 2010)
Ok, I've been thinking. Consider this the first part of the topic; you can read the rest if you want:
To DDoS and bring down my server, another dedicated server would be necessary, 'cause it has a 2gb uplink and stuff.
Going by the logic that at least 90% of dedicated servers have a unique IP address, if I can track down which IP sent more than X bytes of data, I could track him and add an iptables rule to block all connections from that IP, no?
------- end of first part lol -------
So, I'm facing some issues regarding DDoS.
Actually the guy who is DDoSing me became my friend, but the next one might not.
I'm using Ubuntu, tried stian's iptables rules:
# New TCP connection attempts (SYN) are diverted to the conn-flood chain, which lets a
# burst of 20 through and then 7 per second; everything above that is dropped.
# Note: -m limit counts globally, not per source, so a flood throttles legitimate clients too.
iptables -N conn-flood
iptables -I INPUT 1 -p tcp --syn -j conn-flood
iptables -A conn-flood -m limit --limit 7/s --limit-burst 20 -j RETURN
iptables -A conn-flood -j DROP
# ICMP: accept at most one packet per second, drop the rest
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
Tried these iptables rules, but they cut both my server and site connections:
echo "Block TCP-CONNECT scan attempts (SYN bit packets)"
# Drops EVERY new inbound TCP connection (game clients and website alike), which is why connections were cut
iptables -A INPUT -p tcp --syn -j DROP
echo "Block TCP-SYN scan attempts (only SYN bit packets)"
# Also matches every legitimate connection attempt: a normal handshake starts with a SYN-only packet
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH SYN -j DROP
echo "Block TCP-FIN scan attempts (only FIN bit packets)"
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j DROP
echo "Block TCP-ACK scan attempts (only ACK bit packets)"
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j DROP
echo "Block TCP-NULL scan attempts (packets without flag)"
# NULL scan = no TCP flags set at all ("ALL NONE")
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
echo "Block \"Christmas Tree\" TCP-XMAS scan attempts (packets with FIN, URG, PSH bits)"
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN,URG,PSH -j DROP
echo "Block DOS - Ping of Death"
# Drop oversized echo-requests (cutoff above a normal MTU-sized packet is an assumption)
iptables -A INPUT -p ICMP --icmp-type echo-request -m length --length 1501:65535 -j DROP
echo "Block DOS - Teardrop"
# -f matches second and later fragments; with conntrack loaded packets are reassembled before the filter table, so this rarely matches
iptables -A INPUT -p UDP -f -j DROP
echo "Block DDOS - SYN-flood"
# iplimit was an old patch-o-matic module; stock Ubuntu kernels ship connlimit instead (counts connections per source address)
iptables -A INPUT -p TCP --syn -m connlimit --connlimit-above 9 -j DROP
echo "Block DDOS - Smurf"
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
iptables -A INPUT -p ICMP --icmp-type echo-request -m pkttype --pkt-type broadcast -j DROP
iptables -A INPUT -p ICMP --icmp-type echo-request -m limit --limit 3/s -j ACCEPT
echo "Block DDOS - UDP-flood (Pepsi)"
iptables -A INPUT -p UDP --dport 7 -j DROP
iptables -A INPUT -p UDP --dport 19 -j DROP
echo "Block DDOS - SMBnuke"
iptables -A INPUT -p UDP --dport 135:139 -j DROP
iptables -A INPUT -p TCP --dport 135:139 -j DROP
echo "Block DDOS - Connection-flood"
# Stricter than the SYN-flood rule above (3 instead of 9 connections per source), so only one of the two is needed
iptables -A INPUT -p TCP --syn -m connlimit --connlimit-above 3 -j DROP
echo "Block DDOS - Fraggle"
iptables -A INPUT -p UDP -m pkttype --pkt-type broadcast -j DROP
# Only meaningful if followed by a DROP for the remaining UDP packets; on its own the excess falls through to the chain policy
iptables -A INPUT -p UDP -m limit --limit 3/s -j ACCEPT
echo "Block DDOS - Jolt"
iptables -A INPUT -p ICMP -f -j DROP
Didn't work.
Tried this:
set security zones security-zone external screen external-udp-flood
set security screen ids-option 1000-udp-flood udp flood threshold 1000
Didn't work.
Now I want to know... How to be safe from DDoS?
The guy who is DDoSing me said he has a dedicated server with a 1gb uplink and a quad core to nuke servers, and mine is a 2gb uplink semi-dedicated with 3GB RAM and a Core 2 Duo 2.8.
He said he can bring down almost any server from otservlist, with the exception of 4 he listed.
How can I be safer from DDoS attacks? I seriously NEED to know!
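The "track which IP sent more than X bytes, then block it" idea from the first part of the post, worked through as an added example (not code from the thread or from stian's rules). It accounts bytes per source address over tumbling time windows, skips an allowlist of the server's own and admin addresses so the operator cannot lock himself out the way the second rule set did, and renders iptables DROP rules for review without executing them. The packet records, the 10-second window, the 50000-byte threshold and the allowlisted 198.51.100.0/24 range are all constructed assumptions.

```python
#!/usr/bin/env python3
"""Per-source byte accounting over tumbling windows, with an allowlist and
iptables DROP rules rendered (not run) for the sources that exceed a threshold."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: (unix timestamp, source address, bytes on the wire).
# A real feed would come from a capture or flow export; these values are made up
# and use documentation address ranges.
SAMPLE_RECORDS = (
    [(t, "203.0.113.7", 1400) for t in range(0, 10)] * 6     # 60 packets, 84000 bytes in window 0
    + [(t, "192.0.2.10", 120) for t in range(0, 20)]         # normal game-client chatter
    + [(t, "198.51.100.5", 1400) for t in range(0, 10)] * 8  # allowlisted host, 112000 bytes
    + [(t, "203.0.113.9", 1400) for t in range(10, 20)] * 5  # 50 packets, 70000 bytes in window 1
)

# Assumed ranges that must never be blocked: the server's own hosts and admin addresses.
ALLOWLIST = [ip_network("198.51.100.0/24"), ip_network("127.0.0.0/8")]


def is_allowlisted(src):
    """True if src falls inside any allowlisted network."""
    addr = ip_address(src)
    return any(addr in net for net in ALLOWLIST)


def bytes_per_source_per_window(records, window_seconds):
    """Sum bytes per (window index, source) using tumbling windows of window_seconds."""
    totals = defaultdict(int)
    for ts, src, size in records:
        totals[(ts // window_seconds, src)] += size
    return totals


def find_heavy_sources(records, threshold_bytes, window_seconds=10):
    """Return {source: peak bytes seen in a single window} for every source whose
    peak exceeds threshold_bytes, excluding allowlisted addresses."""
    totals = bytes_per_source_per_window(records, window_seconds)
    peak = defaultdict(int)
    for (_, src), total in totals.items():
        if total > peak[src]:
            peak[src] = total
    return {src: b for src, b in peak.items()
            if b > threshold_bytes and not is_allowlisted(src)}


def block_rules(sources):
    """Render one iptables DROP rule per source for an operator to review.
    This function only builds strings; nothing here touches the firewall."""
    return [f"iptables -I INPUT -s {src} -j DROP"
            for src in sorted(sources, key=ip_address)]


if __name__ == "__main__":
    heavy = find_heavy_sources(SAMPLE_RECORDS, threshold_bytes=50_000)
    for src, b in heavy.items():
        print(f"{src}: {b} bytes in one 10 s window")
    print("\n".join(block_rules(heavy)))
```

Run it as-is and it reports 203.0.113.7 and 203.0.113.9 and prints a DROP rule for each, while the allowlisted 198.51.100.5 is ignored despite sending the most. The usual caveat applies: this only helps against senders that use their real address, since SYN floods and UDP floods frequently spoof the source, and once the uplink itself is saturated no rule on the server can help; upstream filtering is the only fix for that.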