Web Hosting Talk







View Full Version : DOS Attack


flashwebhost
07-06-2004, 03:02 AM
Hi,

I am getting DOS to my server.

I blocked the attacker using IP tables.

iptables -I INPUT -s 203.200.63.209/24 -j DROP

How can I drop MY.IP.ADDR.ESS from my server?

In this case, the IP that gets the attack is not used by any of the sites on my server. So dropping the IP will not cause any problem.

What's the command to drop the IP from my server?

Regards,

Yujin


tcp 1 14600 MY.IP.ADDR.ESS:80 203.200.63.209:1825 CLOSE_WAIT
tcp 0 10220 MY.IP.ADDR.ESS:80 203.200.63.209:1345 ESTABLISHED
tcp 0 14600 MY.IP.ADDR.ESS:80 203.200.63.209:3233 ESTABLISHED
tcp 1 11680 MY.IP.ADDR.ESS:80 203.200.63.209:1024 CLOSE_WAIT
tcp 1 14600 MY.IP.ADDR.ESS:80 203.200.63.209:1120 CLOSE_WAIT
tcp 0 11680 MY.IP.ADDR.ESS:80 203.200.63.209:3200 ESTABLISHED
tcp 1 21900 MY.IP.ADDR.ESS:80 203.200.63.209:1184 CLOSE_WAIT
tcp 1 14600 MY.IP.ADDR.ESS:80 203.200.63.209:1440 CLOSE_WAIT
tcp 1 29200 MY.IP.ADDR.ESS:80 203.200.63.209:1347 CLOSE_WAIT
tcp 0 13140 MY.IP.ADDR.ESS:80 203.200.63.209:1123 ESTABLISHED
tcp 0 29200 MY.IP.ADDR.ESS:80 202.88.238.172:1695 ESTABLISHED
tcp 1 10220 MY.IP.ADDR.ESS:80 203.200.63.209:1026 CLOSE_WAIT
tcp 0 21900 MY.IP.ADDR.ESS:80 219.65.55.45:4928 ESTABLISHED
tcp 1 32120 MY.IP.ADDR.ESS:80 203.200.63.209:1218 CLOSE_WAIT
tcp 0 18980 MY.IP.ADDR.ESS:80 219.65.55.45:3079 ESTABLISHED
tcp 1 18980 MY.IP.ADDR.ESS:80 203.200.63.209:1284 CLOSE_WAIT
tcp 1 18980 MY.IP.ADDR.ESS:80 203.200.63.209:1188 CLOSE_WAIT
tcp 1 13140 MY.IP.ADDR.ESS:80 203.200.63.209:1319 CLOSE_WAIT
tcp 1 24820 MY.IP.ADDR.ESS:80 203.200.63.209:3207 CLOSE_WAIT
tcp 0 11680 MY.IP.ADDR.ESS:80 203.200.63.209:1223 ESTABLISHED
tcp 0 14600 MY.IP.ADDR.ESS:80 203.200.63.209:3047 ESTABLISHED
tcp 1 13140 MY.IP.ADDR.ESS:80 203.200.63.209:1382 CLOSE_WAIT
tcp 0 13140 MY.IP.ADDR.ESS:80 203.200.63.209:3208 ESTABLISHED
tcp 0 21900 MY.IP.ADDR.ESS:80 219.65.55.45:3945 ESTABLISHED
tcp 1 11680 MY.IP.ADDR.ESS:80 203.200.63.209:1131 CLOSE_WAIT
tcp 1 11680 MY.IP.ADDR.ESS:80 203.200.63.209:1195 CLOSE_WAIT
tcp 1 12300 MY.IP.ADDR.ESS:80 203.200.63.209:1290 CLOSE_WAIT
tcp 1 35040 MY.IP.ADDR.ESS:80 203.200.63.209:1066 CLOSE_WAIT
tcp 0 13140 MY.IP.ADDR.ESS:80 203.200.63.209:1322 ESTABLISHED

The Dude
07-06-2004, 06:41 AM
You could download TCP VIEW (http://www.net-security.org/software.php?id=319). It shows you every connection on your computer and allows you to KILL THE CONNECTION (which is what you wanna do).

I use this and it's quite handy :)

Good Luck!!

flashwebhost
07-06-2004, 07:07 AM
Thanks, but it's only for Windows...

The Dude
07-06-2004, 07:09 AM
I'm sorry my friend, I didn't know you weren't on Windows :(

I'll look for something for your platform... Are you on Linux?

flashwebhost
07-06-2004, 07:26 AM
Thanks, OS is Linux, Fedora 1.0

After I did the iptables blocking, the DOS attack stopped. Maybe because of the iptables blocking or because of the mail I sent to the netblock owner.

The Dude
07-06-2004, 08:04 AM
Well, I'm glad you took care of things :)

Arsalan
07-06-2004, 10:39 AM
You need to edit your network card settings to drop off IPs (ifconfig), if I remember correctly.

Noam
07-06-2004, 01:20 PM
Having any connections showing from the IP that you added in the iptables rules makes me think that the firewall isn't working properly.
If you set up the firewall to drop any connections to that IP, you wouldn't need to mess with ifconfig.

Maquiavelo
07-06-2004, 01:48 PM
-s IP in iptables is for the source IP, -d IP is the target IP

In this case, your.ip

2uantuM
07-06-2004, 02:17 PM
ifconfig eth0 del x.x.x.x

The IP will come back when you reboot the server.

flashwebhost
07-07-2004, 01:27 AM
Thanks, ifconfig eth0 del x.x.x.x will be helpful in dealing with DDOS.
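
One way to tally connections from netstat output laid out like the listing in the first post, per remote address and state, and to print single-host DROP rules for the heaviest sources. This is an added example, not part of any post in the thread; the function names, the threshold and the sample addresses (documentation ranges) are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in the same column layout as the netstat lines in the
# thread; all addresses are documentation ranges, not taken from the page.
sample_netstat() {
cat <<'EOF'
tcp 1 14600 192.0.2.10:80 198.51.100.7:1825 CLOSE_WAIT
tcp 0 10220 192.0.2.10:80 198.51.100.7:1345 ESTABLISHED
tcp 1 11680 192.0.2.10:80 198.51.100.7:1024 CLOSE_WAIT
tcp 0 29200 192.0.2.10:80 203.0.113.5:1695 ESTABLISHED
tcp 0 21900 192.0.2.10:80 203.0.113.99:4928 ESTABLISHED
tcp 0 18980 192.0.2.10:80 203.0.113.99:3079 ESTABLISHED
tcp 0 0 192.0.2.10:22 203.0.113.5:50211 ESTABLISHED
EOF
}

# conns_per_ip PORT: read netstat lines on stdin and print
# "count remote_ip established close_wait" for that local port, busiest first.
conns_per_ip() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && NF >= 6 {
            lport = $4; sub(/^.*:/, "", lport)   # text after the last colon
            if (lport != port) next
            ip = $5; sub(/:[0-9]+$/, "", ip)     # strip the remote port
            total[ip]++
            if ($6 == "ESTABLISHED") est[ip]++
            if ($6 == "CLOSE_WAIT")  cw[ip]++
        }
        END { for (ip in total) print total[ip], ip, est[ip] + 0, cw[ip] + 0 }
    ' | sort -k1,1nr -k2,2
}

# over_threshold PORT MIN: remote IPs holding at least MIN connections.
over_threshold() {
    conns_per_ip "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# print_drop_rules PORT MIN: print (never execute) one single-host rule per
# heavy source. -s matches the packet source; -d would match the destination.
print_drop_rules() {
    for ip in $(over_threshold "$1" "$2"); do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# Stand-alone demo on the constructed sample.
sample_netstat | conns_per_ip 80
```

On a live host the input would come from `netstat -nt` instead of the constructed sample, and the printed rules would be reviewed before being applied.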