Web Hosting Talk

DOS attack!


archangel777
05-09-2002, 06:34 AM
Anyone know how to prevent this person from messing with my server? This guy is costing me some big bucks!


Here's a sample of my TCPDUMP:


16:23:55.726282 lynn.keyfile.com > 64.242.34.140: (frag 2294:1480@59200+)
16:23:55.734314 lynn.keyfile.com > 64.242.34.140: (frag 2294:1480@60680+)
16:23:55.742230 lynn.keyfile.com > 64.242.34.140: (frag 2294:1480@62160+)
16:23:55.749748 lynn.keyfile.com > 64.242.34.140: (frag 2294:1480@63640+)
16:23:55.909489 lynn.keyfile.com > 64.242.34.140: icmp: echo request (frag 2296:1480@0+)
16:23:55.917643 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@1480+)
16:23:55.925550 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@2960+)
16:23:55.933424 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@4440+)
16:23:55.941561 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@5920+)
16:23:55.949426 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@7400+)
16:23:55.957459 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@8880+)
16:23:55.965320 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@10360+)
16:23:55.973185 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@11840+)
16:23:55.981744 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@13320+)
16:23:55.989076 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@14800+)
16:23:55.996940 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@16280+)
16:23:56.004804 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@17760+)
16:23:56.012711 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@19240+)
16:23:56.021191 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@20720+)
16:23:56.028929 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@22200+)
16:23:56.036591 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@23680+)
16:23:56.044295 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@25160+)
16:23:56.052157 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@26640+)
16:23:56.060071 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@28120+)

Techark
05-09-2002, 06:36 AM
Block the IP at the router.

Monte Roberts

roly
05-09-2002, 06:36 AM
1. Block their IP

2. If that fails power off the server

erapid
05-10-2002, 03:28 PM
Hi,


We just unroute the targeted IP for some time and close ping.
It helps.

Regards

archangel777
05-10-2002, 03:54 PM
I just had a case where my server was doing 25 Mbps for about 2 hours straight from a DOS attack. However, admittedly, the provider told me that it originated from a different server and spread throughout the network. My server has since had unusual bursts that go way above what it should be doing. I'm thinking that it's one of their other servers on their network that's causing my MRTG graphs to skyrocket, just as it did when it went to 25 Mbps.


In cases like this, is it illegal for them to charge you for it?

rfxn
05-11-2002, 02:46 PM
DOS attacks come in all shapes and sizes, some can be combated and others are just pointless to fight or defend against.

There is only so much you can do on a specific server, to harden it from DOS/DDOS attacks. The real protection should be @ the network level but seldom do large hosting providers (e.g: rackshack.net, affordableservers.net etc..) equip their networks with proper protection and hardening against external DOS/DDOS attacks.

From the perspective of individual servers, you can make use of netfilter (iptables) to filter out some of the junk that may come your way. From the looks of the above logs, you have a problem with fragmented packets flooding your server (I think?) - this is easily fixed. The following are 3 iptables chains that will stop fragmented packets, packets with invalid flags (options) & all ICMP packets:

# Block Fragmented Packets
iptables -N FRAG
iptables -A INPUT -f -j FRAG
iptables -A FRAG -m limit --limit 5/minute -j LOG --log-level 'warning' --log-prefix 'netfilter: Fragmented:'
iptables -A FRAG -j DROP

#Block Traffic w/ Invalid Flags
iptables -N INV
iptables -t filter -A INPUT -m state --state INVALID -j INV
iptables -A INV -m limit --limit 5/minute -j LOG --log-level 'warning' --log-prefix 'netfilter: Invalid Flags:'
iptables -A INV -j DROP

#Drop All ICMP Traffic (it's not really needed in the least bit)
iptables -A INPUT -p icmp -s 0/0 -d 0/0 -j DROP

This is only one step of protecting yourself. You should be employing an array of software to ensure the security of your servers (e.g: tripwire, snort, iptables etc...).

Some links you may care to refer to:
http://www.webhostingtalk.com/showthread.php?s=&threadid=46195
http://www.webhostingtalk.com/showthread.php?s=&threadid=45887
http://www.webhostingtalk.com/showthread.php?s=&threadid=45885
http://www.webhostingtalk.com/showthread.php?s=&threadid=47086
http://www.securityfocus.com
http://www.r-fx.net/lib.php
http://www.packetstormsecurity.net
http://www.wiretapped.net
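As an added example (editor's code, not rfxn's and not anything posted in the thread), the following Python script does the triage rfxn describes on the tcpdump output before any rule is written: it groups fragment lines by source, destination and IP id, works out how far each datagram has been reassembled, and reports sources whose fragments are unusually large, exceed the 65535-byte IPv4 maximum, or arrive too fast. In tcpdump output the host before `>` is the sender, so in the capture above lynn.keyfile.com is the source and 64.242.34.140 the target; the 2294 chain has already reached byte 65120 with More-Fragments still set, i.e. these are near-maximum-size pings. The sample input reuses lines from the capture above and adds constructed ones (IP id 2300 with an offset past 65535, a harmless second source 10.0.0.7, and one TCP line that must be ignored); the thresholds (16384 bytes, 8 fragments/s), the address 203.0.113.5 and the per-source iptables rules are assumptions, not something the thread used.

```python
"""Fragment-flood triage over tcpdump output. Added example, not from the thread.
A fragment line reads ``src > dst: [proto] (frag ID:LEN@OFF[+])``: IP id, fragment
payload length, byte offset; '+' = More-Fragments; proto only on the first one."""
import re
from collections import defaultdict
from dataclasses import dataclass

IP_MAX = 65535  # largest legal IPv4 datagram; a larger reassembled size is malformed
FRAG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s*"
    r"(?P<proto>.*?)\s*\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<mf>\+?)\)\s*$"
)
# IP ids 2294 and 2296 are lines from the thread's capture; id 2300 (offset past
# 65535), the 10.0.0.7 fragments and the TCP line are constructed test input.
SAMPLE = """\
16:23:55.742230 lynn.keyfile.com > 64.242.34.140: (frag 2294:1480@62160+)
16:23:55.749748 lynn.keyfile.com > 64.242.34.140: (frag 2294:1480@63640+)
16:23:55.909489 lynn.keyfile.com > 64.242.34.140: icmp: echo request (frag 2296:1480@0+)
16:23:55.917643 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@1480+)
16:23:55.925550 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@2960+)
16:23:55.933424 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@4440+)
16:23:55.941561 lynn.keyfile.com > 64.242.34.140: (frag 2296:1480@5920+)
16:23:56.100000 lynn.keyfile.com > 64.242.34.140: icmp: echo request (frag 2300:1480@0+)
16:23:56.108000 lynn.keyfile.com > 64.242.34.140: (frag 2300:1480@65000)
16:23:57.000000 10.0.0.7 > 64.242.34.140: (frag 9000:1000@0+)
16:23:57.010000 10.0.0.7 > 64.242.34.140: (frag 9000:200@1000)
16:23:57.020000 10.0.0.7.1024 > 64.242.34.140.80: S 1:1(0) win 5840
"""


@dataclass
class Datagram:
    src: str
    dst: str
    ident: int
    proto: str = ""         # known only if the offset-0 fragment was captured
    fragments: int = 0
    end: int = 0            # highest byte covered so far: offset + length
    complete: bool = False  # a fragment without More-Fragments was seen


def parse_fragments(lines):
    """Group fragment lines by (src, dst, IP id); returns the table and per-source timestamps."""
    datagrams, times = {}, defaultdict(list)
    for line in lines:
        m = FRAG_RE.match(line.strip())
        if not m:
            continue  # not an IP fragment line (e.g. an ordinary TCP packet)
        key = (m["src"], m["dst"], int(m["id"]))
        d = datagrams.setdefault(key, Datagram(*key))
        d.fragments += 1
        d.end = max(d.end, int(m["off"]) + int(m["len"]))
        if m["proto"]:
            d.proto = m["proto"]
        if not m["mf"]:
            d.complete = True
        h, mi, s = m["ts"].split(":")
        times[m["src"]].append(int(h) * 3600 + int(mi) * 60 + float(s))
    return datagrams, times


def assess(lines, large=16384, rate_limit=8.0):
    """Per-source summary, busiest source first. Thresholds are assumptions."""
    datagrams, times = parse_fragments(lines)
    per_src = defaultdict(list)
    for d in datagrams.values():
        per_src[d.src].append(d)
    findings = []
    for src, ds in per_src.items():
        stamps = times[src]
        # never divide by a window under 1 s, or a short burst looks like a huge rate
        rate = len(stamps) / max(max(stamps) - min(stamps), 1.0)
        oversized = sorted(d.ident for d in ds if d.end > IP_MAX)
        big = sorted(d.ident for d in ds if d.end >= large)
        reasons = [msg for hit, msg in (
            (oversized, f"reassembled size over {IP_MAX} bytes: ids {oversized}"),
            (big, f"fragmented datagrams of {large}+ bytes: ids {big}"),
            (rate >= rate_limit, f"{rate:.1f} fragments/s from one source"),
        ) if hit]
        findings.append({
            "src": src, "fragments": len(stamps), "datagrams": len(ds),
            "icmp_datagrams": sum(d.proto.startswith("icmp") for d in ds),
            "max_end": max(d.end for d in ds), "frag_rate": rate,
            "oversized": oversized, "reasons": reasons, "flagged": bool(reasons),
        })
    return sorted(findings, key=lambda f: f["fragments"], reverse=True)


def iptables_rules(src_ip):
    """Rules aimed at one source (capture with tcpdump -n so it is an address, not
    a name). -f matches second and later fragments only; the first fragment carries
    the ICMP header and is caught by the echo-request rule. This is narrower than
    the thread's chains, which drop every fragment and all ICMP from every peer."""
    return [
        f"iptables -A INPUT -s {src_ip} -f -j DROP",
        f"iptables -A INPUT -s {src_ip} -p icmp --icmp-type echo-request -j DROP",
    ]
```

Feed `assess()` the lines of a tcpdump run with `-n`, so that the source shows up as an address rather than a name like lynn.keyfile.com; that is the form `iptables -s` and `route` want, and it avoids a second DNS lookup at rule-insertion time. On the sample above the script flags lynn.keyfile.com on all three counts (one datagram past 65535 bytes, two of 16384+ bytes, 9 fragments/s) and leaves 10.0.0.7 alone; its one 1200-byte datagram is ordinary fragmentation.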

archangel777
05-11-2002, 04:09 PM
rfxn,

Wow... thanks for the info! However, this is the error I'm getting when executing the iptables command:

/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.


Anyone know why it won't let me set the iptables? Maybe I need to disable ipchains?

clocker1996
05-11-2002, 04:42 PM
lsmod

unload ipchains first
then load iptables

Wazeh
05-11-2002, 06:00 PM
archangel777, you can simply drop the connection to this specific IP with this command:
/usr/sbin/route add 64.242.34.140 reject

This should keep him away from your server.

archangel777
05-11-2002, 08:22 PM
Originally posted by rfxn
iptables -A FRAG -m limit --limit 5/minute -j LOG --log-level 'warning' --log-prefix 'netfilter: Fragmented:'


This doesn't work... it gives me the following error:


iptables v1.2.3: log-level `warning' ambiguous

JumpDomain
05-11-2002, 09:08 PM
This doesn't work... it gives me the following error:

You need to update iptables... It looks like you are running RH 7.2 so this one will work with the log feature. Older versions had some logging problems.

ftp://ftp.rpmfind.net/linux/redhat/updates/7.2/en/os/i386/iptables-1.2.4-2.i386.rpm