  1. #1
    Join Date
    Sep 2010
    Posts
    198

    Block all IP's from hinet.net DDOS

    Is there any way to do it?

    A lot of DDoS on UDP 53 from that domain.

    They have so many ips.

  2. #2
    Join Date
    Jul 2013
    Posts
    63
    Try these iptables rules?

    iptables -A INPUT -p udp --sport 53 -j ACCEPT
    iptables -A INPUT -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

    iptables -A INPUT -p udp -j DROP
    iptables -A OUTPUT -p udp -j DROP


    Just block all UDP traffic incoming & outgoing.

  3. #3
    Join Date
    Sep 2010
    Posts
    198
    Yep, but the websites go offline if I do it. =/

    It's a cPanel server, with a lot of customers.

    CSF is not doing a good job in this case.

  4. #4
    Join Date
    Sep 2010
    Posts
    198
    Code:
     * :53                                      <=> 61-220-10-111.HINET-IP.hinet.net:5156           0b      0b     13b
     * :53                                      <=> 61-220-10-111.HINET-IP.hinet.net:3132           0b      0b     13b
     * :53                                      <=> 61-220-10-111.HINET-IP.hinet.net:37813          0b      0b     13b
     * :53                                      <=> 61-220-10-111.HINET-IP.hinet.net:41420          0b      0b     13b
     * :53                                      <=> 61-220-10-111.HINET-IP.hinet.net:64372          0b      0b     13b
     * :53                                      <=> 61-220-10-111.HINET-IP.hinet.net:65392          0b      0b     13b
     * :53                                      <=> 61-220-10-111.HINET-IP.hinet.net:32526          0b      0b     13b
     * :53                                      <=> 61-220-10-111.HINET-IP.hinet.net:26181          0b      0b     13b
     * :53                                      <=> 61-220-10-111.HINET-IP.hinet.net:4070           0b      0b     13b
     * :53                                      <=> 61-220-10-111.HINET-IP.hinet.net:45637          0b      0b     13b
     * :53                                      <=> 61-220-10-111.HINET-IP.hinet.net:4035           0b      0b     12b
     * :53                                      <=> 61-220-10-111.HINET-IP.hinet.net:43644          0b      0b     12b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:55585          0b      0b     15b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:56368          0b      0b     15b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:44909          0b      0b     15b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:22734          0b      0b     15b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:46209          0b      0b     15b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:12576          0b      0b     15b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:12587          0b      0b     15b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:7233           0b      0b     15b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:34279          0b      0b     15b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:57236          0b      0b     15b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:8276           0b      0b     15b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:28169          0b     60b     15b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:31488          0b      0b     15b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:18811          0b     60b     15b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:15497          0b      0b     15b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:62721          0b      0b     15b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:43873          0b      0b     14b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:41337          0b      0b     14b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:47494          0b      0b     14b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:15518          0b      0b     14b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:27536          0b     51b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:28578          0b     51b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:26794          0b     51b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:52044        256b     51b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:31398          0b     51b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:58455          0b     51b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:39845        256b     51b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:5706           0b     51b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:35825        256b     51b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:64904          0b     51b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:58026          0b     51b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:43015          0b      0b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:12934          0b     51b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:58070          0b     51b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:37938        256b     51b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:23405          0b      0b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:39739          0b     51b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:49453          0b     51b     13b
     * :53                                      <=> 61-220-10-172.HINET-IP.hinet.net:19726          0b      0b     12b
    It's only one of the IPs... but there are a lot of them... SO MANY IPS. lol
    Block all of Asia again?
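The iftop dump above is easier to reason about once it is aggregated per remote host: dozens of lines with different source ports are still only two senders, which is what a per-address firewall rule needs. The following parser is an added example, not code from the thread; the sample lines are constructed in the same layout, and the rDNS-to-address step is a heuristic based on the HINET-IP naming pattern (use `iftop -n` to get real addresses).

```python
import re
from collections import Counter

# Constructed sample in the same layout as the iftop output above (not the full dump).
SAMPLE = """\
 * :53   <=> 61-220-10-111.HINET-IP.hinet.net:5156    0b   0b   13b
 * :53   <=> 61-220-10-111.HINET-IP.hinet.net:3132    0b   0b   13b
 * :53   <=> 61-220-10-111.HINET-IP.hinet.net:37813   0b   0b   13b
 * :53   <=> 61-220-10-172.HINET-IP.hinet.net:55585   0b   0b   15b
 * :53   <=> 61-220-10-172.HINET-IP.hinet.net:56368   0b   0b   15b
 * :80   <=> web-client.example.invalid:26424         0b   60b  15b
"""

# iftop flow line: " * :<local_port> <=> <remote_host>:<remote_port> <rates...>"
FLOW = re.compile(r"^\s*\*\s*:(\d+)\s+<=>\s+(\S+):(\d+)\s")
# HINET-IP style rDNS names embed the address as dash-separated octets.
# Heuristic only: rDNS is attacker-influenced, so prefer addresses from `iftop -n`.
RDNS_IP = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")


def parse_flows(text):
    """Return (local_port, remote_host, remote_port) tuples from iftop output."""
    flows = []
    for line in text.splitlines():
        m = FLOW.match(line)
        if m:
            flows.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return flows


def flows_per_host(text, local_port=53):
    """Count flows (one per remote source port) toward local_port, per remote host."""
    return Counter(host for lp, host, _ in parse_flows(text) if lp == local_port)


def ip_from_rdns(host):
    """Recover a dotted quad from a HINET-IP style name, or None if it has none."""
    m = RDNS_IP.match(host)
    return ".".join(m.groups()) if m else None


def noisy_hosts(text, local_port=53, threshold=2):
    """Hosts holding >= threshold concurrent flows to local_port, mapped to addresses.

    Many source ports from one host is a single sender, not 'so many IPs', so a
    per-address iptables -s rule (or a hashlimit rule keyed on source) is the scope.
    """
    return {host: ip_from_rdns(host)
            for host, n in flows_per_host(text, local_port).items()
            if n >= threshold}
```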

  5. #5
    Join Date
    Jul 2013
    Posts
    63
    Which operating system are you using?

    Also try to limit the outbound flow rate of UDP packets:

    /sbin/iptables -A OUTPUT -p udp -m state --state NEW -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp -m limit --limit 100/s -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp -j DROP

    Do you know which domain is sending out the packets?

  6. #6
    Join Date
    Sep 2010
    Posts
    198
    CentOS 6.4
    cPanel.

    I'm gonna try to limit it anyway; if someone knows how to get all IPs from hinet.net, that would be good =)
    For the domains, it's sending requests for all domains inside this server.


    Thanks for help NBExpert =)

  7. #7
    Join Date
    Jul 2013
    Posts
    63
    Scan your server once with Linux Malware Detect (http://www.rfxn.com/projects/linux-malware-detect/)

    Once installed, then edit /usr/local/maldetect/conf.maldet and change

    email_alert=1
    email_addr="root"
    quar_hits=1
    scanthreads=5
    maxfilesize="1024k"

    quar_hits=1 is why maldet doesn't guarantee anything

    and scan.


    >>>----<<<<<

    Post results for: lsof -Pni | grep "xxx.xxx.xx.xx"

    xxx.xxx.xx.xx = your server ip

  8. #8
    Join Date
    Sep 2010
    Posts
    198
    Wow... maybe we have malware on the server?

    I'll try. Anyway, ClamAV is installed and running.

    rkhunter too... I have scanned with them, but nothing found.

    I'll try with this =)

  9. #9
    Join Date
    Jul 2013
    Posts
    63
    Try this, its results are better. Hope it helps! Because I have a feeling that your system is infected, some domain maybe.

  10. #10
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,153
    You could try to block that on layer 4 using iptables with string matching, like:

    Code:
    iptables -A INPUT -p udp --dport 53 -m string --string "hinet.net" --algo bm -j DROP
    Inbound Marketing & real SEO for web hosting providers
    ✎ Get in touch with me: co<at>infinitnet.de

  11. #11
    Join Date
    Sep 2010
    Posts
    198
    Suspect results from the lsof -Pni | grep xxx.xxx.xxx.xxx

    Code:
    nginx     12999   nobody   22u  IPv4 1005094      0t0  TCP xx.xx.xx.xx:80->111.248.118.141:38801 (ESTABLISHED)
    nginx     12999   nobody   23u  IPv4 1005155      0t0  TCP xx.xx.xx.xx:80->68.10.224.155:1392 (ESTABLISHED)
    nginx     12999   nobody   24u  IPv4 1005191      0t0  TCP xx.xx.xx.xx:80->60.246.45.246:21777 (ESTABLISHED)
    nginx     12999   nobody   30u  IPv4 1005173      0t0  TCP xx.xx.xx.xx:80->122.176.75.252:13563 (ESTABLISHED)
    nginx     12999   nobody  177u  IPv4   57009      0t0  TCP xx.xx.xx.xx:80 (LISTEN)
    nginx     13000   nobody  177u  IPv4   57009      0t0  TCP xx.xx.xx.xx:80 (LISTEN)
    exim      17427 mailnull    3u  IPv4 1004097      0t0  TCP xx.xx.xx.xx:25->93.87.160.121:26424 (ESTABLISHED)
    exim      17427 mailnull    7u  IPv4 1004097      0t0  TCP xx.xx.xx.xx:25->93.87.160.121:26424 (ESTABLISHED)
    exim      17462 mailnull    3u  IPv4 1004705      0t0  TCP xx.xx.xx.xx:25->93.87.160.121:26792 (ESTABLISHED)
    exim      17462 mailnull    7u  IPv4 1004705      0t0  TCP xx.xx.xx.xx:25->93.87.160.121:26792 (ESTABLISHED)
    From these IPs, it's not my normal traffic.

    And the Linux Malware Detect scan shows 0 malware:
    maldet(16990): {scan} scan completed on /home/*/public_html: files 22409, malware hits 0, cleaned hits 0

  12. #12
    Join Date
    Sep 2010
    Posts
    198
    When I reuse the lsof -Pni | grep "xxx.xxx.xx.xx"

    A lot of results of exim with mailnull with very strange IPs

    o.O

  13. #13
    Join Date
    Jul 2013
    Posts
    63
    If you're not expecting udp traffic at all I might recommend just dropping it (except for your DNS servers, of course!):

    iptables -A INPUT -p udp --sport 53 -s my.dns.server1 -j ACCEPT
    iptables -A INPUT -p udp --sport 53 -s my.dns.server2 -j ACCEPT
    iptables -A INPUT -p udp -j DROP

  14. #14
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,153
    You could as well try to block this with hosts.deny. Just add this to your /etc/hosts.deny file: ALL: .hinet.net

  15. #15
    Join Date
    Sep 2010
    Posts
    198
    After that:

    iptables -A INPUT -p udp --dport 53 -m string --string "hinet.net" --algo bm -j DROP

    From maybe 500 connections, now it shows not bad; I can see all connections in iftop.

  16. #16
    Join Date
    Sep 2010
    Posts
    198
    Thanks for the help NBExpert and Infinitnet

    Now it shows solved.

    I'm gonna add this hinet.net to hosts.deny too.

    If you Google hinet.net, there are a lot of criminal internet actions and spam.

    How can a company like this exist? Why are they not blocked?
    Just Google it and you will see a lot of claims about this hinet.net.
    OMG!

  17. #17
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,153
    So my iptables rules did the trick then? If hinet IPs are connecting to other ports than 53 too, you could also modify the rules like this, to block any packet that contains the string "hinet.net":

    iptables -A INPUT -m string --string "hinet.net" --algo bm -j DROP

  18. #18
    Join Date
    Jul 2013
    Posts
    63
    Quote Originally Posted by HostFill:
    Thanks for the help NBExpert and Infinitnet

    Now it shows solved.

    I'm gonna add this hinet.net to hosts.deny too.

    If you Google hinet.net, there are a lot of criminal internet actions and spam.

    How can a company like this exist? Why are they not blocked?
    Just Google it and you will see a lot of claims about this hinet.net.
    OMG!
    I'm glad if I was helpful in any way.

  19. #19
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,153
    Oh and by the way... you might want to add my rules to the CSF scripts, so they are added again after a CSF or server restart. To do that, you can add them to /etc/csf/csfpre.sh

  20. #20
    Join Date
    Sep 2010
    Posts
    198
    What is wrong with this?

    iptables -A INPUT -p udp --dport 53 -m string --string "hinet.net" --algo bm -j DROP

    Not working =/

  21. #21
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,153
    Didn't you say that this was blocking the attack yesterday? Try:

    iptables -A INPUT -m string --string "hinet.net" --algo bm -j DROP
    iptables -A OUTPUT -m string --string "hinet.net" --algo bm -j DROP

    And also try to block this with hosts.deny. If it still doesn't work, it might make sense to get an external DDoS protection.

  22. #22
    Join Date
    Sep 2010
    Posts
    198
    Starts to drop when I use it without the dot:

    iptables -A INPUT -m string --string "hinet" --algo bm -j DROP
    iptables -A OUTPUT -m string --string "hinet" --algo bm -j DROP

    Also added yesterday to hosts.deny:
    ALL: .hinet.net

    Strange, because they had .net at the end

    o.O

    Another thing which helped a lot:
    http://sysadminnotebook.blogspot.com...1_archive.html

    Very good script.

    Thank you again Infinitnet =)
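Why "hinet" matched while "hinet.net" did not is explained by the DNS wire format: `-m string` searches the raw packet bytes, and a name in a DNS query is encoded as length-prefixed labels with no dots, so the byte sequence `hinet.net` is never present while `hinet` is. The snippet below is an added example, not code from the thread; it builds a constructed query in wire format and approximates the `--string` search (plus the case-insensitive `--icase` variant of the string match).

```python
import struct


def encode_qname(name):
    """Encode a domain name in DNS wire format (RFC 1035 section 3.1):
    each label is length-prefixed and the name ends with a zero byte.
    Dots never appear on the wire, which is why "hinet.net" cannot match."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: 12-byte header (RD set, one question) + question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def string_match(packet, pattern, icase=False):
    """Approximate iptables -m string: a plain substring search over the packet
    bytes. The default is case-sensitive; --icase makes it case-insensitive."""
    needle = pattern.encode("ascii")
    if icase:
        return needle.lower() in packet.lower()
    return needle in packet


# Constructed sample: a query for a name under hinet.net, like the ones in the thread.
QUERY = build_query("61-220-10-172.HINET-IP.hinet.net")


def which_patterns_match(packet=QUERY):
    """Show which --string patterns would fire on the constructed query."""
    return {p: string_match(packet, p) for p in ("hinet.net", "hinet", "HINET", "net")}
```

A bare `-m string` rule with no `-p udp --dport 53` (as in the INPUT/OUTPUT pair above) inspects every packet, so legitimate mail or web payloads carrying the same bytes are dropped as well; keeping the match scoped to the DNS port limits that collateral damage.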

  23. #23
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,153
    That's weird. Well, my rules were rather an example; as I don't know exactly what the traffic on your server looks like, it's hard to "just write something" that blocks these requests. You could also have a look at /etc/csf/csf.blocklists - CSF also includes a feature to block IPs which are on certain blacklists (Spamhaus etc.). Good luck with this and you're welcome.

  24. #24
    Join Date
    Sep 2010
    Posts
    198
    Infinity.

    I'm using these iptables rules on the node (host). On the VPS I have CSF with blacklists activated. But with this script, I can filter before it reaches the VPS.

    =)
