trinity-devel@lists.pearsoncomputing.net


Re: [trinity-devel] Ongoing DDoS attack

From: "David C. Rankin" <drankinatty@...>
Date: Sun, 16 Feb 2014 21:14:07 -0600
On 02/16/2014 09:09 PM, David C. Rankin wrote:
> On 02/16/2014 08:54 PM, Timothy Pearson wrote:
>> All,
>>
>> The TDE servers have been undergoing a DDoS attack since around 6:00AM CST
>> 02/16/2014.  As a result, many TDE services are functioning sporadically. 
>> I am attempting to counter this attack as best as I am able, but I do not
>> have sufficient bandwidth available to guarantee continued access to any
>> TDE services until the attack is over.
>>
>> I apologise for the disruption, and hope to have access to all services
>> restored a soon as possible.  Thank you for your patience!
>>
>> Timothy Pearson
> 
> Give'em hell Tim!
> 
> iptables -A INPUT -s off.end.ing._ip -j DROP
> 

It was probably Martin having a bad night :p  Seriously, here are a few notes I
had regarding responses to ssh type DOS attacks:

# Blocking ssh attacks

/usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
    --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
    --update --seconds 60 --hitcount 6 -j REJECT

	This will block all further syns from an IP address starting on the sixth port
22 connection within 60 seconds. It takes 60 seconds of absolute quiet from that
same ip address (or a reboot) to make the block go away. Kills a LOT of brute
force ssh attacks. I've also used this both against web statistics spammers and
email DOSers with good results.

Another:

I believe that this is it:
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update \
    --seconds 240 --hitcount 2 -j REJECT

-- 
David C. Rankin, J.D.,P.E.
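The three-rule pattern above (--set, then --update ... -j LOG, then --update ... -j REJECT) is easy to get subtly wrong, so here is an added example, not part of the original message or of anything David posted, that models how the xt_recent match evaluates those rules over a stream of SYNs. It lets you check offline why the block lasts until the address has been quiet for a whole window, and how the behaviour would differ had --rcheck been used instead of --update. The addresses and timings are constructed sample data; the STAMPS constant mirrors the module's ip_pkt_list_tot default of 20 stamps per address, and a real kernel uses jiffies rather than integer seconds.

```python
"""Model of the iptables 'recent' match used by the SSH rate-limit rules.

Added example (not from the original message). It mimics how xt_recent
evaluates the three rules
    --set
    --update --seconds S --hitcount H -j LOG
    --update --seconds S --hitcount H -j REJECT
for a sequence of SYNs, so the blocking behaviour can be reasoned about
without a kernel. Times are plain integers (seconds).
"""
from collections import defaultdict, deque

STAMPS = 20  # xt_recent ip_pkt_list_tot default: timestamps kept per address


class RecentChain:
    def __init__(self, seconds=60, hitcount=6, mode="update"):
        if mode not in ("update", "rcheck"):
            raise ValueError("mode must be 'update' or 'rcheck'")
        self.seconds = seconds
        self.hitcount = hitcount
        self.mode = mode
        # Per-address ring buffer of timestamps, oldest dropped first.
        self.stamps = defaultdict(lambda: deque(maxlen=STAMPS))
        self.log = []  # (time, ip) pairs that hit the LOG rule

    def _hits(self, ip, now):
        """Count this address's stamps that fall inside the last `seconds`."""
        return sum(1 for s in self.stamps[ip] if now - s <= self.seconds)

    def _check(self, ip, now):
        """One --update/--rcheck rule: match when enough recent stamps exist.
        --update additionally records the current packet when it matches,
        which is what keeps a retrying address blocked indefinitely."""
        matched = self._hits(ip, now) >= self.hitcount
        if matched and self.mode == "update":
            self.stamps[ip].append(now)
        return matched

    def syn(self, ip, now):
        """Evaluate one SYN to port 22 from `ip` at time `now`.
        Returns 'REJECT' if the third rule fires, else 'ACCEPT'."""
        # Rule 1: --set always matches and records the packet.
        self.stamps[ip].append(now)
        # Rule 2: LOG is non-terminating, so traversal continues.
        if self._check(ip, now):
            self.log.append((now, ip))
        # Rule 3: REJECT terminates traversal.
        if self._check(ip, now):
            return "REJECT"
        return "ACCEPT"


def replay(events, **kw):
    """Feed (time, ip) events in order; return the list of verdicts."""
    chain = RecentChain(**kw)
    return [chain.syn(ip, t) for t, ip in events]


# Constructed trace: one address bursts 6 SYNs in 10 s, then retries every
# 30 s; an unrelated address connects once in between.
BURST_THEN_RETRY = (
    [(t, "198.51.100.7") for t in (0, 2, 4, 6, 8, 10)]
    + [(15, "203.0.113.9")]
    + [(t, "198.51.100.7") for t in (40, 70, 100)]
)

# Constructed trace: same burst, then the address stays quiet for more
# than a full 60 s window before trying again.
BURST_THEN_QUIET = [(t, "198.51.100.7") for t in (0, 2, 4, 6, 8, 10, 71)]

if __name__ == "__main__":
    for name, events in (("retry", BURST_THEN_RETRY), ("quiet", BURST_THEN_QUIET)):
        for mode in ("update", "rcheck"):
            print(f"{name:5s} {mode:6s} {replay(events, mode=mode)}")
```

Running it shows the sixth SYN inside the window is the first one rejected, that with --update an address retrying every 30 s never gets out of the block, and that with --rcheck the same address is let through again as soon as the original burst ages out of the window; only a full quiet window clears the --update variant. The same model reproduces the shorter variant at the end of the message (--seconds 240 --hitcount 2) by passing seconds=240, hitcount=2.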