> On 02/16/2014 09:09 PM, David C. Rankin wrote:
>> On 02/16/2014 08:54 PM, Timothy Pearson wrote:
>>> All,
>>>
>>> The TDE servers have been undergoing a DDoS attack since around 6:00AM CST
>>> 02/16/2014. As a result, many TDE services are functioning sporadically.
>>> I am attempting to counter this attack as best as I am able, but I do not
>>> have sufficient bandwidth available to guarantee continued access to any
>>> TDE services until the attack is over.
>>>
>>> I apologise for the disruption, and hope to have access to all services
>>> restored as soon as possible. Thank you for your patience!
>>>
>>> Timothy Pearson
>>
>> Give 'em hell Tim!
>>
>> iptables -A INPUT -s off.end.ing._ip -j DROP
>>
>
> It was probably Martin having a bad night :p  Seriously, here are a few notes I
> had regarding responses to ssh type DOS attacks:
>
> # Blocking ssh attacks
>
> /usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> /usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
> /usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
>
> This will block all further syns from an IP address starting on the sixth port
> 22 connection within 60 seconds. It takes 60 seconds of absolute quiet from that
> same ip address (or a reboot) to make the block go away. Kills a LOT of brute
> force ssh attacks. I've also used this both against web statistics spammers and
> email DOSers with good results.
>
> Another:
>
> I believe that this is it:
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 240 --hitcount 2 -j REJECT
>
> --
> David C. Rankin, J.D., P.E.

Thanks for the tips! I tend not to use direct iptables access to the firewall, but if needed this is a good summary.
The attack originated in the Netherlands and it appears that it has stopped as of a couple of hours ago. Blocking reduced the traffic but did not completely eliminate it, so I needed to wait before sounding the all-clear.

Tim
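The three-rule "-m recent" chain quoted above is easy to paste but its blocking behaviour is not obvious from the rules alone, so here is an added offline model of it. This is example code written for this page, not iptables itself and not anything from the TDE servers or from David's notes. It assumes the documented xt_recent semantics: "--set" appends a seen-timestamp for the source address; "--update --seconds S --hitcount H" matches when at least H timestamps fall inside the trailing S-second window and, on a match, appends another timestamp; each address keeps at most 20 timestamps (the module's default ip_pkt_list_tot, assumed here). The source addresses and SYN arrival times are constructed sample input.

```python
"""Offline model of the posted '-m recent' SSH rate-limit chain.

This is a simulation written for this page, not iptables. It follows the
documented xt_recent semantics as stated in the lead-in and uses plain float
seconds as timestamps so the chain can be exercised with constructed input.
"""
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20   # assumed default per-address timestamp capacity of xt_recent
WINDOW_SECONDS = 60    # --seconds 60 from the posted rules
HITCOUNT = 6           # --hitcount 6 from the posted rules


class RecentTable:
    """One named list, as created by '-m recent --name sshattack'."""

    def __init__(self, capacity=IP_PKT_LIST_TOT):
        self.capacity = capacity
        # address -> ring of arrival times; oldest entries fall off at capacity
        self.stamps = defaultdict(lambda: deque(maxlen=capacity))

    def set(self, ip, now):
        """--set: record this packet's arrival for ip (always matches)."""
        self.stamps[ip].append(now)
        return True

    def update(self, ip, now, seconds, hitcount):
        """--update --seconds S --hitcount H.

        Matches when the address is known and at least H recorded arrivals lie
        within the last S seconds. A match also appends the current time, which
        is why an address that keeps retrying while blocked stays blocked: its
        own rejected SYNs keep the hit count above the threshold.
        """
        if ip not in self.stamps:
            return False
        oldest_allowed = now - seconds
        hits = sum(1 for t in self.stamps[ip] if t >= oldest_allowed)
        if hits >= hitcount:
            self.stamps[ip].append(now)
            return True
        return False


def ssh_chain(table, ip, now):
    """Run one SYN to port 22 through the three posted rules.

    Returns (verdict, logged). verdict is 'REJECT' when rule 3 fires, or
    'PASS' when no terminating rule matched and later INPUT rules decide.
    logged is True when the LOG rule (rule 2) fired for this packet.
    """
    # rule 1: ... -m recent --name sshattack --set        (no target: records only)
    table.set(ip, now)
    # rule 2: ... --update --seconds 60 --hitcount 6 -j LOG   (non-terminating)
    logged = table.update(ip, now, WINDOW_SECONDS, HITCOUNT)
    # rule 3: ... --update --seconds 60 --hitcount 6 -j REJECT
    if table.update(ip, now, WINDOW_SECONDS, HITCOUNT):
        return "REJECT", logged
    return "PASS", logged


def simulate(arrivals):
    """arrivals: iterable of (time_seconds, source_ip) in arrival order.
    Returns the verdict for each SYN, in the same order."""
    table = RecentTable()
    return [ssh_chain(table, ip, t)[0] for t, ip in arrivals]


if __name__ == "__main__":
    # Constructed sample: one host sends a SYN every second, retries at t=20,
    # then retries again after more than 60 quiet seconds; a second host
    # connects once and is unaffected because the list is keyed by address.
    attacker, bystander = "198.51.100.7", "203.0.113.5"
    sample = [(t, attacker) for t in range(7)]
    sample += [(20, attacker), (81, attacker), (3, bystander)]
    sample.sort()
    for (t, ip), verdict in zip(sample, simulate(sample)):
        print(f"t={t:>3}s  {ip:<14} {verdict}")
```

Running it shows the sixth SYN inside the window being rejected and every retry while the host keeps hammering also rejected (each rejected SYN adds three fresh timestamps, one per rule), while a SYN that arrives more than 60 seconds after the last one passes again. The unrelated host is never touched. Note that with --update on both the LOG and REJECT rules the count is refreshed by the rejections themselves; --rcheck would test without refreshing.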