trinity-devel@lists.pearsoncomputing.net

Month: February 2014

Re: [trinity-devel] Ongoing DDoS attack

From: "Timothy Pearson" <kb9vqf@...>
Date: Sun, 16 Feb 2014 23:36:23 -0600
> On 02/16/2014 09:09 PM, David C. Rankin wrote:
>> On 02/16/2014 08:54 PM, Timothy Pearson wrote:
>>> All,
>>>
>>> The TDE servers have been undergoing a DDoS attack since around 6:00AM CST
>>> 02/16/2014.  As a result, many TDE services are functioning sporadically.
>>> I am attempting to counter this attack as best as I am able, but I do not
>>> have sufficient bandwidth available to guarantee continued access to any
>>> TDE services until the attack is over.
>>>
>>> I apologise for the disruption, and hope to have access to all services
>>> restored as soon as possible.  Thank you for your patience!
>>>
>>> Timothy Pearson
>>
>> Give'em hell Tim!
>>
>> iptables -A INPUT -s off.end.ing._ip -j DROP
>>
>
> It was probably Martin having a bad night :p  Seriously, here are a few
> notes I had regarding responses to ssh type DOS attacks:
>
> # Blocking ssh attacks
>
> /usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> /usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
> /usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
>
> This will block all further syns from an IP address starting on the sixth
> port 22 connection within 60 seconds. It takes 60 seconds of absolute quiet
> from that same ip address (or a reboot) to make the block go away. Kills a LOT
> of brute force ssh attacks. I've also used this both against web statistics
> spammers and email DOSers with good results.
>
> Another:
>
> I believe that this is it:
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 240 --hitcount 2 -j REJECT
>
> --
> David C. Rankin, J.D.,P.E.

Thanks for the tips!  I tend not to use direct iptables access to the
firewall, but if needed this is a good summary.

The attack originated in the Netherlands and it appears that it has
stopped as of a couple hours ago.  Blocking reduced the traffic but did
not completely eliminate it, so I needed to wait before sounding the
all-clear.

Tim
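The three iptables rules David quotes above rely on the `recent` match, and the way `--set` and `--update --seconds 60 --hitcount 6` interact is what produces the "blocked from the sixth SYN until the source goes quiet" behaviour he describes. As an added example, not code from the thread or from the TDE project, the following Python models those semantics offline and runs constructed sample traffic through the same three-rule chain, so the sliding window can be inspected without root or a test firewall. The model assumes the documented xt_recent behaviour (a `--set` rule records a timestamp for the source; an `--update` rule matches when at least `hitcount` recorded packets fall inside the last `seconds` and records another timestamp on a match) and a per-address history capped at 20 stamps, the kernel module's default `ip_pkt_list_tot`; the addresses and timings are constructed sample data.

```python
"""Offline model of the iptables 'recent' match used in the quoted SSH rules.

Assumptions (not from the thread): --set records a timestamp for the source
address; --update --seconds S --hitcount N matches when the address has at
least N recorded packets within the last S seconds and, on a match, records
another timestamp. History per address is capped at 20 stamps (assumed
default of xt_recent's ip_pkt_list_tot). All traffic below is constructed.
"""
from collections import deque

MAX_STAMPS = 20  # assumed xt_recent default ip_pkt_list_tot


class RecentTable:
    """One named 'recent' list (the quoted rules call theirs 'sshattack')."""

    def __init__(self):
        self.entries = {}

    def set(self, addr, now):
        """-m recent --set: create/refresh the entry and record this packet."""
        self.entries.setdefault(addr, deque(maxlen=MAX_STAMPS)).append(now)

    def update(self, addr, now, seconds, hitcount):
        """-m recent --update --seconds S --hitcount N.

        True when the address already has >= N stamps inside the window. A
        match also records the current packet, which is what keeps an active
        source blocked until its SYNs stop arriving.
        """
        stamps = self.entries.get(addr)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits >= hitcount:
            stamps.append(now)
            return True
        return False


def filter_syn(table, addr, now, log, seconds=60, hitcount=6):
    """Apply the three quoted rules to one SYN for port 22.

    Returns 'REJECT', or 'ACCEPT' when the packet falls through to the rest
    of the INPUT chain.
    """
    table.set(addr, now)                            # rule 1: --set, no -j, continue
    if table.update(addr, now, seconds, hitcount):  # rule 2: -j LOG (non-terminating)
        log.append(f"SSH attack: t={now} SRC={addr}")
    if table.update(addr, now, seconds, hitcount):  # rule 3: -j REJECT
        return "REJECT"
    return "ACCEPT"


def simulate(events, seconds=60, hitcount=6):
    """Run a time-ordered list of (time_s, source) SYNs through the chain.

    Returns (verdicts, log): verdicts is a list of (time_s, source, fate),
    log the lines the LOG rule would have emitted.
    """
    table, log = RecentTable(), []
    verdicts = [(t, addr, filter_syn(table, addr, t, log, seconds, hitcount))
                for t, addr in events]
    return verdicts, log


# Constructed sample traffic: one source hammering port 22, one normal user.
ATTACKER, USER = "198.51.100.7", "203.0.113.20"
SAMPLE_SYNS = [
    (0, ATTACKER), (5, ATTACKER), (10, ATTACKER), (12, USER),
    (15, ATTACKER), (20, ATTACKER),
    (25, ATTACKER),                              # sixth SYN in 60 s: logged, rejected
    (30, ATTACKER), (40, USER), (55, ATTACKER),  # still inside the window: rejected
    (117, ATTACKER),                             # 62 s of silence: accepted again
]

if __name__ == "__main__":
    verdicts, log = simulate(SAMPLE_SYNS)
    for t, addr, fate in verdicts:
        print(f"t={t:4d}s {addr:15} {fate}")
    print("\n".join(log))
```

Running the module prints the fate of every sample SYN: the user's two connections are never touched, the attacker is rejected from its sixth SYN onward while it keeps sending, and a pause longer than the 60-second window empties the hit count so the next SYN is accepted. Passing `seconds=240, hitcount=2` to `simulate` reproduces the stricter rule at the end of David's notes; with it, a legitimate user's second connection within four minutes is rejected too, which is the trade-off to weigh before deploying that variant.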