Iptables Block Flood

AlexJones Member
edited October 2017 in Help

Any Iptables experts here?
I need to block a SYN flood that just spams max window size TCP packets (65535)
https://prntscr.com/grst8t

My favorite IP so far
https://prnt.sc/grsron
https://prntscr.com/grsryt

Comments

  • I'm surprised you have port 10011 open. What do you have on it? Remember rule no. 1 of every good firewall: block everything by default (-P DROP), then allow only what you want to allow...

    Also try to rate-limit logging, otherwise you might ddos your own server...

  • AlexJones Member
    edited October 2017

    Teamspeak Query runs on port 10011 lol. I have already rate-limited SYN to 75/s, burst 25, and connlimit is set at 80, and my server still gets destroyed. Also ipset is being used to block some of the SYN flood, not iptables alone.

  • Ovh

  • jackb Member, Host Rep
    edited October 2017

    @AlexJones said:
    Teamspeak Query runs on port 10011 lol. I have already rate-limited SYN to 75/s, burst 25, and connlimit is set at 80, and my server still gets destroyed. Also ipset is being used to block some of the SYN flood, not iptables alone.

    If you're using limit you're destroying your own server.

    The limit module is not designed for filtering ddos. 75/s from any host (combined) will knock your system offline. Also burst should be higher than the normal limit.

    Hashlimit is more appropriate here - but it does come with caveats.
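The difference jackb describes, as an added example that is not code from this thread: a small Python replay of the token bucket behind `-m limit` (one bucket shared by every source) and `-m hashlimit --hashlimit-mode srcip` (one bucket per source), run over a constructed SYN stream. The 75/s, burst 25 figures are the ones from the thread; the 20/s, burst 40 hashlimit figures, the port 10011 rules and the addresses are assumptions for the illustration.

```python
"""Why 'limit' punishes your own clients and 'hashlimit' does not, and
where hashlimit fails too.

Added example, not code from the thread. It models the token bucket behind
the iptables limit and hashlimit matches and replays a constructed SYN
stream through it. Addresses are from the documentation ranges; the rates
mirror the thread's 75/s, burst 25 figures.
"""
from collections import Counter

# The two rules under discussion, as they would be typed on the host. Nothing
# below touches iptables; the replay models the buckets these rules keep.
LIMIT_RULE = ("iptables -A INPUT -p tcp --syn --dport 10011 "
              "-m limit --limit 75/s --limit-burst 25 -j ACCEPT")
HASHLIMIT_RULE = ("iptables -A INPUT -p tcp --syn --dport 10011 "
                  "-m hashlimit --hashlimit-name syn10011 --hashlimit-mode srcip "
                  "--hashlimit-above 20/s --hashlimit-burst 40 -j DROP")

LEGIT = "203.0.113.10"     # constructed: the real TeamSpeak query client
ATTACKER = "198.51.100.7"  # constructed: a single flooding source


class TokenBucket:
    """Integer token bucket: tokens are kept in thousandths, so a rate of
    75/s refills exactly 75 units per millisecond and a packet costs 1000."""

    def __init__(self, rate_per_s, burst, now_ms):
        self.refill_per_ms = rate_per_s
        self.capacity = burst * 1000
        self.tokens = self.capacity     # iptables starts every bucket full
        self.last_ms = now_ms

    def take(self, now_ms):
        """Spend one packet's tokens; False means the bucket is empty."""
        self.tokens = min(self.capacity,
                          self.tokens + (now_ms - self.last_ms) * self.refill_per_ms)
        self.last_ms = now_ms
        if self.tokens < 1000:
            return False
        self.tokens -= 1000
        return True


def replay(packets, mode, rate_per_s, burst):
    """Replay (time_ms, src) SYNs. 'limit' shares one bucket across all
    sources; 'hashlimit' keys one bucket per source IP (--hashlimit-mode
    srcip). Returns accepted SYNs per source."""
    buckets, accepted = {}, Counter()
    for t, src in packets:
        key = "*" if mode == "limit" else src
        if key not in buckets:
            buckets[key] = TokenBucket(rate_per_s, burst, t)
        if buckets[key].take(t):
            accepted[src] += 1
    return accepted


def syn_stream(spoofed=False, duration_ms=2000):
    """Constructed traffic: one flood SYN every millisecond plus a legitimate
    client at 5 SYN/s. With spoofed=True every flood packet carries a fresh
    source address, as a randomised SYN flood does."""
    packets = []
    for t in range(duration_ms):
        packets.append((t, f"10.{t >> 8}.{t & 255}.1" if spoofed else ATTACKER))
        if t % 200 == 100:
            packets.append((t, LEGIT))   # arrives just after the flood packet
    return packets


def accepted_counts(mode, spoofed=False):
    """Returns (legit_accepted, flood_accepted) for the given rule type."""
    rate, burst = (75, 25) if mode == "limit" else (20, 40)
    counts = replay(syn_stream(spoofed), mode, rate, burst)
    flood = sum(n for src, n in counts.items() if src != LEGIT)
    return counts[LEGIT], flood


if __name__ == "__main__":
    for mode in ("limit", "hashlimit"):
        for spoofed in (False, True):
            legit, flood = accepted_counts(mode, spoofed)
            print(f"{mode:9s} spoofed={str(spoofed):5s} "
                  f"legit {legit:2d}/10  flood {flood:4d}/2000")
```

Running it shows the effect jackb is describing: with the shared `limit` bucket the flood still gets roughly 75 SYN/s through (about 174 of 2000 over two seconds) while the legitimate client gets none of its 10 SYNs accepted, because the flood has already spent every token before the client's packet arrives. With `hashlimit` keyed on srcip the client keeps its own bucket and is untouched, and the single flooding host is held to its 20/s. The caveat is the spoofed run: every forged source gets a fresh, full bucket, so a randomised SYN flood passes hashlimit completely and grows its hash table (bounded by `--hashlimit-htable-max`) on top. The `limit` match remains the right tool in front of a LOG rule, which is the rate-limited logging the first reply recommends.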

  • I'm not asking for your opinions on blocking, I'm just looking for someone to inform me how to block by window size.

  • @AlexJones said:
    Teamspeak Query Runs on port 10011 lol.

    Running TS on default port is asking for problems, "lol". Move it elsewhere and prevent any attempt for port-scanning...

  • @Jarry said:

    @AlexJones said:
    Teamspeak Query Runs on port 10011 lol.

    Running TS on default port is asking for problems, "lol". Move it elsewhere and prevent any attempt for port-scanning...

    Still no one with helpful advice

  • WSS Member

    Disable large fragments?

    echo 0 >/proc/sys/net/ipv4/ip_no_pmtu_disc

  • AlexJones Member
    edited October 2017

    @WSS said:
    Disable large fragments?

    echo 0 >/proc/sys/net/ipv4/ip_no_pmtu_disc

    Tried that window size 65535 still comes through
    /etc/sysctl.conf using javapipe values
    https://javapipe.com/ddos/blog/iptables-ddos-protection/

  • jh_aurologic Member, Patron Provider

    @AlexJones said:

    Tried that window size 65535 still comes through
    /etc/sysctl.conf using javapipe values
    https://javapipe.com/ddos/blog/iptables-ddos-protection/

    Getting a server with ddos protection seems to be more suitable for your problem instead of dealing with hostbased firewalls which are not really designed to filter floods.

  • jackb Member, Host Rep
    edited October 2017

    @AlexJones said:
    I'm not asking for your opinions on blocking, I'm just looking for someone to inform me how to block by window size.

    What you're asking for doesn't matter if you're blocking syn packet #76 and upwards regardless of what host it came from, which is what will be happening if you're using the limit module.

    You might not even be seeing an actual attack - just a false positive due to this usage of the limit module.

    If you really do want to go ahead and ignore the advice, look at the u32 module. You can match window size there, but you will block a lot of legitimate traffic going that route.
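The u32 match jackb points at, as an added example that is not code from this thread: the expression that selects the TCP window field, evaluated in Python the way the module does it (4-byte loads, `>>`, `<<`, `&`, `@` to move the base offset, then an `=` test) against constructed IPv4/TCP headers. The evaluator, the packet contents and the port 10011 rules are assumptions for the illustration; the expressions are the ones you would pass to `--u32`.

```python
"""Matching the TCP window with the iptables u32 module.

Added example, not code from the thread. It builds constructed IPv4/TCP
packets and evaluates u32 expressions the way the module does: load 4 bytes
at an offset, apply >>, <<, & and @ (use the value as the new base offset),
then compare with '='. It shows why the '0>>22&0x3C@' prefix is needed once
IP options move the TCP header, and how a SYN-only variant narrows the match.
"""
import re
import struct

# Expressions and the rules they would go in (port 10011 from the thread).
WINDOW_EXPR = "0>>22&0x3C@12&0xFFFF=0xFFFF"          # TCP window == 65535
SYN_WINDOW_EXPR = ("0>>22&0x3C@12>>16&0x3F=0x2&&"      # flags == SYN only, and
                   "0>>22&0x3C@12&0xFFFF=0xFFFF")      # window == 65535
NAIVE_EXPR = "32&0xFFFF=0xFFFF"                        # assumes a 20-byte IP header
WINDOW_RULE = f'iptables -A INPUT -p tcp --dport 10011 -m u32 --u32 "{WINDOW_EXPR}" -j DROP'
SYN_WINDOW_RULE = f'iptables -A INPUT -p tcp --dport 10011 -m u32 --u32 "{SYN_WINDOW_EXPR}" -j DROP'


def build_packet(window, flags=0x02, ip_options=b""):
    """Constructed IPv4 + TCP header (no payload, checksums left zero).
    ip_options must be a multiple of 4 bytes; it raises IHL above 5."""
    ihl = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 10011, 1, 0, 5 << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp),
                     0, 0, 64, 6, 0, bytes([203, 0, 113, 10]), bytes([198, 51, 100, 1]))
    return ip + ip_options + tcp


def _num(s):
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def _load(pkt, off):
    """4-byte big-endian load; reading past the packet is a non-match."""
    if off < 0 or off + 4 > len(pkt):
        raise IndexError(off)
    return int.from_bytes(pkt[off:off + 4], "big")


def _eval_test(pkt, test):
    lhs, rhs = test.split("=")
    tokens = re.findall(r"0x[0-9a-fA-F]+|\d+|>>|<<|&|@", lhs)
    base, value = 0, _load(pkt, _num(tokens[0]))
    for op, arg in zip(tokens[1::2], tokens[2::2]):
        n = _num(arg)
        if op == ">>":
            value >>= n
        elif op == "<<":
            value = (value << n) & 0xFFFFFFFF
        elif op == "&":
            value &= n
        else:                     # '@': value becomes the new base offset
            base += value
            value = _load(pkt, base + n)
    for item in rhs.split(","):   # '=' accepts a list of values or lo:hi ranges
        lo, _, hi = item.partition(":")
        if _num(lo) <= value <= (_num(hi) if hi else _num(lo)):
            return True
    return False


def u32_match(pkt, expr):
    """True when every '&&'-joined test in expr matches pkt."""
    try:
        return all(_eval_test(pkt, t) for t in expr.split("&&"))
    except IndexError:
        return False


if __name__ == "__main__":
    plain = build_packet(65535)
    with_opts = build_packet(65535, ip_options=b"\x01\x01\x01\x00")  # NOP NOP NOP EOL
    print(WINDOW_RULE)
    print("window 65535, IHL 5 :", u32_match(plain, WINDOW_EXPR))
    print("window 8192,  IHL 5 :", u32_match(build_packet(8192), WINDOW_EXPR))
    print("window 65535, IHL 6 :", u32_match(with_opts, WINDOW_EXPR),
          "(naive offset 32 gives", u32_match(with_opts, NAIVE_EXPR), ")")
    print("pure ACK, window 65535 vs SYN-only rule:",
          u32_match(build_packet(65535, flags=0x10), SYN_WINDOW_EXPR))
```

`0>>22&0x3C` reads the IHL nibble of the first IP word and turns it into the header length in bytes, and `@` makes that the base for the load at TCP offset 12, whose low 16 bits are the window. The naive `32&0xFFFF` form assumes a 20-byte IP header and silently misses any packet carrying IP options, so the length-prefixed form is the one to use. Neither form tells an attacker apart from a client that legitimately advertises a 65535 window, which is the collateral damage jackb warns about; the SYN-only variant only narrows the blast radius to connection attempts.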
