Blocking attack IPs/DDoS IPs from China
DDoS attacks are one of the major dilemmas in the hosting world. We used to get attacks from China recently, and implementing the rules below could prevent DDoS.
- Need to create a bash file with the script below:
#!/bin/bash
ipset -exist -N china hash:net    # create the "china" set (no error if it already exists)
rm -f /root/cn.zone    # remove any previously downloaded zone file
wget -P /root http://www.ipdeny.com/ipblocks/data/countries/cn.zone    # fetch the current Chinese IP list
for i in $(cat /root/cn.zone); do ipset -exist -A china $i; done    # add every CIDR block to the set
iptables -I INPUT -p tcp -m set --match-set china src -j DROP    # drop TCP traffic from any source in the set
ipset // a command utility that comes along with ipconfig; we can set specific rules with this command
-N // indicates the name of the set of rules
rm cn.zone // remove any existing zone file configured
wget // download the latest Chinese IPs from ipdeny.com
The for loop then adds the IPs to the hash set "china".
The iptables command then blocks IPs which match the condition in the 'china' ipset.
Run the bash script
If you wish to unblock the rules/IPs in the future, simply create another file, or in the same file edit the last line to the following:
iptables -D INPUT -p tcp -m set --match-set china src -j DROP
The -D option will delete the china rules that we implemented.
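As an added example (not the original poster's script), the same block list loaded through `ipset restore` instead of one `ipset -A` call per line: the zone file is validated, loaded into a temporary set and swapped in atomically, so the live set is never half-built while traffic is flowing. The set name "china", the sample zone lines and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's script: build an `ipset restore`
# script from a country zone file (ipdeny format, one CIDR per line).
# Set name "china" and the helper names below are assumptions.

# Constructed sample zone data standing in for a downloaded cn.zone.
SAMPLE_ZONE='# comment line
1.0.1.0/24
1.0.2.0/23
not-an-address
1.0.8.0/21
'

# Keep only lines that look like an IPv4 prefix with a /0-/32 mask;
# comments and junk from a corrupted download are dropped.
valid_cidrs() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Emit an ipset restore script: fill <set>_tmp, then swap it with the live
# set in one operation and destroy the leftover temporary set.
build_restore() {
    set_name="$1"
    printf 'create %s hash:net\n' "$set_name"
    printf 'create %s_tmp hash:net\n' "$set_name"
    printf 'flush %s_tmp\n' "$set_name"
    valid_cidrs | while IFS= read -r cidr; do
        printf 'add %s_tmp %s\n' "$set_name" "$cidr"
    done
    printf 'swap %s_tmp %s\n' "$set_name" "$set_name"
    printf 'destroy %s_tmp\n' "$set_name"
}

# Number of prefixes that survived validation (sanity check before loading).
count_valid() {
    valid_cidrs | wc -l | tr -d ' '
}

# Typical use on the firewall host (root required; shown as comments so the
# script itself runs without ipset installed):
#   wget -O /root/cn.zone http://www.ipdeny.com/ipblocks/data/countries/cn.zone
#   build_restore china < /root/cn.zone | ipset restore -exist
#   iptables -C INPUT -m set --match-set china src -j DROP 2>/dev/null \
#     || iptables -I INPUT -m set --match-set china src -j DROP

printf '%s' "$SAMPLE_ZONE" | build_restore china
```

Running the restore output through `ipset restore -exist` keeps the create lines harmless on reruns, and the `iptables -C` check avoids inserting the DROP rule twice.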
Using CloudFlare to mitigate web attacks is easier than blocking a whole (huge) country. They let you block country codes on their end too.
Cloudflare is an option, but what would happen if the client is not using Cloudflare and it's a shared hosting, and a sudden attack bursts out?
The client may not be aware of this attack; he only purchased the hosting, but the provider should handle the scenario at the moment.
So you're saying the shared hosting the person is using should block a whole country on the server? Anyways that's not the point of this, I understand the point, there's just easier and alternative ways to go about it.
DDoS attacks are sometimes uncontrollable and we experienced it. In my post, the last section describes how to delete the rules once the DDoS has stopped.
If the DDoS has stopped, or after a few hours, you can enable the IPs;
this is a time/work-saving procedure in a crucial situation.
So how exactly do you have root access and iptables on shared hosting?
Instead of fetching & saving the file, then looping through every line and running ipset add so many times, you can also do:
pfSense with Snort / Suricata and pfBlockerNG is a way better choice if you are not afraid of NAT IP addresses.
China isn't the only country bad traffic comes from. That being said, there are much better alternatives, like investing in actual DDoS protection.
Or paying someone to do remote DDoS protection for you.
Damn near impossible in Asia. Bandwidth costs are so high that you need to spend an actual fortune every month to ensure sufficient capacity to mitigate the attack.
You could mitigate the DDoS overseas in the US or EU where bandwidth is much cheaper, but that has an effect on performance.
Many DDoS these days are well above 1G and mostly above 10G, and even 100M can be expensive in Asia. Most carriers in HK would charge about US$3,000 /month for 100M, so getting 1G and 10G is unrealistic for most.
But that's just Asia. Much different situation in EU/US.
GFW help u!
Great. We have lately been getting a lot of orders from fakeland China, as their national identity now is to use fake names on the internet like Tammy Jones (we have at least 30 of them) and fake details.
Host some porn or dissident stuff on it, inform chinese government, have the GFW do the thing for you?
Thanks for sharing it. Very helpful tutorial. For some people Cloudflare is everything. (They will suggest you use CloudFlare in heavy traffic while driving a vehicle.)
Because CloudFlare can handle uhh, a bit more traffic than a few dollar VPS.
nice dude, thank you
Yeah this is very true. I find setting UAM for Asian countries/Russia and then using a load monitor to apply more aggressive rules makes CF nearly impossible to bypass. All for $0
The USA is the second biggest source of DDoS; could you add them to the script too?
No, sensitive historical events or names of heads of government, you know what and who, are more effective.
I suppose multiple countries can be added in one file too, yeah?
Reported for racist topic title.
China isn't a race.