DDoS counter-measures (Rules)

Hi folks,
I am new to the list and I need help with some extra IPTABLES DDoS/DoS rules.

I am receiving a large volume of packets... in other words... I am being
DoSed.

The IP_FRAG OUTPUT: 
[**] MISC Tiny Fragments [**] 
04/03-03:03:24.131192 < l/l len: 0 l/l type: 0x200 0:0BBBB 
pkt type:0x0 proto: 0x800 len:0x2C 
200.182.128.30 -> 200.164.250.204 ICMP TTL:39 TOS:0x0 ID:67 IpLen:20 DgmLen:28
MF 
Frag Offset: 0x0680 Frag Size: 0xFFFFF988 
55 55 55 55 55 55 55 55 UUUUUUUU 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

[**] MISC Tiny Fragments [**] 
04/03-03:03:27.251702 < l/l len: 0 l/l type: 0x200 0:0BBBB 
pkt type:0x0 proto: 0x800 len:0x2C 
200.182.128.30 -> 200.164.250.204 ICMP TTL:39 TOS:0x0 ID:69 IpLen:20 DgmLen:28
MF 
Frag Offset: 0x039C Frag Size: 0xFFFFFC6C 
55 55 55 55 55 55 55 55 UUUUUUUU 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

[**] MISC Tiny Fragments [**] 
04/03-03:03:37.406839 < l/l len: 0 l/l type: 0x200 0:0BBBB 
pkt type:0x0 proto: 0x800 len:0x2C 
200.182.128.30 -> 200.164.250.204 ICMP TTL:39 TOS:0x0 ID:75 IpLen:20 DgmLen:28
MF 
Frag Offset: 0x0D01 Frag Size: 0xFFFFF307 
55 55 55 55 55 55 55 55 UUUUUUUU 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
---------------------------------------------------------- 

The ICMP_ECHO OUTPUT: 
[**] ICMP Large ICMP Packet [**] 
04/03-03:04:07.018622 < l/l len: 0 l/l type: 0x200 0:0BBBB 
pkt type:0x0 proto: 0x800 len:0x7560 
200.182.128.30 -> 200.164.250.204 ICMP TTL:39 TOS:0x0 ID:89 IpLen:20 DgmLen:30032

Type:8 Code:0 ID:131 Seq:0 ECHO 
00 07 2C A6 55 55 55 55 55 55 55 55 55 55 55 55 ..,.UUUUUUUUUUUU 
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU... UUUUUUUUUUUUUUUUU...
UUUUUUUU... 
VERY LARGE OUTPUT (2.44 MB) 
---------------------------------------------------------- 

Well, I need help with it... I need a counter-measure... this box is an
old Pentium 2 with 512KB of bandwidth (ADSL), serving access to 2 other machines
(IPTABLES + NAT).

Any help is welcome (some extra iptables rules too).

Best regards... 
Joao Carlos
BOMPREÇO SYSTEM ADMINISTRATOR

PS: Sorry for my poor English; I am Brazilian and in my country this type
of information is very hard to obtain.
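As an added example (not part of the original post), the following Python script triages sensor output in the format shown above: it parses each alert, re-derives the "tiny fragment" and "large ICMP" verdicts from the IP header fields rather than trusting the message text, decodes the wrapped Frag Size value, and counts alerts per source. The embedded sample is a constructed copy of two of the alerts in the post; the 25-byte and 800-byte thresholds are assumptions, not the sensor's configured values.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the alert format the post shows: one tiny-fragment
# alert and one large ICMP echo alert, hex dumps trimmed.
SAMPLE_ALERTS = """\
[**] MISC Tiny Fragments [**]
04/03-03:03:24.131192 < l/l len: 0 l/l type: 0x200 0:0BBBB
pkt type:0x0 proto: 0x800 len:0x2C
200.182.128.30 -> 200.164.250.204 ICMP TTL:39 TOS:0x0 ID:67 IpLen:20 DgmLen:28
MF
Frag Offset: 0x0680 Frag Size: 0xFFFFF988
55 55 55 55 55 55 55 55 UUUUUUUU
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
[**] ICMP Large ICMP Packet [**]
04/03-03:04:07.018622 < l/l len: 0 l/l type: 0x200 0:0BBBB
pkt type:0x0 proto: 0x800 len:0x7560
200.182.128.30 -> 200.164.250.204 ICMP TTL:39 TOS:0x0 ID:89 IpLen:20 DgmLen:30032
Type:8 Code:0 ID:131 Seq:0 ECHO
00 07 2C A6 55 55 55 55 55 55 55 55 55 55 55 55 ..,.UUUUUUUUUUUU
"""

HEADER_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
IPHDR_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<proto>\S+) TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:\d+ "
    r"IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)"
)
FRAG_RE = re.compile(r"^Frag Offset: 0x(?P<off>[0-9A-Fa-f]+) Frag Size: 0x(?P<size>[0-9A-Fa-f]+)$")
TINY_FRAGMENT_MAX_PAYLOAD = 25  # assumption: MF set and fewer than 25 bytes of IP payload
LARGE_ICMP_MIN_DGMLEN = 800     # assumption: ICMP datagrams of 800+ bytes count as large


@dataclass
class Alert:
    msg: str
    src: str = ""
    dst: str = ""
    proto: str = ""
    iplen: int = 0
    dgmlen: int = 0
    more_fragments: bool = False
    frag_offset: Optional[int] = None
    frag_size: Optional[int] = None  # raw 32-bit value as printed by the sensor

    def signed_frag_size(self) -> Optional[int]:
        """Frag Size is printed unsigned: 0xFFFFF988 is really -1656, which in the
        post's alerts equals (DgmLen - IpLen) - Frag Offset, i.e. the fragment
        claims an offset past the data it actually carries."""
        if self.frag_size is None:
            return None
        return self.frag_size - (1 << 32) if self.frag_size & 0x80000000 else self.frag_size


def parse_alerts(text: str) -> list:
    """Walk the sensor output line by line; a '[**] msg [**]' line opens a new alert."""
    alerts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            if cur is not None:
                alerts.append(cur)
            cur = Alert(msg=m.group("msg"))
            continue
        if cur is None:
            continue
        m = IPHDR_RE.match(line)
        if m:
            cur.src, cur.dst, cur.proto = m.group("src", "dst", "proto")
            cur.iplen, cur.dgmlen = int(m.group("iplen")), int(m.group("dgmlen"))
            cur.more_fragments = line.endswith(" MF")  # flag is inline when not wrapped
            continue
        if line == "MF":  # flag wrapped onto its own line, as in the post
            cur.more_fragments = True
            continue
        m = FRAG_RE.match(line)
        if m:
            cur.frag_offset = int(m.group("off"), 16)
            cur.frag_size = int(m.group("size"), 16)
    if cur is not None:
        alerts.append(cur)
    return alerts


def classify(a: Alert) -> str:
    """Re-derive the verdict from header fields instead of trusting the message text."""
    if a.more_fragments and (a.dgmlen - a.iplen) < TINY_FRAGMENT_MAX_PAYLOAD:
        return "tiny_fragment"
    if a.proto == "ICMP" and a.dgmlen >= LARGE_ICMP_MIN_DGMLEN:
        return "large_icmp"
    return "other"


def summarize(alerts) -> dict:
    """Per-source counts of each class: the evidence to hand to the upstream ISP."""
    per_src = defaultdict(Counter)
    for a in alerts:
        per_src[a.src][classify(a)] += 1
    return {src: dict(c) for src, c in per_src.items()}
```

Call `summarize(parse_alerts(text))` on a saved alert file. Two things the output makes plain: the negative Frag Size means each fragment's offset points past the bytes it carries, so nothing useful can ever be reassembled from them, and each large echo request is about 30 KB that has already crossed the ADSL link before any rule on the box can run, so the per-source summary is what to give the ISP so the traffic is dropped upstream. On the box itself, `iptables -A INPUT -p icmp -m length --length 800:65535 -j DROP` and an `-m limit` rule on `--icmp-type echo-request` cover the oversized pings; for the fragments, note that with connection tracking loaded (as it is for NAT) the kernel reassembles fragments before the filter table sees them, so `-f` rules will not match them there.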