Solved for the moment: some bad boy is doing a SYN flood against my webserver with 38,000 IPs, I want to die :). For now, iptables and mod_evasive are winning.

2006/6/5, Mogens Valentin <mogensv@xxxxxxxxxxxxxxxx>:

Alberto Ferrer wrote:
> I got a lot of:
>
> Jun 5 00:19:29 lnx1 kernel: [4322108.323000] fp=bad_packets:1 a=DROP IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00 SRC=201.231.52.141 DST=200.68.95.25 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=0 PROTO=TCP SPT=53176 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
>
> Jun 5 00:19:34 lnx1 kernel: [4322112.926000] fp=INPUT:99 a=DROP IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00 SRC=200.68.126.88 DST=200.68.95.27 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=44694 DF PROTO=TCP SPT=1196 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
>
> Jun 5 00:19:35 lnx1 kernel: [4322113.710000] fp=INPUT:99 a=DROP IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00 SRC=200.68.126.88 DST=200.68.95.28 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=44762 DF PROTO=TCP SPT=1134 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
>
> Jun 5 00:19:36 lnx1 kernel: [4322114.558000] fp=INPUT:99 a=DROP IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00 SRC=200.68.126.88 DST=200.68.95.27 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=44873 DF PROTO=TCP SPT=1196 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
>
> Jun 5 00:19:39 lnx1 kernel: [4322117.587000] fp=bad_packets:1 a=DROP IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00 SRC=201.254.155.13 DST=200.68.95.25 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=0 PROTO=TCP SPT=28837 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
>
> My website is working a bit slow now ^^ and my ISP says: "you can block that by yourself".

And rightfully so; this is your own problem. No pun intended :)

Looking at your presented dumps, you see DPT=445:

grep 445 /etc/services
microsoft-ds    445/tcp
microsoft-ds    445/udp

Those are requests to MS directory services, coming in on your internet interface (so it looks), and correctly being blocked. Your only problem may be the number of those, which you may do something about using iptables limit targets.

The DPT=80 ones are requests to either your webserver (do you have one running?) or to an assumed running webserver. You may want to have a look at which services are running behind, or at, the firewall, and whether or not those are secured by themselves.

> What distro is most prepared for this?

The one you know the best ;)

No, seriously, I don't know. They can all be used. It's not so much a matter of which distro; go through the kernel setup, read in /usr/src/linux/Documentation about what you can do in /proc or with sysctl, and read about iptables.

For a distro, I'd suggest Slackware, partly because I know it well, partly because it doesn't have all those wrapper mechanisms other distros have, so it's simple to find out how things work, plus by default it's set up quite safely.

However, no distro I know of can do anything about your specific kind of traffic. It's up to you to define measures against such.

> 2006/6/3, Mogens Valentin <mogensv@xxxxxxxxxxxxxxxx>:
>
>> Alberto Ferrer wrote:
>>> Does anyone know a way to stop a SYN attack via Linux with iptables or related?
>>> Where can I read something related to this?
>>
>> # Enable syn-cookies (prevent syn-flood attacks):
>> echo "1" >/proc/sys/net/ipv4/tcp_syncookies
>>
>> # Reduce number of possible SYN Floods:
>> echo "1024" >/proc/sys/net/ipv4/tcp_max_syn_backlog
>>
>> Helps somewhat. Can also be set via sysctl.
>> You may want to look into iptables docs for the 'limit' module:
>>
>> -m limit --limit X/sec

Again, take a look at the limit target in iptables.

--
Kind regards,
Mogens Valentin
-- bet0x
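As an added example (not code from either poster), the script below turns the two pieces of advice in this thread into something you can run: it parses kernel DROP log lines in the exact key=value format Alberto posted, counts them per source address, destination port and TCP flag, lists the sources that cross a threshold, and prints the sysctl and iptables commands for the mitigations Mogens suggested (SYN cookies, a bigger SYN backlog, rate limiting), using the per-source hashlimit match instead of the global limit match. The sample log is constructed from the five posted entries, each joined onto one line. The chain name SYN_FLOOD, the thresholds, the backlog of 2048 and the hashlimit option syntax (iptables 1.4 or later) are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a POSIX sh with awk and sort;
# the printed rules assume iptables 1.4+ (for --hashlimit-upto/--hashlimit-burst).

# Constructed sample: the five DROP entries from the posted log, one per line
# (the kernel prints one line per packet; the mail client wrapped them).
SAMPLE_LOG='Jun  5 00:19:29 lnx1 kernel: [4322108.323000] fp=bad_packets:1 a=DROP IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00 SRC=201.231.52.141 DST=200.68.95.25 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=0 PROTO=TCP SPT=53176 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Jun  5 00:19:34 lnx1 kernel: [4322112.926000] fp=INPUT:99 a=DROP IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00 SRC=200.68.126.88 DST=200.68.95.27 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=44694 DF PROTO=TCP SPT=1196 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
Jun  5 00:19:35 lnx1 kernel: [4322113.710000] fp=INPUT:99 a=DROP IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00 SRC=200.68.126.88 DST=200.68.95.28 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=44762 DF PROTO=TCP SPT=1134 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
Jun  5 00:19:36 lnx1 kernel: [4322114.558000] fp=INPUT:99 a=DROP IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00 SRC=200.68.126.88 DST=200.68.95.27 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=44873 DF PROTO=TCP SPT=1196 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
Jun  5 00:19:39 lnx1 kernel: [4322117.587000] fp=bad_packets:1 a=DROP IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00 SRC=201.254.155.13 DST=200.68.95.25 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=0 PROTO=TCP SPT=28837 DPT=80 WINDOW=0 RES=0x00 RST URGP=0'

# drop_summary: read kernel DROP lines on stdin, print "count SRC DPT FLAG",
# highest count first. It keys on the key=value fields the LOG target emits,
# so the syslog prefix and the order of the fields do not matter.
drop_summary() {
    awk '
    /a=DROP/ {
        src = ""; dpt = "-"; flag = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^(SYN|RST|ACK|FIN)$/) flag = $i
        }
        if (src != "") count[src " " dpt " " flag]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# block_list THRESHOLD: source addresses seen at least THRESHOLD times,
# one per line, ready to feed into a blacklist chain or an ipset.
block_list() {
    drop_summary | awk -v t="$1" '$1 >= t { print $2 }' | sort -u
}

# mitigation_rules: print (do not run) the kernel and iptables settings.
# Review the output, then apply as root with:  mitigation_rules | sh
# Values are assumed starting points, not tuned numbers from the thread.
mitigation_rules() {
    cat <<'EOF'
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_synack_retries=2
iptables -N SYN_FLOOD
iptables -A INPUT -p tcp --syn --dport 80 -j SYN_FLOOD
iptables -A SYN_FLOOD -m hashlimit --hashlimit-name http_syn --hashlimit-mode srcip --hashlimit-upto 20/sec --hashlimit-burst 40 -j RETURN
iptables -A SYN_FLOOD -m limit --limit 10/min -j LOG --log-prefix "fp=SYN_FLOOD a=DROP "
iptables -A SYN_FLOOD -j DROP
iptables -A INPUT -p tcp --dport 445 -m limit --limit 5/min -j LOG --log-prefix "fp=INPUT:445 a=DROP "
iptables -A INPUT -p tcp --dport 445 -j DROP
EOF
}

# Stand-alone run: summarise the sample, then list sources with 3+ drops.
printf '%s\n' "$SAMPLE_LOG" | drop_summary
printf '%s\n' "$SAMPLE_LOG" | block_list 3
```

Two caveats a practitioner would want before relying on this. First, per-source hashlimit only helps when a few sources send many SYNs; against 38,000 distinct (or spoofed) addresses each sending a handful, it does little, and the hashlimit table itself has a size cap (--hashlimit-htable-max) that such a flood can fill, so SYN cookies, which keep the backlog from ever filling, are the part that actually holds the line. Second, the posted port-80 packets are RSTs with WINDOW=0, ID=0 and high TTLs from unrelated addresses, which is consistent with backscatter (another server answering SYNs that carried Alberto's address as a spoofed source) rather than a flood aimed at him; source-based blocking cannot stop that, and the sensible handling is to drop those without logging each one.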