Watched a DDoS attack for hours and couldn't do much :S

G.W. Haywood ged at jubileegroup.co.uk
Mon Nov 27 09:38:30 CET 2006


Hi there,

On Mon, 27 Nov 2006 AntiProxy wrote:

> One of my servers was hit by a DDoS attack earlier today,
> and the pattern was different to those I've seen before.
>
> netstat doesn't show any TCP or UDP connections in any state.
>
> however, TCPDUMP shows the following (I'm posting a few lines of
> millions):
> [...]
> what does it tell you?

Somebody is trying to spoof a machine on your network?

I'd have thought a reasonable box could drop 15k packets/second OK but
you might need to put rules in the INPUT chain to drop everything from
the offending IPs.  For this kind of thing I use a Perl script to scan
the logs and insert rules into iptables in real time.  Its input is
piped from syslog-ng.  It takes a bit of setting up but it's worth it.
If there are large numbers (thousands) of attacking IPs you'll need to
look at something like ipset as iptables will begin to creak a bit.

If this continues you might want to contact your upstream provider.
They will want to help if they're at all reputable.

--

73,
Ged.
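A minimal version of the log-scanning blocker Ged describes, as an added example that is not his script or anything from the netfilter project: Python rather than Perl, reading iptables LOG lines (a constructed sample stands in for the syslog-ng pipe) and emitting current-syntax ipset commands for any source that exceeds a packet threshold inside a sliding window. It assumes the set and the rule that consumes it already exist: `ipset create blocklist hash:ip` and `iptables -I INPUT -m set --match-set blocklist src -j DROP`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: iptables LOG lines as syslog would hand them to us.
# 203.0.113.5 sends 5 SYNs in 2 s; 198.51.100.7 sends 2 SYNs 95 s apart.
SAMPLE = """\
Nov 27 09:38:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 SYN
Nov 27 09:38:30 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Nov 27 09:38:31 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=80 SYN
Nov 27 09:38:31 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=80 SYN
Nov 27 09:38:32 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80 SYN
Nov 27 09:38:32 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Nov 27 09:40:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*\bSRC=(\d+\.\d+\.\d+\.\d+)\b")

def parse_line(line, year=2006):
    """Return (timestamp, source IP) for an iptables LOG line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

class Blocker:
    """Block a source the first time it logs >= threshold packets within window seconds."""
    def __init__(self, threshold=5, window=10, setname="blocklist"):
        self.threshold, self.window, self.setname = threshold, window, setname
        self.seen = defaultdict(deque)   # src -> timestamps inside the window
        self.blocked = set()             # sources already handed to ipset

    def observe(self, ts, src):
        if src in self.blocked:
            return None
        q = self.seen[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.window:   # drop stale entries
            q.popleft()
        if len(q) < self.threshold:
            return None
        self.blocked.add(src)
        del self.seen[src]               # no need to keep counting a blocked source
        return f"ipset add {self.setname} {src}"

def process(lines, **kw):
    """Feed log lines through a Blocker; return the ipset commands to run, in order."""
    b = Blocker(**kw)
    cmds = [b.observe(*p) for p in map(parse_line, lines) if p]
    return [c for c in cmds if c]

if __name__ == "__main__":               # in production: read sys.stdin fed by syslog-ng
    for cmd in process(SAMPLE.splitlines()):
        print(cmd)
```

Run the emitted commands through `subprocess.run` (or pipe the output to `sh`) once you trust the thresholds; keeping the command generation separate from execution makes the script easy to dry-run against old logs first.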
