rudyzainal
asked on
DDOS Protection
I offer psybncs and shell access and all that, and my server recently was hit by DDOS. I have recently blocked any ICMP packets, and blocked any incoming UDP packets except port 53 (for DNS). I tried to DDOS myself, and succeeded in preventing any PING DDOS, but when I UDP'ed myself my server was still hit. Where have I gone wrong? I also want to prevent TCP SYN packet DDOSing, and I read somewhere that filtering incoming TCP SYN requests to drop any packets after a certain number of packets/sec is possible, but I am fairly new to this and I need some help in configuring my firewall. Can anyone give some examples on how to prevent DDOS attacks, or at least minimize them?
Right, you should address the firewall individually, RTFM, and use the appropriate TA for a better response:
https://www.experts-exchange.com/Security/Firewalls/
> but when i UDP'ed myself my server was still hit. Where have I gone wrong?
Check here:
http://www.iana.org/assignments/port-numbers
Sample:
xns-time 52/tcp XNS Time Protocol
xns-time 52/udp XNS Time Protocol
# Susie Armstrong <Armstrong.wbst128@XEROX>
domain 53/tcp Domain Name Server
domain 53/udp Domain Name Server
# Paul Mockapetris <PVM@ISI.EDU>
xns-ch 54/tcp XNS Clearinghouse
xns-ch 54/udp XNS Clearinghouse
TCP and UDP are different protocols, so you must default block all ports for both of them. Also, where you do not block, you may choose to consider blocking only one way, probably inbound traffic.
<ugh> condifer = consider
ASKER
richrumble: I am using Linux IPCHAINS.
sunbow: I can't block any inbound TCP due to the nature and the purpose of the server. My current firewall has been configured to accept all inbound TCP packets, drop all ICMP, and drop all UDP packets EXCEPT UDP 53 for DNS. I am still losing my server and having to reboot after my test DDOS with a mere 30 DSL drone UDP attack.
ASKER
rich,
It's already set to drop, not reject, and my box is not behind any router; it's situated in a datacenter. And yes, I'd say about 30 DSL hosts to DDOS my own box for testing purposes, more or less.
But my original question was: is restricting incoming packets by filtering incoming TCP SYN requests to drop any packets after a certain number of packets/sec possible, and if so, will it help much, and what is the way to go about doing it? I have read up a bit on some burst rate limits and such, but the book I read wasn't meant for a novice like me, I guess.
I've upped the points for this question because I was hit yet again, and it's getting quite irritating to have to go down to the datacenter to reboot my box twice in a fortnight.
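As an added illustration (not from this thread or any of its posters) of the SYN rate limiting asked about above, and of sunbow's point that TCP and UDP need their own default rules, here is a small Python model of the filter policy. It assumes the limit/burst semantics of the iptables `-m limit` match, which ipchains does not offer, and the packets are constructed.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    t_ms: int          # arrival time in milliseconds
    proto: str         # "tcp", "udp" or "icmp"
    dport: int = 0
    syn: bool = False  # TCP SYN without ACK, i.e. a new connection attempt

class SynLimiter:
    """Token bucket with the limit/burst semantics of iptables '-m limit'
    (an assumed model; ipchains has no rate-limit match). Integer milli-tokens."""
    def __init__(self, rate_per_s, burst):
        self.rate, self.cap = rate_per_s, burst * 1000
        self.tokens, self.last = self.cap, 0
    def allow(self, t_ms):
        self.tokens = min(self.cap, self.tokens + (t_ms - self.last) * self.rate)
        self.last = t_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

def make_policy(syn_rate=10, syn_burst=20):
    """Thread's policy: drop ICMP, drop UDP except 53, accept TCP but rate limit
    new SYNs. Each protocol needs its own default; a UDP rule never covers TCP."""
    limiter = SynLimiter(syn_rate, syn_burst)
    def decide(p):
        if p.proto == "udp":
            return "ACCEPT" if p.dport == 53 else "DROP"
        if p.proto == "tcp":
            return "DROP" if p.syn and not limiter.allow(p.t_ms) else "ACCEPT"
        return "DROP"  # ICMP and anything else: default deny
    return decide

def tally(packets, decide):
    """Verdict counts per protocol, e.g. {('tcp', 'ACCEPT'): 29, ...}."""
    counts = {}
    for p in packets:
        key = (p.proto, decide(p))
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed samples: 100 SYNs in one second to an IRC-style port, plus a few ordinary packets.
FLOOD = [Packet(10 * i, "tcp", 6667, syn=True) for i in range(100)]
MIXED = [Packet(0, "udp", 53), Packet(1, "udp", 1434), Packet(2, "icmp"),
         Packet(3, "tcp", 22)]

def demo():  # fresh policy per call so the bucket starts full
    return tally(FLOOD, make_policy()), tally(MIXED, make_policy())
```

With a rate of 10/s and a burst of 20, the 100-SYN burst yields 29 accepts and 71 drops: the burst drains within the first 220 ms and only the 10/s refill passes afterwards. A host filter still spends CPU and link bandwidth on every packet it drops, so this protects the listening service's backlog rather than the uplink; a UDP flood that saturates the line has to be filtered upstream.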
ASKER
Thanks rich, the links are useful. But so far it doesn't actually stop the DDOS to my current box, but it does give certain insights as to what is needed and the lot.
Here are some things to understand, and possibly minimize DoS attacks: http://www.cisco.com/warp/public/707/newsflash.html
I also recommend DJBDNS (aka tinydns) over BIND, 2 billion times better than BIND... http://cr.yp.to/djbdns.html
-rich