Professional Documents
Culture Documents
Anti DDoS With Iptables and Ipt
Anti DDoS With Iptables and Ipt
Anti DDoS With Iptables and Ipt
In these days Ive been attacked with a syn flood plus a GET flood requests.
There was ~1600 different IP that compose the botnet that was attacking, so I write some lines of
iptables in order to keep the attack under control.
Below you can find the entire micro script Ive made, and after that an explanation line per line
about what they do.
Clear all existent rules on the firewall.
iptables -F
iptables -X
Create the three new chains that we are going to use in order to filter the attack
iptables -N ATTACKED
iptables -N ATTK_CHECK
iptables -N SYN_FLOOD
For any new incoming packet we check if the packet is a syn or not, if not, we simply drop
it.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
We drop fragmented packets.
iptables -A INPUT -f -j DROP
Drop XMAS packets.
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop NULL packets.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Any incoming tcp packets will be forwarded in the SYN_FLOOD chain.
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
We use module hashlimit to create a database of the single istance ip in order to drop any
packet from any ip that exceed 100 packet per second, and keep it in the database for 3600
seconds.
-j ATTACKED
We permit the rest of the traffic that could be almost completely legitimate.
iptables -A ATTK_CHECK -j ACCEPT
Shell scripts
#!/bin/bash
iptables -F
iptables -X
iptables -N ATTACKED
iptables -N ATTK_CHECK
iptables -N SYN_FLOOD
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
iptables -A SYN_FLOOD -p tcp --syn -m hashlimit --hashlimit 100/sec --hashlimit-burst 3
--hashlimit-htable-expire 3600 --hashlimit-mode srcip --hashlimit-name synflood -j ACCEPT
iptables -A SYN_FLOOD -j ATTK_CHECK
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 1800 --name BANNED
--rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ATTK_CHECK
iptables -A ATTACKED -m limit --limit 5/min -j LOG --log-prefix "IPTABLES (Rule
ATTACKED): " --log-level 7
iptables -A ATTACKED -m recent --set --name BANNED --rsource -j DROP
iptables -A ATTK_CHECK -m recent --set --name ATTK
iptables -A ATTK_CHECK -m recent --update --seconds 180 --hitcount 20 --name ATTK
--rsource -j ATTACKED
iptables -A ATTK_CHECK -m recent --update --seconds 60 --hitcount 6 --name ATTK --rsource
-j ATTACKED
iptables -A ATTK_CHECK -j ACCEPT