Hello list,

Recently I have had one of my boxes attacked with a DDoS attack. It was all coming from 1 IP address, so I made the rule:

DROP net:<ip> $FW ANY

This however did not help much for the load coming onto the box, as if it wasn't working properly. When adding:

iptables -A INPUT -p tcp -s <ip> -j DROP

the load to the box did get dropped.

Can anyone tell me what I was doing wrong with the Shorewall rule configuration?

Thanks in advance.

Regards.

------------------------------------------------------------------------------
Free Software Download: Index, Search & Analyze Logs and other IT data in Real-Time with Splunk. Collect, index and harness all the fast moving IT data generated by your applications, servers and devices whether physical, virtual or in the cloud. Deliver compliance at lower cost and gain new business insights. http://p.sf.net/sfu/splunk-dev2dev
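One check worth doing before concluding that a rule "isn't working" is whether it matches any packets at all. The script below is an added example, not code from this thread or from Shorewall: it reads the per-rule packet counters of the INPUT chain (from `iptables -vnxL INPUT`, or from a constructed sample listing embedded in the script) and reports whether a DROP rule for the given source exists and has hits. The address 203.0.113.7, the sample listing and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a DROP rule for a source
# IP is actually matching packets, using the per-rule counters printed by
# `iptables -vnxL INPUT` (-x gives exact counts, no K/M suffixes).
# The listing below is constructed. It shows a case worth knowing about: a DROP
# limited to "state NEW" matches nothing while an unrestricted DROP for the same
# source keeps counting, because packets of already-open conversations are not NEW.
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    8231     492840 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0          0 DROP       tcp  --  *      *       203.0.113.7          0.0.0.0/0            state NEW
    5120     307200 DROP       tcp  --  *      *       203.0.113.7          0.0.0.0/0'

# drop_hits <ip> [listing]: total packets matched by DROP rules whose source is <ip>.
# Without a second argument it reads the live INPUT chain (needs root).
drop_hits() {
    ip=$1
    listing="${2:-$(iptables -vnxL INPUT 2>/dev/null)}"
    printf '%s\n' "$listing" | awk -v ip="$ip" '
        $3 == "DROP" && $8 == ip { total += $1 }
        END { print total + 0 }'
}

# drop_rule_count <ip> [listing]: number of DROP rules that name <ip> as source.
drop_rule_count() {
    ip=$1
    listing="${2:-$(iptables -vnxL INPUT 2>/dev/null)}"
    printf '%s\n' "$listing" | awk -v ip="$ip" '
        $3 == "DROP" && $8 == ip { n++ }
        END { print n + 0 }'
}

# check_drop <ip> [listing]: print a verdict; exit 0 only if a DROP rule for
# <ip> exists and has matched at least one packet.
check_drop() {
    rules=$(drop_rule_count "$1" "$2")
    hits=$(drop_hits "$1" "$2")
    if [ "$rules" -eq 0 ]; then
        echo "no DROP rule for $1 in INPUT"; return 1
    elif [ "$hits" -eq 0 ]; then
        echo "$rules DROP rule(s) for $1 but 0 packets matched: placed after an ACCEPT, or limited to NEW?"; return 1
    fi
    echo "$rules DROP rule(s) for $1 matched $hits packets"
}

check_drop 203.0.113.7 "$SAMPLE_LISTING"
```

Run it without the second argument on the firewall itself to inspect the live chain instead of the sample.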
On 01.03.2011 09:50, Jensen, Peter wrote:
> Recently I have had one of my boxes attacked with a DDoS attack. It was
> all coming from 1 IP address so I made the rule :

Paradox! If it's all coming from 1 IP, it is not a *Distributed* Denial of Service attack (DDoS), but rather a DoS. And if a single computer can freak the hell out of you, you've got a much bigger problem than a firewall rule.

> DROP net:<ip> $FW ANY

Why specify "ANY" for port? Leaving it empty would be your desired solution.
Hello Peter,

On Tue, 1 Mar 2011 09:50:08 +0100 "Jensen, Peter" <Peter.Jensen@ggzdrenthe.nl> wrote:
> Can anyone tell me what I was doing wrong with the shorewall rule
> configuration ?

If you are using Shorewall 4.4 or later you can use the blacklist [0] functionality of Shorewall:

shorewall drop <ip/subnet>

or have a look into /etc/shorewall/blacklist

Regards,
Daniel

[0] http://www.shorewall.net/blacklisting_support.htm
2011/3/1 Jensen, Peter <Peter.Jensen@ggzdrenthe.nl>:
> Hello list,
>
> Recently I have had one of my boxes attacked with a DDoS attack. It was all
> coming from 1 IP address so I made the rule :
>
> DROP net:<ip> $FW ANY
>
> This however did not help much for the load coming onto the box, as if it
> wasn't working properly.
>
> When adding : iptables -A INPUT -p tcp -s <ip> -j DROP, the load to the box
> did get dropped.
>
> Can anyone tell me what I was doing wrong with the shorewall rule
> configuration ?

From 1 IP address is not a DDoS, but just a DoS, and in both cases you can't do much; notify your upstream internet provider, who can take the appropriate measures.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Tue, Mar 1, 2011 at 11:59 AM, Daniel Meißner <daniel@3st.mine.nu> wrote:
> if you are using Shorewall 4.4 or later you can use the blacklist [0]
> functionality of shorewall:
>
> shorewall drop <ip/subnet>
> or have a look into /etc/shorewall/blacklist

Which is a very bad idea, won't stop the attack itself, and will provide nothing more than a false sense of security.