Hi,

I've been working the past 8 hrs combatting DDoS attacks on websites and dedicated servers I host for clients.

They're hitting one specific IP address, but coming from thousands of external IP addresses.

I use:

shorewall-4.0.10-3.noarch

How can I tackle this? I've blocked many subnets in the blacklist file but it's made very little difference.

If someone can advise please do.

Thanks.

Michael.

I'm aware of, but have never tried a technique called tarpitting that is supposed to be very useful in your situation.

On Aug 29, 2009, at 1:18, Michael Mansour <micoots@yahoo.com> wrote:
> Hi,
>
> I've been working the past 8 hrs combatting DDoS attacks on websites
> and dedicated servers I host for clients.
>
> They're hitting one specific IP address, but coming from thousands
> of external IP addresses.
>
> I use:
>
> shorewall-4.0.10-3.noarch
>
> How can I tackle this? I've blocked many subnets in the blacklist
> file but it's made very little difference.
>
> If someone can advise please do.
>
> Thanks.
>
> Michael.

--- On Sat, 8/29/09, Christ Schlacta <aarcane@gmail.com> wrote:
> I'm aware of, but have never tried a
> technique called tarpitting that
> is supposed to be very useful in your situation.

I think that the TARPIT target has made it into the latest kernels/iptables but I haven't checked.
I don't know if shorewall itself supports it.

Vieri

Vieri Di Paola wrote:
> --- On Sat, 8/29/09, Christ Schlacta <aarcane@gmail.com> wrote:
>
>> I'm aware of, but have never tried a
>> technique called tarpitting that
>> is supposed to be very useful in your situation.
>
> I think that the TARPIT target has made it into the latest kernels/iptables but I haven't checked.
> I don't know if shorewall itself supports it.

It does not.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On Sat, 2009-08-29 at 01:18 -0700, Michael Mansour wrote:
> Hi,
>
> I've been working the past 8 hrs combatting DDoS attacks on websites and dedicated servers I host for clients.
>
> They're hitting one specific IP address, but coming from thousands of external IP addresses.
>
> I use:
>
> shorewall-4.0.10-3.noarch
>
> How can I tackle this? I've blocked many subnets in the blacklist file but it's made very little difference.
>
> If someone can advise please do.
>
> Thanks.
>

Have a look at "null routing":

http://en.wikipedia.org/wiki/Null_route

Jerry

Christ Schlacta wrote:
> I'm aware of, but have never tried a technique called tarpitting that
> is supposed to be very useful in your situation.

Tarpitting a DDOS attack against a legitimate website takes the site offline.

The TARPIT target is available in xtables-addons and it is easy to construct an action to invoke it:

Assuming shorewall-perl....

/etc/shorewall/actions:

    Tarpit

/etc/shorewall/action.Tarpit

    <empty file>

/etc/shorewall/Tarpit:

    use Shorewall::Chains;

    add_rule $chainref, "-p tcp -j TARPIT";

/etc/shorewall/rules

    Tarpit net ... tcp 80 - ...

-Tom

On 29 August 2009 at 10:18, Michael Mansour <micoots@yahoo.com> wrote:
> Hi,
>
> I've been working the past 8 hrs combatting DDoS attacks on websites
> and dedicated servers I host for clients.
>
> They're hitting one specific IP address, but coming from thousands
> of external IP addresses.
>
> I use:
>
> shorewall-4.0.10-3.noarch
>
> How can I tackle this? I've blocked many subnets in the blacklist
> file but it's made very little difference.
>
> If someone can advise please do.
>

Hi

Is your Internet pipe flooded, or are your webserver's resources exhausted?

In the first case there is 'nothing' useful to do at your level imho. In the second one you can try to limit the rate of new connections from a single IP/range directed to your webserver.

Laurent

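[Added example, not part of Laurent's message or of Shorewall: a way to check from firewall logs whether limiting new connections per source can shed a meaningful share of the load. It assumes TCP SYNs to port 80 are logged in the kernel's netfilter LOG format; the log lines, host name, log prefix and addresses are constructed.]

```python
import re
from collections import Counter

# Netfilter LOG line for a TCP SYN: captures minute, source address, dest port.
SYN = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d .*?SRC=(\S+) "
                 r".*?PROTO=TCP .*?DPT=(\d+) .*?\bSYN\b")

def parse(lines, port=80):
    """Return one (minute, source_ip) pair per logged SYN to `port`."""
    events = []
    for line in lines:
        m = SYN.match(line)
        if m and int(m.group(3)) == port:
            events.append((m.group(1), m.group(2)))
    return events

def peak_per_source(events):
    """Highest number of SYNs each source sent within any single minute."""
    peak = Counter()
    for (_, src), n in Counter(events).items():
        peak[src] = max(peak[src], n)
    return peak

def sheddable_fraction(events, limit):
    """Share of all SYNs that exceed `limit` per source per minute."""
    excess = sum(max(0, n - limit) for n in Counter(events).values())
    return excess / len(events) if events else 0.0

def sample_line(second, src):
    # Constructed log line; host name, prefix and addresses are made up.
    return (f"Aug 29 01:18:{second:02d} fw kernel: Shorewall:net2fw:ACCEPT:"
            f"IN=eth0 OUT= SRC={src} DST=203.0.113.10 LEN=60 TTL=52 "
            "PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0")

# Constructed case A: 3 sources, 120 SYNs each within one minute.
CONCENTRATED = [sample_line(i % 60, f"198.51.100.{s}")
                for s in (1, 2, 3) for i in range(120)]
# Constructed case B: 360 distinct sources, one SYN each in that minute.
DIFFUSE = [sample_line(i % 60, f"198.18.{i // 200}.{i % 200 + 1}")
           for i in range(360)]

if __name__ == "__main__":
    for name, lines in (("concentrated", CONCENTRATED), ("diffuse", DIFFUSE)):
        ev = parse(lines)
        print(name, len(peak_per_source(ev)), "sources,",
              f"{sheddable_fraction(ev, 20):.0%} above 20 SYN/min/source")
```

A result near zero, as in case B, means the load is spread so thinly that a per-source limit on the firewall would drop almost nothing.
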
I found the article I was reading before about a tarpitting solution that doesn't simply take the website offline.

http://www.secureworks.com/research/threats/ddos/

Tom Eastep wrote:
> Christ Schlacta wrote:
>> I'm aware of, but have never tried a technique called tarpitting that
>> is supposed to be very useful in your situation.
>
> tarpitting a DDOS attack against a legitimate website takes the site
> offline.
>
> The TARPIT target is available in xtables-addons and it is easy to
> construct an action to invoke it:
>
> Assuming shorewall-perl....
>
> /etc/shorewall/actions:
>
>     Tarpit
>
> /etc/shorewall/action.Tarpit
>
>     <empty file>
>
> /etc/shorewall/Tarpit:
>
>     use Shorewall::Chains;
>
>     add_rule $chainref, "-p tcp -j TARPIT";
>
> /etc/shorewall/rules
>
>     Tarpit net ... tcp 80 - ...
>
> -Tom

On 29/08/09 04:18, Michael Mansour wrote:
> How can I tackle this?

Your ISP is the right place where the attack should be blocked, also contact your local authorities.

I have taken the Tarpit instructions below and made Tarpit the default action. To do this I changed the DROP_DEFAULT in shorewall.conf to Tarpit.

The Tarpit action doesn't handle UDP, ICMP, etc. as is. I added another rule to handle them, i.e.:

cat /etc/shorewall/Tarpit

    use Shorewall::Chains;
    add_rule $chainref, "-p tcp -j TARPIT";
    # DROP for all other protocols
    add_rule $chainref, "-j DROP";

Seems to be working, has anyone else tried this?

This would make every host in the blacklist get tarpitted? Or do I need to set BLACKLIST_DISPOSITION=Tarpit in shorewall.conf?

Thanks,
ds

Original tarpit instructions:

tarpitting a DDOS attack against a legitimate website takes the site offline.

The TARPIT target is available in xtables-addons and it is easy to construct an action to invoke it:

Assuming shorewall-perl....

/etc/shorewall/actions:

    Tarpit

/etc/shorewall/action.Tarpit

    <empty file>

/etc/shorewall/Tarpit:

    use Shorewall::Chains;

    add_rule $chainref, "-p tcp -j TARPIT";

/etc/shorewall/rules

    Tarpit net ... tcp 80 - ...

Dave Sparks wrote:
> I have taken the Tarpit instructions below and made Tarpit the
> default action. To do this I changed the DROP_DEFAULT in
> shorewall.conf to Tarpit.
>
> The Tarpit action doesn't handle UDP, ICMP, etc asis. I added
> another rule to handle them ie:
>
> cat /etc/shorewall/Tarpit
>
>     use Shorewall::Chains;
>     add_rule $chainref, "-p tcp -j TARPIT";
>     # DROP for all other protocols
>     add_rule $chainref, "-j DROP";
>
> Seems to be working, has anyone else tried this?

Hopefully not. Using this as a default action will tarpit any Auth client who is trying to authenticate one of your users who just connected. It also totally breaks logging of DROP policies.

> This would make every host in the blacklist get tarpitted?

No -- this will cause the Tarpit action to be invoked just before a DROP policy is enforced on a connection request.

> Or do I
> need to set BLACKLIST_DISPOSITION=Tarpit in shorewall.conf?

You don't get to specify your own action in the BLACKLIST_DISPOSITION option. The only legitimate use of your Tarpit action would be in /etc/shorewall/rules.

-Tom