17 Feb
2014
17 Feb
'14
5:36 a.m.
On 02/16/2014 09:09 PM, David C. Rankin wrote:
Thanks for the tips! I tend not to use direct iptables access to the
firewall, but if needed this is a good summary.
The attack originated in the Netherlands and it appears that it has
stopped as of a couple hours ago. Blocking reduced the traffic but did
not completely eliminate it, so I needed to wait before sounding the
all-clear.
Tim
On 02/16/2014 08:54 PM, Timothy Pearson wrote:
It was probably Martin having a bad night :p Seriously, here are a few
notes I
had regarding responses to ssh type DOS attacks:
# Blocking ssh attacks
/usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name
sshattack --set
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name
sshattack
--update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name
sshattack
--update --seconds 60 --hitcount 6 -j REJECT
This will block all further syns from an IP address starting on the sixth
port
22 connection within 60 seconds. It takes 60 seconds of absolute quiet
from that
same ip address (or a reboot) to make the block go away. Kills a LOT of
brute
force ssh attacks. I've also used this both against web statistics
spammers and
email DOSers with good results.
Another:
I believe that this is it:
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack
--update
--seconds 240 --hitcount 2 -j REJECT
--
David C. Rankin, J.D.,P.E. All,
The TDE servers have been undergoing a DDoS attack since around 6:00AM
CST
02/16/2014. As a result, many TDE services are functioning
sporadically.
I am attempting to counter this attack as best as I am able, but I do
not
have sufficient bandwidth available to guarantee continued access to
any
TDE services until the attack is over.
I apologise for the disruption, and hope to have access to all services
restored a soon as possible. Thank you for your patience!
Timothy Pearson
Give'em hell Tim!
iptables -A INPUT -s off.end.ing._ip -j DROP