17 Feb
2014
17 Feb
'14
2:54 a.m.
All,
The TDE servers have been undergoing a DDoS attack since around 6:00AM CST
02/16/2014. As a result, many TDE services are functioning sporadically.
I am attempting to counter this attack as best as I am able, but I do not
have sufficient bandwidth available to guarantee continued access to any
TDE services until the attack is over.
I apologise for the disruption, and hope to have access to all services
restored a soon as possible. Thank you for your patience!
Timothy Pearson
17 Feb
17 Feb
3:09 a.m.
New subject: [trinity-devel] Ongoing DDoS attack
On 02/16/2014 08:54 PM, Timothy Pearson wrote:
All,
The TDE servers have been undergoing a DDoS attack since around 6:00AM CST
02/16/2014. As a result, many TDE services are functioning sporadically.
I am attempting to counter this attack as best as I am able, but I do not
have sufficient bandwidth available to guarantee continued access to any
TDE services until the attack is over.
I apologise for the disruption, and hope to have access to all services
restored a soon as possible. Thank you for your patience!
Timothy Pearson
Give'em hell Tim!
iptables -A INPUT -s off.end.ing._ip -j DROP
--
David C. Rankin, J.D.,P.E.
3:14 a.m.
New subject: [trinity-devel] Ongoing DDoS attack
On 02/16/2014 09:09 PM, David C. Rankin wrote:
On 02/16/2014 08:54 PM, Timothy Pearson wrote:
It was probably Martin having a bad night :p Seriously, here are a few notes I
had regarding responses to ssh type DOS attacks:
# Blocking ssh attacks
/usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack
--update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack
--update --seconds 60 --hitcount 6 -j REJECT
This will block all further syns from an IP address starting on the sixth port
22 connection within 60 seconds. It takes 60 seconds of absolute quiet from that
same ip address (or a reboot) to make the block go away. Kills a LOT of brute
force ssh attacks. I've also used this both against web statistics spammers and
email DOSers with good results.
Another:
I believe that this is it:
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update
--seconds 240 --hitcount 2 -j REJECT
--
David C. Rankin, J.D.,P.E.
All,
The TDE servers have been undergoing a DDoS attack since around 6:00AM CST
02/16/2014. As a result, many TDE services are functioning sporadically.
I am attempting to counter this attack as best as I am able, but I do not
have sufficient bandwidth available to guarantee continued access to any
TDE services until the attack is over.
I apologise for the disruption, and hope to have access to all services
restored a soon as possible. Thank you for your patience!
Timothy Pearson
Give'em hell Tim!
iptables -A INPUT -s off.end.ing._ip -j DROP
4:03 a.m.
New subject: [trinity-devel] Ongoing DDoS attack
Fail 2 ban works well also.
On Feb 16, 2014 10:14 PM, "David C. Rankin"
<drankinatty(a)suddenlinkmail.com>
wrote:
On 02/16/2014 09:09 PM, David C. Rankin wrote:
It was probably Martin having a bad night :p Seriously, here are a few
notes I
had regarding responses to ssh type DOS attacks:
# Blocking ssh attacks
/usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name
sshattack --set
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name
sshattack
--update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name
sshattack
--update --seconds 60 --hitcount 6 -j REJECT
This will block all further syns from an IP address starting on
the sixth port
22 connection within 60 seconds. It takes 60 seconds of absolute quiet
from that
same ip address (or a reboot) to make the block go away. Kills a LOT of
brute
force ssh attacks. I've also used this both against web statistics
spammers and
email DOSers with good results.
Another:
I believe that this is it:
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack
--update
--seconds 240 --hitcount 2 -j REJECT
--
David C. Rankin, J.D.,P.E.
---------------------------------------------------------------------
To unsubscribe, e-mail:
trinity-devel-unsubscribe(a)lists.pearsoncomputing.net
For additional commands, e-mail:
trinity-devel-help(a)lists.pearsoncomputing.net
Read list messages on the web archive:
http://trinity-devel.pearsoncomputing.net/
Please remember not to top-post:
http://trinity.pearsoncomputing.net/mailing_lists/#top-posting
On 02/16/2014 08:54 PM, Timothy Pearson wrote:
> All,
>
> The TDE servers have been undergoing a DDoS attack since around 6:00AM
CST
> 02/16/2014. As a result, many TDE services
are functioning
sporadically.
> I am attempting to counter this attack as
best as I am able, but I do
not
have
sufficient bandwidth available to guarantee continued access to any
TDE services until the attack is over.
I apologise for the disruption, and hope to have access to all services
restored a soon as possible. Thank you for your patience!
Timothy Pearson
Give'em hell Tim!
iptables -A INPUT -s off.end.ing._ip -j DROP
5:36 a.m.
New subject: [trinity-devel] Ongoing DDoS attack
On 02/16/2014 09:09 PM, David C. Rankin wrote:
Thanks for the tips! I tend not to use direct iptables access to the
firewall, but if needed this is a good summary.
The attack originated in the Netherlands and it appears that it has
stopped as of a couple hours ago. Blocking reduced the traffic but did
not completely eliminate it, so I needed to wait before sounding the
all-clear.
Tim
On 02/16/2014 08:54 PM, Timothy Pearson wrote:
It was probably Martin having a bad night :p Seriously, here are a few
notes I
had regarding responses to ssh type DOS attacks:
# Blocking ssh attacks
/usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name
sshattack --set
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name
sshattack
--update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name
sshattack
--update --seconds 60 --hitcount 6 -j REJECT
This will block all further syns from an IP address starting on the sixth
port
22 connection within 60 seconds. It takes 60 seconds of absolute quiet
from that
same ip address (or a reboot) to make the block go away. Kills a LOT of
brute
force ssh attacks. I've also used this both against web statistics
spammers and
email DOSers with good results.
Another:
I believe that this is it:
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack
--update
--seconds 240 --hitcount 2 -j REJECT
--
David C. Rankin, J.D.,P.E. All,
The TDE servers have been undergoing a DDoS attack since around 6:00AM
CST
02/16/2014. As a result, many TDE services are functioning
sporadically.
I am attempting to counter this attack as best as I am able, but I do
not
have sufficient bandwidth available to guarantee continued access to
any
TDE services until the attack is over.
I apologise for the disruption, and hope to have access to all services
restored a soon as possible. Thank you for your patience!
Timothy Pearson
Give'em hell Tim!
iptables -A INPUT -s off.end.ing._ip -j DROP
4009
days inactive
4009
days old
4 comments
3 participants
participants (3)
-
Calvin Morrison -
David C. Rankin -
Timothy Pearson