All,
The TDE servers have been undergoing a DDoS attack since around 6:00AM CST 02/16/2014. As a result, many TDE services are functioning sporadically. I am attempting to counter this attack as best as I am able, but I do not have sufficient bandwidth available to guarantee continued access to any TDE services until the attack is over.
I apologise for the disruption, and hope to have access to all services restored as soon as possible. Thank you for your patience!
Timothy Pearson
On 02/16/2014 09:09 PM, David C. Rankin wrote:
Give'em hell Tim!
iptables -A INPUT -s off.end.ing._ip -j DROP
On Feb 16, 2014 10:14 PM, David C. Rankin wrote:
It was probably Martin having a bad night :p Seriously, here are a few notes I had regarding responses to ssh type DOS attacks:
# Blocking ssh attacks
/usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
This will block all further syns from an IP address starting on the sixth port 22 connection within 60 seconds. It takes 60 seconds of absolute quiet from that same ip address (or a reboot) to make the block go away. Kills a LOT of brute force ssh attacks. I've also used this both against web statistics spammers and email DOSers with good results.
Another:
I believe that this is it:
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 240 --hitcount 2 -j REJECT
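The behaviour described in the message above (rejection from the sixth SYN, released only once the source has been quiet for the whole window) can be checked offline against a connection log before the rules are loaded. This is an added example, not part of the original thread: a simplified awk model of the `recent` match in which `--set` stamps every SYN and each matching `--update` rule stamps again; `simulate_recent`, `sample_log` and the documentation-range addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: simplified model of the thread's "-m recent" rules.
# Input: time-sorted lines "epoch_seconds source_ip", one per SYN to port 22.
# Usage: simulate_recent SECONDS HITCOUNT [UPDATE_RULES] < connections
simulate_recent() {
    awk -v win="$1" -v hits="$2" -v upd="${3:-2}" '
    function stamp(ip, t) { n[ip]++; ts[ip, n[ip]] = t }
    {
        t = $1; ip = $2
        if (!(ip in n)) { n[ip] = 0; first[ip] = 1 }
        stamp(ip, t)                  # rule 1: --set records every SYN
        # Drop stamps older than the window; they can never count again.
        while (first[ip] <= n[ip] && t - ts[ip, first[ip]] > win) {
            delete ts[ip, first[ip]]; first[ip]++
        }
        if (n[ip] - first[ip] + 1 >= hits) {
            # Assumption: every matching --update rule stamps again
            # (two in the thread: the LOG rule, then the REJECT rule).
            for (i = 0; i < upd; i++) stamp(ip, t)
            print t, ip, "REJECT"
        } else {
            print t, ip, "ACCEPT"
        }
    }'
}

# Constructed sample: 198.51.100.7 retries once a second and comes back
# later; 203.0.113.9 is an administrator opening two sessions.
sample_log() {
    cat <<'EOF'
0 198.51.100.7
1 198.51.100.7
2 198.51.100.7
3 198.51.100.7
4 198.51.100.7
5 198.51.100.7
10 203.0.113.9
40 203.0.113.9
62 198.51.100.7
130 198.51.100.7
EOF
}

sample_log | simulate_recent 60 6 2
```

Replaying the same sample with `simulate_recent 240 2 1` (the thresholds of the second rule, with a single `--update` rule) rejects the constructed administrator address on its second connection at t=40, which shows how much more readily the tighter setting locks out legitimate reconnects.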
Fail 2 ban works well also.
Thanks for the tips! I tend not to use direct iptables access to the firewall, but if needed this is a good summary.
The attack originated in the Netherlands and it appears that it has stopped as of a couple hours ago. Blocking reduced the traffic but did not completely eliminate it, so I needed to wait before sounding the all-clear.
Tim