
Basic DoS Protection

SamuelNZ edited this page Mar 28, 2014 · 24 revisions

Basic DoS Protection with IPTables.

To cut a long story short, I've been doing recon on pools running MPOS using various methods. Anyway, I have compiled what I consider to be the "Absolute Minimums" that you should apply to IPTables.

You can just blindly paste the code block at the bottom into your terminal, but it will be missing a few rules. I recommend having a read; don't just copy and paste.

I'll try to be really brief when I explain what they do; that guide was already pretty long ;D

Rule 1: Limit New Connections to something Sane.

sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT

  1. We are adding an INPUT rule.
  2. -p tcp --dport 80 = we are looking for TCP traffic to port 80.
  3. -m state --state NEW = we are applying this only to new connections meeting the above conditions.
  4. -m limit --limit 50/minute --limit-burst 200 = up to 200 new connections are accepted straight away; once that burst is used up, further new connections are accepted at 50 per minute (in essence: you speed up for no reason, we slow you down).
  5. We jump to ACCEPT the packet and send it to its destination without further questioning.

Rule 2: Limit Existing Connections to something Sane.

sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT

  1. We are adding an INPUT rule.
  2. This applies to already established connections and their related connections.
  3. We limit their traffic to 50 packets a second (a "normal" person shouldn't need more than that).
  4. Again we jump to ACCEPT those packets.

Rule 3: Wow, let's just drop anything we don't like

sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

There's a lot going on here, so I will sum it up by saying: we are dropping packets from lame script kiddies, and anything else that isn't a complete or compliant TCP flag combination. No self-respecting firewall should be lacking these rules by default (yet they all are). This should protect you from lame flood attacks, well, at least the ones not launched by "professionals".

Rule 3: Come in or go away, Stop knocking.

sudo iptables -N PORT_SCANNING
sudo iptables -A PORT_SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
sudo iptables -A PORT_SCANNING -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j PORT_SCANNING

We create a new chain to monitor port scanning attempts (the chain has to exist, and INPUT has to jump into it, before it does anything), and then DROP them all on their head if they flood us. You may also want to log them, but we won't do that here because there are disk quota considerations you need to make.

Rule 4: For you LAND Lovers (Local Area Network Denial)

sudo iptables -A INPUT -s YOURSERVERIP/32 -j DROP

This one isn't a copy and paste: replace YOURSERVERIP with your server's own address. This will protect you from spoofed IPs pretending to be you. Although this should be caught already by the above rules, it's better to be safe than DoS'd.

Rule 5: Ho-Ho-Ho, wait.. it's not Christmas.. (XMAS Packets)

sudo iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

Basically, a really cool and easy way to kill a server is to send a whole heap of packets at it with every single option set. To avoid DoSing ourselves, we first specify that we want to look at all flags (ALL), then name the combination we deem suspect (FIN,PSH,URG), and drop anything that matches it.
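How the --tcp-flags rules from Rule 3 and the XMAS rule above actually decide is easier to see by running them than by reading them. The following is an added example written for this page, not code from the MPOS project: a small POSIX shell model of iptables' MASK/COMP matching ("of the flags named in MASK, exactly the ones named in COMP are set"), applied in the page's order to a handful of constructed flag combinations. The bit values follow the TCP header and the rule labels (null-scan, syn+fin, ...) are my own; nothing here touches the firewall.

```shell
#!/bin/sh
# Added example (not from the MPOS wiki): a pure-shell model of how iptables
# evaluates "--tcp-flags MASK COMP", run against the page's Rule 3 and XMAS rules.
# A packet matches when, looking only at the flags named in MASK, exactly the
# flags named in COMP are set. Nothing here touches the firewall.

# Bit value for one flag name (the TCP header's own bit order, for readability).
flag_bit() {
    case "$1" in
        FIN) echo 1 ;;  SYN) echo 2 ;;  RST) echo 4 ;;  PSH) echo 8 ;;
        ACK) echo 16 ;; URG) echo 32 ;; ALL) echo 63 ;; NONE) echo 0 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# "FIN,SYN" -> 3. Runs in a subshell so the IFS change stays local.
flags_to_mask() (
    IFS=','
    mask=0
    for f in $1; do
        bit=$(flag_bit "$f") || exit 1
        mask=$((mask | bit))
    done
    echo "$mask"
)

# tcp_flags_match MASK COMP PACKET_FLAGS -> exit 0 if iptables would match.
tcp_flags_match() {
    m=$(flags_to_mask "$1") && c=$(flags_to_mask "$2") && p=$(flags_to_mask "$3") || return 2
    [ $((p & m)) -eq "$c" ]
}

# Walk the page's DROP rules in order and report the first one a packet hits.
# Prints "DROP (<label>)" or "pass". The labels are this example's own names.
classify() {
    while read -r mask comp label; do
        if tcp_flags_match "$mask" "$comp" "$1"; then
            echo "DROP ($label)"
            return 0
        fi
    done <<'EOF'
FIN,SYN,RST,PSH,ACK,URG NONE null-scan
FIN,SYN FIN,SYN syn+fin
SYN,RST SYN,RST syn+rst
FIN,RST FIN,RST fin+rst
FIN,ACK FIN fin-without-ack
ACK,URG URG urg-without-ack
ALL FIN,PSH,URG xmas
EOF
    echo "pass"
}

# Constructed packets: a normal handshake and close first, then scan patterns.
for pkt in SYN SYN,ACK ACK PSH,ACK FIN,ACK NONE FIN SYN,FIN FIN,PSH,URG RST; do
    printf '%-12s %s\n' "$pkt" "$(classify "$pkt")"
done
```

Two things it makes visible: a FIN,PSH,URG packet is already dropped by the FIN,ACK FIN rule (FIN set, ACK clear) before the XMAS rule is ever consulted, so Rule 5 is harmless but redundant next to Rule 3; and a bare RST slips past all of these, which is exactly what the port-scan chain in the next rule is for.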

Rule 6: Seeing Blue (Smurf Attacks)

sudo iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT

Or, if you're not using it, drop it. I'll let you decide which one is right. You also have the option of specifying which types of ICMP packet you want to drop, but you can read about that somewhere else.

sudo iptables -A INPUT -p icmp -j DROP

First, go read about what ICMP is. Then scratch your head about its legitimate existence. Anyway, what this rule does is limit the requests to what is still a pretty high level of 1 every 2 seconds. You don't want your server to be spammed with these.

Rule 7: The more advanced SYN filter (MODIFICATION OF OTHER RULE)

OK, so you managed to get around the malformed packet filter. Good for you.

sudo iptables -A INPUT -p tcp -m state --state NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT

If you're having real problems with SYN floods, then you can use this to SEVERELY limit new connections. If you already added the rule at the top, you need to run this before you add the above rule:

sudo iptables -D INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT

Rule 8: NO UDP EXCEPT DNS - UDP CAN GO CLIMB A TREE

sudo iptables -A INPUT -p udp --sport 53 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp -j DROP
sudo iptables -A OUTPUT -p udp -j DROP

Other Considerations

  1. You might consider installing APF firewall.
  2. You might consider installing (D)DosDeflate.
  3. You probably (you do) want to drop everything you're not using. (research)
  4. This is NOT the end of your IP Tables adventure, This is just to wake you up to the idea.

TL;DR I just want to Copy and Paste.

Please note, There are rules missing that require actual reading.

sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
sudo iptables -N PORT_SCANNING
sudo iptables -A PORT_SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
sudo iptables -A PORT_SCANNING -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j PORT_SCANNING
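The copy-and-paste block above keeps the page's rules as written. What follows is an added example of the same ruleset the way I would actually deploy it, not the wiki's own script. It creates the port-scan chain before referring to it and adds the jump from INPUT that a chain needs to see any traffic; it keeps every rule in one custom chain so the script can be re-run without stacking duplicates; it counts new web connections per source address with the hashlimit match instead of the page's single global limit bucket (with -m limit, packets over the rate are not dropped by that rule, they just fall through to whatever comes next, and one flooder drains the same bucket as every legitimate client); and for the same reason it accepts ESTABLISHED traffic without the 50/second cap from Rule 2. The interface name eth0, the placeholder address 192.0.2.10 and the chain name MPOS_DOS are assumptions; set the variables at the top for your host.

```shell
#!/bin/sh
# Added example for this wiki page, not MPOS's own script. Applies the page's
# rules in an order that works, creates the port-scan chain before jumping into
# it, and keeps everything in one custom chain so re-running replaces the old
# rules instead of appending duplicates.
# Preview without touching the firewall:   IPT="echo iptables" sh dos-rules.sh apply
# Apply for real:                          sudo sh dos-rules.sh apply
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"              # assumption: name of the public interface
SERVER_IP="${SERVER_IP:-192.0.2.10}"  # placeholder; set to the server's own public IP
WEB_PORT="${WEB_PORT:-80}"            # the MPOS web front end; never the stratum port
CHAIN=MPOS_DOS                        # assumed chain name

apply_rules() {
    # Fresh chain every run: create it, or flush it if it already exists.
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"

    # Loopback first, so the LAND rule below cannot eat the host's own traffic.
    $IPT -A "$CHAIN" -i lo -j ACCEPT
    # LAND attack: a packet from outside claiming our own source address.
    $IPT -A "$CHAIN" -i "$WAN_IF" -s "$SERVER_IP/32" -j DROP

    # Bogus flag combinations (the page's Rule 3 plus the XMAS rule). "ALL FIN,PSH,URG"
    # is already covered by "FIN,ACK FIN" but is kept because the page lists it.
    for combo in "FIN,SYN,RST,PSH,ACK,URG NONE" "FIN,SYN FIN,SYN" "SYN,RST SYN,RST" \
                 "FIN,RST FIN,RST" "FIN,ACK FIN" "ACK,URG URG" "ALL FIN,PSH,URG"; do
        # $combo is intentionally unquoted: it carries the MASK and COMP words.
        # shellcheck disable=SC2086
        $IPT -A "$CHAIN" -i "$WAN_IF" -p tcp --tcp-flags $combo -j DROP
    done

    # Port-scan chain: lone RSTs are tolerated at 1/s, anything beyond that is dropped.
    $IPT -N PORT_SCANNING 2>/dev/null || $IPT -F PORT_SCANNING
    $IPT -A PORT_SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
    $IPT -A PORT_SCANNING -j DROP
    $IPT -A "$CHAIN" -i "$WAN_IF" -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j PORT_SCANNING

    # Established traffic is accepted without the page's 50/second cap: -m limit is
    # one global bucket, so a busy server would throttle its own legitimate clients.
    $IPT -A "$CHAIN" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # New web connections: the same 50/minute with a burst of 200 as Rule 1, but
    # counted per source address (hashlimit) so one flooder cannot exhaust the
    # budget for everyone, with an explicit DROP for whoever exceeds it.
    $IPT -A "$CHAIN" -p tcp --dport "$WEB_PORT" -m state --state NEW \
         -m hashlimit --hashlimit-name web_new --hashlimit-mode srcip \
         --hashlimit-above 50/minute --hashlimit-burst 200 -j DROP
    $IPT -A "$CHAIN" -p tcp --dport "$WEB_PORT" -m state --state NEW -j ACCEPT

    # ICMP: a trickle is allowed (Rule 6), the rest is dropped.
    $IPT -A "$CHAIN" -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
    $IPT -A "$CHAIN" -p icmp -j DROP

    # UDP: only DNS (Rule 8); every other UDP packet is dropped.
    $IPT -A "$CHAIN" -p udp --sport 53 -j ACCEPT
    $IPT -A "$CHAIN" -p udp --dport 53 -j ACCEPT
    $IPT -A "$CHAIN" -p udp -j DROP

    # Wire the chain into INPUT once; -C checks whether the jump is already there
    # (in preview mode the -C line is simply printed in place of the check).
    $IPT -C INPUT -j "$CHAIN" 2>/dev/null || $IPT -I INPUT 1 -j "$CHAIN"
}

case "${1:-}" in
    apply) apply_rules ;;
esac
```

Run the preview first and read the printed commands; nothing is applied until the script runs as root with the apply argument. It only rate-limits the web port, leaves the stratum port alone as the note further down insists, and changes no chain policy, so an SSH session stays reachable while you test.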

READ THIS

DO NOT TRY TO LIMIT YOUR STRATUM PORT, You will CRASH your firewall.

We haven't bothered with OUTPUT chains because you shouldn't be running programs you don't trust. With that said, if you think you're infected, best practice is to flash a backup or start again and get it right.

Want a server set up? You can contact me @[email protected]@ (remove the leading and ending @). There are plenty more rules even a basic server should have.

I also do custom setups for servers that want to hide behind Cloudflare effectively.

Check its working

You can check how effective your rules are by running the following command:

iptables --list --verbose

You want to look at the pkts and bytes columns, This will show you how much traffic each rule has evaluated successfully.

Example (from time of posting), trimmed to the pkts, bytes and target columns of the first Rule 3 line (the one matching tcp flags FIN,SYN,RST,PSH,ACK,URG/NONE):

pkts  bytes  target
18307 2900K  DROP   ... tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
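Reading those counters off a long listing by eye gets old, so here is an added example (not part of the wiki) that pulls out just the DROP rules which have actually matched traffic, largest packet counter first. It reads "iptables -L -v" output on stdin and handles the K/M/G abbreviations iptables uses for large counters. The listing embedded below is constructed for the example and its counters are made up; pipe in real output with sudo iptables -L -v | hot_drop_rules.

```shell
#!/bin/sh
# Added example (not from the MPOS wiki): lists the DROP rules in "iptables -L -v"
# output that have matched traffic, so the pkts/bytes columns the page points at
# can be read at a glance. Feed it live output with:  sudo iptables -L -v | hot_drop_rules

# Print "<packets> <chain> <proto> <match description>" for every DROP rule with a
# non-zero packet counter, largest counter first. Reads the listing on stdin.
hot_drop_rules() {
    awk '
        # iptables abbreviates large counters as 12K / 3M / 1G (decimal thousands).
        function num(s,    n) {
            n = s + 0
            if (s ~ /K$/)      n = substr(s, 1, length(s) - 1) * 1000
            else if (s ~ /M$/) n = substr(s, 1, length(s) - 1) * 1000000
            else if (s ~ /G$/) n = substr(s, 1, length(s) - 1) * 1000000000
            return n
        }
        /^Chain /    { chain = $2; next }   # "Chain INPUT (policy ...)"
        $1 == "pkts" { next }               # column header line
        $3 == "DROP" && num($1) > 0 {
            # everything after the destination column is the match description
            desc = ""
            for (i = 10; i <= NF; i++) desc = desc (i > 10 ? " " : "") $i
            printf "%d %s %s%s\n", num($1), chain, $4, (desc == "" ? "" : " " desc)
        }
    ' | sort -rn
}

# Constructed listing in the shape "iptables -L -v" prints; the counters are made up.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 12 packets, 840 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120   14K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http state NEW limit: avg 50/min burst 200
18307 2900K DROP       tcp  --  eth0   any     anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
  412   22K DROP       tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG

Chain PORT_SCANNING (1 references)
 pkts bytes target     prot opt in     out     source               destination
   55  2640 RETURN     tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
    9   432 DROP       all  --  any    any     anywhere             anywhere
EOF
}

sample_listing | hot_drop_rules
```

A rule that never moves off zero is either unreachable (ordered after something that already accepts the traffic) or simply not being hit; both are worth knowing before you assume the firewall is doing anything.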

If i helped you mitigate a DoS attack, Send me a prize: fad0d5602884e23fd9a044ab1870fdb6dc2c5ac4 (Cryptsy Trade Key)
