ddos defence?

jdow jdow at earthlink.net
Wed Jan 18 04:43:36 UTC 2012


On 2012/01/17 19:56, Dave Stevens wrote:
> Quoting Joe Zeff <joe at zeff.us>:
>
>> On 01/17/2012 07:40 PM, Dave Stevens wrote:
>>> I have a vps that has been repeatedly hit with a ddos attack. The ISP
>>> has given me new IP addresses several times but every time I update the
>>> DNS records the attack resumes within hours. This is not yet a
>>> production site but I need it to be, sooner rather than later.
>>>
>>> Can anyone suggest reading or strategies for dealing with this?
>>>
>>> Dave
>>>
>>
>> Have you considered using Fail2ban? See
>> http://www.fail2ban.org/wiki/index.php/Main_Page
>
> Not familiar with it but will check it out, thanks

This is a set of iptables rules that essentially "deals" with packets that
come in too fast. Anything more than one attempt in one minute is logged and
rejected. You can also forgo logging and DROP the packet if you wish. (This
specifically drops ssh packets. But it can be triggered by almost any attempt
to connect to your system, whether it fails or not.) To get no logging, drop
the second line and its continuations. To DROP instead of REJECT, change
the third line's REJECT to DROP.

iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
   --rcheck --seconds 60 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: ' \
   --log-level info
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
   --rcheck --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset

If the normal traffic to the site is really light 180 seconds works nice.
If it's quite light 60 seconds is fine. If it's modest perhaps 10 seconds
is OK. I'd not use it on a site with Google level traffic, of course.

{^_^}
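As an added illustration (not part of jdow's post or of the iptables project itself), here is a small Python model of what those three rules do under the recent module's --set/--rcheck semantics, so the effect of the --seconds and --hitcount choices can be seen before touching a live firewall. The source addresses and timestamps are constructed; the 20-entries-per-address limit follows xt_recent's default ip_pkt_list_tot.

```python
from collections import defaultdict, deque

PKT_LIST_TOT = 20  # xt_recent default: timestamps remembered per address


class RecentList:
    """Per-source-address timestamp list, modelled on the xt_recent module."""

    def __init__(self, max_pkts=PKT_LIST_TOT):
        self.hits = defaultdict(lambda: deque(maxlen=max_pkts))

    def set(self, ip, now):
        # --set: record this packet's timestamp; the rule always matches
        self.hits[ip].append(now)

    def rcheck(self, ip, now, seconds, hitcount):
        # --rcheck: match when at least `hitcount` packets from this address
        # were seen in the last `seconds`; unlike --update it adds no entry
        window = [t for t in self.hits.get(ip, ()) if now - t <= seconds]
        return len(window) >= hitcount


def filter_syns(events, seconds=60, hitcount=2):
    """Run the three posted rules over (time, src_ip) SYNs to port 22.

    Returns [(time, src_ip, verdict)], verdict being 'REJECT' (rule 3
    fired, after rule 2 logged) or 'PASS' (packet falls through to
    whatever rules follow in the INPUT chain)."""
    table = RecentList()
    verdicts = []
    for now, ip in events:
        table.set(ip, now)  # rule 1: -m recent --name sshattack --set
        if table.rcheck(ip, now, seconds, hitcount):
            verdicts.append((now, ip, "REJECT"))  # rules 2 and 3
        else:
            verdicts.append((now, ip, "PASS"))
    return verdicts


# Constructed sample: one host retrying, and two users sharing a NAT address.
SAMPLE_SYNS = [
    (0, "198.51.100.7"),
    (5, "203.0.113.9"),
    (6, "203.0.113.9"),    # second client behind the same NAT, 1 s later
    (30, "198.51.100.7"),  # second SYN within 60 s of the first
    (100, "198.51.100.7"),  # 70 s after the last one from this address
]

if __name__ == "__main__":
    for secs in (10, 60, 180):
        print(secs, [v for _, _, v in filter_syns(SAMPLE_SYNS, seconds=secs)])
```

With the 60-second window the retry at t=30 is rejected but the one at t=100 is let through again, while a 180-second window also rejects the t=100 attempt; the NAT case shows why the poster advises against this on a busy site.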