How to: Stop Small DDOS attacks

 

Q. How to identify the IP that is attacking you

A. In order to verify the number of concurrent connections from all clients that are connected to your linux Box

Issue the following command.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

It will show a list of the current active connections by IP address and the offending IP is usually the one with a high number of connections:

1 54.86.193.54
1 Address
1 servers)
2 50.72.9.212
13 81.7.79.222
78 217.71.224.174
82 213.247.244.67
117 213.147.120.30
119 158.46.249.166

In the example above the first number is the number of connections followed by the Originating IP address, the results of the netstat command used are sorted by number of connections so your offender is usually at the end, (note that there maybe several offending IPs most of the times from anonymous proxies).
In this case the offending IPs are those with 78 connections

Now we need to block the offending IPs with IPTABLES rules and then kill the ongoing ddos TCP connections.

Syntax to block an IP address under Linux:

iptables -A INPUT -s IP_ADDRESS -j DROP

Replace IP_ADDRESS with the actual IP address, example: iptables -A INPUT -s 158.46.249.166 -j DROP

If you have IP tables firewall script, add above rule to your script.

If you just want to block access to one port from an ip 158.46.249.166 to port 80 then type command:

iptables -A INPUT -s 158.46.249.166 -p tcp –destination-port 80 -j DROP

Now we need to kill the connections still ‘active’ with the program tcpkill:

tcpkill is part of dsniff tools suite for linux to sniff network traffic for cleartext insecurities

This package contains several tools to listen to and create network traffic:

arpspoof – Send out unrequested (and possibly forged) arp replies.
dnsspoof – forge replies to arbitrary DNS address / pointer queries on the Local Area Network.
dsniff – password sniffer for several protocols.
filesnarf – saves selected files sniffed from NFS traffic.
macof – flood the local network with random MAC addresses.
mailsnarf – sniffs mail on the LAN and stores it in mbox format.
msgsnarf – record selected messages from different Instant Messengers.
sshmitm – SSH monkey-in-the-middle. proxies and sniffs SSH traffic.
sshow – SSH traffic analyser
tcpkill – kills specified in-progress TCP connections.
tcpnice – slow down specified TCP connections via “active” traffic shaping.
urlsnarf – output selected URLs sniffed from HTTP traffic in CLF.
webmitm – HTTP / HTTPS monkey-in-the-middle. transparently proxies.
webspy – sends URLs sniffed from a client to your local browser.

What interests you here is tcpkill, first we need to install dsniff.

debian/ubuntu:

apt-get install dsniff

Then we run:

tcpkill host IP_ADDRESS

where IP_ADDRESS is replaced with the identified offending IP address.

Leave a comment

Your email address will not be published. Required fields are marked *