I know this is a little late, but here's an iptables rule I use to help against DDoS attacks. You'll probably need to have two--one for UDP and one for TCP if it's a DNS type of attack.
    # allow only 8 req/sec per IP
    -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m recent --set --name SYNFLOOD --rsource
    -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m recent --update --seconds 1 --hitcount 8 --name SYNFLOOD --rsource -j DROP

Not sure if this is the type of solution you're looking for, but it couldn't hurt.

- rann

On 1/11/2013 12:40 PM, John wrote:
> The solution that gamead...@127001.org gave was correct. For DNS DRDoS
> reflection attacks, the best plan is to have your upstream apply an
> ACL that whitelists the couple of DNS servers that you use and blocks
> all other traffic from port 53 to your network. Your ISP should be
> able to do this for little or no cost. Null-routing is not usually
> required for this type of attack unless your upstream's overall
> network capacity is less than 10G.
>
> DNS DRDoS attacks are one of the most common and easiest (thankfully)
> types to filter. Other DRDoS attacks can be a little harder to filter,
> and there are non-reflected attacks that are yet more difficult to
> block, requiring advanced string-matching rules upstream or other
> specialized techniques.
>
> -John
>
> On 1/11/2013 4:09 AM, ics wrote:
>> Most of us have experienced DDoS attacks like that, and yes,
>> null-routing is the only protection so the whole network isn't
>> affected. There is no protection against that without paying huge
>> sums of money. Those are not an option for small communities.
>>
>> -ics
>>
>> ----- Original message -----
>>> We've had incoming DNS query reply attacks over several Gbit/sec. Any
>>> non-pro gaming community like ours can't defend against such floods of
>>> data.
>>>
>>> All you can do is have your IPs null-routed and wait till the attack
>>> dies out.
>>>
>>> Saint K.
>>> ________________________________________
>>> From: hlds_linux-boun...@list.valvesoftware.com
>>> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Sachin Sud
>>> [sudsac...@gmail.com]
>>> Sent: 11 January 2013 11:42
>>> To: Half-Life dedicated Linux server mailing list
>>> Subject: Re: [hlds_linux] Servers get attacked via DDoS
>>>
>>> @127001 (Some Pin code) .Orrgy
>>> Do I really care?
>>> It's better you start protecting your servers before it's too late!
>>> Don't waste your time! :)
>>>
>>> On Fri, Jan 11, 2013 at 4:06 PM, <gamead...@127001.org> wrote:
>>>
>>>> Just because they're well known doesn't make them immune to
>>>> configuration cockups... one solution might be to get your host to
>>>> firewall all incoming from port 53 except for stuff coming from your
>>>> hosts' DNS servers (or Google's, or whoever) - that won't help if the
>>>> bandwidth is going to overwhelm your host's core router, but it WILL
>>>> help in cases where it's flooding out your uplink.
>>>>
>>>> @Sachin Sud:
>>>>
>>>> Perhaps you could actually be constructive? Despite saying you didn't
>>>> want to spam the list, your two contributions have been "lol" and a
>>>> post that essentially says "I think your approach is wrong but I'm not
>>>> going to give any details whatsoever".
>>>>
>>>>> -----Original Message-----
>>>>> From: hlds_linux-boun...@list.valvesoftware.com
>>>>> [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco Padovan
>>>>> Sent: 11 January 2013 10:32
>>>>> To: hlds_linux@list.valvesoftware.com
>>>>> Subject: Re: [hlds_linux] Servers get attacked via DDoS
>>>>>
>>>>> Yes, the attack is exactly that...
>>>>>
>>>>> But those are not just "broken DNS": I even saw some *well known* IT
>>>>> names among the "attackers".
>>>>>
>>>>> On 11/01/2013 11:16, Arnim Eijkhoudt wrote:
>>>>>> Haha,
>>>>>>
>>>>>> I hope you're joking. Almost none of your questions are remotely
>>>>>> relevant to this type of attack. DNS reflection attacks can only be
>>>>>> effectively mitigated upstream. The structural solution,
>>>>>> unfortunately, is educating/informing the admins of the broken DNS
>>>>>> servers (short of just bluntly increasing the bandwidth capacity of
>>>>>> the affected server(s) and 'sitting it out').
>>>>>>
>>>>>> See also: http://blog.cloudflare.com/65gbps-ddos-no-problem
>>>>>>
>>>>>> €0,02
>>>>>>
>>>>>> On 11-1-2013 10:52, Sachin Sud wrote:
>>>>>>> My intentions are not to spam this mailing list.
>>>>>>> But if you guys are comfortable, you need to answer a few
>>>>>>> questions by which I can help you better to get saved from DDoS
>>>>>>> attacks.
>>>>>>>
>>>>>>> Which country are you from?
>>>>>>> How many game servers do you host?
>>>>>>> How often does the attack happen?
>>>>>>> Is it specific to any particular game?
>>>>>>> Which OS do you have on the server?
>>>>>>> What kind of firewall do you use, in case you use any?
>>>>>>> And the last question: how much money do you spend monthly on
>>>>>>> servers? (Based on your location, I can recommend some DDoS
>>>>>>> protection if required.)
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Sachin

--
Jake Forrester
Freelance Web Developer/Designer & Joomla Enthusiast
e: j...@ranndesigns.com

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
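As an added illustration (not code from the thread or from anyone in it), here is a small Python model of the two mitigations described above: rann's xt_recent SYN rule pair, with the current SYN counted toward the hitcount as the module does, and a host-side version of gamead's "accept port 53 only from the resolvers you use" filter. The xt_recent behaviour is approximated from the module's man page rather than taken from the kernel, and all addresses are constructed (RFC 5737 test networks).

```python
# Added example (not from the thread): a small model of the two mitigations
# discussed above. xt_recent behaviour is approximated from its man page;
# all addresses are constructed (RFC 5737 test networks).
from collections import defaultdict

HITCOUNT = 8     # --hitcount 8
WINDOW = 1.0     # --seconds 1
LIST_SIZE = 20   # xt_recent default ip_pkt_list_tot (timestamps kept per source)


class RecentSynLimiter:
    """Models rann's rule pair: '--set' stamps every new SYN, then
    '--update --seconds 1 --hitcount 8 -j DROP' fires when the source has
    HITCOUNT or more stamps inside WINDOW, the current SYN included."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def _stamp(self, src, ts):
        ring = self.stamps[src]
        ring.append(ts)
        if len(ring) > LIST_SIZE:   # ring buffer: oldest stamp is overwritten
            del ring[0]

    def syn(self, src, ts):
        """Return True if the SYN passes, False if the DROP rule matches."""
        self._stamp(src, ts)                                  # rule 1: --set
        hits = sum(1 for t in self.stamps[src] if ts - t <= WINDOW)
        if hits >= HITCOUNT:                                  # rule 2 matches
            self._stamp(src, ts)        # --update re-stamps the source on match
            return False
        return True


def dns_reply_rules(resolvers):
    """Host-side version of gamead's suggestion: accept UDP packets from
    port 53 only from the resolvers you actually use, drop all others."""
    rules = [f"-A INPUT -p udp --sport 53 -s {ip} -j ACCEPT" for ip in resolvers]
    rules.append("-A INPUT -p udp --sport 53 -j DROP")
    return rules


def filter_dns_replies(packets, resolvers):
    """Apply that policy to (src_ip, src_port) records; return (kept, dropped)."""
    allowed, kept, dropped = set(resolvers), [], []
    for src, sport in packets:
        (kept if sport != 53 or src in allowed else dropped).append((src, sport))
    return kept, dropped


if __name__ == "__main__":
    lim = RecentSynLimiter()
    # constructed burst: ten SYNs from one client, 0.1 s apart
    verdicts = [lim.syn("198.51.100.7", i / 10) for i in range(10)]
    print("passed:", verdicts.count(True), "dropped:", verdicts.count(False))
```

Because --set stamps the SYN before --update counts, the eighth SYN inside one second is the first one dropped, so seven pass; the port-53 filter, as gamead notes, only helps while the flood is smaller than your uplink.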