Re: DDOS attack

2006-07-06 Thread sonjaya

Sorry to create a dead horse thread again, but I am a newbie in pf and OpenBSD.
OK, I will try them all.
Thanks for all the responses.



Re: DDOS attack

2006-07-05 Thread Stephan A. Rickauer
sonjaya wrote:
 How to block DDoS/flooding/ssh brute-force attacks with pf?

Thanks to ( max-src-nodes 20, max-src-states 1 ) brute forcing just
disappeared.

Stephan




DDOS attack

2006-07-04 Thread sonjaya

Dear all

How to block DDoS/flooding/ssh brute-force attacks with pf?



-sonjaya-



Re: DDOS attack

2006-07-04 Thread Joachim Schipper
On Tue, Jul 04, 2006 at 08:08:39PM +0700, sonjaya wrote:
 Dear all
 
 How to block DDoS/flooding/ssh brute-force attacks with pf?

Since there is no context: 'block all' works pretty well.

Joachim



Re: DDOS attack

2006-07-04 Thread Peter Philipp
On Tue, Jul 04, 2006 at 08:08:39PM +0700, sonjaya wrote:
 Dear all
 
 How to block DDoS/flooding/ssh brute-force attacks with pf?
 
 
 
 -sonjaya-

I usually bind sshd on another port.  The scripted ssh brute forcing stops.  The
logs are happy.

-peter

-- 
Here my ticker tape .signature  My name is Peter Philipp  lynx -dump 
http://en.wikipedia.org/w/index.php?title=Pufferfish&oldid=20768394 | sed -n 
131,136p  So long and thanks for all the fish!!!



Re: DDOS attack

2006-07-04 Thread Andreas Maus

Hi.

You can bind ssh to another port and/or you can play with a little scripting
and the excellent packet filter. I run a script from cron that greps the
IP addresses from the ssh scans, dumps them into a file, and a pf table
uses this file to drop connections from these IPs. Depending on the
type, these IP addresses will be removed after a specific amount of time.

The script is really stupid and easy:

#!/bin/sh
# Send stderr to stdout so that cron mails one combined report.
exec 2>&1

LOGTAIL=/usr/local/bin/logtail

PF_TABLE=sshscanners

# Penalties (multiplied by the number of hits and by TTE_BLACK_LIST):
PENALTY_SCAN=1.0
PENALTY_INVALID_USER=2.0
PENALTY_ROOT_ACCESS=4.0

# Time to expire
TTE_BLACK_LIST=43200 # 12 hours

TMPFILE=/tmp/authlog.tail.$$
NOW=`date +'%s'`

# Only the lines appended to authlog since the last run.
$LOGTAIL /var/log/authlog > $TMPFILE

# Each grep produces lines of the form "<count> <ip> <score>";
# grep -v '[a-zA-Z]' discards entries where sshd logged a hostname instead.
grep 'Did not receive identification string from' $TMPFILE | \
    awk -v SCORE=$PENALTY_SCAN '{print $12,SCORE;}' | \
    grep -v '[a-zA-Z]' | sort | uniq -c > /tmp/sshd_no_id.$$
grep 'Invalid user' $TMPFILE | \
    awk -v SCORE=$PENALTY_INVALID_USER '{print $10,SCORE;}' | \
    grep -v '[a-zA-Z]' | sort | uniq -c > /tmp/sshd_invalid_users.$$
grep 'Failed password for root from' $TMPFILE | \
    awk -v SCORE=$PENALTY_ROOT_ACCESS '{print $11,SCORE;}' | \
    grep -v '[a-zA-Z]' | sort | uniq -c > /tmp/sshd_root_hackers.$$
# Sum count*score per address and write "<ip> # <score> <timestamp>";
# pfctl ignores everything after '#', so score and timestamp ride along
# in the table file.
cat /tmp/sshd_root_hackers.$$ /tmp/sshd_invalid_users.$$ /tmp/sshd_no_id.$$ | \
    awk -v STAMP=$NOW '{bastards[$2]+=$1*$3;}
        END{for (ip in bastards) {print ip,"#",bastards[ip],STAMP;}}' \
    > /tmp/new_bastards.$$

cp /etc/pf.d/sshscans /tmp/sshscans.$$

echo "Updating table ${PF_TABLE}:"
echo

# Keep old and new entries whose age (NOW - $4) is still below score * TTE.
cat /tmp/sshscans.$$ /tmp/new_bastards.$$ | grep '^[0-9]' | \
    awk -v NOW=$NOW -v TTE=$TTE_BLACK_LIST '{if ((NOW-$4) < TTE*$3) {print $0;}}' \
    > /etc/pf.d/sshscans
# With -v pfctl reports each address as A (added), D (deleted) or X (duplicate).
/sbin/pfctl -t $PF_TABLE -T replace -f /etc/pf.d/sshscans -v | grep -v '^X' | \
    sed -e 's/^A /Adding /g' -e 's/^D /Deleting /g' 2>&1
echo
/bin/rm -f /tmp/sshd_root_hackers.$$ /tmp/sshd_invalid_users.$$ \
    /tmp/sshd_no_id.$$ /tmp/new_bastards.$$ $TMPFILE

pf.conf defines a table with the addresses built from that file and drops them:

[... snipp ...]
table <sshscanners> file "/etc/pf.d/sshscans" persist
[...]
block return-rst in log quick on $ext_if proto tcp from <sshscanners> \
    to any port 22
[... snipp ...]

This works for me but your mileage may vary.

HTH,

Andreas.

On 7/4/06, sonjaya [EMAIL PROTECTED] wrote:

Dear all

 How to block DDoS/flooding/ssh brute-force attacks with pf?



-sonjaya-





--
Hobbes : Shouldn't we read the instructions?
Calvin : Do I look like a sissy?



Re: DDOS attack

2006-07-04 Thread Stuart Henderson
On 2006/07/04 16:25, Andreas Maus wrote:
 You can bind ssh to another port and/or you can play with a little scripting

Oh please, not this thread again...



Re: DDOS attack

2006-07-04 Thread Rogier Krieger

On 7/4/06, sonjaya [EMAIL PROTECTED] wrote:

 How to block DDoS/flooding/ssh brute-force attacks with pf?


This subject has been pretty much beaten to death. In the list
archives, you will find a myriad of solutions people use for this
problem. Please read the archives before posting (and flogging this
dead horse again).

Personally, I use the max-src-conn-rate variant and a set of tables
for addresses that should always get unimpeded access (to prevent a
DoS against myself). See pf.conf(5) for more information.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
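As an added example, not taken from Rogier's post or from anyone else in this thread: the max-src-conn-rate rule with a whitelist table that he describes, written out as pf.conf rules. The interface name, the table names, the thresholds and the trusted-address file path are assumptions.

```pf
ext_if = "em0"

# Addresses that must never be rate-limited (admin networks, monitoring);
# kept in a file so they survive a ruleset reload. Path is an assumption.
table <trusted> persist file "/etc/pf.d/trusted"
# Filled automatically by the overload option below.
table <bruteforce> persist

# Drop silently instead of answering every blocked packet with a RST.
set block-policy drop

block in log on $ext_if

# Trusted sources bypass the rate limit, so a burst from a shared or
# spoofed address can never lock the administrator out.
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port ssh \
    flags S/SA keep state

# Sources already caught by the overload table are dropped before the
# rate-limited rule below can create new state for them.
block in quick on $ext_if from <bruteforce>

# Everyone else: at most 5 simultaneous connections and at most 3 new
# connections per 30 seconds per source. Exceeding either limit puts the
# source into <bruteforce> and kills all its existing states (flush global).
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/30, \
     overload <bruteforce> flush global)
```

pf does not age the overload table on its own; a cron job running `pfctl -t bruteforce -T expire 86400` removes entries older than a day, with the 86400 being an assumed value.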



Re: DDOS Attack!!!who can help me?

2005-08-03 Thread Denis Augusto Araujo de Souza
Are there examples for this configuration?

Thanks,
Denis
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 29, 2005 4:12 AM
To: Sean Knox
Cc: jeff; misc@openbsd.org; jking1
Subject: Re: DDOS Attack!!!who can help me?

Define a filter to drop the packets with SYN+FIN flags set.

Mihai

 jeff wrote:
 Sean Knox wrote:

 tcpdump logs and pf.conf snipped

 The only people who can help is your ISP. Talk to them and hopefully

 they can trace the attack upstream.


 I once added this to pf.conf to mitigate a DDoS. It appeared to have 
 worked, but it may have been a placebo effect ;)

 set optimization aggressive
 set timeout tcp.first 45
 set timeout tcp.established 43200
 set timeout { adaptive.start 3, adaptive.end 45000 }
 set limit states 4



 This might help with a SYN attack as long you still have available 
 bandwidth. Additionally, this wouldn't help against any non-TCP packet.
 If an attacker is exhausting your pipe, all the firewalling in the 
 world won't help. You'll have to have upstream ISPs route the packets 
 into /dev/null.

 sk



Re: DDOS Attack!!!who can help me?

2005-07-29 Thread jeff

Sean Knox wrote:

tcpdump logs and pf.conf snipped

The only people who can help is your ISP. Talk to them and hopefully 
they can trace the attack upstream.


I once added this to pf.conf to mitigate a DDoS. It appeared to have 
worked, but it may have been a placebo effect ;)


set optimization aggressive
set timeout tcp.first 45
set timeout tcp.established 43200
set timeout { adaptive.start 3, adaptive.end 45000 }
set limit states 4

-Jeff



Re: DDOS Attack!!!who can help me?

2005-07-29 Thread Sean Knox

jeff wrote:

Sean Knox wrote:


tcpdump logs and pf.conf snipped

The only people who can help is your ISP. Talk to them and hopefully 
they can trace the attack upstream.



I once added this to pf.conf to mitigate a DDoS. It appeared to have 
worked, but it may have been a placebo effect ;)


set optimization aggressive
set timeout tcp.first 45
set timeout tcp.established 43200
set timeout { adaptive.start 3, adaptive.end 45000 }
set limit states 4




This might help with a SYN attack as long you still have available 
bandwidth. Additionally, this wouldn't help against any non-TCP packet. 
If an attacker is exhausting your pipe, all the firewalling in the world 
won't help. You'll have to have upstream ISPs route the packets into 
/dev/null.


sk



Re: DDOS Attack!!!who can help me?

2005-07-29 Thread mihai . tamas
Define a filter to drop the packets with SYN+FIN flags set.

Mihai

 jeff wrote:
 Sean Knox wrote:

 tcpdump logs and pf.conf snipped

 The only people who can help is your ISP. Talk to them and hopefully
 they can trace the attack upstream.


 I once added this to pf.conf to mitigate a DDoS. It appeared to have
 worked, but it may have been a placebo effect ;)

 set optimization aggressive
 set timeout tcp.first 45
 set timeout tcp.established 43200
 set timeout { adaptive.start 3, adaptive.end 45000 }
 set limit states 4



 This might help with a SYN attack as long you still have available
 bandwidth. Additionally, this wouldn't help against any non-TCP packet.
 If an attacker is exhausting your pipe, all the firewalling in the world
 won't help. You'll have to have upstream ISPs route the packets into
 /dev/null.

 sk



Re: DDOS Attack!!!who can help me?

2005-07-29 Thread Han Boetes
Disable logging since it takes up a lot of resources and ``set
block-policy drop'' so your machine won't attempt to reply to
bogus requests.

Normally I'm not in favour of these measures. Logging a DDoS for
a while must be done to gather evidence; logging must be done at all
other times as well.

It won't help your connection but at least your machine becomes
responsive again.



# Han



Re: DDOS Attack!!!who can help me?

2005-07-29 Thread Will H. Backman
With DOS, there was something you could do.  With DDOS, you will have to
either get a huge pipe and systems to just take it, or move and have
your ISP do something like http://www.secsup.org/Tracking/



Re: DDOS Attack!!!who can help me?

2005-07-28 Thread Sean Knox

tcpdump logs and pf.conf snipped

The only people who can help is your ISP. Talk to them and hopefully 
they can trace the attack upstream.


sk