IPTABLES / DDOS PROTECTION

chuga2 (Restricted) #1
These are some iptables rules that can help you block some DDoS attacks.


#block udp with a 0-byte payload
iptables -A INPUT -p udp -m u32 --u32 "22&0xFFFF=0x0008" -j DROP

#block all packets from ips ending in .255.255
iptables -A INPUT -m u32 --u32 "12&0xFFFF=0xFFFF" -j DROP

#block common Camfrog-specific attacks
iptables -A INPUT -m u32 --u32 "28&0x00000FF0=0xFEDFFFFF" -j DROP

#block udp containing "farewell"
iptables -A INPUT -m string --algo bm --from 28 --to 29 --string "farewell" -j DROP

#block udp starting with alternating spaces
iptables -A INPUT -p udp -m u32 --u32 "28 & 0x00FF00FF = 0x00200020 && 32 & 0x00FF00FF = 0x00200020 && 36 & 0x00FF00FF = 0x00200020 && 40 & 0x00FF00FF = 0x00200020" -j DROP

#block tcp ack 0 of length 40
iptables -I INPUT -p tcp -m tcp -m string --hex-string "|000000005010|" --algo kmp --from 28 --to 29 -m length --length 40 -j DROP

#block udp containing "SAMP"
iptables -I INPUT -p udp -m udp -m string --hex-string "|53414d50|" --algo kmp --from 28 --to 29 -j DROP

#block udp starting with "std" and 00s
iptables -I INPUT -p udp -m udp -m string --hex-string "|7374640000000000|" --algo kmp --from 28 --to 29 -j DROP

#block udp containing 16 null (00) chars
iptables -I INPUT -p udp -m udp -m string --hex-string "|00000000000000000000000000000000|" --algo kmp --from 32 --to 33 -j DROP

#block udp containing "AAAAAAAAAAAAAAAA"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 32 --to 33 --string "AAAAAAAAAAAAAAAA" -j DROP

#block udp containing "0123456789ABCDE"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "0123456789ABCDE" -j DROP

#block all packets from ips ending in .0.0
iptables -A INPUT -m u32 --u32 "12&0xFFFF=0" -j DROP

#block Source Split Packets
iptables -A INPUT -p udp -m u32 --u32 "26&0xFFFFFFFF=0xfeff" -j DROP

#block udp containing "0123456789"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 44 --to 45 --string "0123456789" -j DROP

#block udp containing "a cat is fine too"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "A cat is fine too" -j DROP

#block udp containing "flood"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "flood" -j DROP

#block udp containing "q00000000000000"
iptables -A INPUT -m string --algo bm --from 32 --to 33 --string "q00000000000000" -j DROP

#block udp containing "statusResponse"
iptables -A INPUT -m string --algo bm --from 32 --to 33 --string "statusResponse" -j DROP

#block icmp
iptables -A INPUT -p icmp -j DROP

#block udp method "NTP"
iptables -A INPUT -i lo -p udp --destination-port 123 -j DROP
iptables -A INPUT -p udp --source-port 123:123 -m state --state ESTABLISHED -j DROP

#block udp method "CODE"
iptables -I INPUT -p udp -m udp -m string --hex-string "|ffffffff6765746368616c6c656e676520302022|" --algo kmp -j DROP

#block TCP except port 80,22
iptables -A INPUT -p tcp -m tcp -m multiport ! --dports 80,22 -j DROP

#block udp method "SSDP"
iptables -I INPUT -p udp --dport 16000:29000 -m string --to 75 --algo bm --string 'HTTP/1.1 200 OK' -j DROP

#block protocols other than tcp, udp, and icmp [block all traffic]
#(no -p udp on this rule: with -p udp the u32 test would only ever see protocol 17 and could never match)
iptables -A INPUT -m u32 --u32 "6&0xFF=0,2:5,7:16,18:255" -j DROP
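The u32 rules above are hard to read without knowing what each offset points at. The following is an added example, not code from the original post: a small evaluator for the subset of the u32 match language those rules use (offset, optional &mask, = values or lo:hi ranges, tests joined by &&), run against constructed IPv4/UDP packets. Offsets count from the start of the IPv4 header, as u32 does, so you can check offline what "22&0xFFFF=0x0008" (UDP length 8, i.e. no payload) or "12&0xFFFF=0xFFFF" (source address ending .255.255) actually match. The sample addresses are documentation ranges and the packet builder leaves checksums at zero; both are constructed for the example.

```python
# Added example (not from the original post): evaluator for a subset of the
# iptables u32 match language, applied to constructed IPv4/UDP packets.
# Supported subset: tests joined by "&&", each "offset[&mask]=values", where
# values is a comma list of numbers or lo:hi ranges. No ">>" or "@" support.
import socket
import struct


def load_u32(packet: bytes, offset: int):
    """u32 loads 4 bytes big-endian at `offset`; reading past the end fails the test."""
    if offset < 0 or offset + 4 > len(packet):
        return None
    return struct.unpack_from("!I", packet, offset)[0]


def parse_values(text: str):
    """Right-hand side: comma-separated numbers or lo:hi ranges (decimal or 0x hex)."""
    ranges = []
    for piece in text.split(","):
        piece = piece.strip()
        if ":" in piece:
            lo, hi = piece.split(":", 1)
            ranges.append((int(lo, 0), int(hi, 0)))
        else:
            value = int(piece, 0)
            ranges.append((value, value))
    return ranges


def u32_match(expr: str, packet: bytes) -> bool:
    """All '&&'-joined tests must hold; each test masks the loaded word and checks ranges."""
    for test in expr.split("&&"):
        lhs, rhs = test.split("=", 1)
        lhs = lhs.replace(" ", "")
        mask = 0xFFFFFFFF
        if "&" in lhs:
            lhs, mask_text = lhs.split("&", 1)
            mask = int(mask_text, 0)
        word = load_u32(packet, int(lhs, 0))
        if word is None:
            return False
        word &= mask
        if not any(lo <= word <= hi for lo, hi in parse_values(rhs)):
            return False
    return True


def ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes, proto: int = 17) -> bytes:
    """Constructed 20-byte IPv4 header (no options) + 8-byte UDP header + payload.
    Checksums are left at 0; the 'Source Split' rule relies on a zero UDP checksum."""
    udp_len = 8 + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, proto, 0,
                            socket.inet_aton(src), socket.inet_aton(dst))
    udp_header = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_header + udp_header + payload


# u32 expressions taken from the rules in the post, keyed by their comment
RULES = {
    "udp 0-byte payload": "22&0xFFFF=0x0008",
    "src ends .255.255": "12&0xFFFF=0xFFFF",
    "src ends .0.0": "12&0xFFFF=0",
    "alternating spaces": "28 & 0x00FF00FF = 0x00200020 && 32 & 0x00FF00FF = 0x00200020 "
                          "&& 36 & 0x00FF00FF = 0x00200020 && 40 & 0x00FF00FF = 0x00200020",
    "source split": "26&0xFFFFFFFF=0xfeff",
    "not tcp/udp/icmp": "6&0xFF=0,2:5,7:16,18:255",
}


def matching_rules(packet: bytes):
    """Names of the rules whose u32 test a packet satisfies. The evaluator applies
    no -p filter, so a non-UDP packet with an 8-byte 'UDP' length also hits the
    0-byte rule: that is what the rule's -p udp is there to prevent."""
    return [name for name, expr in RULES.items() if u32_match(expr, packet)]


if __name__ == "__main__":
    samples = {
        "empty udp": ipv4_udp("198.51.100.7", "203.0.113.9", 40000, 9987, b""),
        "from x.x.255.255": ipv4_udp("10.1.255.255", "203.0.113.9", 40000, 9987, b"hello"),
        "alternating spaces": ipv4_udp("198.51.100.7", "203.0.113.9", 40000, 9987, b"x x x x x x x x "),
        "gre (proto 47)": ipv4_udp("198.51.100.7", "203.0.113.9", 40000, 9987, b"", proto=47),
    }
    for label, pkt in samples.items():
        print(f"{label:20s} -> {matching_rules(pkt)}")
```

Running it shows that a packet shorter than offset+4 never matches (u32 requires the full 4 bytes to be inside the packet), which is why the "alternating spaces" rule only looks at payloads of at least 16 bytes, and that the protocol-range test only does useful work when it is not restricted with `-p udp`.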
 
#2
Thx for rules.
Is it better to put them in prerouting instead of input?
The future is nftables. I think it is worth moving on to it.
 
#4
> you can't filter in prerouting
You are right, but I found this:
Code:
So you want to know why your iptables DDoS protection rules suck? It’s because you use the filter table and the INPUT chain to block the bad packets!

The best solution to dramatically increase the performance of your iptables rules and therefore the amount of (TCP) DDoS attack traffic they can filter is to use the mangle table and the PREROUTING chain!
 

MrFunken (New Member) #5
> You are right, but I found this:
> Code:
> So you want to know why your iptables DDoS protection rules suck? It’s because you use the filter table and the INPUT chain to block the bad packets!
>
> The best solution to dramatically increase the performance of your iptables rules and therefore the amount of (TCP) DDoS attack traffic they can filter is to use the mangle table and the PREROUTING chain!
You can put some TCP rules in the prerouting table. But they can't be very complex.
Also, a DDoS protection based on iptables will always suck. Usual servers don't have more than 1 Gbit/s. Usual DDoS attacks are between 5-40 Gbit/s. So your server will always be down without a right DDoS protection on the routing/ISP level.
 
#6
Hi,
I used these rules without the last one and my bots' query was blocked.
Which rule blocks the query?
 

InVaDeR359 (Active Member) #7
> Hi,
> I used these rules without the last one and my bots' query was blocked.
> Which rule blocks the query?
Apparently this one:
#block TCP except port 80,22
iptables -A INPUT -p tcp -m tcp -m multiport ! --dports 80,22 -j DROP
So, if your query port is the default 10011, you can change that rule to this one:
iptables -A INPUT -p tcp -m tcp -m multiport ! --dports 80,22,10011 -j DROP
 

chuga2 (Restricted) #8
> Hi,
> I used these rules without the last one and my bots' query was blocked.
> Which rule blocks the query?
Rule to block the query port
iptables -A INPUT -p tcp -m tcp --dport 10011 -j DROP

Rule to accept the query IP
#replace 192.168.1.1 with the IP that is allowed to query
iptables -A INPUT -s 192.168.1.1 -p tcp -m tcp --dport 10011 -j ACCEPT

BUT FIRST ADD THE ACCEPT RULE, THEN ADD THE BLOCK RULE
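Posts #7 and #8 both come down to how an iptables chain is evaluated: rules are tried top to bottom and the first match decides, so a `! --dports 80,22` DROP swallows port 10011, and an ACCEPT appended after a DROP for the same port never fires. The following is an added example, not code from the thread: a first-match simulation of an INPUT chain with the three rule sets discussed (the original DROP, the fix with 10011 added, and the ACCEPT-then-DROP pair in both orders). Rule and packet fields are simplified, and 198.51.100.10 stands in for the trusted query address; both are assumptions made for the example.

```python
# Added example (not from the original thread): first-match walk of an
# iptables-style INPUT chain, showing why rule order decides the verdict
# for the query port 10011.
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Rule:
    target: str                                     # ACCEPT or DROP (both terminate the walk)
    proto: Optional[str] = None                     # -p tcp / -p udp; None = any protocol
    src: Optional[str] = None                       # -s address; None = any source
    dports: Set[int] = field(default_factory=set)   # --dport or -m multiport --dports
    negate_dports: bool = False                     # the "!" in "! --dports 80,22"

    def matches(self, proto: str, src: str, dport: int) -> bool:
        if self.proto and self.proto != proto:
            return False
        if self.src and self.src != src:
            return False
        if self.dports:
            in_set = dport in self.dports
            # plain rule: port must be in the set; negated rule: port must NOT be in the set
            if in_set == self.negate_dports:
                return False
        return True


def walk_chain(rules, proto: str, src: str, dport: int, policy: str = "ACCEPT") -> str:
    """Rules are evaluated in order; the first matching rule's target is the verdict.
    If nothing matches, the chain policy applies (ACCEPT is the default for INPUT)."""
    for rule in rules:
        if rule.matches(proto, src, dport):
            return rule.target
    return policy


ADMIN = "198.51.100.10"   # constructed: the one address allowed to use the query port
OTHER = "203.0.113.77"    # constructed: anybody else

# The rule from the original list: drops every TCP port except 80 and 22 (so 10011 too).
ORIGINAL = [Rule("DROP", proto="tcp", dports={80, 22}, negate_dports=True)]

# Post #7's fix: add the query port to the exception list.
FIXED = [Rule("DROP", proto="tcp", dports={80, 22, 10011}, negate_dports=True)]

# Post #8's order: ACCEPT for the trusted source first, then the DROP for everyone else.
RIGHT_ORDER = [
    Rule("ACCEPT", proto="tcp", src=ADMIN, dports={10011}),
    Rule("DROP", proto="tcp", dports={10011}),
    Rule("DROP", proto="tcp", dports={80, 22, 10011}, negate_dports=True),
]

# The same rules appended in the wrong order: the DROP shadows the ACCEPT.
WRONG_ORDER = [RIGHT_ORDER[1], RIGHT_ORDER[0], RIGHT_ORDER[2]]


def query_verdicts(rules):
    """(verdict for the admin host, verdict for anyone else) on TCP port 10011."""
    return (walk_chain(rules, "tcp", ADMIN, 10011), walk_chain(rules, "tcp", OTHER, 10011))


if __name__ == "__main__":
    for name, chain in [("original", ORIGINAL), ("fixed", FIXED),
                        ("right order", RIGHT_ORDER), ("wrong order", WRONG_ORDER)]:
        admin, other = query_verdicts(chain)
        print(f"{name:12s} admin={admin:6s} other={other}")
```

Because `-A` appends, the order in which the two commands are typed is the order in the chain; to put the ACCEPT above an existing DROP afterwards you would use `-I INPUT` (insert at the top) instead of `-A`.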
 

InVaDeR359 (Active Member) #9
> Rule to block the query port
> iptables -A INPUT -p tcp -m tcp --dport 10011 -j DROP
>
> Rule to accept the query IP
> #replace 192.168.1.1 with the IP that is allowed to query
> iptables -A INPUT -s 192.168.1.1 -p tcp -m tcp --dport 10011 -j ACCEPT
>
> BUT FIRST ADD THE ACCEPT RULE, THEN ADD THE BLOCK RULE
I think he was asking what rule of the above was blocking his Query Port, not asking for a way to block them.
 

MobVPN (New Member) #10
> You can put some TCP rules in the prerouting table. But they can't be very complex.
> Also, a DDoS protection based on iptables will always suck. Usual servers don't have more than 1 Gbit/s. Usual DDoS attacks are between 5-40 Gbit/s. So your server will always be down without a right DDoS protection on the routing/ISP level.
This isn't true, sir.
We utilize our own DDoS protection system which monitors the real-time traffic and sorts everything out. We've had attacks in the past that surpassed 400 Gbps, on hosts that protect up to 120 Gbps. We always dedicate at least 4 GB (8 GB preferred) of memory to handle these intensive tasks. We have rarely ever had one of our servers go down, except in the rare occurrence where someone found an unfiltered port we had open to communicate with our server hub. We fixed that with ease, by restricting the route by source.
Then again, it really matters what rules you have in place to handle these types of attacks, which seem to happen more frequently.
 
