IPTABLES / DDOS PROTECTION

chuga2

Restricted
Jul 16, 2016
These are some iptables rules that can help you block some DDoS attacks.

#note: -A appends to the end of the INPUT chain and -I inserts at the top, so the
#-I rules below are evaluated before every -A rule, whatever order they are added in

#block udp with a 0-byte payload (bytes 24-25 = UDP length field; 8 = header only)
iptables -A INPUT -p udp -m u32 --u32 "22&0xFFFF=0x0008" -j DROP

#block all packets from ips ending in .255.255 (bytes 12-15 = source address)
iptables -A INPUT -m u32 --u32 "12&0xFFFF=0xFFFF" -j DROP

#block common Camfrog-specific attacks
#note: a value masked with 0x00000FF0 can never equal 0xFEDFFFFF, so this rule matches nothing as written
iptables -A INPUT -m u32 --u32 "28&0x00000FF0=0xFEDFFFFF" -j DROP

#block udp containing "farewell"
#--from 28 --to 29: the pattern has to start at offset 28 or 29, i.e. at the beginning of the
#UDP payload (20-byte IP header + 8-byte UDP header); the same anchoring is used in the rules below
iptables -A INPUT -p udp -m string --algo bm --from 28 --to 29 --string "farewell" -j DROP

#block udp starting with alternating spaces
iptables -A INPUT -p udp -m u32 --u32 "28 & 0x00FF00FF = 0x00200020 && 32 & 0x00FF00FF = 0x00200020 && 36 & 0x00FF00FF = 0x00200020 && 40 & 0x00FF00FF = 0x00200020" -j DROP

#block tcp with ack number 0 and total length 40 (bytes 28-33: ack number, then 0x5010 = data offset 5, ACK flag only)
iptables -I INPUT -p tcp -m tcp -m string --hex-string "|000000005010|" --algo kmp --from 28 --to 29 -m length --length 40 -j DROP

#block udp containing "SAMP"
iptables -I INPUT -p udp -m udp -m string --hex-string "|53414d50|" --algo kmp --from 28 --to 29 -j DROP

#block udp starting with "std" and 00s
iptables -I INPUT -p udp -m udp -m string --hex-string "|7374640000000000|" --algo kmp --from 28 --to 29 -j DROP

#block udp containing 16 null (00) chars at offset 32 (4 bytes into the payload)
iptables -I INPUT -p udp -m udp -m string --hex-string "|00000000000000000000000000000000|" --algo kmp --from 32 --to 33 -j DROP

#block udp containing "AAAAAAAAAAAAAAAA"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 32 --to 33 --string "AAAAAAAAAAAAAAAA" -j DROP

#block udp containing "0123456789ABCDE"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "0123456789ABCDE" -j DROP

#block all packets from ips ending in .0.0
iptables -A INPUT -m u32 --u32 "12&0xFFFF=0" -j DROP

#block Source Split Packets (UDP checksum 0 followed by a payload starting with fe ff)
iptables -A INPUT -p udp -m u32 --u32 "26&0xFFFFFFFF=0xfeff" -j DROP

#block udp containing "0123456789"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 44 --to 45 --string "0123456789" -j DROP

#block udp containing "A cat is fine too"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "A cat is fine too" -j DROP

#block udp containing "flood"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "flood" -j DROP

#block udp containing "q00000000000000"
iptables -A INPUT -p udp -m string --algo bm --from 32 --to 33 --string "q00000000000000" -j DROP

#block udp containing "statusResponse"
iptables -A INPUT -p udp -m string --algo bm --from 32 --to 33 --string "statusResponse" -j DROP

#block icmp
#note: this also drops ping replies and path-MTU messages; rate-limiting icmp is usually the better choice
iptables -A INPUT -p icmp -j DROP

#block udp method "NTP"
#note: the first rule only affects the loopback interface; the second also drops the replies to this host's own NTP queries
iptables -A INPUT -i lo -p udp --destination-port 123 -j DROP
iptables -A INPUT -p udp --source-port 123:123 -m state --state ESTABLISHED -j DROP

#block udp method "CODE" (the hex string is "\xff\xff\xff\xffgetchallenge 0 \"")
iptables -I INPUT -p udp -m udp -m string --hex-string "|ffffffff6765746368616c6c656e676520302022|" --algo kmp -j DROP

#block TCP except port 80,22
#note: unless an earlier "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule exists, this also drops the
#replies to connections this host opens itself, and it blocks every other listening service (add its port to the list)
iptables -A INPUT -p tcp -m tcp -m multiport ! --dports 80,22 -j DROP

#block udp method "SSDP" (reflected "HTTP/1.1 200 OK" replies sent to high ports)
iptables -I INPUT -p udp --dport 16000:29000 -m string --to 75 --algo bm --string 'HTTP/1.1 200 OK' -j DROP

#block protocols other than tcp, udp and icmp (byte 9 = IP protocol number; 1, 6 and 17 are excluded, everything else is dropped)
#no "-p" here on purpose: with "-p udp" the rule would only ever see protocol 17 and could never match
iptables -A INPUT -m u32 --u32 "6&0xFF=0,2:5,7:16,18:255" -j DROP
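To see what the u32 rules above actually test, here is an added Python evaluator for the subset of `--u32` syntax the list uses; it is not code from the thread. The function names (u32_match, ipv4_packet, check_thread_rules), the sample addresses and the packets are constructed for the example.

```python
import struct

def u32_match(expr, pkt):
    """Evaluate an iptables '-m u32 --u32' expression on raw IPv4 packet bytes.
    Covers the subset the thread uses: tests 'off&mask=vals' joined by '&&',
    vals being a comma list of numbers or lo:hi ranges (no '@' or '>>' operators).
    As in the kernel, a 4-byte load past the end of the packet fails the rule."""
    for test in expr.replace(" ", "").split("&&"):
        lhs, vals = test.split("=")
        off_s, _, mask_s = lhs.partition("&")
        off = int(off_s, 0)
        mask = int(mask_s, 0) if mask_s else 0xFFFFFFFF
        if off + 4 > len(pkt):
            return False
        word = struct.unpack_from("!I", pkt, off)[0] & mask
        hit = False
        for item in vals.split(","):
            lo_s, _, hi_s = item.partition(":")
            lo, hi = int(lo_s, 0), int(hi_s or lo_s, 0)
            hit = hit or lo <= word <= hi
        if not hit:
            return False
    return True

def ipv4_packet(src, dst, payload, proto=17, sport=40000, dport=27015):
    """Constructed IPv4 packet (20-byte header, no options, checksums left 0):
    a UDP header is prepended for proto 17, other protocols carry payload as is."""
    if proto == 17:
        payload = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + payload

# u32 expressions copied from the thread's rules
RULES = {
    "udp 0-byte payload": "22&0xFFFF=0x0008",
    "src ends .255.255": "12&0xFFFF=0xFFFF",
    "camfrog": "28&0x00000FF0=0xFEDFFFFF",
    "proto not tcp/udp/icmp": "6&0xFF=0,2:5,7:16,18:255",
}

def check_thread_rules():
    """(matches empty UDP datagram, matches GRE packet) per rule. The camfrog mask
    can never equal its value, and the protocol rule only fires for non-UDP traffic,
    which is why it must not be combined with '-p udp'."""
    empty_udp = ipv4_packet("10.0.255.255", "10.0.0.1", b"")
    gre = ipv4_packet("10.0.1.2", "10.0.0.1", b"\x00" * 8, proto=47)
    return {n: (u32_match(e, empty_udp), u32_match(e, gre)) for n, e in RULES.items()}
```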
 

User_2995

Thx for the rules.
Is it better to put them in PREROUTING instead of INPUT?
The future is nftables. I think it is worth moving on to it.
 

User_2995

you can't filter in prerouting
You are right but I found this:
Code:
So you want to know why your iptables DDoS protection rules suck? It’s because you use the filter table and the INPUT chain to block the bad packets!

The best solution to dramatically increase the performance of your iptables rules and therefore the amount of (TCP) DDoS attack traffic they can filter is to use the mangle table and the PREROUTING chain!
 

MrFunken

New Member
Oct 26, 2017
You are right but I found this:
Code:
So you want to know why your iptables DDoS protection rules suck? It’s because you use the filter table and the INPUT chain to block the bad packets!

The best solution to dramatically increase the performance of your iptables rules and therefore the amount of (TCP) DDoS attack traffic they can filter is to use the mangle table and the PREROUTING chain!

You can put some TCP rules in the prerouting table. But... they can't be very complex.
Also... a DDoS protection based on iptables will always suck. Usual servers don't have more than 1Gbit/s. Usual DDoS attacks are between 5-40Gbit/s. So... your server will always be down without the right DDoS protection on the routing/ISP level.
 

mizu9797

Member
Sep 11, 2015
Hi,
I used these rules without the last one and my bots' queries were blocked.
Which rule blocks the query?
 

InVaDeR359

Active Member
May 29, 2017
Hi,
I used these rules without the last one and my bots' queries were blocked.
Which rule blocks the query?
Apparently this:
#block TCP except port 80,22
iptables -A INPUT -p tcp -m tcp -m multiport ! --dports 80,22 -j DROP
So, if your query port is the default 10011, you can change that rule to this one:
iptables -A INPUT -p tcp -m tcp -m multiport ! --dports 80,22,10011 -j DROP
 

chuga2

Hi,
I used these rules without the last one and my bots' queries were blocked.
Which rule blocks the query?

Rule For Block Query
iptables -A INPUT -p tcp -m tcp --dport 10011 -j DROP

Rule For Accept Query Ip
#replace 192.168.1.1 with the IP that is allowed to query
iptables -A INPUT -s 192.168.1.1 -p tcp -m tcp --dport 10011 -j ACCEPT

BUT FIRST ADD THE ACCEPT RULE, AND THEN ADD THE BLOCK RULE
 

InVaDeR359

Rule For Block Query
iptables -A INPUT -p tcp -m tcp --dport 10011 -j DROP

Rule For Accept Query Ip
#replace 192.168.1.1 with the IP that is allowed to query
iptables -A INPUT -s 192.168.1.1 -p tcp -m tcp --dport 10011 -j ACCEPT

BUT FIRST ADD THE ACCEPT RULE, AND THEN ADD THE BLOCK RULE
I think he was asking what rule of the above was blocking his Query Port not asking for a way to block them.
 

MobVPN

New Member
Jan 11, 2019
You can put some TCP rules in the prerouting table. But... they can't be very complex.
Also... a DDoS protection based on iptables will always suck. Usual servers don't have more than 1Gbit/s. Usual DDoS attacks are between 5-40Gbit/s. So... your server will always be down without the right DDoS protection on the routing/ISP level.
This isn't true, sir.
We utilize our own DDoS protection system which monitors the real-time traffic and sorts everything out. We've had attacks in the past that surpassed 400Gbps, on hosts that protect up to 120Gbps. We always dedicate at least 4 GB (8 GB preferred) of memory to handle these intensive tasks. We have rarely ever had one of our servers go down, except in the rare occurrence where someone found an unfiltered port we had open to communicate with our server hub. We fixed that with ease by restricting the route by source.
Then again, it really matters what rules you have in place to handle these types of attacks, which seem to happen more frequently.
 

MwZ

Active Member
Dec 27, 2016
Any 'in-kernel' firewall will not be able to cope with any mid-sized DDoS attack. It can help with small stuff, but for other cases you indeed need a DDoS-protected network to cover your server properly...
 

Jonaxio

New Member
Sep 12, 2019
I used this and now my scripts are not working. My scripts download something from an outside server.
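Both symptoms in this thread (the query port being blocked, and scripts that fetch from an outside server breaking) come from the "block TCP except port 80,22" rule being the first rule that sees those packets. The following Python, an added example and not code from any poster, replays the INPUT chain on a few constructed packets: it parses only the subset of iptables syntax the thread uses (-A/-I, -p, -s, '!'-negatable --dport/--dports, --state, -j), honours that -I inserts at the top while -A appends, and applies first-match semantics. The packets, their conntrack states and the FIXED rule list are assumptions for the example.

```python
import shlex

SIMPLE = {"-p": "proto", "-s": "src", "-j": "target", "--state": "states"}

def parse_rule(cmd):
    """Parse the subset of iptables syntax used in the thread: -A/-I, -p, -s,
    '!'-negatable --dport/--dports, --state and -j. Every other dash option
    (-m string, --u32, --algo, ...) is assumed to take one value and is skipped."""
    argv, r, neg, i = shlex.split(cmd), {"neg": False}, False, 0
    while i < len(argv):
        t, v = argv[i], argv[i + 1] if i + 1 < len(argv) else None
        if t == "!":
            neg, i = True, i + 1
            continue
        if t in ("-A", "-I"):
            r["op"] = t
        elif t in SIMPLE:
            r[SIMPLE[t]] = set(v.split(",")) if t == "--state" else v
        elif t in ("--dport", "--dports"):
            r["dports"], r["neg"], neg = {int(p) for p in v.split(",")}, neg, False
        i += 2 if t.startswith("-") else 1
    return r

def build_chain(cmds):
    """-A appends, -I (without a rule number) inserts at position 1, so a list
    that mixes the two is not evaluated in the order it is written."""
    chain = []
    for c in cmds:
        r = parse_rule(c)
        chain.insert(0, r) if r["op"] == "-I" else chain.append(r)
    return chain

def matches(r, pkt):
    if r.get("proto") and r["proto"] != pkt["proto"]: return False
    if r.get("src") and r["src"] != pkt["src"]: return False
    if r.get("states") and pkt["state"] not in r["states"]: return False
    if "dports" in r and (pkt["dport"] in r["dports"]) == r["neg"]: return False
    return True

def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides (DROP/ACCEPT terminate); otherwise the chain policy."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

# Constructed packets: a new query to port 10011, and the reply half of a download the host started
QUERY = {"proto": "tcp", "dport": 10011, "src": "203.0.113.5", "state": "NEW"}
REPLY = {"proto": "tcp", "dport": 51234, "src": "198.51.100.7", "state": "ESTABLISHED"}
THREAD = ['iptables -A INPUT -p tcp -m tcp -m multiport ! --dports 80,22 -j DROP']
FIXED = ['iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT',
         'iptables -A INPUT -p tcp -m tcp -m multiport ! --dports 80,22,10011 -j DROP']
```

With THREAD both constructed packets are dropped; with FIXED the query and the download reply pass while a new connection to any other port is still dropped.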
 