AnonGhost720, PacketGuard, and SmallDoink release on Anti-DDoS

Asphyxia

Owner
Administrator
Apr 25, 2015
Code:
#//////////////////////////////////////////////////////////
# Credit to AnonGhost720, PacketGuard, and SmallDoink
# Stop buying horrible panels and purchase from SecurityTeam.io | Best methods in the scene
# All methods are from Rebirth Panel and are complete garbage
# Since kids think this is 'flexing', this is literally helping people with servers in the community
# When he drops more methods, I will post the patches here. Keep up to date with this paste
# Patched 12/07/2019                                     
#//////////////////////////////////////////////////////////

# All these methods are shitty AMP attacks that are supposed to be called "bypasses"

# Summary to patch all his shitty methods and some more that he will possibly release soon
# Dropping all common AMP source ports
iptables -t mangle -A PREROUTING -p udp -m multiport --sports 3283,37810,7001,17185,3072,3702,32414,177,6881,5683,41794,2362,11211,53413,17,1900,10001,389,137,5351,502 -j DROP

# FN-LAG Patch | Method Patch | Found on Rebirth Panel by SelfRepNetis
# Port 37810 | Used by DVR IP Camera | UDP 
iptables -t mangle -A PREROUTING -p udp --sport 37810 -j DROP 

# OVH-KILL Patch | OVH Bypass Patch | Found on Rebirth Panel by SelfRepNetis
# Port 7001 | Used by Andrew File System (AFS) | UDP
iptables -t mangle -A PREROUTING -p udp --sport 7001 -j DROP
iptables -I INPUT -p udp -m length --length 100:140 -m string --string "nAFS" --algo kmp -j DROP
iptables -I INPUT -p udp -m length --length 100:140 -m string --string "OpenAFS" --algo kmp -j DROP

# OVH-SLAP Patch | OVH Bypass Patch | Found on Rebirth Panel by SelfRepNetis
# Port 17185 | Used by vxWorks//VoIP | UDP 
iptables -t mangle -A PREROUTING -p udp --sport 17185 -j DROP

# OVH-DOWN & OVH-DOWNv2 Patch | OVH Bypass Patch | Found on Rebirth Panel by SelfRepNetis
# Port 3072 | Used by WSD | TCP or UDP 
iptables -t mangle -A PREROUTING -p udp -m multiport --sports 3072,3702 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 3072,3702 -j DROP

# OVH-CRUSHv2 Patch | OVH Bypass Patch | Found on Rebirth Panel by SelfRepNetis
# Literally no difference in OVH-CRUSH and OVH-CRUSHv2, just posting a method and renaming it to v2
# Port 3283 | Used by ARD | UDP AMP 
iptables -t mangle -A PREROUTING -p udp --sport 3283 -m length --length 1048 -j DROP

# OVH-CRUSH Patch | OVH Bypass Patch | Found on Rebirth Panel by SelfRepNetis
# Port 3283 | Used by ARD | UDP AMP 
iptables -t mangle -A PREROUTING -p udp --sport 3283 -m length --length 1048 -j DROP

# NFO-LAG Patch | NFO Method Patch | Found on Rebirth Panel by SelfRepNetis
# Port 32414 | Used by PlexMediaServers | UDP
iptables -t mangle -A PREROUTING -p udp --sport 32414 -j DROP
# Port 177 | Used by XDMCP | UDP
iptables -t mangle -A PREROUTING -p udp --sport 177 -j DROP 

# NFO-CLAP Patch | NFO Method Patch | Found on Rebirth Panel by SelfRepNetis
# Port 6881 | Used by BitTorrent | UDP 
iptables -t mangle -A PREROUTING -p udp --sport 6881 -m length --length 320:330 -j DROP

# R6-LAG Patch | Method Patch | Found on Rebirth Panel by SelfRepNetis
# Port 32414 | Used by PlexMediaServers | UDP
iptables -t mangle -A PREROUTING -p udp -m length --length 280:300 --sport 32414 -j DROP
 

Kasi

Member
Dec 24, 2017
@Asphyxia

[email protected]:/home# ./kasiddos.sh
iptables v1.6.1: too many ports specified
Try `iptables -h' or 'iptables --help' for more information.


Code:
#!/bin/sh

# All these methods are shitty AMP attacks that are supposed to be called "bypasses"

# Summary to patch all his shitty methods and some more that he will possibly release soon
# Dropping all common AMP source ports
iptables -t mangle -A PREROUTING -p udp -m multiport --sports 3283,37810,7001,17185,3072,3702,32414,177,6881,5683,41794,2362,11211,53413,17,1900,10001,389,137,5351,502 -j DROP

# FN-LAG Patch | Method Patch | Found on Rebirth Panel by SelfRepNetis
# Port 37810 | Used by DVR IP Camera | UDP
iptables -t mangle -A PREROUTING -p udp --sport 37810 -j DROP

# OVH-KILL Patch | OVH Bypass Patch | Found on Rebirth Panel by SelfRepNetis
# Port 7001 | Used by Andrew File System (AFS) | UDP
iptables -t mangle -A PREROUTING -p udp --sport 7001 -j DROP
iptables -I INPUT -p udp -m length --length 100:140 -m string --string "nAFS" --algo kmp -j DROP
iptables -I INPUT -p udp -m length --length 100:140 -m string --string "OpenAFS" --algo kmp -j DROP

# OVH-SLAP Patch | OVH Bypass Patch | Found on Rebirth Panel by SelfRepNetis
# Port 17185 | Used by vxWorks//VoIP | UDP
iptables -t mangle -A PREROUTING -p udp --sport 17185 -j DROP

# OVH-DOWN & OVH-DOWNv2 Patch | OVH Bypass Patch | Found on Rebirth Panel by SelfRepNetis
# Port 3072 | Used by WSD | TCP or UDP
iptables -t mangle -A PREROUTING -p udp -m multiport --sports 3072,3702 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 3072,3702 -j DROP

# OVH-CRUSHv2 Patch | OVH Bypass Patch | Found on Rebirth Panel by SelfRepNetis
# Literally no difference in OVH-CRUSH and OVH-CRUSHv2, just posting a method and renaming it to v2
# Port 3283 | Used by ARD | UDP AMP
iptables -t mangle -A PREROUTING -p udp --sport 3283 -m length --length 1048 -j DROP

# OVH-CRUSH Patch | OVH Bypass Patch | Found on Rebirth Panel by SelfRepNetis
# Port 3283 | Used by ARD | UDP AMP
iptables -t mangle -A PREROUTING -p udp --sport 3283 -m length --length 1048 -j DROP

# NFO-LAG Patch | NFO Method Patch | Found on Rebirth Panel by SelfRepNetis
# Port 32414 | Used by PlexMediaServers | UDP
iptables -t mangle -A PREROUTING -p udp --sport 32414 -j DROP
# Port 177 | Used by XDMCP | UDP
iptables -t mangle -A PREROUTING -p udp --sport 177 -j DROP

# NFO-CLAP Patch | NFO Method Patch | Found on Rebirth Panel by SelfRepNetis
# Port 6881 | Used by BitTorrent | UDP
iptables -t mangle -A PREROUTING -p udp --sport 6881 -m length --length 320:330 -j DROP

# R6-LAG Patch | Method Patch | Found on Rebirth Panel by SelfRepNetis
# Port 32414 | Used by PlexMediaServers | UDP
iptables -t mangle -A PREROUTING -p udp -m length --length 280:300 --sport 32414 -j DROP
 

Asphyxia

Owner
Administrator
Apr 25, 2015

Try running each iptables command and let me know which one is causing the error. I will troubleshoot this; it’s likely a basic syntax issue.
 

Kasi

Member
Dec 24, 2017
@Asphyxia

Code:
[email protected]:~# iptables -t mangle -A PREROUTING -p udp -m multiport --sports 3283,37810,7001,17185,3072,3702,32414,177,6881,5683,41794,2362,11211,53413,17,1900,10001,389,137,5351,502 -j DROP
iptables v1.6.1: too many ports specified
 

Mr-Malone

You risk and you will win
Sep 11, 2015
@Kasi
The multiport command from iptables typically supports up to 15 ports.

Try to separate the command into two commands, like:

iptables -t mangle -A PREROUTING -p udp -m multiport --sports 3283,37810,7001,17185,3072,3702,32414,177,6881,5683,41794 -j DROP
iptables -t mangle -A PREROUTING -p udp -m multiport --sports 2362,11211,53413,17,1900,10001,389,137,5351,502 -j DROP

@danieljc
It should be additional protection by filtering and blocking vulnerable ports.
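
The 15-port limit described above can be handled mechanically. This is an added example, not code from the thread: a POSIX sh helper (the name `build_multiport_rules` is hypothetical) that validates and de-duplicates a port list and prints one multiport rule per 15 ports. It handles single ports only, not `a:b` ranges.

```shell
#!/bin/sh
# Added example (not from the thread): split a source-port list into
# multiport rules of at most 15 ports each. Dry run: rules are printed only.
MAX_PORTS=15

# Port list posted in the thread (21 entries, over the multiport limit).
AMP_PORTS="3283,37810,7001,17185,3072,3702,32414,177,6881,5683,41794,2362,11211,53413,17,1900,10001,389,137,5351,502"

# build_multiport_rules PROTO "p1,p2,..."  (hypothetical helper name)
# Prints one iptables command per chunk; prints nothing and returns 1
# if any entry is not a port number in 1..65535.
build_multiport_rules() {
    proto=$1; rest="$2,"; chunk=""; chunks=""; count=0; seen=","
    while [ -n "$rest" ]; do
        port=${rest%%,*}
        rest=${rest#*,}
        case $port in
            ''|*[!0-9]*|??????*) echo "invalid port: '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
        # Skip duplicates so they do not use up slots in a rule.
        case $seen in *",$port,"*) continue ;; esac
        seen="$seen$port,"
        # Current rule is full: set it aside and start the next one.
        if [ "$count" -eq "$MAX_PORTS" ]; then
            chunks="$chunks $chunk"; chunk=""; count=0
        fi
        chunk="${chunk:+$chunk,}$port"
        count=$((count + 1))
    done
    # Chunks hold only digits and commas, so word splitting is safe here.
    for c in $chunks $chunk; do
        printf 'iptables -t mangle -A PREROUTING -p %s -m multiport --sports %s -j DROP\n' "$proto" "$c"
    done
}

build_multiport_rules udp "$AMP_PORTS"
```

Review the printed rules, then pipe the output to `sh` as root to apply them.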
 

djalmasi

Well-Known Member
Sep 10, 2015
I've never used such firewall rules, but as an OVH VPS user I think OVH's part can be useful. My question is, are these really working and useful?
 

Asphyxia

Owner
Administrator
Apr 25, 2015
Firewall rules need to stay recent at all times, so yes, these rules protect against new attacks. Protecting against common attacks makes you less likely to get “hit offline”.
 

amsaal

VIP
Jul 28, 2015
@Asphyxia
[email protected]:~# iptables -nvL
Chain INPUT (policy ACCEPT 11477 packets, 987K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 length 100:140 STRING match "OpenAFS" ALGO name kmp TO 65535
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 length 100:140 STRING match "nAFS" ALGO name kmp TO 65535

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 19625 packets, 1914K bytes)
pkts bytes target prot opt in out source destination
 

Asphyxia

Owner
Administrator
Apr 25, 2015
This is pretty dope m8 - does anyone use certain server OS shyt to block DoS/DDoS for example a router/fw OS system..
 