IPTABLES / DDOS PROTECTION

[chuga2]

This Is Some IPTABLES Can Help You To Block Some DDos Attacks


#block udp with a 0-byte payload
iptables -A INPUT -p udp -m u32 --u32 "22&0xFFFF=0x0008" -j DROP

#block all packets from ips ending in .255.255
iptables -A INPUT -m u32 --u32 "12&0xFFFF=0xFFFF" -j DROP

#block common Camfrog-specific attacks
iptables -A INPUT -m u32 --u32 "28&0x00000FF0=0xFEDFFFFF" -j DROP

#block udp containing "farewall"
iptables -A INPUT -m string --algo bm --from 28 --to 29 --string "farewell" -j DROP

#block udp starting with alternating spaces
iptables -A INPUT -p udp -m u32 --u32 "28 & 0x00FF00FF = 0x00200020 && 32 & 0x00FF00FF = 0x00200020 && 36 & 0x00FF00FF = 0x00200020 && 40 & 0x00FF00FF = 0x00200020" -j DROP

#block tcp ack 0 of length 40
iptables -I INPUT -p tcp -m tcp -m string --hex-string "|000000005010|" --algo kmp --from 28 --to 29 -m length --length 40 -j DROP

#block udp containing "SAMP"
iptables -I INPUT -p udp -m udp -m string --hex-string "|53414d50|" --algo kmp --from 28 --to 29 -j DROP

#block udp starting with "std" and 00s
iptables -I INPUT -p udp -m udp -m string --hex-string "|7374640000000000|" --algo kmp --from 28 --to 29 -j DROP

#block udp containing 16 null (00) chars
iptables -I INPUT -p udp -m udp -m string --hex-string "|00000000000000000000000000000000|" --algo kmp --from 32 --to 33 -j DROP

#block udp containing "AAAAAAAAAAAAAAAA"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 32 --to 33 --string "AAAAAAAAAAAAAAAA" -j DROP

#block udp containing "0123456789ABCDE"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "0123456789ABCDE" -j DROP

#block all packets from ips ending in .0.0
iptables -A INPUT -m u32 --u32 "12&0xFFFF=0" -j DROP

#block Source Split Packets
iptables -A INPUT -p udp -m u32 --u32 "26&0xFFFFFFFF=0xfeff" -j DROP

#block udp containing "0123456789"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 44 --to 45 --string "0123456789" -j DROP

#block udp containing "a cat is fine too"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "A cat is fine too" -j DROP

#block udp containing "flood"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "flood" -j DROP

#block udp containing "q00000000000000"
iptables -A INPUT -m string --algo bm --from 32 --to 33 --string "q00000000000000" -j DROP

#block udp containing "statusResponse"
iptables -A INPUT -m string --algo bm --from 32 --to 33 --string "statusResponse" -j DROP

#block icmp
iptables -A INPUT -p icmp -j DROP

#block udp methode "NTP"
iptables -A INPUT -i lo -p udp --destination-port 123 -j DROP
iptables -A INPUT -p udp --source-port 123:123 -m state --state ESTABLISHED -j DROP

#block udp methode "CODE"
iptables -I INPUT -p udp -m udp -m string --hex-string "|ffffffff6765746368616c6c656e676520302022|" --algo kmp -j DROP

#block TCP expect port 80,22
iptables -A INPUT -p tcp -m tcp -m multiport ! --dports 80,22 -j DROP

#block udp methode "SSDP"
iptables -I INPUT -p udp --dport 16000:29000 -m string --to 75 --algo bm --string 'HTTP/1.1 200 OK' -j DROP

#block protocols other than tcp, udp, and icmp [block all traffic]
iptables -A INPUT -p udp -m u32 --u32 "6&0xFF=0,2:5,7:16,18:255" -j DROP

 

[User_2995]

Thx for rules.
Is it better to put them in prerouting instead of input?
The future is nftables. I think it is worth moving on to it.

 

[skill1917]

Thx for rules.
Is it better to put them in prerouting instead of input?
The future is nftables. I think it is worth moving on to it.

you can't filter in prerouting

 

[User_2995]

you can't filter in prerouting

You are right but i found this:

So you want to know why your iptables DDoS protection rules suck? It’s because you use the filter table and the INPUT chain to block the bad packets!

The best solution to dramatically increase the performance of your iptables rules and therefore the amount of (TCP) DDoS attack traffic they can filter is to use the mangle table and the PREROUTING chain!

 

[MrFunken]

You are right but i found this:

So you want to know why your iptables DDoS protection rules suck? It’s because you use the filter table and the INPUT chain to block the bad packets!

The best solution to dramatically increase the performance of your iptables rules and therefore the amount of (TCP) DDoS attack traffic they can filter is to use the mangle table and the PREROUTING chain!

You can put some TCP rules in the prerouting table. But.. they can't be verry complex.
Also.. a DDoS Protection based on iptables will always sucks. Ususal servers don't have more then 1Gbit/s. Ususal DDoS attacks are between 5-40Gbit/s. So.. your server will always be down without a right DDoS Protection on the routing/ISP level.

 

[mizu9797]

Hi,
I was used this rules without last and my bots query were blocked.
Which rule block query ?

 

[InVaDeR359]

Hi,
I was used this rules without last and my bots query were blocked.
Which rule block query ?

Apparently this

#block TCP expect port 80,22
iptables -A INPUT -p tcp -m tcp -m multiport ! --dports 80,22 -j DROP

So, if your query port is the default 10011, you can change that rule to this one :
iptables -A INPUT -p tcp -m tcp -m multiport ! --dports 80,22,10011 -j DROP

 

[chuga2]

Hi,
I was used this rules without last and my bots query were blocked.
Which rule block query ?

Rule For Block Query
iptables -A INPUT -p tcp -m tcp --dport 10011 -j DROP

Rule For Accept Query Ip
ᅟᅟᅟᅟᅟᅟᅟᅟᅟᅟ(add ip here)
ᅟᅟᅟᅟᅟᅟᅟᅟᅟᅟᅟᅟv
ᅟᅟᅟᅟᅟᅟᅟᅟᅟᅟᅟᅟv
iptables -A INPUT -s 192.168.l.l -p tcp -m tcp --dport 10011 -j ACCEPT


BUT FIRST ADD RULE ACCEPT AND ADD RULE BLOCK

 

[InVaDeR359]

Rule For Block Query
iptables -A INPUT -p tcp -m tcp --dport 10011 -j DROP

Rule For Accept Query Ip
ᅟᅟᅟᅟᅟᅟᅟᅟᅟᅟ(add ip here)
ᅟᅟᅟᅟᅟᅟᅟᅟᅟᅟᅟᅟv
ᅟᅟᅟᅟᅟᅟᅟᅟᅟᅟᅟᅟv
iptables -A INPUT -s 192.168.l.l -p tcp -m tcp --dport 10011 -j ACCEPT


BUT FIRST ADD RULE ACCEPT AND ADD RULE BLOCK

I think he was asking what rule of the above was blocking his Query Port not asking for a way to block them.

 

[MobVPN]

You can put some TCP rules in the prerouting table. But.. they can't be verry complex.
Also.. a DDoS Protection based on iptables will always sucks. Ususal servers don't have more then 1Gbit/s. Ususal DDoS attacks are between 5-40Gbit/s. So.. your server will always be down without a right DDoS Protection on the routing/ISP level.

This isn't true sir.
We utilize our own DDoS Protection system which monitors the real time traffic & sorts everything out. We've have attacks in the past that surpassed 400Gbps, on hosts that protect up to 120Gbps. We always dedicated at least 4GBs( 8GBs Preferred) of memory to handle these intensive tasks. We rarely have ever had one of our servers go down, except in the rare occurrence - where someone found an unfiltered port we had open - to communicate with our server hub. We fixed that with ease, by restricting the route by source.
Then again, it really matters what rules you have in place, to handle these type of attacks that seem to happen more frequent.

 

[DebianMain]

I think is better use CSF FIREWALL

 

[MwZ]

Any 'in-kernel' firewalls, will not be able to cope with any mid sized ddos attack, it can help with small stuff, but for other cases, you indeed, need a DDoS Protected Network, to cover your server properly...

 

[Jonaxio]

i used this and now my script are not working. My scripts downlaod something from server outdoors