Optimize OVH Protection

[Leon]

Hello,

OVH Enterprise DDoS Protection blocks everything good.

But one flood called XTS3 floods TS3 with 1-2MB/S.

OVH dont block anything of them.

Anyone can help me to setup iptables to block like more than 500kb/s udp on port 9987 or anything else.

Thanks.

 

[ixM7MDz]

You can make a rule in iptables to make each ip just can get 10Kb when he joined

 

[Leon]

You can make a rule in iptables to make each ip just can get 10Kb when he joined

And how?

 

[ixM7MDz]

I will give you a firewall rules

just you you need to past it on a file as firewall.sh
after you past it just type this on the ssh ( putty)
./firewall.sh

you need to have iptables on your vps
script :

# Flush rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F PREROUTING
iptables -t raw -F OUTPUT
# List policies first
iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT ACCEPT;
# Disable connection tracking on voice server ports
iptables -A PREROUTING -t raw -p udp --dport 9987 -j NOTRACK
iptables -A OUTPUT -t raw -p udp --sport 9987 -j NOTRACK
# Allow TCP inbound
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 21,22 -j ACCEPT
# Drop invalid UDP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m length --length 0:32 -j DROP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m length --length 2521:65535 -j DROP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m length --length 98 -j DROP
# Drop TS3 booter methods
iptables -A PREROUTING -t raw -p udp --dport 9987 -m string --hex-string '|fa163eb402096ac8|' --algo kmp -j DROP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m string --hex-string '|71f63813d5422309|' --algo kmp -j DROP
# Allow incoming packets related to outgoing ones.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow UDP inbound
iptables -A INPUT -p udp --dport 9987 -j ACCEPT
# Allow ICMP
iptables -A INPUT -p icmp -j ACCEPT
# Log all dropped packets to /var/log/messages
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

 

[ikfes]

I will give you a firewall rules

just you you need to past it on a file as firewall.sh
after you past it just type this on the ssh ( putty)
./firewall.sh

you need to have iptables on your vps
script :

# Flush rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F PREROUTING
iptables -t raw -F OUTPUT
# List policies first
iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT ACCEPT;
# Disable connection tracking on voice server ports
iptables -A PREROUTING -t raw -p udp --dport 9987 -j NOTRACK
iptables -A OUTPUT -t raw -p udp --sport 9987 -j NOTRACK
# Allow TCP inbound
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 21,22 -j ACCEPT
# Drop invalid UDP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m length --length 0:32 -j DROP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m length --length 2521:65535 -j DROP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m length --length 98 -j DROP
# Drop TS3 booter methods
iptables -A PREROUTING -t raw -p udp --dport 9987 -m string --hex-string '|fa163eb402096ac8|' --algo kmp -j DROP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m string --hex-string '|71f63813d5422309|' --algo kmp -j DROP
# Allow incoming packets related to outgoing ones.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow UDP inbound
iptables -A INPUT -p udp --dport 9987 -j ACCEPT
# Allow ICMP
iptables -A INPUT -p icmp -j ACCEPT
# Log all dropped packets to /var/log/messages
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

That's my script and it misses the TCP 30033 port for fileserver. If you run it as it is above, your client's can't load usergroup/channelgroup icons or any images/banners you might upload to the server.

Either edit this:
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,30033 -j ACCEPT (You don't need 21 if you use SFTP)
or add:
iptables -A INPUT -p tcp --dport 30033 -j ACCEPT
under the similar 9987 UDP rule.

 

[FarisDev]

@ikfes, I have a web server (apache2) How protection it?

 

[root012]

You can very easy to block this method.

 

[FarisDev]

@root012 How?

 

[MwZ]

When using a modern protection system, you can sleep just fine and nothing is necessary to be done in iptables...

 

[FarisDev]

@MwZ What is "modern protection system" more details please.

 

[MwZ]

@MwZ What is "modern protection system" more details please.

There are companies that provides you with a system that handles literally all these attacks, even if they use custom UDP payloads... Although, they aren't as cheap as OVH, it's simple as this.