How to reflect ddos on the site?

Evgeny Kuznetsov2012-10-29 17:40:58

DDoS Protection

Evgeny Kuznetsov, 2012-10-29 17:40:58

For the past 5 days, the site has been under a ddos attack, first of all, after it was handed over to me, I set up nginx (req_limit, etc.), installed fail2ban and configured it to monitor the nginx error log, the site came to life and worked fine until other guys came to ddos... This botnet turned out to be more serious, and this scheme no longer worked, it was decided to roll up geoip for nginx, and cache it all the same, after that the server felt better. But, these bastards littered the entire port, so the site opens every other time, so the question is:

1. How to fasten geoip to iptables in order to cut them down! (all instructions for installing this module do not fit iptables)
2. Why do
iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 -j REJECT
I get when I execute the command:
iptables: No chain/target/match by that name
there is an INPUT chain.

PS. Debian 5 axis

Answer the question

In order to leave comments, you need to log in

6 answer(s)

egorinsk, 2012-10-30
@egorinsk

You are into drug addiction. Instead of randomly installing different modules, you need to sit down to read the logs, identify the patterns used by the attacker and ban the collected IPs via iptables + ipset.

serjs, 2012-10-29
@serjs

getpocket.com/a/read/98338296 I do not advertise, but I did it at one time (for 5 too)
And with nochain lsmid | grep connlimit doesn't output anything? You need to load the module, only in Debian 5 I won’t say if it is native, because. everywhere switched to 6 already.

shadowalone, 2012-10-29
@shadowalone

What core is on the axis? If the module does not get up, then this is due to the old kernel.
Since you want to slaughter limits in the firewall, do not.
If you have an old kernel and the module does not get up, then you can generate networks of a specific country to which to open, and close everything else, but the iptables rules will then be cumbersome, and it is better to separate them into a separate chain.

BasilioCat, 2012-10-30
@BasilioCat

Try to configure fail2ban in a more aggressive way, or if the attackers have some kind of pattern - user agent, cookie, header, request URL (tcpdump will help you), then filter them right on the firewall - see the string module. So you will reduce the channel load on the server. But it probably won't help. A botnet of a couple of thousand machines will be able to fill a 100 Mbps channel. And out of ten thousand, it will kill him with SYN requests alone. A provider is rarely interested in filtering an attack (Russian providers, on the contrary, are interested in squeezing more money for traffic as a result of an attack), and a gigabit channel costs not quite budget money.
If the site is almost static (or can be cached for a long time, at least the attacked URL), you can transfer the return of the site to CDNs - this solves the channel bandwidth problem. Well, specialized services for protection against DDoS have not been canceled either, there are quite budget solutions, but mostly not with us

gunya, 2012-10-30
@gunya

Be careful with iptables. The server with on FreeBSD with pf under 200k SYN-flood lays down. If you turn off pf and fight back with nginx, the server immediately becomes easier.

wvitalik, 2014-03-20
@wvitalik

nginx handles ddos best, but with attacks over 100,000 pps, the server will not have time to ban addresses and it will be overloaded, as a result of which the resource will be unavailable. And with such attacks, you need to let domain traffic through an A-record on the IP of a secure proxy server like Simply Proxy