
kris914g

Question

8 answers to this question


OP: The best thing you can do is to harden your host against these kinds of attacks. There is a free shell script that can help filter DoS traffic. It's called DoS Deflate. If you need help with this, feel free to ask me. I'm sure I can help you out.

Remember, anything over 180 Gbps (175M PPS) it will not stop.


A DoS attack is primarily a half-open connection; a DDoS attack is also a half-open connection, but from SEVERAL hosts at once. In three simple firewall rules you can clean out INVALID (half-open) connections and close them about as fast as they can be opened by remote hosts.

sysctl -w net.netfilter.nf_conntrack_tcp_loose=0   # prerequisite: a bare ACK is INVALID, not a picked-up flow
sysctl -w net.ipv4.tcp_syncookies=1                # prerequisite: SYNPROXY needs SYN cookies enabled
iptables -t raw -I PREROUTING -p tcp -m tcp --syn -j CT --notrack   # 1: SYNs bypass conntrack
iptables -I INPUT -p tcp -m tcp -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460   # 2: cookie handshake
iptables -A INPUT -m state --state INVALID -j DROP   # 3: whatever is still INVALID is dropped

a break down of each rule is as follows:

The raw table handles untracked connections; "CT" stands for conntrack and the --notrack option excludes them from tracking.

The second rule matches the SYN packets (UNTRACKED as per the previous rule) and ACK packets (INVALID as per "nf_conntrack_tcp_loose=0") and forwards them to the SYNPROXY target, which then verifies the syncookies (in parallel, which wasn't possible previously) and establishes the full TCP connections. And finally we add a rule that drops every packet that the previous rule didn't catch, read: bad packets/DDoS.

Your server should be able to handle multiple millions of packets per second, as long as your NIC doesn't crumble and your ISP doesn't nullroute your IP.

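The cookie handshake that the SYNPROXY target performs, as an added illustration that is not part of the post above and not netfilter's code: a stateless proxy answers every SYN with a cookie as its ISN, stores nothing, and later admits only those ACKs whose cookie it could have issued for that exact 4-tuple within the time window. The key, the addresses, the 3/27/2-bit cookie layout and the 64-second counter are assumptions made for the demo.

```python
"""Stateless SYN-cookie handshake in the style of a SYN proxy (added illustration,
not netfilter's SYNPROXY code). The proxy stores nothing when a SYN arrives: the
ISN in its SYN/ACK is a keyed hash of the 4-tuple and a coarse time counter plus
the client's MSS class, so the final ACK can be checked by recomputing it. A
half-open flood therefore costs no memory, and only 4-tuples that really complete
the handshake are handed on to the server. Key, addresses and the cookie layout
are assumptions made for the demo."""
import hashlib
import hmac
import struct

MSS_TABLE = (536, 1300, 1440, 1460)  # MSS class stored in the cookie's low 2 bits
COUNTER_PERIOD = 64                  # seconds per time-counter tick
MAX_COUNTER_AGE = 1                  # accept cookies from this tick or the previous one


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


class SynProxy:
    def __init__(self, key: bytes):
        self.key = key
        self.established = {}  # (src, sport, dst, dport) -> negotiated MSS

    def _mac(self, src, sport, dst, dport, counter) -> int:
        msg = struct.pack("!4s4sHHI", _ip(src), _ip(dst), sport, dport, counter)
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big") & 0x07FFFFFF  # 27 bits

    def _cookie(self, src, sport, dst, dport, mss_idx, counter) -> int:
        # 32-bit ISN = 3 bits counter | 27 bits MAC | 2 bits MSS class
        return ((counter & 0x7) << 29) | (self._mac(src, sport, dst, dport, counter) << 2) | mss_idx

    def on_syn(self, src, sport, dst, dport, client_mss, now) -> int:
        """Answer a SYN: return the SYN/ACK's ISN. No state is kept."""
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
        return self._cookie(src, sport, dst, dport, mss_idx, int(now) // COUNTER_PERIOD)

    def on_ack(self, src, sport, dst, dport, ack, now):
        """Check the handshake-completing ACK. Returns the MSS for the proxied
        connection, or None when the ACK does not carry a cookie we could have issued."""
        isn = (ack - 1) & 0xFFFFFFFF
        now_counter = int(now) // COUNTER_PERIOD
        age = (now_counter - (isn >> 29)) & 0x7
        if age > MAX_COUNTER_AGE:        # expired (or never issued) cookie
            return None
        mss_idx = isn & 0x3
        expected = self._cookie(src, sport, dst, dport, mss_idx, now_counter - age)
        if not hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big")):
            return None                  # forged ACK or wrong 4-tuple
        self.established[(src, sport, dst, dport)] = MSS_TABLE[mss_idx]
        return MSS_TABLE[mss_idx]


def simulate(flood_syns=20000):
    proxy = SynProxy(key=b"constructed-demo-key")
    server = ("10.0.0.5", 3724)  # constructed realmd address
    # 1. Spoofed half-open flood: SYNs that are never followed by an ACK.
    for i in range(flood_syns):
        proxy.on_syn(f"203.0.113.{i % 256}", 1024 + i % 60000, *server, 1460, now=1000.0)
    state_after_flood = len(proxy.established)
    # 2. A real client finishes the handshake inside the cookie window.
    isn = proxy.on_syn("198.51.100.7", 40000, *server, 1460, now=1010.0)
    legit_mss = proxy.on_ack("198.51.100.7", 40000, *server, (isn + 1) & 0xFFFFFFFF, now=1011.0)
    # 3. Bare ACK with a made-up number whose counter bits happen to look current.
    forged = proxy.on_ack("198.51.100.9", 40001, *server, 0xF00DCAFE, now=1011.0)
    # 4. The real cookie replayed from a different source port (cookie is bound to the 4-tuple).
    wrong_tuple = proxy.on_ack("198.51.100.7", 40001, *server, (isn + 1) & 0xFFFFFFFF, now=1011.0)
    # 5. The real cookie replayed after its time window has closed.
    stale = proxy.on_ack("198.51.100.7", 40000, *server, (isn + 1) & 0xFFFFFFFF,
                         now=1010.0 + 3 * COUNTER_PERIOD)
    return {
        "state_after_flood": state_after_flood,
        "legit_mss": legit_mss,
        "forged_accepted": forged is not None,
        "wrong_tuple_accepted": wrong_tuple is not None,
        "stale_accepted": stale is not None,
        "established": len(proxy.established),
    }


if __name__ == "__main__":
    print(simulate())
```

Run it as a script to see the counts: the flood of spoofed SYNs leaves no state behind, which is the property the three rules above rely on, while a forged ACK, the real cookie replayed from another source port, and a cookie older than the window are all refused.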

This is something you would have to take up with your hosting company, as this is not related to Mangos in general :)

Depending on the hosting company, this is normally not their responsibility. In the event that it's not and you have a Linux box, you can use iptables to stop DoS traffic:

# NEW connections (SYN) to the mangosd/realmd/SOAP/RA ports, counted per source address: a burst of 100, then 25 per minute
iptables -A INPUT -p tcp --syn -m multiport --dports 8085,3724,7878,3443 -m hashlimit --hashlimit-name mangos --hashlimit-mode srcip --hashlimit-upto 25/minute --hashlimit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --syn -m multiport --dports 8085,3724,7878,3443 -j DROP   # anything above the limit is silently dropped

This example should work with mangosd, realmd, SOAP and Remote Access (if enabled).

--dports can be changed to any port you want to protect from DoS. This will limit 25 NEW connections per minute with a burst of 100; most people are not going to open 25 connections a minute on servers.

Once the burst limit is hit, the 25-per-minute rule kicks in and connections exceeding this limit will be silently dropped. Take note: this will not affect other connections.

This is a PER ADDRESS connection limit, so you can have over 100 open connections to the server, but it will only allow 25 NEW per client per minute.

Very effective anti-DoS rule; I use this on almost all of my services.

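Added example, not from the post above, to show what the per-address property depends on: netfilter's limit match keeps one token bucket for the whole rule, while hashlimit with --hashlimit-mode srcip keeps one per source address. The script models both as token buckets (start full at the burst, refill at the rate) over a constructed SYN stream with one flooding address and five real players, and reports who got through. Addresses and timings are made up for the demo.

```python
"""Shared vs per-source rate limiting of new connections (added illustration,
not netfilter's code). Both variants use the same token bucket; the only
difference is whether there is one bucket for the whole rule (like `-m limit`)
or one per source address (like `-m hashlimit --hashlimit-mode srcip`).
The SYN stream is constructed for the demo."""
from collections import defaultdict


class TokenBucket:
    def __init__(self, rate_per_minute, burst, now):
        self.rate = rate_per_minute / 60.0   # tokens added per second
        self.burst = burst                   # bucket size; also the initial credit
        self.tokens = float(burst)
        self.last = now

    def allow(self, now):
        """Refill for the elapsed time, then spend one token if one is available."""
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_syns(packets, rate_per_minute=25, burst=100, per_source=False):
    """packets: (time_s, src_ip) SYN arrivals in time order.
    Returns {src_ip: [accepted, dropped]}."""
    buckets = {}

    def bucket_for(src, now):
        key = src if per_source else "*"   # "*": a single bucket shared by everyone
        if key not in buckets:
            buckets[key] = TokenBucket(rate_per_minute, burst, now)
        return buckets[key]

    stats = defaultdict(lambda: [0, 0])
    for now, src in packets:
        if bucket_for(src, now).allow(now):
            stats[src][0] += 1
        else:
            stats[src][1] += 1
    return dict(stats)


ATTACKER = "203.0.113.66"                         # constructed flooding address
LEGIT = [f"198.51.100.{i}" for i in range(1, 6)]  # constructed real players


def constructed_stream():
    # flooder: 500 SYNs in the first second; real players: one SYN each, a few seconds later
    pkts = [(i * 0.002, ATTACKER) for i in range(500)]
    pkts += [(5.0 + 0.1 * i, ip) for i, ip in enumerate(LEGIT)]
    return pkts


def compare():
    out = {}
    for name, per_source in (("shared", False), ("per_source", True)):
        stats = filter_syns(constructed_stream(), per_source=per_source)
        out[name] = {
            "attacker_accepted": stats[ATTACKER][0],
            "attacker_dropped": stats[ATTACKER][1],
            "legit_accepted": sum(stats[ip][0] for ip in LEGIT),
        }
    return out


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

With one shared bucket the flooder drains the burst of 100 in the first fifth of a second and the real players then compete for a refill of one token every 2.4 seconds, so most of them are dropped; with one bucket per source the flooder is capped at its own 100 and every real player gets in.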


Thanks for your iptables entry! But couldn't someone, for example, just use different ports like 80, 8080, 443? And this method wouldn't block the traffic, right? So you would still not be reachable if the traffic of the attack is bigger than your maximum network traffic (in most cases this would be something like 100 Mbit or 1 Gbit).



Changing default ports won't have any effect. You can use a port scanner to find out any open ports on the host.


Oh, I think I miswrote something there. I know this. I meant: his iptables entry does not check those ports like 80, 8080, 443 etc.

So they could still attack those ports.

Indeed, very good eye. The way you would fix that is to append the ports you want to protect to the rule that was provided; that's what the multiport option in iptables is for.

--dports can be changed to any port you want to protect

As this is a MaNGOS forum, I'd rather not get too in-depth on the workings of iptables, as that's an OS-specific implementation tied to the kernel you're using. If you want to read up on iptables you can use

man iptables

That should get you to the manual page for your system's version of netfilter. Also, a better place to look for detailed support on iptables would probably be their homepage.


Archived

This topic is now archived and is closed to further replies.
