I asked many questions about this same subject, for example: here, and here.
The answer said I should set up the rule like this:
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Then start adding the rest as follows:
# Dynamic Badguy List. Detect and DROP Bad IPs that try to access port 20000.
# Once they are on the BADGUY list then DROP all packets from them.
iptables -A INPUT -i eth0 -m recent --update --hitcount 5 --seconds 90000 --name BADGUY -j LOG --log-prefix "Port 20000 BAD:" --log-level info
iptables -A INPUT -i eth0 -m recent --update --hitcount 5 --seconds 90000 --name BADGUY -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 20000 -m recent --set --name BADGUY -j ACCEPT
I did this exactly, but some IPs can still open 100+ connections per IP, so what is the proper way to limit IP connections?
From which we are particularly interested in:
tcp 0 75981 45.233.22.66:22 77.101.61.108:49746 ESTABLISHED
tcp 0 77442 45.233.22.66:22 77.101.61.108:49866 ESTABLISHED
tcp 0 106643 45.233.22.66:22 77.101.61.108:49662 ESTABLISHED
tcp 0 75826 45.233.22.66:22 77.101.61.108:49727 ESTABLISHED
tcp 97 0 45.233.22.66:22 77.101.61.108:50448 CLOSE_WAIT
tcp 0 105924 45.233.22.66:22 77.101.61.108:49798 ESTABLISHED
tcp 0 77441 45.233.22.66:22 77.101.61.108:49852 ESTABLISHED
tcp 0 77442 45.233.22.66:22 77.101.61.108:49813 ESTABLISHED
tcp 0 75223 45.233.22.66:22 77.101.61.108:49655 ESTABLISHED
and
tcp 0 73838 45.233.22.66:22 212.252.97.90:24457 ESTABLISHED
tcp 0 73502 45.233.22.66:22 212.252.97.90:24101 ESTABLISHED
tcp 0 74848 45.233.22.66:22 212.252.97.90:24397 ESTABLISHED
tcp 0 70703 45.233.22.66:22 212.252.97.90:24315 ESTABLISHED
tcp 0 70620 45.233.22.66:22 212.252.97.90:24292 ESTABLISHED
tcp 0 73501 45.233.22.66:22 212.252.97.90:24362 ESTABLISHED
tcp 0 73500 45.233.22.66:22 212.252.97.90:24122 ESTABLISHED
which seem to be more connections than the hit count rule should have allowed.
Here is the iptables -vxnL output:
Chain INPUT (policy ACCEPT 35537 packets, 4077701 bytes)
pkts bytes target prot opt in out source destination
1939108 97521172 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 #conn src/32 > 2 reject-with tcp-reset
1112785 217196313 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
69985 3510824 LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 90000 hit_count: 5 name: BADGUY side: source mask: 255.255.255.255 LOG flags 0 level 6 prefix "Port 22 BAD:"
69985 3510824 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 90000 hit_count: 5 name: BADGUY side: source mask: 255.255.255.255
217171 11052690 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 recent: SET name: BADGUY side: source mask: 255.255.255.255
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3258297 packets, 496362303 bytes)
pkts bytes target prot opt in out source destination
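As an added check (not part of the question or the answer), the following POSIX shell script counts how many connections each remote address actually holds open on a given local port, from the same kind of netstat output shown above. It only counts ESTABLISHED flows, because that is what a concurrent-connection limit governs; CLOSE_WAIT and other states are ignored. The embedded sample is constructed from the addresses in the question, and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample modelled on the `netstat -tn` lines in the question
# (one peer with 2 ESTABLISHED + 1 CLOSE_WAIT, one with 3, one with 1).
SAMPLE_NETSTAT='tcp 0 75981 45.233.22.66:22 77.101.61.108:49746 ESTABLISHED
tcp 0 77442 45.233.22.66:22 77.101.61.108:49866 ESTABLISHED
tcp 97 0 45.233.22.66:22 77.101.61.108:50448 CLOSE_WAIT
tcp 0 73838 45.233.22.66:22 212.252.97.90:24457 ESTABLISHED
tcp 0 73502 45.233.22.66:22 212.252.97.90:24101 ESTABLISHED
tcp 0 73502 45.233.22.66:22 212.252.97.90:24102 ESTABLISHED
tcp 0 1234 45.233.22.66:22 10.0.0.5:40001 ESTABLISHED'

# established_per_peer PORT
# Reads netstat-style lines on stdin and prints "count peer-address" for every
# remote address with ESTABLISHED connections to local port PORT, highest first.
# The peer port is stripped after the last colon, so IPv6 peers work too.
established_per_peer() {
    port="$1"
    awk -v port="$port" '
        $1 ~ /^tcp6?$/ && $NF == "ESTABLISHED" {
            lp = $4;   sub(/.*:/, "", lp)          # local port = text after last colon
            peer = $5; sub(/:[0-9]+$/, "", peer)   # drop the peer port, keep the address
            if (lp == port) n[peer]++
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# peers_over_limit PORT LIMIT
# Prints only the peer addresses holding more than LIMIT established connections,
# i.e. the ones a connlimit rule of "--connlimit-above LIMIT" would be rejecting.
peers_over_limit() {
    port="$1"; limit="$2"
    established_per_peer "$port" | awk -v lim="$limit" '$1 > lim { print $2 }'
}

# Stand-alone run on the constructed sample. On a live host use:
#   netstat -tn | established_per_peer 22
printf '%s\n' "$SAMPLE_NETSTAT" | established_per_peer 22
```

Comparing this count against the limit the firewall is supposed to enforce tells you whether the rule is counting what you think it is: a recent-module hit count is a count of new connection attempts within a time window, not a count of connections currently open.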
Best Answer
A proposed iptables rule set solution to your vicious DDoS attack is the following script:
After debugging this script, if you want to make loading it automatic at boot, add a pre-up directive to your
/etc/network/interfaces
file. Here is my file as an example:
The permissions on my script file are:
or 755.
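The answer's own script is not reproduced on this page. The following is an added example, not the answer's script, of the distinction the question runs into: `-m recent --hitcount` matches on how many new connection attempts a source has made within `--seconds`, so it rate-limits bursts but never caps how many connections are open at once, whereas `-m connlimit` matches on the number of connections a source currently holds, which is the limit the question asks for. The connlimit rule below mirrors the one already visible at the top of the question's `iptables -vxnL` listing (`#conn src/32 > 2 reject-with tcp-reset`). The variables `IPT`, `IFACE`, `PORT` and `MAX_CONN` and the function name are this example's assumptions; by default it only prints the commands, and applies them only when run as root with `IPT=iptables`.

```shell
#!/bin/sh
# Added example. Defaults to a dry run that prints the rules; apply with:
#   sudo env IPT=iptables IFACE=eth0 PORT=22 MAX_CONN=2 sh ssh-limit.sh
IPT="${IPT:-echo iptables}"   # assumption: dry run unless IPT=iptables is given
IFACE="${IFACE:-eth0}"
PORT="${PORT:-22}"
MAX_CONN="${MAX_CONN:-2}"     # concurrent connections allowed per source /32
HITS="${HITS:-5}"             # new SYNs allowed per WINDOW seconds (recent module)
WINDOW="${WINDOW:-90000}"

ssh_limit_rules() {
    # 1. Packets of flows that are already open are accepted here, so the
    #    counting rules below only ever see new connection attempts (SYNs).
    $IPT -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. Concurrent-connection cap: connlimit looks at conntrack and rejects a
    #    new SYN when the source already holds more than MAX_CONN connections.
    #    This is the rule that bounds "100+ connections per IP".
    $IPT -A INPUT -i "$IFACE" -p tcp --syn --dport "$PORT" \
        -m connlimit --connlimit-above "$MAX_CONN" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset

    # 3. Attempt-rate limit: a source seen HITS or more times in the last WINDOW
    #    seconds is dropped. This counts attempts over time, not open connections.
    $IPT -A INPUT -i "$IFACE" -p tcp --syn --dport "$PORT" \
        -m recent --update --seconds "$WINDOW" --hitcount "$HITS" --name BADGUY -j DROP

    # 4. Otherwise record the attempt and let the SYN through.
    $IPT -A INPUT -i "$IFACE" -p tcp --syn --dport "$PORT" \
        -m recent --set --name BADGUY -j ACCEPT
}

ssh_limit_rules
```

Once the rules are live, `iptables -vxnL INPUT` shows the per-rule packet counters (the REJECT line's counter is the number of SYNs turned away by the concurrent cap), and the recent module's table for the BADGUY list can be read from /proc/net/xt_recent/BADGUY. To load the script at boot as the answer describes, reference it from a `pre-up` line in the relevant iface stanza of /etc/network/interfaces and give the script mode 755.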