Build Your Own DDoS Protection With Linux & IPtables
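# Configuration for the rules that follow. DEV is the Internet-facing
# interface and PORT the TCP service being protected; both can be overridden
# from the environment (e.g. DEV=ens3 PORT=443 bash this-script) and default
# to the original values. Operator notes: every rule below is appended with
# -A, so running the script twice installs every rule twice -- flush the
# tables (or run it once at boot) instead of re-running it; everything needs
# root plus conntrack/SYNPROXY/ipset support in the kernel; all rules are
# IPv4 only, nothing here touches ip6tables.
DEV="${DEV:-eth0}"
PORT="${PORT:-80}"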
### Use SYNPROXY ###
# Goal: a SYN flood against $PORT must not fill the conntrack table or the
# listen backlog. Three rules cooperate across two tables:
#  1. raw/PREROUTING: SYNs for $PORT arriving on $DEV are excluded from
#     connection tracking (CT --notrack), so a flood packet costs no entry.
#  2. mangle/INPUT: packets for $PORT without usable conntrack state -- the
#     UNTRACKED SYN, and the client's handshake-completing ACK, which is
#     INVALID because no entry exists yet -- go to SYNPROXY, which answers
#     the SYN itself and only opens the connection to the listening socket
#     once the client has completed the handshake. The options listed are
#     what the proxy advertises; --mss 1460 corresponds to a 1500-byte MTU,
#     adjust it if $DEV uses a smaller one.
#  3. mangle/INPUT: whatever is still INVALID for $PORT after that is dropped.
# Rule order matters: the DROP must follow the SYNPROXY rule, and the notrack
# rule is appended to raw/PREROUTING before the hashlimit rule further down.
/sbin/iptables -t raw -A PREROUTING -i $DEV -p tcp -m tcp --syn --dport $PORT -j CT --notrack
/sbin/iptables -t mangle -A INPUT -i $DEV -p tcp -m conntrack --ctstate INVALID,UNTRACKED --dport $PORT -j SYNPROXY \
--sack-perm --timestamp --wscale 7 --mss 1460
/sbin/iptables -t mangle -A INPUT -i $DEV -p tcp -m conntrack --ctstate INVALID --dport $PORT -j DROP
# SYNPROXY relies on SYN cookies and on the TCP timestamp option, so both
# kernel features must be enabled (its documented prerequisite).
/sbin/sysctl -w net/ipv4/tcp_timestamps=1
/sbin/sysctl -w net/ipv4/tcp_syncookies=1
# tcp_loose=0: conntrack no longer adopts a mid-stream (non-SYN) packet as an
# ESTABLISHED flow; such packets stay INVALID and are dropped by rule 3 above,
# which is why a bare ACK flood does not bypass the proxy.
/sbin/sysctl -w net/netfilter/nf_conntrack_tcp_loose=0
# Room for 5M tracked flows with a matching number of hash buckets. Budget the
# memory: on the order of a few hundred bytes per entry (several GB when the
# table is full) plus 8 bytes per bucket. The hashsize write assumes
# nf_conntrack is already loaded (the -m conntrack rules above load it). None
# of these settings survive a reboot; persist them in /etc/sysctl.d and a
# modprobe.d option, otherwise SYNPROXY silently loses its prerequisites.
/sbin/sysctl -w net/netfilter/nf_conntrack_max=5000000
echo 5000000 > /sys/module/nf_conntrack/parameters/hashsize
##--------------------------------------------------------------------------------------------------------------------##
### DROP new connections arriving faster than 200 SYN/s per source /24 ###
# Per-source SYN rate limit for $PORT, evaluated in raw/PREROUTING, i.e.
# before conntrack and before SYNPROXY. hashlimit keeps one token bucket per
# source /24 (--hashlimit-srcmask 24): a /24 may send 200 SYN/s sustained,
# with a burst of 1000, before its further SYNs are dropped. Because the
# bucket is shared by the whole /24, many clients behind one carrier-grade
# NAT or a large campus network share a single budget and can be cut off
# together -- raise the limit or use srcmask 32 if that is a concern. The
# table is sized for ~2M buckets; the "syn" name is the entry that appears
# under /proc/net/ipt_hashlimit for inspection. This rule is appended after
# the notrack rule in the same chain; CT --notrack is non-terminating, so the
# SYN has already been flagged untracked when it gets here.
/sbin/iptables -t raw -A PREROUTING -i $DEV -p tcp -m tcp --dport $PORT --syn -m hashlimit --hashlimit-above 200/sec \
--hashlimit-burst 1000 --hashlimit-mode srcip --hashlimit-name syn --hashlimit-htable-size 2097152 \
--hashlimit-srcmask 24 -j DROP
##--------------------------------------------------------------------------------------------------------------------##
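### Drop SYN packets with suspicious MSS value ###
# A TCP client advertises its MSS in the SYN; values below 536 (the RFC 1122
# default MSS) are rarely seen from real clients. Match on --syn rather than
# --ctstate NEW: the raw-table notrack rule above marks SYNs to $PORT as
# UNTRACKED, and UNTRACKED never satisfies a NEW match, so a ctstate NEW rule
# would not see the very SYNs this script is meant to protect. -m tcpmss only
# matches packets that carry an MSS option; SYNs without one pass through, as
# before.
/sbin/iptables -t mangle -A PREROUTING -p tcp --syn -m tcpmss ! --mss 536:65535 -j DROP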
##--------------------------------------------------------------------------------------------------------------------##
### Block spoofed packets ###
# Drop packets whose source address should never arrive from the Internet:
# loopback (unless it really came in on lo), multicast/reserved (224.0.0.0/3
# spans 224-255 and therefore already contains the 240.0.0.0/5 entry listed
# below), link-local, the RFC 1918 private ranges, TEST-NET-1 and "this
# network". There is no -i $DEV here, so these rules apply on every interface
# of the host. CAVEAT: if legitimate traffic reaches this host from private
# space -- a cloud VPC, a load balancer or health checker, an internal
# monitoring box -- the 10/8, 172.16/12 and 192.168/16 entries drop it
# silently; restrict the rules to -i $DEV or remove those ranges in that case.
# Everything here is IPv4; there is no ip6tables counterpart.
/sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
## Method 1 -- one iptables rule per range.
/sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
## Method 2 -- the same ranges in one ipset, matched by a single rule. The two
## methods are alternatives; run as-is the script installs both, so every
## packet is tested twice for the same prefixes -- pick one. -N/-A/nethash are
## the old ipset spellings (create/add/hash:net today, still accepted as
## compatibility aliases). `ipset -N` fails if the set already exists, so a
## re-run needs `ipset destroy SpoofedPackets` first or the -exist option.
ipset -N SpoofedPackets nethash
ipset -A SpoofedPackets 224.0.0.0/3
ipset -A SpoofedPackets 169.254.0.0/16
ipset -A SpoofedPackets 172.16.0.0/12
ipset -A SpoofedPackets 192.0.2.0/24
ipset -A SpoofedPackets 192.168.0.0/16
ipset -A SpoofedPackets 10.0.0.0/8
ipset -A SpoofedPackets 0.0.0.0/8
ipset -A SpoofedPackets 240.0.0.0/5
iptables -t mangle -A PREROUTING -m set --match-set SpoofedPackets src -j DROP
##--------------------------------------------------------------------------------------------------------------------##
### SSH brute-force protection ###
# Rule 1 records the source of every NEW connection to the ssh port (name
# resolved via /etc/services, normally 22) in the xt_recent list DEFAULT.
# Rule 2 drops the connection when the same source already has 10 or more
# hits within the last 60 seconds; --update also refreshes the source's
# timestamp on every attempt, so an attacker who keeps hammering stays blocked
# until it has been quiet for a full 60 s. Nothing here accepts SSH -- these
# rules only drop, and the INPUT policy is not set anywhere in this script, so
# accepting traffic is left to whatever policy is already in place. The
# xt_recent list is bounded (ip_list_tot module parameter, default 100
# addresses); under a distributed brute force older entries get recycled and
# their sources are forgotten, so treat this as a nuisance filter, not a lock.
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
##--------------------------------------------------------------------------------------------------------------------##
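### Protection against port scanning ###
# The port-scanning chain lets through at most 1 bare-RST packet per second
# (burst 2) and drops the rest. As originally written the chain was created
# but nothing ever jumped into it, so it was never evaluated. Because the
# chain's last rule drops everything that is not a rate-limited RST, the jump
# from INPUT must be narrowed to RST-only packets; a blanket
# `-p tcp -j port-scanning` would drop all TCP traffic. The token bucket is
# global, not per source: on a busy server legitimate RSTs beyond 1/s are
# dropped too, which only delays connection teardown. `iptables -N` fails if
# the chain already exists (re-run after flushing the filter table).
/sbin/iptables -N port-scanning
/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
/sbin/iptables -A port-scanning -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scanning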
##--------------------------------------------------------------------------------------------------------------------##
### Drop IP fragments ###
# -f matches the second and later fragments of a datagram. Two caveats: this
# also drops legitimately fragmented traffic (large UDP payloads, some
# VPN/IPsec setups), and because the rules above use -m conntrack, the
# nf_conntrack module is loaded and IPv4 defragmentation then runs in
# PREROUTING ahead of the raw and mangle hooks -- so this rule most likely
# never sees a fragment at all. Check its pkts counter with
# `iptables -t mangle -L PREROUTING -v -n` before relying on it.
/sbin/iptables -t mangle -A PREROUTING -f -j DROP
##--------------------------------------------------------------------------------------------------------------------##
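### Block packets with bogus TCP flags ###
# Flag combinations that never occur in a legitimate TCP exchange: no flags,
# SYN+FIN, SYN+RST, FIN+RST, and FIN / URG / PSH without ACK. Applied to all
# TCP on every interface in mangle/PREROUTING. The original list also carried
# rules that could never match because an earlier rule had already dropped
# the same packet (SYN,FIN listed twice; ACK,FIN FIN twice; ALL NONE equals
# the first rule; ALL ALL, FIN,PSH,URG, SYN,FIN,PSH,URG and
# SYN,RST,ACK,FIN,URG are each caught by the SYN,RST, FIN,ACK or SYN,FIN
# rule). Those were removed so each packet is tested once per condition; the
# set of packets dropped is unchanged.
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP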
##--------------------------------------------------------------------------------------------------------------------##
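### Restrict ICMP (smurf / reconnaissance)
# Address-mask and timestamp requests are old reconnaissance probes with no
# legitimate use on a public server.
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
# Keep Path-MTU discovery working: a "fragmentation needed" error that belongs
# to a tracked connection (ctstate RELATED, so a blind spoofed error that
# matches no flow is still dropped) must reach the stack, otherwise clients
# behind a smaller MTU (tunnels, PPPoE) stall on large responses. The original
# catch-all below dropped these as well. This rule must precede the catch-all.
iptables -A INPUT -p icmp -m icmp --icmp-type fragmentation-needed -m conntrack --ctstate RELATED -j ACCEPT
# Everything else ICMP is dropped, including echo-request (ping stops working)
# and the echo-reply flood a smurf victim receives.
iptables -A INPUT -p icmp -m icmp -j DROP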
##--------------------------------------------------------------------------------------------------------------------##
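### Rate-limit incoming RST packets
# (Not a smurf defence -- smurf is an ICMP echo-reply flood.) Accept up to
# 2 RSTs per second (burst 2) and drop the excess. As originally written the
# ACCEPT stood alone: excess RSTs fell through to the following rules and the
# INPUT policy, so the limit had no effect. The token bucket is global, not
# per source, so under load some legitimate RSTs are dropped too; the cost is
# that the local side notices such a close only by timeout. This overlaps with
# the port-scanning chain above, which limits bare RSTs as well -- keep one.
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP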
##--------------------------------------------------------------------------------------------------------------------##
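### Operational hints -- commented out so they are not executed with the rules ###
# As originally written these lines ran whenever the script did: tcpkill with
# a placeholder host, and the diagnostics below. Copy the one you need.
#
# Top talkers by connection count. The two netstat header lines are skipped
# and the port is stripped from the END of the address, so IPv6 peers such as
# [::1]:443 are not mangled by cutting at the first colon:
#   netstat -ntu | awk 'NR>2 {print $5}' | sed 's/:[^:]*$//' | sort | uniq -c | sort -n
# Same with ss (netstat is deprecated on most distributions; -H needs a
# reasonably recent iproute2):
#   ss -Hntu | awk '{print $6}' | sed 's/:[^:]*$//' | sort | uniq -c | sort -n
#
# Tear down an attacker's connections (package dsniff). tcpkill runs in the
# foreground and sniffs until interrupted, which is why it must never sit
# uncommented in an unattended script. Replace the placeholder address:
#   tcpkill -i "$DEV" host xxx.xxx.xxx.xxx
#
# Monitor conntrack table activity (searched, found, new, invalid, drop, ...):
#   lnstat -c -1 -f nf_conntrack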