Detecting a DOS attack on my iptables firewall (a discussion in the Linux Security forums, System Security and Security Related category)
Thanks for all the help on my previous issues. I'm finding that this
IPTABLES firewall rocks! VERY configurable and customizable.

I am having occasional trouble with a person (or persons) trying to
shut down my game server by flooding the game port with packets. I can
pull up the ip_conntrack file and determine who it is. Then I can drop
all incoming traffic from that IP or subnet. It works great.

Is there a method that I can use to determine when I am being flooded?

It manually takes me about 10 minutes to determine what IP/Range I need
to block. I am hoping I can find a method to run a script every minute or
so that checks the port and autoblocks if it determines there is a
problem.

Ideas?

thanks again,
jf
"Jeff Franks" <jfranks1970@charter.net> writes:

> Thanks for all the help on my previous issues. I'm finding that this
> IPTABLES firewall rocks! VERY configurable and customizable.
>
> I am having occasional trouble with a person (or persons) trying to
> shut down my game server by flooding the game port with packets. I can
> pull up the ip_conntrack file and determine who it is. Then I can drop
> all incoming traffic from that IP or subnet. It works great.
>
> Is there a method that I can use to determine when I am being flooded?

It's traditional to use rate-limiting to fix this sort of thing, for
which iptables has the limit module - see what happens if a packet
traverses these rules:

    # new flows to the game port are accepted at 5/sec on average ...
    iptables -A INPUT -p udp --dport 1234 -m state --state NEW \
        -m limit --limit 5/sec -j ACCEPT
    # ... and anything over that rate falls through to this and is dropped
    iptables -A INPUT -p udp --dport 1234 -m state --state NEW \
        -j DROP

The main problem with this is it's not possible to tie it down to N
packet/s per IP#; you'll have to look around to see if there's such a
module for iptables anywhere.

> It manually takes me about 10 minutes to determine what IP/Range I need
> to block. I am hoping I can find a method to run a script every minute or
> so that checks the port and autoblocks if it determines there is a
> problem.
>
> Ideas?

What do you do by hand to find the offenders? Hints:

    # src= is $5 on tcp rows but $4 on udp rows (udp rows have no state
    # column), so pick the field by name rather than by position
    awk '/dport=1234 / { for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { print $i; break } }' \
        < /proc/net/ip_conntrack | sed 's/src=//' | sort | uniq -c | sort -n | tail

That might be a start; then you can grab the worst offenders with more
than a handful of connections and add them to a game_active_rate_offenders
chain in iptables, from a script, easily enough.

(Note that I suggest a specific chain for the purpose of folks who've
been found out by this script - you might detect abusers by other means,
and you don't want to be adding the same IP#s to the list every minute,
nor do you want to flush out the list including other folks - see, chains
are your fwend :)

~Tim
-- 
Sapere aude        |piglet@stirfried.vegetable.org.uk
                   |http://spodzone.org.uk/cesspit/