https://i.imgur.com/nDbaXqH.png
https://i.imgur.com/Y5259wW.png
It is now on a daily basis and it is starting to suck.
nifty
On 2/20/21 2:25 AM, niftybunny wrote:
https://i.imgur.com/nDbaXqH.png
https://i.imgur.com/Y5259wW.png
Yep, I do wonder if sth like
netstat --tcp -n -4 | perl -wane ' BEGIN { %Hist=(); } { next unless (m/^tcp/); ($Remote) = split(/:/, $F[4]); $Hist{$Remote}++; } END { foreach my $key (sort { $Hist{$b} <=> $Hist{$a} || $a cmp $b } keys %Hist) { printf("%-15s %5i\n", $key, $Hist{$key}) } }' | head -n 40
would help in any case ?
-- Toralf
Glad to hear it's nothing personal. Putin still loves me ♥️
That's Perl? I have no clue what it does.
We already changed the timers on the TCP connections and we have scripts running which are blocking IPs who will send us x0000 connections. Right now they changed tactics and for me it looks like a SYN flood from datacenter IP ranges and a few 100 IPs which undermine the easy blocking. Everything over 2,5 million TCP connections and the servers are more or less overloaded and I now learned that 3 million TCP connections is the point where the servers are dead as dead can be.
For a one time attack I would congratulate them but now daily it really is starting to suck. It also sucks that we have a direct 10G connection to the largest Russian ISP so they can DDoS us even faster …
On 20. Feb 2021, at 12:06, Toralf Förster toralf.foerster@gmx.de wrote:
On 2/20/21 2:25 AM, niftybunny wrote:
https://i.imgur.com/nDbaXqH.png
https://i.imgur.com/Y5259wW.png
Yep, I do wonder if sth like
netstat --tcp -n -4 | perl -wane ' BEGIN { %Hist=(); } { next unless (m/^tcp/); ($Remote) = split(/:/, $F[4]); $Hist{$Remote}++; } END { foreach my $key (sort { $Hist{$b} <=> $Hist{$a} || $a cmp $b } keys %Hist) { printf("%-15s %5i\n", $key, $Hist{$key}) } }' | head -n 40
would help in any case ?
-- Toralf
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
niftybunny abuse-contact@to-surf-and-protect.net wrote:
Glad to hear it's nothing personal. Putin still loves me ♥️
That's Perl? I have no clue what it does.
We already changed the timers on the TCP connections and we have scripts running which are blocking IPs who will send us x0000 connections. Right now they changed tactics and for me it looks like a SYN flood from datacenter IP ranges and a few 100 IPs which undermine the easy blocking. Everything over 2,5 million TCP connections and the servers are more or less overloaded and I now learned that 3 million TCP connections is the point where the servers are dead as dead can be.
For a one time attack I would congratulate them but now daily it really is starting to suck. It also sucks that we have a direct 10G connection to the largest Russian ISP so they can DDoS us even faster …
Do you have pf available as a packet filter? pf's synproxy is designed to mitigate that sort of thing, when it is used. IIRC, it doesn't pass a connection on to the application until all the SYN/ACK handshaking is completed. It may also enforce an early timeout on waiting for the next step after the initial response, but I really don't recall because I haven't used it in many years.
Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at sdf.org *xor* bennett at freeshell.org
On 2/20/21 12:29 PM, niftybunny wrote:
We already changed the timers on the TCP connections and we have scripts running which are blocking IPs who will send us x0000 connections. Right now they changed tactics and for me it looks like a SYN flood from datacenter IP ranges and a few 100 IPs which undermine the easy blocking.
Would an iptables rule with "recent" and "limit" be a solution here? If yes, how do you use that (do you have a code snippet)?
-- Toralf
Not at home but it's just a cronjob running every x minutes and checking via netstat how many connections I get from every single IP. If I get say 20000 connections from a single IP it would be blocked with iptables.
Nothing fancy at all but it works as long as there are very few IPs ddosing me. It fails if there is a botnet and/or multiple /22 who connect to only a few ports per IP. I am sure a fancy Cisco Next Generation Firewall would be much better but I am too poor to even look at it.
Tracking every connection with iptables is very cpu intensive if you have a few 100k connections running on every server … so not really doable.
Right now my problem is: What's all this about?
- I got no love letter beginning with: "If you want to stay online send us x Bitcoins to …." so this is not blackmailing me …
- In case some abuse pissed someone off and they decided to shut me down. This is an expensive attack over multiple days and high amounts of traffic. I doubt that someone is throwing a bunch of money in this just because they are pissed.
- State actors aka Russia trying to shut the network down? In this case they should be attacking others too. No answers in here = doesn't look like they do …
On 21. Feb 2021, at 12:12, Toralf Förster toralf.foerster@gmx.de wrote:
On 2/20/21 12:29 PM, niftybunny wrote:
We already changed the timers on the TCP connections and we have scripts running which are blocking IPs who will send us x0000 connections. Right now they changed tactics and for me it looks like a SYN flood from datacenter IP ranges and a few 100 IPs which undermine the easy blocking.
Would an iptables rule with "recent" and "limit" be a solution here? If yes, how do you use that (do you have a code snippet)?
-- Toralf
On 2/21/21 12:37 PM, niftybunny wrote:
If I get say 20000 connections from a single IP it would be blocked with iptables.
Even much less looks unusual.
With this command
watch -d -x bash -c 'ss --all --numeric --processes state syn-recv | sort -k 5 -n'
I do see a handful of addresses - and at least one (rather new) Tor relay is among them - which make one SYN-RECV after the other w/o finishing the handshake.
-- Toralf
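An added example, not code from this thread: a dry-run version of the per-IP counting cron job niftybunny describes, fed by the `ss state syn-recv` view Toralf uses above. It assumes a constructed ss sample (no real capture) and prints the iptables/ip6tables DROP rules instead of executing them, so the list can be reviewed before it is applied.

```shell
#!/bin/sh
# Constructed sample of `ss --numeric state syn-recv` output (not a real capture).
# With a state filter ss omits the State column, so the peer address is field 4.
sample_ss() {
  cat <<'EOF'
Recv-Q Send-Q Local Address:Port    Peer Address:Port
0      0      198.51.100.10:9001    203.0.113.5:41000
0      0      198.51.100.10:9001    203.0.113.5:41001
0      0      198.51.100.10:443     192.0.2.77:5123
0      0      198.51.100.10:9001    203.0.113.5:41002
0      0      198.51.100.10:9001    192.0.2.77:5124
0      0      198.51.100.10:9001    203.0.113.5:41003
0      0      [2001:db8::1]:9001    [2001:db8::dead]:55000
EOF
}

# count_peers: read ss lines on stdin, print "<half-open count> <peer ip>",
# busiest peer first. Header and malformed lines are skipped (field 4 must end in :port).
count_peers() {
  awk '$4 ~ /:[0-9]+$/ {
         peer = $4
         sub(/:[0-9]+$/, "", peer)                                   # drop the port
         if (peer ~ /^\[/) peer = substr(peer, 2, length(peer) - 2)  # unwrap [v6addr]
         n[peer]++
       }
       END { for (p in n) printf "%d %s\n", n[p], p }' | sort -k1,1nr -k2,2
}

# flood_sources THRESHOLD: keep peers with at least THRESHOLD half-open connections.
flood_sources() {
  awk -v t="$1" '$1 >= t { print $2 }'
}

# block_cmds: turn each flooding peer into the DROP rule the cron job would apply.
# Printed, not executed: review the list before running it as root.
block_cmds() {
  while read -r ip; do
    case $ip in
      *:*) echo "ip6tables -I INPUT -s $ip -j DROP" ;;
      *)   echo "iptables -I INPUT -s $ip -j DROP" ;;
    esac
  done
}

# Live use would be: ss --numeric state syn-recv | count_peers | flood_sources 20000 | block_cmds
sample_ss | count_peers | flood_sources 3 | block_cmds
```

The threshold of 3 only fits the constructed sample; the 20000 niftybunny mentions is the kind of value a relay would actually use.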
On 21.02.2021 12:12, Toralf Förster wrote:
Would an iptables rule with "recent" and "limit" be a solution here? If yes, how do you use that (do you have a code snippet)?
Example SSH:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
## Drop incoming connections which make more than 4 connection attempts upon port 22 within ten minutes
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 600 --hitcount 4 -j DROP
## To list these damned IP's: 'nano /proc/net/xt_recent/ssh' or
## 'cat /proc/net/xt_recent/ssh > recent-ssh.txt'
Multiport example:
# Up to 15 ports can be specified. A port range (port:port) counts as two ports.
# Drop incoming connections which make more than 10 connection attempts upon ports x-y within 1 minute
-A INPUT -p tcp -m multiport --dports xx:yy -m state --state NEW -m recent --name syfloo --set
-A INPUT -p tcp -m multiport --dports xx:yy -m state --state NEW -m recent --name syfloo --update --seconds 60 --hitcount 10 -j DROP
Be sure to look for ip_list_tot: number of IPs to remember per list
cat /sys/module/xt_recent/parameters/ip_list_tot
nifty must increase to 10000 ;-)
https://ipset.netfilter.org/iptables-extensions.man.html --connlimit-upto & --connlimit-above look interesting too.
On 2/22/21 1:01 AM, lists@for-privacy.net wrote:
Multiport example:
# Up to 15 ports can be specified. A port range (port:port) counts as two ports.
# Drop incoming connections which make more than 10 connection attempts upon ports x-y within 1 minute
-A INPUT -p tcp -m multiport --dports xx:yy -m state --state NEW -m recent --name syfloo --set
-A INPUT -p tcp -m multiport --dports xx:yy -m state --state NEW -m recent --name syfloo --update --seconds 60 --hitcount 10 -j DROP
Yeah, cool. I do wonder if "-m multiport --dports xx:yy" is needed?
--connlimit-upto & --connlimit-above look interesting too.
That I never got to work.
-- Toralf