Ransom DDoS attack - need help!
alvin nanog
nanogml at Mail.DDoS-Mitigator.net
Fri Dec 4 02:34:42 UTC 2015
hi lyndon
On 12/03/15 at 05:54pm, Lyndon Nerenberg wrote:
> On Dec 3, 2015, at 5:00 PM, alvin nanog <nanogml at Mail.DDoS-Mitigator.net> wrote:
> > run tcpdump and/or Ethereal to capture the DDoS attacks
>
> <face palm> Of course! If we had only thought of this sooner! </face palm>
> :-)
yupperz.. the problem is, capturing is nice, you have all this data ... now what ..
all that tcpdump gibberish needs to be converted and presented in a format
suitable for the bean counters to allocate $$$ to mitigate and minimize the
effects of the "free n hopefully relatively harmless" DDoS attacks occurring
every second
let's assume required services are properly configured and excluded
- ACLs only for your own DNS queries
- ssh only from specific ip#
- NTP to/from your ISP
let's assume you allow incoming ssh only from w.x.y.z ... all other connections are DoS attacks
tcpdump -n -l ! host w.x.y.z and port 22
let's assume mail is your mail server .. all traffic NOT on port 25 is a DoS attack
tcpdump -n -l host mail.example.com and ! port 25
let's assume www is your web server .. all traffic NOT on port 80 is a DoS attack
tcpdump -n -l host www.example.com and ! port 80
if you are running all the services ( mail + apache + mysql ) on one server
the remaining tcp connections are DoS attacks
tcpdump -n -l host mail.example.com and \( ! port 25 and ! port 80 and ! port 3306 \)
let's assume dns is your DNS server .. I consider all tcp traffic from outside as DoS attacks
tcpdump -n -l tcp and host dns.example.com
to see possible UDP attacks .. don't forget to exclude your own DNS and NTP queries
tcpdump -n -l udp
to see possible ICMP attacks
tcpdump -n -l icmp
too many gazillion options make the world go round n round ...
- where does it end :-) ... it doesn't ...
if you get a screenful of data flying by of stuff you don't recognize,
you're probably under light DDoS attacks
magic pixie dust
alvin
http://DDoS-Mitigator.net/cgi-bin/IPtables-GUI.pl
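The post's point is that the raw tcpdump output still has to be turned into something a non-engineer can read. The script below is an added example, not code from this post or from DDoS-Mitigator.net: it reads `tcpdump -n -l` lines, applies the same rule the post uses (everything that is not one of the configured services is suspect), and tallies the leftovers per source address, protocol and destination port. The allowlist, the 192.0.2.x / 203.0.113.x / 198.51.100.x addresses and the sample capture lines are constructed for the example; the line formats follow what tcpdump prints for IPv4 TCP, UDP and ICMP with name resolution off.

```python
"""Summarise `tcpdump -n -l` output into a per-source table of packets that do
not belong to an allowlisted service.  Added example; addresses, allowlist
and sample lines are constructed, not taken from the mailing-list post."""
import re
from collections import Counter

# Constructed allowlist of (destination address, protocol, port): the services
# this host is supposed to offer, mirroring "exclude required services".
ALLOWED_SERVICES = {
    ("192.0.2.10", "tcp", 25),   # mail
    ("192.0.2.10", "tcp", 80),   # web
    ("192.0.2.10", "udp", 53),   # dns
}
# Only this (constructed) management address may reach ssh, i.e. "w.x.y.z".
ALLOWED_SSH_SOURCES = {"198.51.100.4"}

IPV4 = r"\d+\.\d+\.\d+\.\d+"
# TCP and UDP lines: "<ts> IP src.sport > dst.dport: <rest>"
TCP_UDP_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4})\.(?P<sport>\d+) > "
    rf"(?P<dst>{IPV4})\.(?P<dport>\d+): (?P<rest>.*)$")
# ICMP lines have no ports: "<ts> IP src > dst: ICMP <rest>"
ICMP_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): ICMP (?P<rest>.*)$")


def parse_line(line):
    """Return (src, dst, proto, dport) for one tcpdump line, or None if it is
    not a line this parser understands (other protocols, truncated output)."""
    m = TCP_UDP_RE.match(line)
    if m:
        # tcpdump prints "Flags [...]" for TCP; UDP shows a decoded payload
        # (e.g. a DNS query) or "UDP, length N".
        proto = "tcp" if m.group("rest").startswith("Flags") else "udp"
        return m.group("src"), m.group("dst"), proto, int(m.group("dport"))
    m = ICMP_RE.match(line)
    if m:
        return m.group("src"), m.group("dst"), "icmp", None
    return None


def is_expected(src, dst, proto, dport):
    """The post's rule: only traffic to configured services is expected, and
    ssh only from the management address."""
    if proto == "tcp" and dport == 22:
        return src in ALLOWED_SSH_SOURCES
    return (dst, proto, dport) in ALLOWED_SERVICES


def summarise(lines):
    """Count unexpected packets keyed by (src, proto, dport)."""
    unexpected = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if not is_expected(src, dst, proto, dport):
            unexpected[(src, proto, dport)] += 1
    return unexpected


def report(counter):
    """Render the counter as fixed-width lines, busiest sources first."""
    rows = sorted(counter.items(),
                  key=lambda kv: (-kv[1], kv[0][0], kv[0][1], kv[0][2] or 0))
    return [f"{src:<16} {proto:<5} {str(dport) if dport is not None else '-':>6} {n:>6}"
            for (src, proto, dport), n in rows]


# Constructed sample capture: one allowed ssh login, a burst of ssh attempts
# from elsewhere, a mysql probe, a stray UDP packet, ICMP pings and one line
# of junk to show that unparsable input is skipped rather than crashing.
SAMPLE = """\
02:34:42.000001 IP 198.51.100.4.51000 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
02:34:42.000002 IP 203.0.113.5.44321 > 192.0.2.10.22: Flags [S], seq 2, win 65535, length 0
02:34:42.000003 IP 203.0.113.5.44322 > 192.0.2.10.22: Flags [S], seq 3, win 65535, length 0
02:34:42.000004 IP 203.0.113.6.40000 > 192.0.2.10.80: Flags [S], seq 4, win 65535, length 0
02:34:42.000005 IP 203.0.113.6.40001 > 192.0.2.10.3306: Flags [S], seq 5, win 65535, length 0
02:34:42.000006 IP 203.0.113.7.9999 > 192.0.2.10.53: 1234+ A? example.com. (29)
02:34:42.000007 IP 203.0.113.8.1900 > 192.0.2.10.1900: UDP, length 300
02:34:42.000008 IP 203.0.113.9 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
02:34:42.000009 IP 203.0.113.9 > 192.0.2.10: ICMP echo request, id 1, seq 2, length 64
this line is not tcpdump output and is ignored
"""

if __name__ == "__main__":
    for row in report(summarise(SAMPLE.splitlines())):
        print(row)
```

In real use, replace `SAMPLE.splitlines()` with `sys.stdin` and pipe `tcpdump -n -l ...` into the script; the `-l` flag the post already uses is what makes tcpdump line-buffer its output so the tally updates as packets arrive. Anything the parser does not recognise is dropped on purpose, so extend the two regexes (IPv6, other protocols) before trusting the counts for a host that speaks more than IPv4 TCP/UDP/ICMP.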