DDoS attack - iptables misconfiguration

I have Ubuntu 20.04.4 LTS. I am suffering a DDoS attack and do not know how to limit the number of connections from multiple IPs (up to 500).

I have seen some posts, such as or , but I do not know how to follow their steps correctly to deal with this situation.

My current rules are:

## Accept some ports
iptables -A INPUT -p tcp --dport 28261 -j ACCEPT
iptables -A INPUT -p tcp --dport 3724 -j ACCEPT
### Prevent port scan ###
iptables -N port-scan 
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 3 -j RETURN 
iptables -A port-scan -j DROP
### SSH brute-force protection ###
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
### 1: Drop invalid packets ###
/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
## 2: Drop TCP packets that are new and are not SYN ###
/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT
### 8: Limit connections per source IP ###
/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 10 -j REJECT --reject-with tcp-reset
### 9: Limit RST packets ###
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
### 10: Limit new TCP connections per second per source IP ###
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 10/s --limit-burst 5 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

What is wrong with this configuration? Which rules are useless, and which ones do I actually need?

Thanks in advance!

Answer 1

There is probably no generic iptables rule set that handles every distributed "SYN Flood" attack. I have always had to create rules to deal with specific attacks, sometimes with collateral damage (i.e. blocking legitimate packets, which I do not care about). The following examples span 11 years.

Legend:

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
EXTIF="enp1s0"
INTIF="br0"
EXTIP="173.XXX.YYY.ZZZ"        # (hidden)
EXTOTHERIP="173.XXX.YYY.ZZQ"   # (hidden)
INTNET="192.168.111.0/24"
INTIP="192.168.111.1/32"
UNIVERSE="0.0.0.0/0"

Example 1: a SYN Flood attack on port 80 whose source port is also 80. A real web browsing client will never have a source port of 80, so it should be blocked:

# Related to SYN flood attacks on port 80.
# Drop packets that have source port = destination port = 80, as they seem to come forever
# via (I think) the ESTABLISHED,RELATED path and are never caught by the bad guy detector.
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --sport 80 --dport 80 -j DROP

Examples 2 and 3: SYN Flood attacks where the TCP window size is always the same:

# SYN Flood (trickle, actually) attack of 2011.02:
# Always had same TCP window size of 61690 (0xF0FA), which was unique to this attack.
# TOS (type of service) offset = 6 ; TCP service = 6 ; Window size offset = 32
#
#$IPTABLES -A INPUT -i $EXTIF -m u32 --u32 "6&0xFF=0x6 && 32&0xFFFF=0xF0FA" -j LOG --log-prefix "BADZ:" --log-level info
#$IPTABLES -A INPUT -i $EXTIF -m u32 --u32 "6&0xFF=0x6 && 32&0xFFFF=0xF0FA" -j DROP
#
# SYN Flood (trickle, actually) attack of 2016.05 - ??:
# Always had same TCP window size of 32120 (0x7D78), which was not unique to this attack, but very rare
# TOS (type of service) offset = 6 ; TCP service = 6 ; Window size offset = 32
#
$IPTABLES -A INPUT -i $EXTIF -m u32 --u32 "6&0xFF=0x6 && 32&0xFFFF=0x7D78" -j LOG --log-prefix "BADZ:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m u32 --u32 "6&0xFF=0x6 && 32&0xFFFF=0x7D78" -j DROP

Example 4: a SYN Flood attack using illegal source port numbers:

# Ver 0.39: Current SYN flood attack uses illegal ports. Filter based on port 0 to get rid of them.
# Ver 0.40: Comment out. Event has ended.
#
#$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 2 --seconds 5400 --name BADGUY_SYN -j LOG --log-prefix "SYN BAD:" --log-level info
#$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 2 --seconds 5400 --name BADGUY_SYN -j DROP
#$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --sport 0 --dport 80 -m recent --set --name BADGUY_SYN -j DROP

Example 5: a SYN Flood attack that was not so "distributed", coming mostly from a single IP subnet. Just block the whole subnet. I have had many of these; in addition I use ipset to block all of Russia, China and a few other countries:

$IPTABLES -A INPUT -i $EXTIF -s 184.105.0.0/16 -d $UNIVERSE -j DROP
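
To make clear what the u32 matches in examples 2 and 3 actually test, here is an added Python example (not part of the original answer) that evaluates those two expressions against a constructed IPv4/TCP SYN packet. Each term reads the 32-bit word at a byte offset from the start of the IP header: the low byte of the word at offset 6 is the IP protocol field (6 = TCP), and the low 16 bits of the word at offset 32 are the TCP window, which only holds when the IP header is exactly 20 bytes; the addresses and packet bytes are constructed sample data.

```python
import struct

# The two u32 expressions quoted from the answer's rules
U32_2011 = "6&0xFF=0x6 && 32&0xFFFF=0xF0FA"
U32_2016 = "6&0xFF=0x6 && 32&0xFFFF=0x7D78"


def u32_match(packet: bytes, expr: str) -> bool:
    """Evaluate a u32 expression of the form 'OFF&MASK=VAL && ...' against
    raw IPv4 packet bytes. Each term takes the big-endian 32-bit word at
    byte offset OFF, ANDs it with MASK and compares it to VAL. Only the
    '&', '=' and '&&' operators used on the page are supported."""
    for term in expr.split("&&"):
        lhs, val = term.strip().split("=")
        off, mask = lhs.split("&")
        off = int(off, 0)
        if off + 4 > len(packet):
            return False  # the real u32 match also fails on a short packet
        word = struct.unpack("!I", packet[off:off + 4])[0]
        if word & int(mask, 0) != int(val, 0):
            return False
    return True


def build_syn(window: int, ihl_words: int = 5) -> bytes:
    """Build a minimal IPv4 + TCP SYN packet (constructed sample data,
    RFC 5737 documentation addresses). ihl_words > 5 pads the IP header
    with NOP options so the TCP header, and thus the window, shifts."""
    ip_len = ihl_words * 4
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl_words, 0, ip_len + 20, 0, 0x4000,
                     64, 6, 0,  # TTL, protocol 6 = TCP, checksum left zero
                     bytes([198, 51, 100, 7]), bytes([203, 0, 113, 9]))
    ip += b"\x01" * (ip_len - 20)  # NOP option bytes, if any
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 80, 1, 0, 5 << 4, 0x02,  # SYN flag set
                      window, 0, 0)
    return ip + tcp


def classify(packet: bytes) -> str:
    """Report which of the answer's two window-size signatures a packet trips."""
    if u32_match(packet, U32_2011):
        return "2011 flood (window 0xF0FA)"
    if u32_match(packet, U32_2016):
        return "2016 flood (window 0x7D78)"
    return "no match"
```

A SYN carrying IP options (`build_syn(0x7D78, ihl_words=6)`) slips past both rules, because the fixed offset 32 then lands on the acknowledgement number rather than the window.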
