我相信我的网络服务器目前正遭受 DDOS 攻击,消息日志中充满了以下类型的消息:
May 13 15:51:19 kernel: nf_conntrack: table full, dropping packet.
May 13 15:51:19 last message repeated 9 times
May 13 15:51:24 kernel: __ratelimit: 78 callbacks suppressed
May 13 15:51:24 kernel: nf_conntrack: table full, dropping packet.
May 13 15:52:06 kernel: possible SYN flooding on port 80. Sending cookies.
并且 netstat 具有大量下列内容:
tcp 0 0 my.host.com:http bb176da0.virtua.com.br:4998 SYN_RECV
tcp 0 0 my.host.com:http 187.0.43.109:2694 SYN_RECV
tcp 0 0 my.host.com:http 109.229.4.145:1722 SYN_RECV
tcp 0 0 my.host.com:http 189-84-163-244.sodobr:63267 SYN_RECV
tcp 0 0 my.host.com:http bd66839d.virtua.com.br:3469 SYN_RECV
tcp 0 0 my.host.com:http 69.101.56.190.dsl.int:52552 SYN_RECV
tcp 0 0 my.host.com:http pc-62-230-47-190.cm.vt:2262 SYN_RECV
tcp 0 0 my.host.com:http 189-84-163-244.sodobr:63418 SYN_RECV
tcp 0 0 my.host.com:http pc-62-230-47-190.cm.vt:1741 SYN_RECV
tcp 0 0 my.host.com:http zaq3d739320.zaq.ne.jp:2141 SYN_RECV
tcp 0 0 my.host.com:http netacc-gpn-4-80-73.po:52676 SYN_RECV
tcpdump 显示:
7:11:08.564510 IP 187-4-1xx-4.xxx.ipd.brasiltelecom.net.br.54821 > my.host.com.http: S 999692166:999692166(0) win 65535 <mss 1452,nop,nop,sackOK>
17:11:08.566347 IP 114-44-171-67.dynamic.hinet.net.1129 > my.host.com.http: S 605369055:605369055(0) win 65535 <mss 1440,nop,nop,sackOK>
17:11:08.570210 IP 200-101-13-130.pvoce300.ipd.brasiltelecom.net.br.5590 > my.host.com.http: S 2813379182:2813379182(0) win 16384 <mss 1460,nop,nop,sackOK>
17:11:08.571290 IP dsl-189-143-30-99-dyn.prod-infinitum.com.mx.1615 > my.host.com.http: S 281542700:281542700(0) win 65535 <mss 1452,nop,nop,sackOK>
17:11:08.583847 IP dsl-189-143-30-99-dyn.prod-infinitum.com.mx.1617 > my.host.com.http: S 499413892:499413892(0) win 65535 <mss 1452,nop,nop,sackOK>
17:11:08.588680 IP 170.51.229.112.2569 > my.host.com.http: S 2195084898:2195084898(0) win 65535 <mss 1460,nop,nop,sackOK>
17:11:08.588773 IP gw2-1.211.ru.3180 > my.host.com.http: F 2315901786:2315901786(0) ack 2620913033 win 64240
17:11:08.590656 IP 200-101-13-130.pvoce300.ipd.brasiltelecom.net.br.5614 > my.host.com.http: S 2813715032:2813715032(0) win 16384 <mss 1460,nop,nop,sackOK>
17:11:08.591212 IP 203.82.82.54.15848 > my.host.com.http: S 4070423507:4070423507(0) win 16384 <mss 1400,nop,nop,sackOK>
17:11:08.591254 IP 203.82.82.54.2545 > my.host.com.http: S 1790910784:1790910784(0) win 16384 <mss 1400,nop,nop,sackOK>
17:11:08.591289 IP 203.82.82.54.28306 > my.host.com.http: S 578615626:578615626(0) win 16384 <mss 1400,nop,nop,sackOK>
17:11:08.591591 IP gw2-1.211.ru.3191 > my.host.com.http: F 2316435991:2316435991(0) ack 2634205972 win 64240
17:11:08.591790 IP 200-101-13-130.pvoce300.ipd.brasiltelecom.net.br.5593 > my.host.com.http: S 2813659017:2813659017(0) win 16384 <mss 1460,nop,nop,sackOK>
17:11:08.593691 IP gw2-1.211.ru.3203 > my.host.com.http: F 2316834420:2316834420(0) ack 2629074987 win 64240
我不确定我能做些什么来限制/缓解这种情况,目前没有提供任何网页,如能得到任何帮助我将不胜感激。
答案1
我已经设法解决了这个问题,下面是解决方案,希望它能对任何人有所帮助:
netstat -an | grep :80 | grep SYN_RECV
这将显示参与此次攻击的所有 IP,只需在防火墙中阻止此列表,攻击就不会产生任何影响。(我使用 APF,因此对每个 IP 都只需执行 apf -d 即可)
在你阻止 IP 之后,你可能需要运行这个命令几次,因为我认为 netstat 仅限于它所显示的 IP 数量,我必须运行它几次,然后命令才不显示 IP。