DOS prevention

[Andrew Beals]

If they're coming from just the single IP, then black-hole'ing their IP is
easier.  If the address they're coming from is 128.115.1.1, then simply
paste this at a shell prompt and give it your password when sudo asks for
it:

sudo route add 128.115.1.1 gw 127.0.0.1 lo

This will cause all packets destined to go back to them to get dropped on
the floor and should be sufficient.  You'd really prefer to do this (or
just add them to the naughty list which is something that I believe the SW
can do, even with ancient builds of their SW) on your SonicWall box, but
you can get away with doing it on your server.

Adding an IP tables (again, if you can't convince your SW to just drop
packets from them) is more efficient, of course, but it's hairier to set up.


On Mon, Mar 18, 2013 at 2:19 PM, J. Wade Michaelis <
jwade at userfriendlytech.net> wrote:

> I have a CentOS web server that has recently been brought to a halt on two
> separate occasions.  Checking the access.log, it appears that it was a
> Denial of Service (DOS) attack (hundreds of HTTP requests in a very short
> time, all from a single IP address).
>
> I want to prevent these types of attacks from bringing the server to its
> knees.  We have a hardware firewall (SonicWall) in place, but it isn't
> quite new enough to run the firmware that allows rate-limiting.
>
> I have found a number of tutorials that show how to do this type of thing
> with IPTABLES.  Is there a better solution?
>
> Supposing I go with IPTABLES, do I need to include rules to allow FTP and
> SSH (the only other services on the server)?
>
> Would any of you be willing to assist me with this?
>
> Thanks,
> ~ j.
> jwade at userfriendlytech.net
>
> _______________________________________________
> KCLUG mailing list
> KCLUG at kclug.org
> http://kclug.org/mailman/listinfo/kclug
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kclug.org/pipermail/kclug/attachments/20130318/2a5264ee/attachment.html>