If you only have the single box and no other machines in your network are making connections to it, you could get away with blocking all RESET packets.
This is not very polite to legitimate connections if you happen to be down and it can cause unneeded timeouts in established connections that need to use a RESET packet. It's not a great idea permanently but if it allows you to handle a DDoS then it should be OK temporarily.
If your normal usage of this box relies on RESET packets working for normal users and you want to only block the RESET packets for the attacker, you will want to identify the malicious packets so you can block only those.
Are these packets truly random or is there something they all have in common?
-A INPUT -p tcp -j LOG
If you add a LOG line to the end of your iptables config, you can use that log to analyse the inbound packets to see if there's a pattern. A scatter plot of the source and destination port numbers will probably be useful. Plotting the IP addresses on an IP-space map could possibly help to identify malicious and benign ranges although I suspect this is less likely to produce useful results. Simply counting the number of attacking IP addresses will be useful. If it's a small enough number, you can simply add them all to the iptables config.
Even if you don't find a pattern, since there is definitely a pattern based on "too many reset packets" you can create a fail2ban rule that will add a DROP rule for any IP address that causes more than x RESET packets in y seconds.
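A worked version of the logging-and-counting approach described above, added here as an example and not code from the answer: the LOG rule gets a prefix, an xt_recent rule drops RSTs from any source that exceeds x in y seconds, and an awk pass over constructed kernel-log lines counts RSTs per source. The "RST-LOG: " prefix, the rstflood list name and the sample log lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original answers. Assumes the LOG rule is
# given the prefix "RST-LOG: " and that the kernel log uses the standard
# iptables LOG field format (SRC=... PROTO=TCP ... RST URGP=0).

# Emit iptables-restore text: log every inbound RST with a prefix, then drop
# RSTs from any source that already sent $1 of them within the last $2 seconds
# (xt_recent; a hitcount above 20 needs the module's ip_pkt_list_tot raised).
# Nothing is applied here; the caller decides whether to load it.
rst_rules() {
    max_rst=${1:-20}
    window=${2:-10}
    cat <<EOF
*filter
-A INPUT -p tcp --tcp-flags RST RST -j LOG --log-prefix "RST-LOG: "
-A INPUT -p tcp --tcp-flags RST RST -m recent --name rstflood --update --seconds ${window} --hitcount ${max_rst} -j DROP
-A INPUT -p tcp --tcp-flags RST RST -m recent --name rstflood --set
COMMIT
EOF
}

# Count logged RST packets per source address, busiest source first.
# Only lines carrying our prefix, PROTO=TCP and the RST flag are counted.
rst_per_source() {
    awk '/RST-LOG: / && / PROTO=TCP / && / RST / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only the sources that reached the threshold given as $1, one per line.
rst_offenders() {
    rst_per_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed kernel-log sample (RFC 5737 documentation addresses): four RSTs
# from 203.0.113.5, one from 203.0.113.9, and one SYN that must not count.
SAMPLE_LOG=$(cat <<'EOF'
kernel: RST-LOG: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=40123 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
kernel: RST-LOG: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=40124 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
kernel: RST-LOG: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=40125 DPT=22 WINDOW=0 RES=0x00 RST URGP=0
kernel: RST-LOG: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=40126 DPT=8080 WINDOW=0 RES=0x00 RST URGP=0
kernel: RST-LOG: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TTL=61 ID=0 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
kernel: SYN-LOG: IN=eth0 OUT= SRC=198.51.100.7 DST=198.51.100.2 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
EOF
)
```

Run it as "printf '%s\n' "$SAMPLE_LOG" | rst_offenders 3" to get 203.0.113.5, or pipe the real kernel log in; "rst_rules 20 10 | iptables-restore -n" appends the rules without flushing what is already loaded.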
The DROP target is the one you want.
See packet-filtering-HOWTO-7 for details.
You can '-j DROP' instead of '-j REJECT --with-tcp-reset'.