Have a CentOS-5.x box that appears to be going down as a result of PINGs. If the server gets PINGs it stops replying to ssh/http connections. Appears iptables is one approach, but I want to make sure I'm doing everything I should do.
- Just how many pings are you talking about here? To bring down a server that's connected to the net through anything bigger than a cable modem, you're talking millions per minute. You piss off somebody on IRC who owns a botnet? – Paul Tomblin Oct 10 '10 at 15:38
- @Paul_Tomblin - I don't know, and agree, I'm thinking it's not in the order of millions per minute. All I know is that pings appear to cause ssh/http timeouts. What's the best way to count/log/view pings? Since ICMP traffic is not over a port, I can't use something like [# netstat -n | grep :80 |wc -l]. It appears that [# snoop -q -o tmp/filename.txt], kill snoop, then [snoop -t r -v -i filename.txt] would work, but I'm not sure. Whatever the cmd, it has to work even if I lose connection to the box, since ssh/http traffic is up and down. – blunders Oct 10 '10 at 16:40
2 Answers
Doing everything is complicated and depends on the magnitude of the denial of service. It may involve contacting your ISP, their upstream provider and maybe other providers too. But for the case of a single server, the cooperation of those who manage your default gateway is needed. iptables will not stop traffic from coming to the server. It simply sets the policy of how to deal with traffic that reaches it. If you need to stop ICMP traffic from reaching the server, you must first contact the administrators of your default gateway.

You should try to stop the incoming ICMP traffic through the firewall.
This will drop the packets at a low level, preventing the OS from allocating and processing the requests (and also associated logging, if any). It will also prevent malformed packets from going up for analysis.
Besides ICMP, there are other packets you may want to block. See this page.
This page explains specifically how to block ICMP packets.

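On the question raised in the comments of how to count pings when the SSH session keeps dropping, here is an added example that is not part of any post in this thread. It uses tcpdump (assumed to be installed on the CentOS box) rather than snoop; the interface name `eth0`, the path `/var/tmp/icmp.pcap`, the function names and the sample addresses are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: count ICMP echo requests per source from tcpdump text output.
# Capture detached from the SSH session so it keeps running if the login drops
# (eth0 and /var/tmp/icmp.pcap are assumptions):
#   nohup tcpdump -n -i eth0 -w /var/tmp/icmp.pcap 'icmp[icmptype] == icmp-echo' &
# Analyse once you can log in again:
#   tcpdump -n -r /var/tmp/icmp.pcap | summarize_pings

# Reads `tcpdump -n` lines on stdin and prints "source total peak_per_second",
# busiest source first. Anything that is not an IPv4 echo request is ignored.
summarize_pings() {
    awk '
    $2 == "IP" && / ICMP echo request,/ {
        sec = substr($1, 1, 8)            # HH:MM:SS without microseconds
        src = $3
        total[src]++
        n = ++bucket[src, sec]            # requests from src in this second
        if (n > peak[src] + 0) peak[src] = n
    }
    END {
        for (s in total) print s, total[s], peak[s]
    }' | sort -k2,2nr -k1,1
}

# Constructed sample in `tcpdump -n` format (documentation address ranges).
sample_capture() {
    cat <<'EOF'
15:38:01.000100 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 4242, seq 1, length 64
15:38:01.000300 IP 192.0.2.10 > 203.0.113.5: ICMP echo reply, id 4242, seq 1, length 64
15:38:01.200100 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 4242, seq 2, length 64
15:38:01.400100 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 4242, seq 3, length 64
15:38:01.500000 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 77, seq 1, length 64
15:38:02.100100 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 4242, seq 4, length 64
15:38:02.500000 IP 198.51.100.7.51514 > 192.0.2.10.22: Flags [S], seq 1, win 14600, length 0
15:38:03.500000 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 77, seq 2, length 64
EOF
}

sample_capture | summarize_pings
```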