
How can I limit UDP/TCP packets per IP sent to my host (or better, port) per second or minute? It would be nice to ban that IP for 12/24 hours or even forever.

I have Windows Server 2008 and I'm very poor at Windows administration but quite good at Linux.

EDIT: My basic problem is that they are sending a lot of rubbish UDP and TCP packets: TCP packets without SYN, fragmented UDP packets, so my servers stop responding.

So I need to cut off users (IPs) sending more than X packets per second. I need a solution which provides me, somehow, with something configurable: X packets of a certain type (UDP, TCP or both; let's say a parameter named Z) are allowed to be received per IP on port Y, otherwise the packet should be DROPPED.

My virtual hosts are hosted by VirtualBox and I'm able to forward all incoming packets of a certain type and a certain port to the specific virtual host, but I need to DROP them before VirtualBox receives them.

[image: My Net]

WBAR
  • You have no control over what other people send to your host. Even if you "ban that IP", they'll still be sending the packets to you. You need to understand exactly how these packets are hurting you to form a strategy about how to deal with them. It's not as simple as "just ban the IP". – David Schwartz Oct 11 '12 at 11:01
  • Under Linux I can simply DROP packets to avoid too many packets being sent to my server – WBAR Oct 11 '12 at 14:43
  • Yes, you can drop them at a router or firewall to stop them from getting sent to the host. But at the host, you can't do anything about packets being sent to you. No matter what you do to them at the host, the same amount will still be sent to you. To get a useful answer, you have to identify how the traffic is hurting you. For example, if it's overwhelming your inbound bandwidth, a firewall on the host won't help. If the replies are overwhelming your outbound bandwidth, then it will. So how you fix it depends on why you need to. – David Schwartz Oct 11 '12 at 15:01
  • Let's simplify that: when an IP reaches X UDP/TCP packets sent to port Y, the firewall should drop all packets from that IP for the next Z hours, or drop them indefinitely. – WBAR Oct 11 '12 at 17:22
  • Rather than work on a solution that probably won't work to an unknown problem, you're much more likely to accomplish something useful if you describe the problem you're actually having and let people suggest solutions to you that are actually likely to work. – David Schwartz Oct 11 '12 at 23:26
  • Here's a tip that's *extremely* valuable across disciplines: Any time you're solving a relatively common problem and you propose a solution so unusual it doesn't seem anyone's even ever done that before and none of the common tools seems to fit your solution well, you're probably looking at a solution that's wrong. If it was the best solution to a common problem, everyone would be doing things that way and every guide about that common problem would tell you how to implement that solution. – David Schwartz Oct 11 '12 at 23:42

1 Answer

To be honest with you, DDoS attacks are very hard to remediate without creating redundancy at the network and server level, load balancing and blocking offending machines; even then, if there is such a coordinated effort to bring you down and they have more resources than you, well, you are SOL.

What I would recommend as the best solution would be to invest money in a hardware solution to weed out bad traffic. The Juniper SRX branch firewalls support DDoS protection and other cool features to protect your network at a relatively accessible budget.

The second solution would be to use a software-based firewall and create custom scripts that poll the network usage and react by blocking this device.

I would recommend WIPFW http://wipfw.sourceforge.net/ which comes from the BSD world.

WIPFW is an MS Windows operable version of IPFW for the FreeBSD OS. You can use the same functionality and configure it just as you would work with IPFW.

IPFW is a packet filtering and accounting system which resides in kernel mode, and has a user-land control utility, ipfw. Together, they allow you to define and query the rules used by the kernel in its routing decisions.

There are two related parts to ipfw. The firewall section performs packet filtering. There is also an IP accounting section which tracks usage of the router, based on rules similar to those used in the firewall section. This allows the administrator to monitor how much traffic the router is getting from a certain machine, or how much WWW traffic it is forwarding, for example.

As a result of the way that ipfw is designed, you can use ipfw on non-router machines to perform packet filtering on incoming and outgoing connections. This is a special case of the more general use of ipfw, and the same commands and techniques should be used in this situation.

Hugo Garcia
  • I was thinking about this, but can you provide EXACTLY the commands I need to enter? I don't want to lose remote access (the server is located nearly 300 miles (450 km) away from me). – WBAR Oct 13 '12 at 15:09
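The answer's second option, a software firewall plus a custom script that watches traffic and blocks offenders, needs the decision logic the asker spelled out: count packets per source IP for a protocol (Z) on a port (Y), and once a source passes X packets in a second, drop everything from it for a fixed number of hours. The script below is an added example written for this page; it is not code from the question, the answer, or the WIPFW project. The packet records are constructed sample data standing in for whatever capture or firewall log the poller would read, the watched port 27015 and the exempt management address 192.0.2.10 are placeholders, and the block action it emits is a `netsh advfirewall` rule string (the Windows Firewall CLI on Server 2008) rather than a WIPFW rule, which is an assumption about the enforcement point. It also builds in the exemption the last comment asks for, so the administrator's own remote-access address can never be banned by the script.

```python
"""Per-source packet-rate threshold with timed bans (added example).

Policy: a source IP may send at most MAX_PER_WINDOW packets of a watched
protocol to the watched port per WINDOW; exceeding that bans the source
for BAN_DURATION, during which every packet from it is dropped.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The asker's X, Y and Z, plus the ban length. Port and exempt address
# are placeholders (assumptions), not values from the page.
MAX_PER_WINDOW = 5                   # X: packets allowed per window
WATCHED_PORT = 27015                 # Y: placeholder destination port
WATCHED_PROTOCOLS = {"udp", "tcp"}   # Z: protocols the limit applies to
WINDOW = timedelta(seconds=1)
BAN_DURATION = timedelta(hours=12)
EXEMPT = {"192.0.2.10"}              # placeholder: admin's remote-access IP, never banned
START = datetime(2012, 10, 11, 12, 0, 0)   # constructed clock origin for the sample


class RateLimiter:
    def __init__(self, max_per_window, window, ban_duration, port, protocols, exempt):
        self.max_per_window = max_per_window
        self.window = window
        self.ban_duration = ban_duration
        self.port = port
        self.protocols = protocols
        self.exempt = exempt
        self.recent = defaultdict(deque)   # ip -> timestamps inside the window
        self.banned_until = {}             # ip -> datetime when the ban lifts

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                   # ban expired: forget it
            del self.banned_until[ip]
            return False
        return True

    def observe(self, ip, proto, port, now):
        """Classify one packet as 'accept', 'drop' (banned source) or 'ban' (threshold just crossed)."""
        if self.is_banned(ip, now):
            return "drop"
        if ip in self.exempt or proto not in self.protocols or port != self.port:
            return "accept"                # outside the policy's scope
        q = self.recent[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) > self.max_per_window:
            self.banned_until[ip] = now + self.ban_duration
            q.clear()
            return "ban"
        return "accept"


def block_rule_command(ip, proto, port):
    """Windows Firewall rule that would enforce the ban (assumed enforcement point)."""
    return (f'netsh advfirewall firewall add rule name="ratelimit-{ip}" '
            f'dir=in action=block protocol={proto} localport={port} remoteip={ip}')


# Constructed sample packets: (seconds after START, source IP, protocol, destination port).
SAMPLE_PACKETS = [
    (0.00, "198.51.100.9", "udp", 27015),
    (0.10, "203.0.113.7", "udp", 27015),
    (0.15, "203.0.113.7", "udp", 27015),
    (0.20, "203.0.113.7", "udp", 27015),
    (0.25, "203.0.113.7", "udp", 27015),
    (0.30, "203.0.113.7", "udp", 27015),
    (0.35, "203.0.113.7", "udp", 27015),   # sixth packet in one second: over the limit
    (0.40, "203.0.113.7", "tcp", 27015),   # dropped while banned, regardless of protocol
    (0.50, "198.51.100.9", "udp", 27015),
    (0.60, "198.51.100.9", "tcp", 80),     # not the watched port: accepted
]


def make_limiter():
    return RateLimiter(MAX_PER_WINDOW, WINDOW, BAN_DURATION, WATCHED_PORT,
                       WATCHED_PROTOCOLS, EXEMPT)


def run(packets, limiter, start):
    """Feed packets through the limiter; return verdicts and the block commands to apply."""
    verdicts, commands = [], []
    for offset, ip, proto, port in packets:
        verdict = limiter.observe(ip, proto, port, start + timedelta(seconds=offset))
        verdicts.append((ip, verdict))
        if verdict == "ban":
            commands.append(block_rule_command(ip, proto, port))
    return verdicts, commands


def demo():
    return run(SAMPLE_PACKETS, make_limiter(), START)


def ban_lifts_after(hours):
    """Verdict for the banned sample source when it returns `hours` after START."""
    limiter = make_limiter()
    run(SAMPLE_PACKETS, limiter, START)
    return limiter.observe("203.0.113.7", "udp", WATCHED_PORT, START + timedelta(hours=hours))


if __name__ == "__main__":
    for (ip, verdict) in demo()[0]:
        print(ip, verdict)
    for cmd in demo()[1]:
        print(cmd)
```

The commands are returned rather than executed so the poller can review them first; a real deployment would also add a matching `delete rule` step when `banned_until` passes. The caveat from the comment thread still applies: this only stops the host from processing or answering the packets, so it helps when the replies or the per-packet handling are what hurts, and does nothing for inbound link saturation, which only an upstream device can relieve.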