3

Someone is DoSing my server. It is not a DDoS attack as there is only one server involved in this attack. I simply put the following iptables rule in place to drop all the packets coming from the attacker:

iptables -I INPUT 1 -s IP_OF_ATTACKER -j DROP

This rule worked all fine. I could see his traffic coming to my server using the iftop command. However, all my services kept going smoothly even under the DoS attack. He kept DoSing my server for 2-3 days but the iptables rule worked great to drop his packets. However, today he ran his DoS attack again with the same bandwidth but my server was dead. I captured/analyzed packets and iptables still successfully dropped all the packets.

I also ran the following command to see how much traffic was blocked by iptables:

iptables -nvL --line-numbers

22 GB of traffic was blocked over 2-3 days:

num   pkts bytes target     prot opt in     out     source               destination
1    3203K   22G DROP       all  --  *      *       ATTACKER_IP          0.0.0.0/0

Only 3 GB of traffic was blocked. However, he DoSed our server for the whole day and there was more than 100 GB of traffic (IMHO).

num   pkts bytes target     prot opt in     out     source               destination
1     707K 3553M DROP       all  --  *      *       ATTACKER_IP         0.0.0.0/0

Why was the server still down? What could have changed? Is there any other rule or protection that I can use to stop him? I already reported his IPs to the hosting company but they take 7-8 days for their investigation before shutting his servers down.

Vik

1 Answer

3

A host based firewall might protect your services, but the offending traffic still needs to be delivered to your host before it can be discarded.

Your uplink is still a finite resource, and if the amount of garbage your attacker sends increases, so will the risk of a detrimental effect on legitimate traffic. You might want to contact your hosting provider to ask whether they can support you (maybe at the edge of their network).

HBruijn
  • How come my iptables rules blocked all the traffic before but now they don't? If you look at the stats in my question, iptables blocked GBs of traffic. However, the attacker changed something and he can still DoS me. I captured traffic using tcpdump and it captures lots of packets coming from that IP. It means he found a way to bypass the iptables rules. – Vik Jun 15 '15 at 22:06
  • PS: my hosting already said they don't provide such services. I have a contract with them for 1 year. It's a dedicated server. – Vik Jun 15 '15 at 22:41
  • Wireshark shows the port as IPv4 for the flood packets. It's not even UDP :/ could this be the reason that iptables isn't blocking the attack now? – Vik Jun 15 '15 at 23:00
  • Sorry, I mean the protocol is IPv4, it doesn't show a TCP or HTTP protocol. Could you please also answer why in the past the iptables rules showed that they blocked GBs of traffic and now they don't? – Vik Jun 16 '15 at 01:23
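The answer's point is that a packet counted by the DROP rule has already crossed the uplink; the counters measure what reached the host, not what the link carried. The script below is an added example (not code from the question or the answer): it turns two readings of the rule's byte counter into a Mbit/s rate and compares that with the link capacity, which is the check that tells you whether the attacker is saturating the uplink rather than the host. The iptables output is a constructed sample in the exact format of `iptables -nvL INPUT -x --line-numbers` (`-x` prints exact byte counts instead of the K/M/G suffixes seen in the question), `ATTACKER_IP` is the same placeholder the question uses, and the 100 Mbit/s link capacity is an assumed value.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Reads the byte counter of the first INPUT rule (the attacker DROP rule)
# from two snapshots taken a known number of seconds apart, converts the
# difference to Mbit/s and reports what share of the uplink that is.

LINK_MBIT=100   # assumed uplink capacity in Mbit/s (hypothetical value)

# Print the bytes column of INPUT rule number 1.
# $1: output of `iptables -nvL INPUT -x --line-numbers`
rule_bytes() {
    printf '%s\n' "$1" | awk '$1 == "1" { print $3; exit }'
}

# Rate in Mbit/s between two byte counter readings, one decimal place.
# $1: bytes at first reading, $2: bytes at second reading, $3: seconds apart
mbit_per_s() {
    awk -v a="$1" -v b="$2" -v t="$3" \
        'BEGIN { printf "%.1f\n", (b - a) * 8 / t / 1000000 }'
}

# Integer percentage of link capacity consumed by the dropped traffic.
# $1: rate in Mbit/s, $2: link capacity in Mbit/s
link_share_pct() {
    awk -v r="$1" -v c="$2" 'BEGIN { printf "%d\n", r * 100 / c }'
}

# Constructed sample snapshots, 10 seconds apart, in iptables -x format.
SNAP_T0='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts       bytes target     prot opt in     out     source               destination
1     3203000 22000000000 DROP       all  --  *      *       ATTACKER_IP          0.0.0.0/0'

SNAP_T10='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts       bytes target     prot opt in     out     source               destination
1     3254000 22118000000 DROP       all  --  *      *       ATTACKER_IP          0.0.0.0/0'

before=$(rule_bytes "$SNAP_T0")
after=$(rule_bytes "$SNAP_T10")
rate=$(mbit_per_s "$before" "$after" 10)
share=$(link_share_pct "$rate" "$LINK_MBIT")
echo "dropped traffic arriving at the host: ${rate} Mbit/s (${share}% of a ${LINK_MBIT} Mbit/s link)"

# Live use (needs root), replacing the constructed snapshots:
#   b=$(rule_bytes "$(iptables -nvL INPUT -x --line-numbers)"); sleep 10
#   a=$(rule_bytes "$(iptables -nvL INPUT -x --line-numbers)")
#   mbit_per_s "$b" "$a" 10
# Packets lost before netfilter ever sees them show up as RX dropped/overrun
# counters in `ip -s link show <iface>`, not in the iptables counters.
```

If the rate printed here is close to the link capacity, the DROP rule is doing its job and the uplink itself is the bottleneck, which matches the answer: the only remedy is filtering upstream of your link. A DROP counter that stops growing while the service is still unreachable points the same way, because traffic that never reaches the NIC is never counted.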