Linux Iptables writing new rule for limit a DoS Attack

Question

Recently, I have experienced a DoS attack so i decide write a new rule to stop the attack but my knownledge is not enough to do this,

so any hint or help will be appreciated

Attack log attachment-ed below, Also my current tables is attached too

My Rules:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allow LoopBack
-A INPUT -i lo -j ACCEPT

# Allow New Connection Only On Ports ( 22 - 3724 - 3799 ) And Maximum Connection Limited At 15
-A INPUT -i eth0 -p tcp -m multiport --dports 22,3724,3799 -m state --state NEW,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT

# Allow Ping ( Only 2x Ping Per a Sec )
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 2/sec --limit-burst 2 -j ACCEPT

# Allow LoopBack
-A OUTPUT -o lo -j ACCEPT

# Allow Established Connection
-A OUTPUT -o eth0 -p tcp -m multiport --sports 22,3724,3799 -m state --state ESTABLISHED -j ACCEPT

# Allow Ping ( Only 2x Ping Per a Sec )
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 0 -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
COMMIT

Attack Log: http://paste.ubuntu.com/12019024/

Also if my rules need rewrite/edit tell me

Thank you

Answer 1

According to your log, the SYN packets are originating in your loopback interface and your eth0 is sending SYN ACK in response to a lot of random public IPs. As @Oliver pointed out in the comment above, your server may be compromised. I would remove server off the network and look into how to rectify a compromised server.

http://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server

How do I know if my Linux server has been hacked?

https://major.io/2011/03/09/strategies-for-detecting-a-compromised-linux-server/