Block IP using iptables’ Rule

by YOUNG JIN LEE 카테고리: Law | 24 views

When a DDoS attack occurs through changing the IP pattern as follows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
15.177.18.21 - - [25/Aug/2024:17:23:36 +0000] "GET / HTTP/1.1" 301 -
15.177.6.152 - - [25/Aug/2024:17:23:36 +0000] "GET / HTTP/1.1" 301 -
15.177.22.36 - - [25/Aug/2024:17:23:36 +0000] "GET / HTTP/1.1" 301 -
15.177.10.173 - - [25/Aug/2024:17:23:36 +0000] "GET / HTTP/1.1" 301 -
15.177.54.102 - - [25/Aug/2024:17:23:37 +0000] "GET / HTTP/1.1" 301 -
15.177.62.236 - - [25/Aug/2024:17:23:39 +0000] "GET / HTTP/1.1" 301 -
43.129.185.154 - - [25/Aug/2024:17:23:39 +0000] "POST /xmlrpc.php HTTP/1.1" 200 271
15.177.14.109 - - [25/Aug/2024:17:23:41 +0000] "GET / HTTP/1.1" 301 -
15.177.38.78 - - [25/Aug/2024:17:23:42 +0000] "GET / HTTP/1.1" 301 -
103.254.194.94 - - [25/Aug/2024:17:23:50 +0000] "POST /xmlrpc.php HTTP/1.1" 200 271
15.177.26.152 - - [25/Aug/2024:17:23:51 +0000] "GET / HTTP/1.1" 301 -
15.177.30.201 - - [25/Aug/2024:17:23:51 +0000] "GET / HTTP/1.1" 301 -
15.177.34.74 - - [25/Aug/2024:17:23:52 +0000] "GET / HTTP/1.1" 301 -
15.177.58.20 - - [25/Aug/2024:17:23:55 +0000] "GET / HTTP/1.1" 301 -
15.177.50.211 - - [25/Aug/2024:17:23:57 +0000] "GET / HTTP/1.1" 301 -
13.67.78.117 - - [25/Aug/2024:17:23:57 +0000] "POST /xmlrpc.php HTTP/1.1" 200 271
15.177.42.60 - - [25/Aug/2024:17:23:58 +0000] "GET / HTTP/1.1" 301 -
15.177.46.195 - - [25/Aug/2024:17:23:59 +0000] "GET / HTTP/1.1" 301 -
15.177.2.58 - - [25/Aug/2024:17:24:02 +0000] "GET / HTTP/1.1" 301 -
170.64.132.32 - - [25/Aug/2024:17:24:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 271
15.177.18.21 - - [25/Aug/2024:17:24:06 +0000] "GET / HTTP/1.1" 301 -
15.177.22.36 - - [25/Aug/2024:17:24:06 +0000] "GET / HTTP/1.1" 301 -
15.177.6.152 - - [25/Aug/2024:17:24:06 +0000] "GET / HTTP/1.1" 301 -
15.177.10.173 - - [25/Aug/2024:17:24:07 +0000] "GET / HTTP/1.1" 301 -
15.177.54.102 - - [25/Aug/2024:17:24:07 +0000] "GET / HTTP/1.1" 301 -
15.177.62.236 - - [25/Aug/2024:17:24:09 +0000] "GET / HTTP/1.1" 301 -
15.177.14.109 - - [25/Aug/2024:17:24:11 +0000] "GET / HTTP/1.1" 301 -
15.177.38.78 - - [25/Aug/2024:17:24:12 +0000] "GET / HTTP/1.1" 301 -

Blocks ‘15.177.0.0/16’ bandwidth/range access more than 15 times in 60 seconds.

1
2
3
sudo iptables -A INPUT -s 15.177.0.0/16 -m recent --update --seconds 60 --hitcount 15 --name HTTP -j DROP
// cf. iptables -A INPUT -p tcp --dport 80 -m recent --update --seconds 1 --hitcount 10 --name HTTP -j DROP
// Blocks access to port 80 more than 10 times in 1 second.

(Application 1) Blocks ‘15.177.0.0/16’ bandwidth/range access more than 3 times in 30 seconds.

1
sudo iptables -A INPUT -s 15.177.0.0/16 -m recent --update --seconds 30 --hitcount 3 -j DROP

(Application 2) Blocks ‘15.177.0.0/16’ filter ‘GET / HTTP/1.1’ string.

1
2
sudo iptables -A INPUT -s 15.177.0.0/16 -m string --string 'GET / HTTP/1.1' --algo bm -j DROP
// result: changed "GET / HTTP/1.1" 301 - to "-" 408 -

(Application 3) Rule that blocks access to TCP 2 packets per minute after 10 packets are matched in one session. (effective)

1
2
3
4
sudo iptables -A INPUT -s 15.177.0.0/16 -p tcp -m limit --limit 2/s -j DROP
// cf. iptables -A INPUT -p tcp -m limit --limit 100/m --limit-burst 10 -j DROP
// default '--limit-burst 5' when not specified
// ad 'iptables -A INPUT -s 15.177.0.0/16 -p tcp -m limit --limit 4/s -j DROP'

답글 남기기

이메일 주소는 공개되지 않습니다. 필수 필드는 *로 표시됩니다