Hi all, I was just wondering if anybody had any info regarding SYN flooding and/or any of the other types of attacks on ircd servers.
I am running Unreal 3.2 coupled with Anope services, and I am running it all on a Linux Red Hat box. I was wondering if anybody had some advice on how to limit the effects of these types of attacks. My server has been hit a few times in the past week or so, and the end result is that the server has, of course, gone down. I have only just moved across to Linux, so I am still about as noob as you can be when it comes to this system. I have been doing a lot of reading up on the subject, and for the most part there is nothing I can do. Well, I thought I would ask my fellow IRC server runners if you have anything or have done anything that may limit or prevent these types of attacks.
Ice2003
DDoS attacks
Well, if you just have one single server, you can't do much... It's easy to attack one target...
If you have a network, you can do more...
http://www.vulnscan.org/UnrealIRCd/unre ... tml#secDoS
But it is of course still annoying...
Since you are talking about (D)DoS attacks... most of those floods are not targeted specifically against the ircd. A SYN flood never reaches the ircd process; it's handled by the OS (and Linux can protect against that, see syncookies, and be sure to enable them). Most (D)DoS floods, however, are data floods targeted at your server; in that case there's not much you can do, because even if you somehow can block them, your internet connection is already filled ('flooded'), well... except what you probably have read already: work together with your [upload] provider to filter it there.
Unfortunately, quite often filtering the (D)DoS traffic is not possible, because if the packets are not of a certain type (e.g. ICMP, UDP, or to an unused port, or any other properties/flags) it's hard to distinguish between 'valid' and 'bad' traffic (that's true for most routers at least :p).
As Dukat says, for networks there are a few other tips.
He's right; you'd need to work with your ISP or NOC (Network Operations Center). It's called DDoS because it's Distributed Denial of Service. Distributed means it hits you blindly and there's no way to reject it. Well, there are, but that's what Distributed is in a Denial of Service. Disabling ICMP relay and using simple methods such as ignoring ping requests are one way to limit DDoS. When it comes to SYN, which is your case, you can't really stop that, except set a script on your firewall to ignore the IPs of the attackers, which works quite effectively. Firewalls should have an IP DENY function somewhere, as far as I know. Windows firewalls normally ignore the IPs for you automatically. Unix firewalls should have a scripting language you can use to modify the instructions. So yes, you can stop the attacks. I hope this helped.
About (D)DoS attacks and Linux firewalls: yes, for instance, iptables can do some things to protect you from, for example, SYN floods, port scanners and the ping of death. See the Linux 2.4 Packet Filtering HOWTO (in the "Other Match Extensions" subsection, near the end, before the graphs), although I haven't tested those yet.
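The Linux-side advice given in this thread (enable syncookies, rate-limit SYNs and pings with iptables, deny individual source IPs) pulled together as one reviewable script. This is an added example, not a script from any poster or from UnrealIRCd; the ircd port (6667), the 20/s limit and the 192.0.2.10 address are assumptions and constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Defensive settings for a Linux ircd host:
# the functions print sysctl settings and iptables commands so they can be
# reviewed first; "--apply" runs them (needs root, sysctl and iptables).

IRCD_PORT="${IRCD_PORT:-6667}"   # assumption: the ircd listens on TCP 6667

# Kernel-side SYN flood defence: with syncookies, half-open connections from
# a flood no longer exhaust the listen backlog (the OS, not the ircd, handles it).
syn_flood_sysctls() {
  cat <<'EOF'
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096
net.ipv4.tcp_synack_retries=2
net.ipv4.icmp_echo_ignore_broadcasts=1
EOF
}

# iptables rules: cap the new-connection (SYN) rate to the ircd port and rate-limit
# echo requests rather than dropping ICMP entirely. Caveat: during a real flood,
# legitimate clients above the limit are dropped too; tune 20/s to your user base.
syn_flood_rules() {
  port="$1"
  cat <<EOF
iptables -N SYN_LIMIT
iptables -A INPUT -p tcp --dport $port --syn -j SYN_LIMIT
iptables -A SYN_LIMIT -m limit --limit 20/s --limit-burst 50 -j RETURN
iptables -A SYN_LIMIT -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
EOF
}

# The "IP DENY" a poster mentioned: one rule per source address, inserted at
# the top of INPUT so it is matched before everything else.
deny_ip_rule() {
  printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$1"
}

apply_all() {
  syn_flood_sysctls | while IFS= read -r kv; do sysctl -w "$kv"; done
  syn_flood_rules "$IRCD_PORT" | sh -e
}

case "${1:-}" in
  --apply) apply_all ;;
  *) syn_flood_sysctls; syn_flood_rules "$IRCD_PORT"; deny_ip_rule 192.0.2.10 ;;  # constructed sample IP
esac
```

Run without arguments to print the settings and rules for review; the rate limits only help against SYN floods, since a bandwidth flood is already filling the link before iptables sees it, as the thread points out.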