Iptables – How to block tcp-reset with iptables to combat DDoS attacks

Tags: ddos, iptables

I have someone flooding me with random packets on random ports that are closed.

My server is responding to this with tcp-reset packets I think which is chewing up the outbound bandwidth too.

How do I use iptables to block tcp-reset packets?

Best Answer

The DROP target is the one you want.

If you only have the single box and no other machines in your network are making connections to it, you could get away with blocking all RESET packets.

-A OUTPUT -p tcp --tcp-flags RST RST -j DROP

See packet-filtering-HOWTO-7 for details

This is not very polite to legitimate connections if you happen to be down and it can cause unneeded timeouts in established connections that need to use a RESET packet. It's not a great idea permanently but if it allows you to handle a DDoS then it should be OK temporarily.

If your normal usage of this box relies on RESET packets working for normal users and you want to only block the RESET packets for the attacker, you will want to identify the malicious packets so we can block only those.

Are these packets truly random or is there something they all have in common?

-A INPUT -p tcp -j LOG

If you add a LOG line to the end of your iptables config, you can use that log to analyse the inbound packets to see if there's a pattern. A scatter plot of the source and destination port numbers will probably be useful. Plotting the IP addresses on an IP-space map could possibly help to identify malicious and benign ranges although I suspect this is less likely to produce useful results. Simply counting the number of attacking IP addresses will be useful. If it's a small enough number, you can simply add them all to the iptables config.

Even if you don't find a pattern, since there is definitely a pattern based on "too many reset packets" you can create a fail2ban rule that will add a DROP rule for any IP address that causes more than x RESET packets in y seconds.
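A worked version of the log analysis and the "x RESET/SYN packets in y seconds" threshold described above, added here as an example and not part of the original answer. It assumes the LOG rule's output reaches syslog with the kernel uptime stamp in brackets (the usual "kernel: [ 123.456] IN=eth0 ... SRC=... DPT=..." form); the sample lines are constructed, and the chosen threshold values are illustrative.

```python
import re
from collections import defaultdict, deque

# Fields of an iptables LOG line that the analysis needs; the kernel uptime
# stamp in [brackets] is used as the clock (assumption about your syslog format).
LOG_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\].*?SRC=(?P<src>\S+).*?DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)(?:.*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_log_line(line):
    """Return a dict for one LOG line, or None if it is not an iptables LOG entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "src": m.group("src"), "dst": m.group("dst"),
           "proto": m.group("proto"), "spt": m.group("spt"), "dpt": m.group("dpt")}
    # TCP flag names appear as bare tokens after the ports (e.g. "SYN", "RST")
    rec["flags"] = {f for f in ("SYN", "ACK", "RST", "FIN") if re.search(r"\b%s\b" % f, line)}
    return rec

def find_offenders(lines, max_hits, window):
    """Sources that send more than max_hits logged packets within any window of
    `window` seconds (the same idea as fail2ban's maxretry/findtime pair)."""
    recent, offenders = defaultdict(deque), {}
    for rec in filter(None, map(parse_log_line, lines)):
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > max_hits:
            offenders[rec["src"]] = max(offenders.get(rec["src"], 0), len(q))
    return offenders

def port_spread(lines):
    """Distinct destination ports per source: a quick stand-in for the scatter plot."""
    ports = defaultdict(set)
    for rec in filter(None, map(parse_log_line, lines)):
        ports[rec["src"]].add(rec["dpt"])
    return {src: len(p) for src, p in ports.items()}

def drop_rules(offenders):
    """Render iptables-save style DROP lines for the offending sources."""
    return ["-A INPUT -s %s -j DROP" % ip for ip in sorted(offenders)]

def _line(ts, src, dpt, flag):
    # Constructed sample line in the kernel's iptables LOG format (documentation addresses).
    return ("kernel: [%11.6f] IN=eth0 OUT= SRC=%s DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 "
            "TTL=55 ID=0 DF PROTO=TCP SPT=40100 DPT=%d WINDOW=1024 RES=0x00 %s URGP=0" % (ts, src, dpt, flag))

# Six SYNs to scattered closed ports in 1.5 s from one host, two normal packets from another.
SAMPLE_LOG = [_line(100.0 + 0.3 * i, "203.0.113.7", 8000 + 37 * i, "SYN") for i in range(6)] + \
             [_line(100.1, "198.51.100.9", 22, "SYN"), _line(130.0, "198.51.100.9", 22, "ACK")]
```

Running `find_offenders(SAMPLE_LOG, 4, 5.0)` flags only 203.0.113.7, and `port_spread` shows it hitting six different ports versus one for the benign host.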
