Networking :: System / Script To Detect Outgoing DOS Flood?
Oct 16, 2010
I run a CentOS server that quite a few people have access to. I trust every user on the system, but I've had problems before, like one user's account getting hacked and someone starting to use my box to DDoS. Each user has their own IP. I would like to write a script or use an existing solution (if one exists) to monitor the number of TCP/UDP connections each minute and see if it's unusually high. I don't want it to stop the flooding or anything; I just want to be notified by email or something.
Aug 3, 2011
I want to test a SYN flood attack on my PC, but I don't know how to generate it. Can you tell me how to generate a SYN flood attack on a PC?
Jun 26, 2011
One thing I'm not quite certain about is suitable limit rates for SYN, LOG and ping flood prevention. I suppose it depends a bit on traffic, as well as bandwidth. However, I don't want to limit the former. FWIW, I expect about as much traffic as a country road in the middle of nowhere, and my bandwidth for requests is 15 Mbps (don't laugh; content delivery is a pathetic 2 Mbps; that's a residential cable connection for ya...). Of all the tutorials/examples, I chose to go with Rusty Russell's limits, though they're dated 2002. Thus an excerpt of my firewall "script":
Code:
#!/bin/sh
# Saved in /etc/init.d, runlevels 2 3 4 5
[code]...
Sep 29, 2010
I have looked through many different forums and tutorials on how to get Samba to work. I am new to Ubuntu (Linux in general). I am able to access my shared folders on my Windows 7 system from my Ubuntu system. I cannot access the shared files on my Ubuntu system from my Windows 7 system, though.
Jul 10, 2011
I've been trying to revive my old Acer Aspire 3680, which is supposed to have an Acer InviLink 802.11b/g Wi-Fi CERTIFIED solution supporting Acer SignalUp wireless technology, as shown in the specification. The system simply doesn't detect Wi-Fi and I don't know how to make it work.
Dec 8, 2009
I have a Broadcom Corporation BCM4312 802.11b/g (rev 01) wireless card. I installed these packages:
broadcom-wl-5.10.91.9.3-1.fc12.noarch
akmod-wl-5.10.91.9.3-3.fc12.6.x86_64
kmod-wl-2.6.31.6-145.fc12.x86_64-5.10.91.9.3-3.fc12.8.x86_64
[code]....
uname -a says:
Linux boz.alafkhar 2.6.31.6-145.fc12.x86_64 #1 SMP Sat Nov 21 15:57:45 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
and:
# lsmod | grep wl
wl 1278432 0
lib80211 6436 2 lib80211_crypt_tkip,wl
[code]....
My NetworkManager understands that the card is installed, but it cannot find any network. Also, iwlist scan gives me no result. I did not have this problem on earlier Fedora releases. Recently I upgraded to F12 from F11. I should mention that I have another USB D-Link wireless card, and when I plug it in, everything works fine with that card. I also tested the wl_apsta driver using fwcutter. It did not work either.
Feb 7, 2011
I have a Postfix system that sends a lot of emails to customers and web site visitors. A lot of visitors just enter an invalid email in the web form just to download some files or do other tasks. Is it possible to BLACKLIST specific email addresses so the system does not send to those addresses? I can grep all those fake emails from the Postfix mail log and place them somewhere.
Jun 23, 2010
I am testing my setup, which will have 2 public servers, HTTP and MAIL, both with reverse DNS established.
www.mydomain.no -> xxx.xxx.xxx.034 -> internal name server
mail.mydomain.no -> xxx.xxx.xxx.035 -> internal name mail
Both addresses are on the same NIC with 34 being the main address.
The system works fine except for one thing. The IP address mail sends out from is the firewall address _FW. I can see why, as the default gateway set on the mail server is the FW_IP (the main gateway IP). How can I get the MAIL server to send through its own public IP? I understand I can change the firewall public IP to that of the mail server and that would cure the problem for now. If it's possible I would like to learn a little in the process.
Dec 7, 2010
Unsure about iptables lingo, so excuse me for not looking this up: I have a server, running iptables, on which I do not want to allow any type of outgoing traffic to 192.168.1.21.
Jun 11, 2009
I have a network like
Node A to Vlan Switch
Node B to Vlan Switch
Node C to Vlan Switch
Node B is set up to be a middle man between A and C.
All nodes have 1 NIC.
They are all linux boxes. Node B can ping Node C. When I try to ping Node C from Node A, the ping just hangs forever.
When I use Wireshark to sniff what's going on with Node B during a ping from Node A to Node C, I can see an ICMP request with src = Node A and dest = Node C. I'd like to know if that ICMP packet was received by B from A or if it is going out. If it's going out, that makes no sense, since B knows how to send to C. If B is only getting the requests but not forwarding them, then I know there is something wrong with B's configuration.
So I'd like to be able to sniff incoming packets only, or outgoing packets only. Is there a way to do this?
Jan 22, 2011
How do I get iptables to log a UDP flood of under 64 packets to a file?
May 15, 2010
Specs: Toshiba lappy
110 GB HDD, 1 GB RAM, Core 2 Duo 1.6 GHz, Nvidia 7600
Windows XP Pro Service Pack 3
Jaunty Jackalope
My problem is: I wanted to repartition (shrink XP and create a partition for data storage) my HDD using the GParted live CD 0.5.2-9. Everything went fine until I clicked exit and reboot. After the CD tray automatically ejected I got a flood of "VFS: busy inodes on changed media or resized disk sr0". This doesn't stop until I press Enter. After that it reboots normally and there is no problem with the OS.
My questions: 1) Is that flood anything bad, and is there a way to avoid this? I read somewhere that the problem is solved by using the terminal: sudo eject, then push back the CD tray, then sudo eject -t. I tried that but it said it failed because the GParted CD is in use.
2) The first time that happened I didn't know what to do, so it flooded for 15 min or more until I pressed Enter. My question is whether the flood is being saved anywhere on the PC so that I have to delete it.
And a question regarding extended partitions: 3) I have 50 GB left that I want to use for data storage. I read that you can only have one extended partition. So since there is already one extended partition from Ubuntu, I can't have another one for Windows? So I can only make the data partition primary, or is there another reason why "create extended partition" is greyed out?
Last question: 4) When I set up the partition for swap I made it 1032 GB big, but in GParted it shows 980.53 MB. Is that still enough, or why is it like that? Somehow the sizes of the partitions seem a bit different than they originally should be. I'm actually used to seeing the size shrink a bit, but I found it weird that the Ubuntu partition shows 4.76 when it should be 4.5 GB. I know it's not much different, but I'm just curious to know why.
Partition order: Windows - unallocated (--> data partition) - Ubuntu (primary) - home folder (extended) - swap
In Windows the partitions are shown as: Windows XP (31,74 GB) - unallocated (50,05 GB) - 4,76 GB unknown - 24,27 GB unknown - 981 MB unknown
In GParted it's almost the same; the only difference is that there is unallocated space (7 or 8 MB) between the home folder and swap.
Feb 21, 2011
Banning the IP is the best way to protect your server, but of course the attacker can use another IP and use a lot of your bandwidth until you find and ban that IP. So the only thing we can do to prevent this is block the packets with the iptables length module.
I check the bandwidth usage through "iftop". Incoming traffic is always around 120 kb/second, and that has to be that way, because the traffic enters my server regardless of whether it gets dropped by iptables later.
The actual thing the DDoS (UDP flood) does is that it causes outbound traffic that eats up around 5 mb/second easily, and my servers lag. Only if the IP is banned does the outbound traffic come to an end.
Now I want to use the length module to block it, but it just won't work. I've tried the following and shuffled them too, but no help.
Code:
iptables -I INPUT -p udp -m length --length 15 -j DROP
iptables -A INPUT -p udp -m length --length 15 -j DROP
Packet length is 15 according to tcpdump:
Code:
19:49:34.504864 IP fms-02.colt.net.belgamanagement.be.56413 > nyc.v1servers.com.20100: UDP, length 15
Jul 6, 2011
Is there any way to point certain packets from my outgoing traffic to a LAN IP:port?
Can iptables do this? If yes, how? Something like this [URL]?
Oct 11, 2010
On our webhosting servers, where primarily Apache is running, sometimes huge outgoing traffic starts to random IP addresses (each time of attack it is just one IP). It's always UDP, and according to my investigation with tcpdump it looks like P2P. The problem is firstly the big outgoing traffic, and secondly the filling of the ip_conntrack table /proc/net/ip_conntrack. I think that one of our webhosting users has some virus uploaded on his FTP, which is run from time to time. I think that if I can map outgoing traffic to a particular process ID, it will be easy to find the PID in the access log of the webserver and then see what URL causes it.
What I have checked already:
- outgoing UDP connections are not listed in netstat, so I cannot get the PID from there
- Apache with PHP is in safe mode: it cannot exec binaries, and CGI is disabled
- I can see tons of records in tcpdump, but from the dump I'm not able to get the PID
- at the time of the attack I was trying to run `lsof`, but nothing to see; I didn't find the attacker
- I went through the Apache access log: I took the time of the attack, i.e. 02:22 am, grepped from the access log all hits between 02:20 and 02:29 am and tried to call them all again; the problem didn't occur
- checked the POST records from the access log: nothing
- grepped all PHP files for the keywords 'fsockopen' and 'torrent'
- from iptables --log-uid I have found the user nobody (under which Apache is run)
I think that the key is being able to match an outgoing connection to a PID; then it will be easy.
Dec 6, 2010
I've been trying to redirect all outgoing packets (destined for a specified IP address) from my Slack box back to itself. I thought this could be done with iptables, but if I fire up Wireshark I can clearly see that the packets are getting out to the real server and I'm getting responses from it.
So here's what I tried:
All looks good and fine, and then I even try to visit 194.28.157.42 with Firefox (by the way, I am running a webserver that is set to show a page when you visit 127.0.0.1) and I get an error page that reads: 502 Bad Gateway.
I ignored this message to see what the program I'm trying to interrupt does, and when I start Wireshark and then start the program that is using that website, I can clearly see that the packets make it to the real 194.28.157.42 and get back responses.
Feb 22, 2010
How would one forward a specific outgoing port to a local computer?
E.G.
Router: 192.168.1.1
Comp 1: 192.168.1.100
Comp 2: 192.168.1.200
When Comp 1 tries to browse to an internet page, forward that connection via the router to Comp 2 to display a custom webpage. Using a WRT54GS.
Nov 10, 2010
My computer froze solid, and it would not react to anything. X didn't react to Ctrl+Alt+Backspace, nor to Ctrl+Alt+Del, so I had to turn it off using the power button.
This is the first time my computer has frozen like this; the log files did not reveal any HW errors. Is it possible that someone in the channel did not like my level of Java skill, and flooded me to disconnect?
By the way, I'm using Slackware 13.1 with the default kernel (2.6.33.4) and irssi as IRC client.
I know that if you e.g. ICMP-flood someone, the traffic will be denied, but can it provoke other behavior from the computer?
So my question is: can an IRC flood/DDoS attack cause a computer to freeze sub zero?
Nov 13, 2010
I have a couple of interfaces in a Fedora 14 box:
eth0: internet provided by an adsl router
eth1: LAN
I set up system-config-firewall to masquerade all outgoing traffic on eth0, as I did on other Fedora 13 boxes, but it seems it doesn't work. It sets /proc/sys/net/ipv4/ip_forward to 1 and also sets the appropriate rules in iptables. But all traffic is blocked from the LAN to the Internet. "ping www.google.com" works on the Fedora box, but doesn't work on the LAN computers using the F14 IP as gateway. I have another F13 computer elsewhere configured this way and it works fine. But this one has Fedora 14.
Jun 9, 2011
I use a server with 3 NICs:
eth0 192.168.2.100 (internal Web, Mail)
eth1 192.168.3.100 (Default Gateway nic for clients)
eth2 192.168.3.110 (should be default Gateway for all outgoing traffic not belonging to 192.168.2.100 and 192.168.3.100)
They are all on the same machine.
I cannot set eth1 or eth2 as default gateway, as outside requests to eth0 would be handled in a false manner (somehow).
Is there an easy iptables rule to say that outgoing traffic not belonging to my networks can be redirected to a specific NIC (eth2)?
Feb 16, 2010
I'm running Ubuntu 8.04.3 server on my XP Pro SP3 machine using VMware. I'm trying to set up a static IP address, but I can no longer ping anything except my router (not even the XP machine it's hosted on). I'm using "bridged" mode in VMware.
Here's my /etc/network/interfaces file:
Code:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.1.50
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
Apr 27, 2010
I have CentOS 5.3 with ISPConfig 3 installed. I have noticed that some mail I sent out was lost, especially email with a subject like "a" or "aa". I think Amavis blocks my email. Please tell me how to configure Amavis to allow all outgoing email from Postfix.
Aug 2, 2010
My server ended up on 1 (just 1) block list and I'm finding it very difficult to convince myself that it was just an error of some kind. Can anyone think of any giveaways at the packet or port level that some program is sending spam from my server without using the normal MTA (nothing suspicious is showing up in the sendmail logs)?
Nov 4, 2009
I have a Linux iptables firewall on CentOS 5.3. It has one physical interface to the internet and 2 internal interfaces to a DMZ and a TRUSTED zone respectively. There are 10 virtual interfaces linked to the physical public interface. Emails are being sent from my server in the DMZ out to the internet, but they are being shown as coming from the firewall IP address. They must show as coming from one of the virtual interfaces.
Dec 15, 2010
It's been several years since I played with iptables. I have a setup like this: eth0 is the only physical device on the box and eth0:0 is aliased. Traffic going out of the box to the internet uses eth0.
eth0 116.55.58.1
eth0:0 116.55.58.2
I have a service listening on port 80 on 116.55.58.2. Let's say my client connects to 116.55.58.2:80 through 116.55.58.1; how do I force (mangle, you name it) with iptables that the outgoing source address will always be 116.55.58.2?
Oct 11, 2010
Trying to install 10.10 netbook edition on my MSI U230 netbook from a USB drive. I keep getting the error "hyper transport sync flood error occurred on last boot" Press F1 to Resume. F1 just causes a reboot and the same thing happens. Has anyone seen this error? It happens with both the netbook and desktop versions.
Oct 5, 2010
On my Fedora 13 machine, while on mobile broadband, I can ping and Skype outside, but cannot browse/yum etc. Some output that may be of relevance is here:
$ netstat -s
IP:
149468 total packets received
6 with invalid headers
16174 with invalid addresses
0 forwarded
0 incoming packets discarded
118821 incoming packets delivered
101331 requests sent out
124 outgoing packets dropped
866 dropped because of missing route .....
Aug 12, 2010
I've noticed recently that a lot of outgoing internet traffic is generated by my laptop (running Ubuntu 10.04 - 64 bit). This wasn't the case previously. I only found out because my wireless broadband traffic allowance suddenly was used up very quickly. I've installed ntop to try to find out where all this traffic is going to.
I did find that there were a very high number (at one stage over 11.000) of active TCP/UDP sessions (see attached screenshot). Although the traffic generated by each is only small (about 100 bits/bytes, not sure which), multiplied by thousands it makes a fair bit of traffic. I wonder if I've got some kind of a virus/bug, or do I have a configuration problem with my laptop?
Jan 6, 2011
I need to configure iptables to block incoming traffic (except on specific ports), but allow all outgoing traffic.
I am able to block incoming traffic, but doing so also prevents outgoing traffic (tested by telnet [URL] 80).
The following was used:
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -j DROP
Also, even allowing non-SYN packets still prevents outgoing traffic:
iptables -I INPUT 1 -p tcp ! --syn -j ACCEPT
Another point:
# modinfo ipt_state
modinfo: could not open /lib/modules/2.6.18-028stab070.14/modules.dep
How do I install the ipt_state module on Ubuntu?
May 6, 2010
I need to make a rather odd filter in tcpdump: I would like to capture only those packets on interface eth0 that are outgoing (in other words, from IP 192.168.1.1, which is the IP for eth0 on this computer) and don't have the src MAC address 11:22:33:44:55:66. However, the following command says that the syntax is wrong:
Code:
tcpdump -n -p -i eth0 src host 192.168.1.1 ether src not 11:22:33:44:55:66
Is this possible? If yes, then what is the correct command?