Turning off network during Incoming DDOS
Sometimes on a server of mine, there is unsolicited incoming traffic (mix of random ports & random protocols beyond tcp/udp/icmp also) which starts peaking at 1 to 2 GBit/s while the outgoing remains normal (which usually is zero/negligible). I noticed that if I leave it as it is, it takes 5-10 mins to subside. But if I turn the network off using:
ifdown eth0
and turn it up after a minute, the menace is mostly gone. But cutting off net access like this isn't really ideal for a server, and I was wondering whether a rule like:
iptables -I INPUT -i eth0 -j DROP
iptables -I OUTPUT -o eth0 -j DROP
(with some exceptions in the firewall) is equivalent to the ifdown in this context? Will it have the same effect? If yes, which iptables table (raw?) would be best for blocking all the traffic?
Thanks.
linux networking firewall iptables denial-of-service
asked Mar 9 at 5:58 by Sam (edited Mar 9 at 6:03)
1
If it were a DDoS it wouldn’t stop because you shut the interface down. So we’re making some assumptions here that don’t really add up. Therefore, without a proper diagnosis of what is actually happening it’s not possible to say if setting firewall rules will do the same thing as bouncing the interface. The two things are not the same. Edit your post and explain why you think it is a DDoS. What diagnostic procedures did you use to come to that conclusion? Also explain your network configuration.
– Appleoddity
Mar 9 at 6:09
1
What @Appleoddity said. On top of that: even if you establish firewall rules that drop the packets, the packets still eat bandwidth on the wire to the interface, and CPU time to drop them. The only reasonable thing would be to ask your ISP for help.
– tink
Mar 9 at 8:47
Are you sure that there is really an external attack, or is this maybe a malfunction with your router or some other device on your local network?
– harrymc
Mar 9 at 17:10
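To put numbers behind the diagnosis the comments ask for, this added example (not part of the original thread) computes inbound and outbound rates for one interface from two /proc/net/dev snapshots; the snapshot data and the function names are constructed for illustration. These counters are updated by the NIC driver before netfilter runs, so packets discarded by an iptables DROP rule still count as received.

```shell
#!/bin/sh
# Added example: per-interface rx/tx rate from two /proc/net/dev snapshots.
# Function names and sample data are constructed for illustration.

# counters IFACE < snapshot  -> "rx_bytes rx_packets tx_bytes tx_packets"
counters() {
    awk -v ifc="$1" '
        { sub(/:/, " ") }   # handles both "eth0: 123" and "eth0:123"
        $1 == ifc { print $2, $3, $10, $11; found = 1 }
        END { exit !found }'   # non-zero status if the interface is absent
}

# rates IFACE BEFORE AFTER SECONDS -> "rx_mbit tx_mbit rx_pps tx_pps"
rates() {
    b=$(printf '%s\n' "$2" | counters "$1") || return 1
    a=$(printf '%s\n' "$3" | counters "$1") || return 1
    echo "$b $a $4" | awk '{
        printf "%d %d %d %d\n",
            ($5 - $1) * 8 / $9 / 1000000, ($7 - $3) * 8 / $9 / 1000000,
            ($6 - $2) / $9, ($8 - $4) / $9 }'
}

# Constructed snapshots, taken 10 seconds apart during an inbound peak.
SNAP_BEFORE='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1200 10 0 0 0 0 0 0 1200 10 0 0 0 0 0 0
  eth0: 5000000000 4000000 0 0 0 0 0 0 800000 9000 0 0 0 0 0 0'
SNAP_AFTER='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1200 10 0 0 0 0 0 0 1200 10 0 0 0 0 0 0
  eth0: 6875000000 6500000 0 0 0 0 0 0 825000 9200 0 0 0 0 0 0'

# Inbound about 1500 Mbit/s at 250000 packets/s, outbound close to zero.
rates eth0 "$SNAP_BEFORE" "$SNAP_AFTER" 10

# On a live host:
#   b=$(cat /proc/net/dev); sleep 10; a=$(cat /proc/net/dev)
#   rates eth0 "$b" "$a" 10
```

Comparing the output with and without a DROP rule in place shows whether the rule changes what arrives on the wire or only what the host does with it afterwards.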