Build Your Own DDoS Protection With Linux & IPtables

iptables-ddos-protection.txt

DEV=eth0
PORT=80


### Use SYNPROXY ###
/sbin/iptables -t raw -A PREROUTING -i $DEV -p tcp -m tcp --syn --dport $PORT -j CT --notrack         
/sbin/iptables -t mangle -A INPUT -i $DEV -p tcp -m conntrack --ctstate INVALID,UNTRACKED --dport $PORT -j SYNPROXY \
         --sack-perm --timestamp --wscale 7 --mss 1460         
/sbin/iptables -t mangle -A INPUT -i $DEV -p tcp -m conntrack --ctstate INVALID --dport $PORT -j DROP

         
/sbin/sysctl -w net/ipv4/tcp_timestamps=1
/sbin/sysctl -w net/ipv4/tcp_syncookies=1
/sbin/sysctl -w net/netfilter/nf_conntrack_tcp_loose=0
/sbin/sysctl -w net/netfilter/nf_conntrack_max=5000000
echo 5000000 > /sys/module/nf_conntrack/parameters/hashsize

##--------------------------------------------------------------------------------------------------------------------##
### DROP packets that are NEW, coming too faster than 200 SYN pps per src subnet ###
/sbin/iptables -t raw -A PREROUTING -i $DEV -p tcp -m tcp --dport $PORT --syn -m hashlimit --hashlimit-above 200/sec \
         --hashlimit-burst 1000 --hashlimit-mode srcip --hashlimit-name syn --hashlimit-htable-size 2097152 \
         --hashlimit-srcmask 24 -j DROP
       
##--------------------------------------------------------------------------------------------------------------------##       
### Drop SYN packets with suspicious MSS value ###
/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

##--------------------------------------------------------------------------------------------------------------------##
### Block spoofed packets ###
/sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP   

## Method 1
/sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP

## Method 2

ipset -N SpoofedPackets nethash
ipset -A SpoofedPackets 224.0.0.0/3
ipset -A SpoofedPackets 169.254.0.0/16
ipset -A SpoofedPackets 172.16.0.0/12
ipset -A SpoofedPackets 192.0.2.0/24
ipset -A SpoofedPackets 192.168.0.0/16
ipset -A SpoofedPackets 10.0.0.0/8
ipset -A SpoofedPackets 0.0.0.0/8
ipset -A SpoofedPackets 240.0.0.0/5
iptables -t mangle -A PREROUTING -m set --match-set SpoofedPackets src -j DROP


##--------------------------------------------------------------------------------------------------------------------##
### SSH brute-force protection ###
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

##--------------------------------------------------------------------------------------------------------------------##
### Protection against port scanning ###
/sbin/iptables -N port-scanning
/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
/sbin/iptables -A port-scanning -j DROP

##--------------------------------------------------------------------------------------------------------------------##
### Drop fragments in all chains ###
/sbin/iptables -t mangle -A PREROUTING -f -j DROP

##--------------------------------------------------------------------------------------------------------------------##
### Block packets with bogus TCP flags ###
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

##--------------------------------------------------------------------------------------------------------------------##
### Block smurf attacks
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp -j DROP

##--------------------------------------------------------------------------------------------------------------------##
### Drop excessive RST packets to avoid smurf attacks
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

##--------------------------------------------------------------------------------------------------------------------##
### How to identify the IP that is attacking you
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n 

### How to disconnect clients from your network interfaces (apt-get install dsniff)
tcpkill host xxx.xxx.xxx.xxx

# Hint: Monitor nf_conntrack usage searched, found, new, etc.:
lnstat -c -1 -f nf_conntrack