how to find out the address pool for DDOS Attack IP addresses

Of recent I have been experiencing DDOS attacks against my mail server with a series of IP addresses. I have been blocking these IP addresses one by one using the firewall. The process was and is still a pain, so I contacted the ISP responsible for these IP addresses and nothing has been done. Right now I need to find out the address pool to which they belong so that I can simply block the whole damn pool of addresses. Anybody has an idea how to do this?

3

2 Answers

I suggest you to set iptables to limit number of connection per host. Ddos can use unlimited number of ip addresses

sudo iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
sudo iptables -A INPUT -j REJECT

-p tcp --dport 25 => Specifies traffic on port 25 (smtp).

-m state NEW => This rule applies to NEW connections.

-m limit --limit 50/minute --limit-burst 200 -j ACCEPT =>This is the essence of preventing DOS.

--limit-burst is a bit confusing, but in a nutshell 200 new connections (packets really) are allowed before the limit of 50 NEW connections (packets) per minute is applied.

Second rule – Limit established traffic This rule applies to RELATED and ESTABLISHED all traffic on all ports In summary, 50 ESTABLISHED (and/or RELATED) connections (packets really) are allowed before the limit of 50 ESTABLISHED (and/or RELATED) connections (packets) per second is applied.

or use set of rules for all input

sudo iptables -A INPUT -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
sudo iptables -A INPUT -j REJECT

Also you have answer from Oli and usage of whois

4

For an allocation block of IPs, you can just whois the IP you have. This will only get you as far as the ISP level usually unless you're talking about a company big enough to have its own allocations. For example, here's what I see if I enter the IP address of one of my servers:

$ whois 109.74.xxx.yyy
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '109.74.192.0 - 109.74.199.255'
...

The block there is 109.74.192.0 - 109.74.199.255. You can use a subnet calculator (or big brains) to work out that that's 109.74.192.0/21, and just block that.

... But that's a lot of servers, and not just mine.


It seems unlikely that a DDoS would be coming from just one network though. The rest of this answer assumes that we're actually talking about something coming from many networks though parts of it may still apply to single-network ingress.

Unless you can get into a command-and-control situation over this botnet —which is extremely unlikely— you'll never know the full scope of it, you'll never know which IPs it contains other than the ones that connect to you.

This may well not be a denial of service attack, it might be:

  • People trying to hack the MTA. Like any service, they occasionally contain flaws that can be tested. Mailservers are particularly talkative and poorly configured which makes them a good target. There's nothing you can do about this.

  • Is it an open relay? Are spammers just relaying their email through your machine? If you are, stop running an open relay.

I generally recommend not running mailservers. People who do it professionally, as their only job tend to do it better: focussed security, bigger and more robust networks and much better spam detection that comes from scanning hundreds of billions of incoming emails a day. The cost is usually very justifiable.

2

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like