Block all IP's from hinet.net DDOS
Posted by HostFill, 10-22-2013, 08:53 AM |
Is there any way to do it?
A lot of DDoS on UDP 53 from that domain.
They have so many IPs.
|
Posted by NBExpert, 10-22-2013, 08:58 AM |
Try these iptables rules?
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -j DROP
iptables -A OUTPUT -p udp -j DROP
Just block all UDP traffic incoming & outgoing.
|
Posted by HostFill, 10-22-2013, 09:02 AM |
Yep, but the websites go offline if I do it. =/
It's a cPanel server, with a lot of customers.
CSF is not doing a good job in this case.
|
Posted by HostFill, 10-22-2013, 09:05 AM |
It's only one of the IPs... but there are a lot of them... SO MANY IPs. lol
Block all of Asia again?
|
Posted by NBExpert, 10-22-2013, 09:08 AM |
Which operating system are you using?
Also try to limit the outbound flow rate of UDP packets:
/sbin/iptables -A OUTPUT -p udp -m state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -m limit --limit 100/s -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -j DROP
Do you know which domain is sending out the packets?
|
Posted by HostFill, 10-22-2013, 09:14 AM |
CentOS 6.4
cPanel.
I'm gonna try to limit it; anyway, if someone knows how to get all IPs from hinet.net, that will be good =)
For the domains, it's sending requests for all domains inside this server.
Thanks for help NBExpert =)
|
Posted by NBExpert, 10-22-2013, 09:16 AM |
Scan your server once with Linux Malware Detect (http://www.rfxn.com/projects/linux-malware-detect/)
Once installed, edit /usr/local/maldetect/conf.maldet and change
email_alert=1
email_addr="root"
quar_hits=1
scanthreads=5
maxfilesize="1024k"
quar_hits=1, that's why maldet does not guarantee anything
and scan
>>>----<<<<<
Post results for :- lsof -Pni | grep "xxx.xxx.xx.xx"
xxx.xxx.xx.xx = your server IP
|
Posted by HostFill, 10-22-2013, 09:28 AM |
Wow... maybe we have malware on the server?
I'll try. Anyway, ClamAV is installed and running.
rkhunter too... I have scanned with them, but nothing found.
I'll try with this =)
|
Posted by NBExpert, 10-22-2013, 09:34 AM |
Try this, its results are better. Hope it helps! Because I have a feeling that your system is infected, some domain maybe.
|
Posted by Infinitnet, 10-22-2013, 09:37 AM |
You could try to block that on layer 4 using iptables with string matching, like:
|
Posted by HostFill, 10-22-2013, 09:41 AM |
Suspect results from the lsof -Pni | grep xxx.xxx.xxx.xxx
From these IPs, it's not my normal traffic.
And the Linux malware shows 0 malware
maldet(16990): {scan} scan completed on /home/*/public_html: files 22409, malware hits 0, cleaned hits 0
|
Posted by HostFill, 10-22-2013, 09:44 AM |
When I rerun the lsof -Pni | grep "xxx.xxx.xx.xx"
A lot of results of exim with mailnull with very strange IPs
o.O
|
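The `lsof -Pni` check NBExpert asked for above is easier to read once it is tallied by process, user and remote host, which is what the exim/mailnull observation amounts to. The script below is an added example, not code from the thread or from cPanel/CSF; the sample output it parses is constructed (RFC 5737 documentation addresses, not real hosts) and it assumes the default Linux lsof column layout `COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]`. The inbound/outbound label is a heuristic (privileged local port plus ephemeral peer port means inbound), good enough to separate an MTA receiving mail from one delivering it.

```python
"""Tally `lsof -Pni` output by process, user and remote host.

Added example, not code from the thread. The sample below is constructed to
resemble what the thread describes (exim sockets owned by mailnull, plus named
and httpd); the addresses are RFC 5737 documentation ranges, not real hosts.
Assumes the default Linux lsof column layout:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)].
"""
from collections import Counter, defaultdict

# Constructed sample, not real lsof output from the thread.
SAMPLE_LSOF = """\
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
named    1201    named   20u  IPv4  12001      0t0  UDP 198.51.100.10:53
named    1201    named   21u  IPv4  12002      0t0  TCP 198.51.100.10:53 (LISTEN)
httpd    2310   nobody    5u  IPv4  23001      0t0  TCP 198.51.100.10:80->192.0.2.44:50112 (ESTABLISHED)
exim    16990 mailnull    3u  IPv4  31001      0t0  TCP 198.51.100.10:25->203.0.113.7:51234 (ESTABLISHED)
exim    16991 mailnull    3u  IPv4  31002      0t0  TCP 198.51.100.10:25->203.0.113.7:51240 (ESTABLISHED)
exim    16992 mailnull    3u  IPv4  31003      0t0  TCP 198.51.100.10:25->203.0.113.7:51251 (ESTABLISHED)
exim    16993 mailnull    3u  IPv4  31004      0t0  TCP 198.51.100.10:25->203.0.113.9:40001 (ESTABLISHED)
exim    16994 mailnull    3u  IPv4  31005      0t0  TCP 198.51.100.10:44210->203.0.113.200:25 (SYN_SENT)
"""


def _endpoint(text):
    """Split 'host:port' (IPv6 hosts arrive bracketed) into (host, port)."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), port


def _direction(state, lport, rport):
    """Heuristic: a privileged local port with an ephemeral peer port is inbound."""
    if state == "LISTEN" or not rport:
        return "listening"
    if lport.isdigit() and int(lport) < 1024 and not (rport.isdigit() and int(rport) < 1024):
        return "inbound"
    return "outbound"


def parse_lsof(text):
    """Return one dict per socket line of `lsof -Pni` output."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue  # header or a line that is not a socket
        local, _, remote = parts[8].partition("->")
        lhost, lport = _endpoint(local)
        rhost, rport = _endpoint(remote) if remote else ("", "")
        state = parts[9].strip("()") if len(parts) > 9 else ""
        records.append({
            "command": parts[0], "pid": int(parts[1]), "user": parts[2],
            "proto": parts[7], "local": lhost, "lport": lport,
            "remote": rhost, "rport": rport, "state": state,
            "direction": _direction(state, lport, rport),
        })
    return records


def remote_counts(records):
    """Sockets per remote host, across all processes."""
    return Counter(r["remote"] for r in records if r["remote"])


def per_process(records):
    """(command, user) -> Counter of remote hosts, so one daemon's fan-out stands out."""
    out = defaultdict(Counter)
    for r in records:
        if r["remote"]:
            out[(r["command"], r["user"])][r["remote"]] += 1
    return out


def suspicious(records, threshold=3):
    """Remote hosts holding at least `threshold` sockets to a single process."""
    hits = [(cmd, user, host, n)
            for (cmd, user), counts in per_process(records).items()
            for host, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda h: -h[3])


if __name__ == "__main__":
    recs = parse_lsof(SAMPLE_LSOF)
    for cmd, user, host, n in suspicious(recs):
        print("%s (%s): %d sockets to/from %s" % (cmd, user, n, host))
    for r in recs:
        if r["direction"] == "outbound":
            print("outbound from %s/%s to %s:%s (%s)"
                  % (r["command"], r["user"], r["remote"], r["rport"], r["state"]))
```

On a live box, feed it the real output (`lsof -Pni | python3 thisscript.py` after swapping `SAMPLE_LSOF` for `sys.stdin.read()`) and look at the outbound rows first: many SYN_SENT/ESTABLISHED sockets from exim to port 25 on foreign hosts is what a compromised account sending spam looks like, while many inbound sockets to port 25 from one host is ordinary abuse of the MTA from outside.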
Posted by NBExpert, 10-22-2013, 09:48 AM |
If you're not expecting udp traffic at all I might recommend just dropping it (except for your DNS servers, of course!):
iptables -A INPUT -p udp --sport 53 -s my.dns.server1 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -s my.dns.server2 -j ACCEPT
iptables -A INPUT -p udp -j DROP
|
Posted by Infinitnet, 10-22-2013, 09:56 AM |
You could as well try to block this with hosts.deny. Just add this to your /etc/hosts.deny file: ALL: .hinet.net
|
Posted by HostFill, 10-22-2013, 09:58 AM |
After that:
iptables -A INPUT -p udp --dport 53 -m string --string "hinet.net" --algo bm -j DROP
From maybe 500 connections, now it doesn't look bad; I can see all connections in iftop.
|
Posted by HostFill, 10-22-2013, 10:04 AM |
Thanks for the help NBExpert and Infinitnet
Now it shows solved.
I'm gonna add this hinet.net in hosts.deny too.
If you Google hinet.net, there are a lot of criminal internet actions and spam.
How can a company like this exist? Why are they not blocked?
Just Google it and you will see a lot of claims about this hinet.net.
OMG!
|
Posted by Infinitnet, 10-22-2013, 10:15 AM |
So my iptables rules did the trick then? If hinet IPs are connecting to other ports than 53 too, you could also modify the rules like this, to block any packet that contains the string "hinet.net":
iptables -A INPUT -m string --string "hinet.net" --algo bm -j DROP
|
Posted by NBExpert, 10-22-2013, 10:21 AM |
I'm glad if I was helpful in any way.
|
Posted by Infinitnet, 10-22-2013, 10:26 AM |
Oh, and by the way... you might want to add my rules to the CSF scripts, so they are added again after a CSF or server restart. To do that, you can add them to /etc/csf/csfpre.sh
|
Posted by HostFill, 10-23-2013, 08:00 AM |
What is wrong with this?
iptables -A INPUT -p udp --dport 53 -m string --string "hinet.net" --algo bm -j DROP
Not working =/
|
Posted by Infinitnet, 10-23-2013, 08:13 AM |
Didn't you say that this was blocking the attack yesterday? Try:
iptables -A INPUT -m string --string "hinet.net" --algo bm -j DROP
iptables -A OUTPUT -m string --string "hinet.net" --algo bm -j DROP
And also try to block this with hosts.deny. If it still doesn't work, it might make sense to get an external DDoS protection.
|
Posted by HostFill, 10-23-2013, 08:20 AM |
It starts to drop when I use it without the dot:
iptables -A INPUT -m string --string "hinet" --algo bm -j DROP
iptables -A OUTPUT -m string --string "hinet" --algo bm -j DROP
Also added yesterday in hosts.deny:
ALL: .hinet.net
Strange, because they had .net at the end.
o.O
Another thing which helps a lot:
http://sysadminnotebook.blogspot.com...1_archive.html
Very good script.
Thank you again Infinitnet =)
|
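The "strange" result above (no match on `hinet.net`, match on `hinet`) has a concrete explanation: a domain name inside a DNS packet is not ASCII with dots but a sequence of length-prefixed labels (RFC 1035 section 3.1), so `hinet.net` travels as the bytes `\x05hinet\x03net\x00` and the literal string `hinet.net` never occurs in the payload, while `hinet` does. The plain `hinet` pattern is also broader than intended: it matches any packet whose payload contains those five bytes, including queries for unrelated names such as `machinetools.example`. The string match's `--hex-string` option lets you spell out the label form instead. The script below is an added example, not code from the thread; it builds constructed DNS queries, shows which patterns match them, and renders the exact `--hex-string` argument for a domain suffix. It models the question section, which is never compressed; names in responses may use compression pointers, so a suffix pattern is reliable for incoming queries but not for every packet. One caveat a practitioner would add to the whole thread: in a UDP/53 flood the source addresses may be spoofed (the server is then a reflector), which is why source-based blocks such as hosts.deny can miss or mis-target, and payload matching or rate limiting is often the more dependable control.

```python
"""Why `-m string --string "hinet.net"` misses DNS queries but "hinet" matches.

Added example, not code from the thread. DNS names on the wire are a series of
length-prefixed labels (RFC 1035 section 3.1): "hinet.net" is sent as
b"\\x05hinet\\x03net\\x00", so the dot never appears in the packet. The query
names used below are constructed for illustration.
"""
import struct


def encode_name(name):
    """Encode a domain name as DNS wire-format labels, terminated by a zero length."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query payload: the UDP data that iptables -m string inspects."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD; one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN


def string_match(payload, pattern):
    """What `-m string --algo bm --string X` does per packet: a plain substring search."""
    return pattern in payload


def hex_string_for_suffix(name):
    """Render a domain as an iptables --hex-string argument, e.g. '|05|hinet|03|net|00|'.

    The trailing |00| anchors the match at the end of the name, so it catches
    hinet.net and any name under it, but not e.g. hinet.network.
    """
    labels = name.rstrip(".").split(".")
    return "".join("|%02x|%s" % (len(lab), lab) for lab in labels) + "|00|"


def hex_string_to_bytes(spec):
    """Decode iptables --hex-string syntax (|hh hh| blocks mixed with literal text)."""
    out = b""
    for i, piece in enumerate(spec.split("|")):
        out += piece.encode("ascii") if i % 2 == 0 else bytes.fromhex(piece)
    return out


if __name__ == "__main__":
    suffix = hex_string_to_bytes(hex_string_for_suffix("hinet.net"))
    for qname in ("mail.hinet.net", "machinetools.example", "hinet.network"):
        pkt = build_query(qname)
        print("%-22s string 'hinet.net': %-5s  string 'hinet': %-5s  hex-string: %s"
              % (qname, string_match(pkt, b"hinet.net"),
                 string_match(pkt, b"hinet"), string_match(pkt, suffix)))
    print('iptables -A INPUT -p udp --dport 53 -m string --algo bm --hex-string "%s" -j DROP'
          % hex_string_for_suffix("hinet.net"))
```

Running it prints the three comparisons and the rule; `mail.hinet.net` matches only `hinet` and the hex-string form, `machinetools.example` and `hinet.network` match `hinet` but not the hex-string form. The same label encoding applies to any name, so the generated rule is the precise version of the `--string "hinet"` rule that worked in the thread.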
Posted by Infinitnet, 10-23-2013, 08:27 AM |
That's weird. Well, my rules were rather an example; as I don't know what exactly the traffic on your server looks like, it's hard to "just write something" that blocks these requests. You could also have a look at /etc/csf/csf.blocklists - CSF also includes a feature to block IPs which are on particular blacklists (Spamhaus etc.). Good luck with this and you're welcome.
|
Posted by HostFill, 10-23-2013, 11:08 AM |
Infinitnet.
I'm using these iptables rules on the node (host). On the VPS I have CSF with blacklists activated. But with this script, I can filter before it comes to the VPS.
=)
|