Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Blocking attack Ips/ddos Ips from China
New on LowEndTalk? Please Register and read our Community Rules.

Blocking attack Ips/ddos Ips from China

livserverslivservers Member
edited April 2018 in Tutorials

DDos attacks are one of the major dilemmas among hosting world, We used to get attacks from china recently and implementing below rules could prevent ddos.

  1. Need to create a bash file with below script

denychina.sh(any name)


ipset -N china hash:net

rm cn.zone

wget -P . http://www.ipdeny.com/ipblocks/data/countries/cn.zone

for i in $(cat /root/cn.zone ); do ipset -A china $i; done

iptables -I INPUT -p tcp -m set --match-set china src -j DROP


ipset // is a command utitlity comes along with ipconfig, we can set specific rules with this command

-N // indicates name of the set of rules

rm cn.zone // remove any existing zone configured

wget // Download the latest Chinese ips form ipdeny.com

-----------apply the for loop for adding ips to the hash set "china"------------------------

----------apply iptables command to block ips which match the condition in 'china' ipset------------

Last Step

Run the bash script

sh denychina.sh

=================If you wish to unblock the rules/ips in the future, simply create another file or in the same file , edit the last line to the following

iptables -D INPUT -p tcp -m set --match-set china src -j DROP

The -D option will delete the china of rules that we implemented.

==========================###############================================

Thanked by 1DewlanceVPS

Comments

  • MikeAMikeA Member, Provider
    edited April 2018

    Using CloudFlare to mitigate web attacks is easier than blocking a whole (huge) country. They let you block country codes on their end too.

    Thanked by 3Aidan YihuYon inklight

    ExtraVM - AMD Ryzen VPS starting @ $3.50
    USA (TX, VA, FL), CA, FR, UK, SGP, AU

  • @MikeA said:
    Using CloudFlare to mitigate web attacks is easier than blocking a whole (huge) country. They let you block country codes on their end too.

    cloudflare is an option, but what would happen if the client is not using cloudflare and its a shared hosting, and a sudden attack burst out.

    Client may not be aware of this attack, he only purchased the hosting but the provider should handle the scenario at the moment.

    Thanked by 1DewlanceVPS
  • MikeAMikeA Member, Provider
    edited April 2018

    @livservers said:

    @MikeA said:
    Using CloudFlare to mitigate web attacks is easier than blocking a whole (huge) country. They let you block country codes on their end too.

    cloudflare is an option, but what would happen if the client is not using cloudflare and its a shared hosting, and a sudden attack burst out.

    Client may not be aware of this attack, he only purchased the hosting but the provider should handle the scenario at the moment.

    So you're saying the shared hosting the person is using should block a whole country on the server? Anyways that's not the point of this, I understand the point, there's just easier and alternative ways to go about it.

    Thanked by 1inklight

    ExtraVM - AMD Ryzen VPS starting @ $3.50
    USA (TX, VA, FL), CA, FR, UK, SGP, AU

  • @MikeA said:

    @livservers said:

    @MikeA said:
    Using CloudFlare to mitigate web attacks is easier than blocking a whole (huge) country. They let you block country codes on their end too.

    cloudflare is an option, but what would happen if the client is not using cloudflare and its a shared hosting, and a sudden attack burst out.

    Client may not be aware of this attack, he only purchased the hosting but the provider should handle the scenario at the moment.

    So you're saying the shared hosting the person is using should block a whole country on the server? Anyways that's not the point of this, I understand the point, there's just easier and alternative ways to go about it.

    ddos attacks are sometimes uncontrollable and we experienced it, in my post, the last section describes, how to delete the rules once the ddos is stopped.

    If the ddos stopped or after a few hours, you can enable the ips,

    this is a matter of time/work saving procedure at crucial situation.

  • CdoeCdoe Member

    @livservers said:

    @MikeA said:

    cloudflare is an option, but what would happen if the client is not using cloudflare and its a shared hosting, and a sudden attack burst out.

    So how exactly do you have root access and iptables on shared hosting?

    Thanked by 1dedicados
  • akbakb Member

    Instead of fetching & saving the file, then looping through every line and running ipset add so many times, you can also do:

    ipset -N china hash:net
    iptables -I INPUT -p tcp -m set --match-set china src -j DROP
    
    wget -q -O- http://www.ipdeny.com/ipblocks/data/countries/cn.zone \
    |sed '[email protected]^[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/[0-9]\{1,3\}[email protected] china \0 [email protected];t;d' \
    |ipset restore
    
  • NomadNomad Member

    pfSense with Snort / Suricata and pfBlockerNG is a way better choice if you are not afraid of NAT IP addresses.

    ...
    ...

  • unfortunately

  • China isn't the only country bad traffic comes from. That being said there are much better alternatives like investing in actual ddos protection.

    Thanked by 1inklight
  • FHRFHR Member, Provider

    @AlexJones said:
    China isn't the only country bad traffic comes from. That being said there are much better alternatives like investing in actual ddos protection.

    Or paying someone to do remote DDOS protection for you.

    SkylonHost - affordable hourly-billed KVM VPS in Prague, CZ!
    Featuring own high performance network AS202297 | RIPE NCC member

  • randvegetarandvegeta Member, Provider

    @AlexJones said:
    China isn't the only country bad traffic comes from. That being said there are much better alternatives like investing in actual ddos protection.

    Damn near impossible in Asia. Bandwidth costs are so high that you need to spend an actual fortune every month to ensure sufficient capacity to mitigate the attack.

    You could mitigate the DDoS overseas in the US or EU where bandwidth is much cheaper, but that has an effect on performance.

    Many DDoS these days are well above 1G and mostly above 10G, and even 100M can be expensive in Asia. Most carriers in HK would charge about US$3,000 /month for 100M, so getting 1G and 10G is unrealistic for most.

    But that's just Asia. Much different situation in EU/US.

  • GFW help u!

  • Bookmarked

  • WebProjectWebProject Member, Provider

    Great. We do getting lately a lot of orders from fakeland China, as their national identity now is to use fake names on internet like Tammy Jones (we do have at least 30 of them) and fake details.

    VPS Price Match Guarantee on: All our range of DDOS protected VPS Plans
    Are you looking for best price for self-managed VPS? See WebProVPS website for more details.
  • @randvegeta said:

    @AlexJones said:
    China isn't the only country bad traffic comes from. That being said there are much better alternatives like investing in actual ddos protection.

    Damn near impossible in Asia. Bandwidth costs are so high that you need to spend an actual fortune every month to ensure sufficient capacity to mitigate the attack.

    You could mitigate the DDoS overseas in the US or EU where bandwidth is much cheaper, but that has an effect on performance.

    Many DDoS these days are well above 1G and mostly above 10G, and even 100M can be expensive in Asia. Most carriers in HK would charge about US$3,000 /month for 100M, so getting 1G and 10G is unrealistic for most.

    But that's just Asia. Much different situation in EU/US.

    Host some porn or dissident stuff on it, inform chinese government, have the GFW do the thing for you?

    Thanked by 2Aidan masteri

    I like my uptime down low and my servers all hacked. Can see me droppin' twenty-fours with a router in the rack.
    Ya like ya Switch-Ports hot and ya servers all hacked. If ya pings real high and ya networks pitch black.

  • DewlanceVPSDewlanceVPS Member, Provider

    @livservers said:

    Thanks for sharing it. Very helpful tutorial. For some people Cloudflare is everything. (They will suggest you to use CloudFlare in heavy traffic while driving vehicle ;)

    DemoTiger.com - custom cPanel branded Videos for your KB/YouTube,etc.
  • MikeAMikeA Member, Provider

    @DewlanceVPS said:
    Thanks for sharing it. Very helpful tutorial. For some people Cloudflare is everything. (They will suggest you to use CloudFlare in heavy traffic while driving vehicle ;)

    Because CloudFlare can handle uhh, a bit more traffic than a few dollar VPS.

    ExtraVM - AMD Ryzen VPS starting @ $3.50
    USA (TX, VA, FL), CA, FR, UK, SGP, AU

  • MrMMrM Member

    nice dude ? thank you

  • @MikeA said:

    @DewlanceVPS said:
    Thanks for sharing it. Very helpful tutorial. For some people Cloudflare is everything. (They will suggest you to use CloudFlare in heavy traffic while driving vehicle ;)

    Because CloudFlare can handle uhh, a bit more traffic than a few dollar VPS.

    Yeah this is very true. I find setting UAM for Asian countries/Russia and then using a load monitor to apply more aggressive rules makes CF nearly impossible to bypass. All for $0

  • USA is the second biggest source of DDOS, could you ad them too to the script?

    Thanked by 1Ole_Juul
  • @teamacc said:

    Host some porn or dissident stuff on it, inform chinese government, have the GFW do the thing for you?

    No, sensitive history events or names of head of government, you know what and who, are more effective.

  • I suppose multiple countries can be added in 1 file too yea?

  • JohnMiller92JohnMiller92 Member
    edited June 2018

    Reported for racist topic title.

  • CdoeCdoe Member
    edited June 2018

    @JohnMiller92 said:
    Reported for racist topic title.

    China isn't a race.

  • williewillie Member

    closing necro

    #lexit spread the word.

This discussion has been closed.