Trying to drop a DDoS attack using TTL and Length in iptables

Given the fairly large number of DDoS attacks going around, and the few free tools available to fight them at the server level, everyone tries to get the most out of what they have available; if you are on a Unix server, why not use iptables?

Looking for an easy way to stop a DDoS attack without involving PHP or similar scripts, I learned something about iptables: it is fairly simple to use the TTL and length of the packets to stop an attack, or at least bring it down to a reasonable level. This does not work every time, but it worked well the last two times, and that is because of the bots being used to run the attack.

First, find a few of the IPs being used to attack the server. This is easily done with netstat:

netstat -tn --inet 2>/dev/null | grep ":80" | \
    awk '/tcp[\ ]*[0-9]+[\ ]*[0-9]+[\ ]+[^\ ]+[\ ]*[^\ ]*/ {print $5}' | \
    cut -d":" -f1 | sort | uniq -c | sort -n

or, more simply:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

IPs with a high number of connections (e.g. over 150) can be considered part of the attack; during a high-intensity attack you will see IPs with over 600-700 connections.
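As an added example (not from the original post), here is the second netstat pipeline wrapped in a shell function that also applies the connection threshold, so only the sources at or above it are listed, highest first. The netstat rows below are constructed sample data, and the function name top_sources and its threshold argument are my own choices.

```shell
#!/bin/sh
# Added example: count connections per remote IPv4 address in `netstat -ntu`
# output and list the sources that reach a threshold (default 150, as in the post).

# top_sources THRESHOLD - reads netstat -ntu lines on stdin, prints "count ip"
# for every remote IPv4 address with at least THRESHOLD connections, highest first.
# IPv6/mapped rows (::ffff:...) are skipped; extend the regex if you need them.
top_sources() {
    threshold="${1:-150}"
    awk -v min="$threshold" '
        # only tcp/udp rows whose column 5 is a dotted-quad remote address
        $1 ~ /^(tcp|udp)/ && $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:/ {
            split($5, a, ":")          # strip the remote port
            count[a[1]]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) printf "%d %s\n", count[ip], ip
        }' | sort -rn
}

# Constructed sample of `netstat -ntu` output (documentation addresses, RFC 5737);
# 203.0.113.10 stands in for y.y.y.y.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40002        SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.9:55000         ESTABLISHED
udp        0      0 203.0.113.10:53         192.0.2.77:5353         ESTABLISHED'

# Demo on the sample with a low threshold; on a live box run
#   netstat -ntu | top_sources 150
printf '%s\n' "$SAMPLE" | top_sources 2
```

The threshold is the only judgement call; as the post says, pick it from what the box normally sees rather than from a fixed number, and check several of the listed IPs before treating them as attackers.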

Now that we have found the attack, run tcpdump and check the TTL values on a few of the IPs to see whether they match; if they do, we have a winner. Take 2-3 IPs used by the attackers and run tcpdump to see the values:

tcpdump -nn -vvv host y.y.y.y | grep x.x.x.x

x.x.x.x being the attacking IP and y.y.y.y the IP being attacked (e.g. your main IP).

The output will show something like:

16:34:41.715401 IP (tos 0x0, ttl 113, id 8270, offset 0, flags [DF], proto 6, length: 40) x.x.x.x.12144 > y.y.y.y.80: . [tcp sum ok] 1158:1158(0) ack 100999 win 17520[]

We can see that the TTL value is 113.
Now run tcpdump for the other IPs as well and look for a pattern, checking whether the TTL values match. This precaution makes sure you will not block legitimate traffic.

If the TTL values match on all the IPs you see attacking the server, go ahead and block them with an iptables rule based on TTL:

iptables -A INPUT -p tcp -d y.y.y.y -m ttl --ttl-eq 113 -j DROP

Now check whether the attack intensity is dropping; if it is not, you may not have found the right TTL value, or this approach may not be working at all.

There may still be a few bots using TTL values other than the ones you found; to tighten the rules you can use the packet length to block the remaining IPs.

Run the same tcpdump you used to find the TTL for the remaining IPs; in the output, the following represents the length of the packets:

proto 6, length: 40

If this matches (check a few other IPs to make sure), block it with an iptables rule like:

iptables -A INPUT -p tcp -d y.y.y.y -m length --length 40 -j DROP

Check the attack intensity; hopefully it has dropped.
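Tying the TTL and length steps together, here is an added example in shell (not from the original post): it parses tcpdump -nn -vvv lines in the format shown above, tallies TTL and length per source, confirms that every suspected IP shares a single value before any rule is built, and emits the iptables commands instead of running them, with a rate-limited LOG rule placed ahead of the DROP so the rule counters (iptables -L INPUT -v -n) show what is being hit. It also ANDs the TTL and length matches in one rule, which is narrower than either alone: a 40-byte packet is a bare ACK with no options, and legitimate clients send those too. The capture lines and addresses are constructed (RFC 5737 ranges, 203.0.113.10 standing in for y.y.y.y), and the function names are my own.

```shell
#!/bin/sh
# Added example: verify the TTL/length pattern across suspects and build the
# iptables rules for review. Nothing here changes the firewall.

# ttl_len_by_source - reads tcpdump -nn -vvv lines on stdin and prints
# "src_ip ttl length count", one line per distinct combination.
ttl_len_by_source() {
    awk '
        /ttl [0-9]+/ {
            match($0, /ttl [0-9]+/);      ttl = substr($0, RSTART + 4, RLENGTH - 4)
            match($0, /length:? [0-9]+/); len = substr($0, RSTART, RLENGTH); sub(/.* /, "", len)
            # the source is the first token after the "(tos ..., length N)" group
            rest = substr($0, index($0, ") ") + 2)
            split(rest, f, " "); src = f[1]
            sub(/\.[0-9]+$/, "", src)     # drop the source port
            count[src " " ttl " " len]++
        }
        END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# shared_value COL IP... - reads ttl_len_by_source output on stdin and prints the
# single value of column COL (2 = ttl, 3 = length) that every listed IP shares.
# Prints nothing and returns 1 if the suspects disagree or one was not seen.
shared_value() {
    col="$1"; shift
    awk -v col="$col" -v want="$*" '
        BEGIN { n = split(want, ips, " "); for (i = 1; i <= n; i++) wanted[ips[i]] = 1 }
        ($1 in wanted) { seen[$1] = 1; vals[$col] = 1 }
        END {
            for (ip in wanted) if (!(ip in seen)) exit 1
            c = 0; for (v in vals) { out = v; c++ }
            if (c != 1) exit 1
            print out
        }'
}

# block_rules SERVER_IP TTL LENGTH - prints the iptables commands that match the
# observed TTL and length together and drop them; pass "" to skip one criterion.
# A rate-limited LOG rule goes first so matches are visible in the log and counters.
block_rules() {
    server="$1"; ttl="$2"; len="$3"
    echo "$server" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    match=""
    if [ -n "$ttl" ]; then
        case "$ttl" in *[!0-9]*) return 1 ;; esac
        [ "$ttl" -ge 1 ] && [ "$ttl" -le 255 ] || return 1
        match="$match -m ttl --ttl-eq $ttl"
    fi
    if [ -n "$len" ]; then
        case "$len" in *[!0-9]*) return 1 ;; esac
        [ "$len" -ge 20 ] && [ "$len" -le 65535 ] || return 1
        match="$match -m length --length $len"
    fi
    [ -n "$match" ] || return 1
    # -I puts the rules ahead of any existing ACCEPT rules in INPUT
    printf 'iptables -I INPUT -p tcp -d %s%s -m limit --limit 10/min -j LOG --log-prefix "ddos-match: "\n' "$server" "$match"
    printf 'iptables -I INPUT 2 -p tcp -d %s%s -j DROP\n' "$server" "$match"
}

# Constructed capture in the format shown in the post: two suspects at TTL 113 /
# length 40 and one ordinary client (a SYN at TTL 52, length 60).
SAMPLE='16:34:41.715401 IP (tos 0x0, ttl 113, id 8270, offset 0, flags [DF], proto 6, length: 40) 198.51.100.7.12144 > 203.0.113.10.80: . [tcp sum ok] 1158:1158(0) ack 100999 win 17520
16:34:41.715610 IP (tos 0x0, ttl 113, id 8271, offset 0, flags [DF], proto 6, length: 40) 198.51.100.7.12145 > 203.0.113.10.80: . [tcp sum ok] 1158:1158(0) ack 100999 win 17520
16:34:41.716002 IP (tos 0x0, ttl 113, id 311, offset 0, flags [DF], proto 6, length: 40) 192.0.2.44.40001 > 203.0.113.10.80: . [tcp sum ok] 1:1(0) ack 1 win 17520
16:34:41.716455 IP (tos 0x0, ttl 113, id 312, offset 0, flags [DF], proto 6, length: 40) 192.0.2.44.40002 > 203.0.113.10.80: . [tcp sum ok] 1:1(0) ack 1 win 17520
16:34:41.717120 IP (tos 0x0, ttl 52, id 9001, offset 0, flags [DF], proto 6, length: 60) 192.0.2.9.55000 > 203.0.113.10.80: S [tcp sum ok] 1:1(0) win 29200'

# Demo: summarise, confirm the two suspects agree on TTL and length, print rules.
# On a live box: tcpdump -nn -vvv host y.y.y.y -c 2000 | ttl_len_by_source
summary=$(printf '%s\n' "$SAMPLE" | ttl_len_by_source)
echo "$summary"
ttl=$(echo "$summary" | shared_value 2 198.51.100.7 192.0.2.44) || echo "suspects disagree on TTL"
len=$(echo "$summary" | shared_value 3 198.51.100.7 192.0.2.44) || echo "suspects disagree on length"
block_rules 203.0.113.10 "$ttl" "$len"
```

Adding the ordinary client 192.0.2.9 to the suspect list makes shared_value fail, which is the point: a rule should only be written when every IP you believe is attacking agrees. Review the printed commands before pasting them, and remove the rules (iptables -D with the same arguments) once the attack ends, since a TTL or length alone is not a durable signature.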

y.y.y.y - the main IP of your server
x.x.x.x - one of the IPs attacking the server

Verify multiple IPs, not only one, or you may end up blocking a good portion of legitimate traffic.
If the attack is high in intensity, you can stop/start Apache in order to run your tests.