• Forum has been upgraded, all links, images, etc are as they were. Please see Official Announcements for more information

Ongoing DDoS attack on masternode network

Update:

- 16 h by now
- Network holding up well
- only dropped ca. 300 weak Mn's
(good flushing out weak Nodes experiment)

EjeS2Pb.png
 
Hi all, no techi guy here!
Is this attack one of the strongest we can be affected by?
I mean, it's a serious test stress or just a basic one?
I see that it is "easy" to defend against.
Some easy narrative (when and if you have time) could be appreciated, thanks.
 
i tried this command, lets see whats gonna happen thx for reply.

update; after i tried this command my masternode status at dashninja turned to unknown masternode. i think ip tables good choise :)

update 2: my masternode is working about 1 day with" ufw limit 9999/tcp" command. seems good for now
 
Last edited:
i tried this command, lets see whats gonna happen thx for reply.

update; after i tried this command my masternode status at dashninja turned to unknown masternode. i think ip tables good choise :)

Dashninja is also affected by the attack and may not display your MN status at all. Currently, all their nodes are "not responding".
 
For those less technologically savvey there are step by step instructions below for Ubuntu 16.04. If you followed TAO's set up guide this will work for you.

**************
Enter root and enter the following commands

******* First Remove ufw
sudo ufw disable
sudo apt-get -y remove ufw
sudo apt-get -y purge ufw

****** Now install persistant ip tables and say yes when the purple screen appears
apt-get install -y iptables-persistent
invoke-rc.d netfilter-persistent save
service netfilter-persistent stop
service netfilter-persistent start

***** Now remove the old iptables file and paste in the new rules
rm /etc/iptables/rules.v4
joe /etc/iptables/rules.v4

************** Now paste in these rules and save, Note- change port 22 if you moved ssh to another port.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:LOGNDROP - [0:0]
:OUTPUT ACCEPT [0:0]
#
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
# some tcp ddos
-A INPUT -i eth0 -p tcp -f -m tcp -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 0 -j DROP
#
-A INPUT -i eth0 -p tcp -m tcp --dport 9998 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 8 --connlimit-mask 24 --connlimit-saddr -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
#
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
#
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 -j ACCEPT
#
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
#
-A INPUT -j LOGNDROP
-A LOGNDROP -p tcp -m limit --limit 32/min -j LOG --log-prefix "Denied TCP: " --log-level 7
-A LOGNDROP -p udp -m limit --limit 32/min -j LOG --log-prefix "Denied UDP: " --log-level 7
-A LOGNDROP -p icmp -m limit --limit 32/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
-A LOGNDROP -j DROP
COMMIT
#Remember to leave an extra space at the bottom

******* and save, then to check it is working
iptables -L

Viola :D

Edit- Credit to chaeplin for the far superior rules
 
Last edited:
HI Guys

Attached a very nice firewall script that will help you out. It already blocks a few bad behaving IP addresses (I got those bad behaving ip's from Dash's debug log). It limits connections to your SSH and Dash ports (allows only 2 per second). It looks out for bad SYN packets (only some of them, not all).

Copy the file to your server, save in root directly "dashfirewall.sh" (remove the txt at the end, I was forced to add the .txt at the end because the forum won't allow me to upload files withtout an extension)

The execute

chmod a+x dashfirewall.sh

Then run it with

./dashfirewall.sh

If you're on Ubuntu/Debain, you can also add add "/root/dashfirewall.sh" to /etc/rc.local before "exit 0" to ensure the firewall runs when your server starts.

Hope this helps!
 

Attachments

  • dashfirewall.sh.txt
    2.8 KB · Views: 232
here new rule
- limit concurrent connection 2 per ip, 8 per c class
- limit 3 syn per ip with in 30 sec
- limit some tcp ddos
- limit ssh conn

Code:
# /etc/default/iptables
## Firewall configuration written by system-config-firewall
## Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#
#-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# allow established
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow some ip always
#-A INPUT -m state --state NEW -m tcp -p tcp -s white_ip_or_my_ip -j ACCEPT
# some tcp ddos
-A INPUT -i eth0 -p tcp -f -m tcp -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 0 -j DROP
# deny connection to rpc port
-A INPUT -i eth0 -p tcp -m tcp --dport 9998 -j DROP
# drop udp to p2p 9999
-A INPUT -i eth0 -p udp -m udp --dport 9999 -j DROP
# limit concurrent connection 2 per ip, 8 per c class
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 8 --connlimit-mask 24 --connlimit-saddr -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j DROP
# limit syn to 3 / 30 sec / p2p 9999
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
# limit syn to 3 / 30 sec / ssh 22
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
# allow
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 -j ACCEPT
#
-A INPUT -i eth0 -p tcp -j ACCEPT
# output allow
-A OUTPUT -o eth0 -j ACCEPT
# deny forward
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
#
COMMIT
#


if you have --mask error, you are using old kernel.
change
Code:
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
#
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
to
Code:
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --rsource -j DROP
#
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --rsource -j DROP
 
Last edited:
@Sapereaude yea I saw that. You actually posted as I was writing the reply.

For those of you who are not technically inclined, take note that my firewall script also filters out a few ip addresses that takes part in the DDOS, which should help keep your masternode ports open for real Dash connections. The attacker will probably change IP's during the course of the day. I will update a list of blocked IP's later tonight and post an updated version.
 
Was affected by the attack, woke up this morning with a email from my VPS provider that my VPS was temporary suspended.
So bought another one, so far so good!

Specs:

2048MB Memory
70GB SSD Space
4 Core Processor
Unmetered Network
3 IPv4 Addresses
3 IPv6 Addresses *

Pretty fair price 13.99 USD paid with dash debit ofc :)
 
Back
Top