Outside sources are killing my business

DD-WRT Forum Index -> Advanced Networking
Antilycus
DD-WRT Novice


Joined: 15 Jan 2010
Posts: 45

Posted: Tue Jul 03, 2012 17:45    Post subject: Outside sources are killing my business
I can't tell if it's a SQL injection or a DDoS, but it's been 2 weeks straight of no access for clients to my webpage.

I started with a Linksys WRT310v2 (Broadcom SoC). The support for it was weak at best, but I was able to run my company on it for a few years... until I put up a FORUM and was directly hit by a DDoS.

I tried to upgrade from my 3-year-old firmware; there was no update, and in the process I bricked it. So out to Walmart to buy a 30 USD Linksys E900 (100Base-T only), at least to get it up and running.

Get DD-WRT on it, write the firewall script to curb the massive amounts of traffic coming in, and purchase the ASUS BLACK KNIGHT N66U (dual chip), using the E900 until it arrives.

The E900, even though it has a 64k CFE, is bogged down, running at 100% all the time and killing the web interface 50% of the time. I don't know the SSH context well enough to edit the firewall script (if there even is one) within the CLI, so the only way one can actually configure anything is to disconnect the WAN port.

Even with the firewall running, the internet pages don't load because the router can't keep up. Active connections shows 8100 out of 8146. When limiting connections to 4096, 4030ish are there.

No biggie, on to the ASUS dual-core DD-WRT'd N66U. Hook it up, transfer the firewall script, and it has only 32kb of CFE.

Okay, ASUS at 600 MHz, Cisco cheapy at 300 MHz, this should fly... eh, wrong. It's a million times worse. SLOW SLOW SLOW, no connection to the web interface EVER. At least on the E900 I can eventually get it to come up.

I copied the dd-wrt firewall script from http://www.dd-wrt.com/wiki/index.php/Preventing_Brute_Force_Attacks and even changed port 80 to a 1/sec limit, dropping everything else.

So what can I do besides changing my WAN address? These are all incoming connections... would a SQL injection create incoming connections too?
Antilycus
DD-WRT Novice


Joined: 15 Jan 2010
Posts: 45

Posted: Wed Jul 04, 2012 5:25    Post subject:
Code:
# save firewall
## - Drop the incoming signal/ipaddress - ##
## list from www.unixhub.com/block.html ##
#iptables -I FORWARD -s 74.125.225.0/24 -j REJECT
iptables -I FORWARD -s 61.147.0.0/16 -j DROP
# yahoo start drop
iptables -I FORWARD -s 98.139.225.42 -j DROP
iptables -I FORWARD -s 98.138.49.43 -j DROP
iptables -I FORWARD -s 98.139.225.43 -j DROP
#yahoo end drop
iptables -I FORWARD -s 113.0.0.0/8 -j DROP
iptables -I FORWARD -s 199.0.0.0/8 -j DROP
iptables -I FORWARD -s 219.0.0.0/8 -j DROP
iptables -I FORWARD -s 220.0.0.0/8 -j DROP
iptables -I FORWARD -s 221.0.0.0/8 -j DROP
iptables -I FORWARD -s 222.0.0.0/8 -j DROP
iptables -I FORWARD -s 210.0.0.0/8 -j DROP
iptables -I FORWARD -s 211.0.0.0/8 -j DROP
iptables -I FORWARD -s 200.0.0.0/8 -j DROP
iptables -I FORWARD -s 17.174.60.77 -j DROP
iptables -I FORWARD -s 60.169.78.0/24 -j DROP
iptables -I FORWARD -s 60.169.78.90 -j DROP
iptables -I FORWARD -s 60.173.26.221 -j DROP
iptables -I FORWARD -s 61.160.0.0/16 -j DROP
iptables -I FORWARD -s 76.164.231.83 -j DROP
iptables -I FORWARD -s 77.244.96.0/20 -j DROP
iptables -I FORWARD -s 98.126.0.0/16 -j DROP
iptables -I FORWARD -s 98.126.253.74 -j DROP
iptables -I FORWARD -s 98.126.209.130 -j DROP
iptables -I FORWARD -s 98.126.109.27 -j DROP
iptables -I FORWARD -s 98.126.165.106 -j DROP
iptables -I FORWARD -s 108.171.241.190 -j DROP
iptables -I FORWARD -s 113.106.25.114 -j DROP
iptables -I FORWARD -s 119.15.112.0/21 -j DROP
iptables -I FORWARD -s 184.82.45.171 -j DROP
iptables -I FORWARD -s 188.120.0.0/16 -j DROP
iptables -I FORWARD -s 199.36.0.0/16 -j DROP
iptables -I FORWARD -s 199.95.207.0/24 -j DROP
iptables -I FORWARD -s 199.95.208.0/24 -j DROP
iptables -I FORWARD -s 199.36.74.127 -j DROP
iptables -I FORWARD -s 199.192.153.26 -j DROP
iptables -I FORWARD -s 204.178.112.170 -j DROP
iptables -I FORWARD -s 209.67.38.99 -j DROP
iptables -I FORWARD -s 209.204.128.0/18 -j DROP
iptables -I FORWARD -s 216.52.13.39 -j DROP
iptables -I FORWARD -s 216.52.13.23 -j DROP
#psyschz networks start
iptables -I FORWARD -s 216.24.192.0/20 -j DROP
iptables -I FORWARD -s 199.15.118.82 -j DROP
iptables -I FORWARD -s 208.87.240.0/20 -j DROP
iptables -I FORWARD -s 199.119.200.0/20 -j DROP
iptables -I FORWARD -s 199.81.212.0/20 -j DROP
iptables -I FORWARD -s 173.224.208.0/20 -j DROP
iptables -I FORWARD -s 74.117.56.0/20 -j DROP
#psychz networks end

# set rate_limit to push to job/rule
iptables -N rate_limit
iptables -F rate_limit
iptables -A rate_limit -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT
iptables -A rate_limit -p tcp --dport 80 -m limit --limit 1/sec -j ACCEPT
iptables -A rate_limit -p udp --dport 1194 -m limit --limit 3/min --limit-burst 3 -j ACCEPT
iptables -A rate_limit -p ICMP --icmp-type echo-request -m limit --limit 3/sec -j ACCEPT
#iptables -A rate_limit -p <protocol> --dport <port> -m limit --limit <x/sec/min/hr> --limit-burst X -j ACCEPT
iptables -A rate_limit -p ! ICMP -j LOG --log-prefix " Connection dropped!! "
iptables -A rate_limit -p tcp -j REJECT --reject-with tcp-reset
iptables -A rate_limit -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A rate_limit -j DROP
iptables -I INPUT -p ICMP --icmp-type echo-request -j rate_limit
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -j rate_limit
iptables -I INPUT -p udp --dport 1194 -m state --state NEW -j rate_limit
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -j rate_limit
#iptables -I INPUT -p <protocol> --dport <port> -m state --state NEW -j rate_limit

#route 80 traffic to .28
#iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to xxx.xxx.100.28:80
#iptables -A FORWARD -p tcp -d xxx.xxx.100.28 --dport 80 -j ACCEPT


This is my current firewall script. As I typed this after rebooting the router, I watched my connections go from 30 to 8000 in 30 seconds.
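The LOG rule in the rate_limit chain above writes one syslog line per rejected new connection, and those lines are the evidence for whether the 8000 connections come from a handful of hosts or from whole subnets. This is an added example, not code from the thread; it assumes the script's " Connection dropped!! " log prefix, and the sample log lines are constructed in netfilter's LOG format using TEST-NET addresses.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the lines that the script's
# 'Connection dropped!!' LOG rule produces, so a flood can be traced to
# specific sources before any whole /8 is blocked. SAMPLE_LOG holds
# constructed busybox-syslog style lines (one unrelated DHCP line included).
SAMPLE_LOG='Jul  4 05:30:01 DD-WRT kern.warn kernel:  Connection dropped!! IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 05:30:01 DD-WRT kern.warn kernel:  Connection dropped!! IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 05:30:02 DD-WRT kern.warn kernel:  Connection dropped!! IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.44 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 05:30:02 DD-WRT daemon.info dnsmasq-dhcp[1234]: DHCPACK(br0) 192.168.1.20 aa:bb:cc:dd:ee:ff
Jul  4 05:30:03 DD-WRT kern.warn kernel:  Connection dropped!! IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 05:30:03 DD-WRT kern.warn kernel:  Connection dropped!! IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.44 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 05:30:04 DD-WRT kern.warn kernel:  Connection dropped!! IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51003 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# count_drops [prefix]: read syslog on stdin and print "count source" for
# every SRC= on a dropped-connection line, busiest first. With the argument
# "prefix" each address is folded to its /24, so a flood spread across one
# subnet shows up as a single entry instead of many small ones.
count_drops() {
    awk -v fold="${1:-}" '
        /Connection dropped!!/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) {
                    a = substr($i, 5)
                    if (fold == "prefix") sub(/\.[0-9]+$/, ".0/24", a)
                    hits[a]++
                }
            }
        }
        END { for (a in hits) print hits[a], a }' | sort -rn
}

# top_drop [prefix]: only the busiest entry, as "count source".
top_drop() {
    count_drops "${1:-}" | head -n 1
}

# drops_by_port: dropped packets per destination port, to tell an HTTP flood
# from SSH brute-forcing when both are rejected by the same chain.
drops_by_port() {
    awk '/Connection dropped!!/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) ports[substr($i, 5)]++
        }
        END { for (p in ports) print ports[p], "port", p }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | count_drops
printf '%s\n' "$SAMPLE_LOG" | count_drops prefix
printf '%s\n' "$SAMPLE_LOG" | drops_by_port
```

On the router itself the same lines can be read from the kernel ring buffer with `dmesg | count_drops prefix` once the script is active.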
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

Posted: Wed Jul 04, 2012 9:18    Post subject:
lol

What do you expect out of a few bucks' hardware?!

Antilycus
DD-WRT Novice


Joined: 15 Jan 2010
Posts: 45

Posted: Wed Jul 04, 2012 21:16    Post subject:
Oh, I am not ripping on DD-WRT, so please don't read it as that. I don't think the hardware is the problem. I get even worse results on the ASUS N66U, which has plenty of HP to stop it, but instead it's worse than the E900 on DD-WRT (both N66U and E900 running DD-WRT).

The point is, what am I doing wrong? What is the right path while still maintaining DD-WRT firmware?
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1555
Location: Zwolle

Posted: Thu Jul 05, 2012 16:36    Post subject:
OTRW has services which block hack and hammer. See http://www.dd-wrt.com/phpBB2/viewtopic.php?p=696074