What is the best way to log DoS/DDoS attacks?

I've been receiving gigabit packet floods every day for the past few days, and I'm genuinely concerned about how I should go about investigating who is generating these attacks. The main thing is I just don't know how to log the IP address of the attacking servers properly. I tried running a packet sniffer but all that did was cause me to instantly fill up my filesystem when the next attack came (oops). I run game servers for a fairly closely knit community, so the general success of finding the attackers in this situation is probably higher than normal. Basically I just need some sort of software that will log general statistics about any addresses that produce more than a certain amount of data in a short period of time. The attacks are swift and are usually over before I can even open up BMON to confirm that they're happening; I just end up seeing them in the Linode overview a few minutes later.

Does anyone have any advice on what I can do to try and appropriately log the attacking addresses?

1 Reply

You could create an iptables (firewall) rule to log the traffic. The hashlimit module lets you match on the source or destination IP/port, while connlimit matches on a specified number of simultaneous connections from a single IP. Either of these can be used with "-j LOG" to log connections. I'm afraid I don't know enough to give you specific examples.

While this does generate less data than capturing packet dumps, with sufficient volume it can still fill up your disk. If this is a problem, you could consider getting a second Linode in the same datacenter and using it as a remote syslog target.
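One way to turn the rate-limited iptables LOG output into the per-address statistics the question asks for, as an added Python example that is not part of this thread or of Linode's documentation. The hashlimit rule quoted in the docstring, the interface name, the UDP port 27015 and the "GAMEFLOOD: " log prefix are assumptions, and the kern.log lines are constructed samples in the format the LOG target writes.

```python
"""Aggregate iptables LOG lines per source address to spot flood sources.

Assumed logging rule (not from the thread): once a source exceeds 50 packets/sec
to the game port, log at most 10 lines per minute so the log cannot fill the disk.

  iptables -A INPUT -p udp --dport 27015 \
      -m hashlimit --hashlimit-above 50/sec --hashlimit-mode srcip \
      --hashlimit-name gameflood \
      -m limit --limit 10/min -j LOG --log-prefix "GAMEFLOOD: "

Because of "-m limit", each logged line is a sample, so the packet and byte
totals below are lower bounds on the real traffic, not exact counts.
"""
import re
import sys
from collections import defaultdict

LOG_PREFIX = "GAMEFLOOD: "

# Constructed sample kern.log lines (syslog timestamp, then the LOG target's fields).
# The first LEN= is the IP total length; the second is the UDP length.
SAMPLE_LOG = """\
Mar  3 02:14:01 srv kernel: GAMEFLOOD: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=1400 TTL=54 ID=0 DF PROTO=UDP SPT=40001 DPT=27015 LEN=1380
Mar  3 02:14:01 srv kernel: GAMEFLOOD: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=1400 TTL=54 ID=0 DF PROTO=UDP SPT=40002 DPT=27015 LEN=1380
Mar  3 02:14:02 srv kernel: GAMEFLOOD: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=1400 TTL=54 ID=0 DF PROTO=UDP SPT=40003 DPT=27015 LEN=1380
Mar  3 02:14:03 srv kernel: GAMEFLOOD: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.7 LEN=1400 TTL=51 ID=0 DF PROTO=UDP SPT=51000 DPT=27015 LEN=1380
Mar  3 02:14:05 srv kernel: GAMEFLOOD: IN=eth0 OUT= SRC=198.51.100.22 DST=198.51.100.7 LEN=60 TTL=64 ID=0 DF PROTO=UDP SPT=27015 DPT=27015 LEN=40
Mar  3 02:14:06 srv kernel: unrelated message that must be ignored
Mar  3 02:16:30 srv kernel: GAMEFLOOD: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=1400 TTL=54 ID=0 DF PROTO=UDP SPT=40009 DPT=27015 LEN=1380
"""

# Syslog timestamps carry no year, so the time is reduced to seconds since midnight;
# that is enough for the short windows used here.
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\s+\S+\s+kernel:\s+"
    + re.escape(LOG_PREFIX)
    + r".*?\bSRC=(?P<src>[\d.]+)\b.*?\bLEN=(?P<len>\d+)\b"
    + r".*?\bPROTO=(?P<proto>\w+)\b.*?\bDPT=(?P<dpt>\d+)\b"
)


def parse_line(line):
    """Return the fields of one LOG line as a dict, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return {"t": secs, "src": m["src"], "bytes": int(m["len"]),
            "proto": m["proto"], "dport": int(m["dpt"])}


def summarize(lines, window_s=60):
    """Return {(window_start_secs, src): {"packets": n, "bytes": b}} over the logged samples."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["t"] - rec["t"] % window_s, rec["src"])
        stats[key]["packets"] += 1
        stats[key]["bytes"] += rec["bytes"]
    return dict(stats)


def flag_sources(stats, min_packets=2):
    """Sources that produced at least min_packets logged samples in one window, busiest first."""
    hits = [(src, start, v["packets"], v["bytes"])
            for (start, src), v in stats.items() if v["packets"] >= min_packets]
    return sorted(hits, key=lambda h: (-h[3], h[0], h[1]))


def hhmmss(secs):
    """Format seconds since midnight as HH:MM:SS for the report."""
    return f"{secs // 3600:02d}:{secs % 3600 // 60:02d}:{secs % 60:02d}"


if __name__ == "__main__":
    # Pipe kern.log in (e.g. from the remote syslog host); falls back to the samples.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for src, start, n, b in flag_sources(summarize(lines)):
        print(f"{hhmmss(start)}  {src:<16} logged_packets={n} logged_bytes={b}")
```

Run it as `python3 floodstats.py < /var/log/kern.log` on the host (or on the remote syslog Linode the reply suggests), and tune `--hashlimit-above` to sit above the legitimate per-client packet rate of the game so that normal players never appear in the log.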
