rejetto forum

From Russia With Hate

0 Members and 1 Guest are viewing this topic.

Offline teslaman

  • Occasional poster
  • *
    • Posts: 17
    • View Profile
Hey guys, I've had something odd happening that I can't explain. Someone has been doing DoS style attacks on my HFS server (version 2.3 build 287), mostly from Russia. I've managed to block them now via other means, but banning them on HFS did nothing to stop them. Also, I know HFS doesn't reply to pings and my router is set to block them anyways, so how is this even possible? All I get is a bunch of fast Connect/Disconnects, with no information requested from the server. Oddly, it overloads HFS to where it can't respond to any other requests, but my internet connection is otherwise still working fine.

Is there some tactic I'm not aware of that would allow this to happen? I've been running HFS as a personal server for...I don't even know how many years...but this is the first time this has happened.


Offline bmartino1

  • Tireless poster
  • ****
    • Posts: 901
  • I'm only trying to help i mean no offense.
    • View Profile
    • My HFS Google Drive Shared Link
Double check you ban settings, and make sure you have (Disconnect without reply!)

see wiki explains how to setup bans...:
http://www.rejetto.com/wiki/index.php?title=HFS:_IP_masks

(mostly they are spiders re-sending some form of html check, i get a bunch form Japan/China/Russia...)
Reported most of them and some stopped and other slowed.

(Peer blocker is a possible solution!)
http://peerblock.googlecode.com/files/PeerBlock-Setup_v1.1_r518.exe

although it is better to have a firewall/better network solution to block them as in the networking world regardless of what the other side does, the ports are open to "attack" a machine...


Files i try to keep and share can be found on my google drive:

https://drive.google.com/drive/folders/1FOWi3Gqaldld6JLXvZ-biDv4RSguf0IC


Offline teslaman

  • Occasional poster
  • *
    • Posts: 17
    • View Profile
Thanks Bmartino1. :)

Ban settings are good, with "Disconnect..." checked since I had already successfully blocked a few IPs in the past. I wonder if it's possible that HFS can't ban this type of connection request? Or maybe it's a bug? I dunno...

In my case, it is definitely an attacker with a grudge, using what looks to be a proxy program.

Hehe, yup, PeerBlock is one solution I have going now. v1.2 is out now too. :) It was working good for stopping the requests, but yesterday he found a good proxy in France that let him go on for a couple of hours at least. PeerBlock was blocking it, but the constant traffic was overwhelming my old router. That was an easy fix though, as I have a surplus of routers laying around, lol.

He probably thinks it's ticking me off, but he doesn't know me. Things that fight against me, only fuel my passion, lol. :D
« Last Edit: June 20, 2014, 11:57:20 AM by teslaman »


Offline LeoNeeson

  • Tireless poster
  • ****
    • Posts: 729
  • Status: On hiatus (sporadically here)
    • View Profile
    • twitter.com/LeoNeeson
He probably thinks it's ticking me off, but he doesn't know me. Things that fight against me, only fuel my passion, lol. :D
That's right, don't give up (let's punch those DoS!). 8)

This make me think if it's possible to run HFS behind a proxy or TOR, to hide your own IP address and avoid DoS attacks. Is it possible?...
« Last Edit: June 28, 2014, 03:32:54 AM by LeoNeeson »
HFS in Spanish (HFS en Español) / How to compile HFS (Tutorial)
» Currently taking a break, until HFS v2.4 get his stable version.


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13307
    • View Profile
it's much better to to configure the ban on your router instead


Offline bmartino1

  • Tireless poster
  • ****
    • Posts: 901
  • I'm only trying to help i mean no offense.
    • View Profile
    • My HFS Google Drive Shared Link
A failry cheap and somewhat portective way to block ips!
--------------------------------
(I d not guarantee it is a permanent way to block, as no device connected to the internet is safe!)
Here is may be something you might be wanting:

Buy a fairly cheap old linksys g router and setup the "dmz"/port forward to the ip of old router to your router as network diagram shown:

isp internet > ddwrt router > current router

The ddwrt would then be a "firewall router"

So:
BLOCK INCOMING IP USING DD-WRT (IPTABLES)

First, log into DDWRT router

(*if ssh acess is aviable you can test the comands via option >my firewall via ssh to get a rule in place immediately:)
Command:
iptables -I CHAIN -s xxx.xxx.xxx.xxx -j DROP
(Listing the rules:
Command:
iptables -L --line-number

which will show somethign like this:
1 DROP 0 — ppp-xxx.xxx.xxx.xxx.revip.proen.co.th anywhere

(upon restart if your router as if commands are only add it via ssh, it will be gone!)
--------------------
--------------------
so we need to save our Commands:

iptables -I CHAIN -s xxx.xxx.xxx.xxx -j DROP
--------------------

open your router's web gui

xxx.xxx.xxx.xxx/Diagnostics.asp
(administrations > Commands)


iptables -I CHAIN -s xxx.xxx.xxx.xxx -j DROP

Clicked the “Save Firewall” button.

That's it, this guarantees that upon reboot that ddwrt firewall will not let the ip address in!

-----As i'[m curently testing htis as i write it--------
I went ahead and rebooted to confirm the new rule was loaded at startup.
No more auth attempts from that IP.

NOTE 1: This method will drop ALL TRAFFIC from the listed IP. Play for keeps!
NOTE 2: If this is your Public IP, you need to check yo’ self before you wreck yo’ self… :)

ddwrt iptable commands:
http://www.dd-wrt.com/wiki/index.php/Iptables_command

Files i try to keep and share can be found on my google drive:

https://drive.google.com/drive/folders/1FOWi3Gqaldld6JLXvZ-biDv4RSguf0IC


Offline teslaman

  • Occasional poster
  • *
    • Posts: 17
    • View Profile
Thanks guys and sorry for the very late reply! The newer router seems to have stopped them, or they just gave up on that tactic after the IP change. Looks like they are just trying to brute force into my email server now...good luck with that! lol :P I haven't tried the newer router's IP blocking yet, since PeerBlock is working well enough and is easier to maintain. Nice info there bmartino1! Good to know, just in case. 8)

Putting HFS behind Tor would be interesting, even just for privacy/anonymity, but I'm not sure how well that would work?