
Environment:
CentOS 6.5

I am under a DDoS attack that uses memcached as a springboard.
I would like to ask about the appropriate countermeasures.

Site I referred to on how to deal with this:

With reference to the above site, I modified the memcached settings as follows.

/etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1 -U 0"

I understand that this change restricts the listening IP and UDP port access,
but since the attack continues even after restarting memcached, I would like to impose IP restrictions on the firewall as well.

The iptables settings at this stage are as follows.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 11211 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5001 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

The reference site says to run the following commands,
and I would like to know what effect they will have.

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp -s/32 --dport 11211 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -P INPUT DROP

I am not very familiar with this, and I apologize for the basic question, but thank you in advance.
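As an added illustration of what those commands do (this is example code written for this page, not code from the question or from the reference site), the script below simulates the INPUT chain of an iptables ruleset against a few sample packets. It models only the matches that appear in the posted rules (-p, --dport, -s, -i, --state/--ctstate, -j), uses the first-match-wins semantics of a netfilter chain, and falls back to the chain policy. The question's rule shows "-s/32" with the address missing, so 203.0.113.10 is used here as an assumed placeholder for the one client allowed to reach memcached; the "current" ruleset keeps only the SSH and memcached lines from the posted chain, and the sample packets are constructed.

```python
"""Simulate how the INPUT chain of an iptables ruleset treats sample packets.

Added example for the question above, not code from the original post.
Only -p, --dport, -s (CIDR), -i, --state/--ctstate and -j are modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # None for icmp
    src: str                # source IPv4 address
    iface: str = "eth0"     # inbound interface
    state: str = "NEW"      # conntrack state as the kernel would classify it


def parse_rule(line):
    """Turn one '-A INPUT ...' line (iptables-save or CLI form) into a criteria dict."""
    toks = line.split()
    rule = {"proto": None, "dport": None, "src": None, "iface": None, "states": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            rule["proto"] = toks[i + 1]
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1])
        elif t == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif t == "-i":
            rule["iface"] = toks[i + 1]
        elif t in ("--state", "--ctstate"):
            rule["states"] = set(toks[i + 1].split(","))
        elif t == "-j":
            rule["target"] = toks[i + 1]
        i += 1   # "-m state", "-m tcp", "--reject-with ..." add no match criteria here
    return rule


def parse_chain(text):
    """Return (policy, rules) for INPUT from iptables-save lines and/or 'iptables' commands."""
    policy, rules = "ACCEPT", []
    for raw in text.splitlines():
        line = raw.strip()
        for prefix in ("sudo ", "iptables "):
            if line.startswith(prefix):
                line = line[len(prefix):]
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-P INPUT "):
            policy = line.split()[2]
        elif line.startswith("-A INPUT "):
            rules.append(parse_rule(line))
    return policy, rules


def matches(rule, pkt):
    """True when every criterion present in the rule fits the packet."""
    if rule["iface"] is not None and rule["iface"] != pkt.iface:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt.proto:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt.src) not in rule["src"]:
        return False
    if rule["states"] is not None and pkt.state not in rule["states"]:
        return False
    return True


def verdict(text, pkt):
    """Target of the first matching rule, else the chain policy."""
    policy, rules = parse_chain(text)
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


# Trimmed copy of the INPUT chain posted in the question (SSH and memcached lines only).
CURRENT_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 11211 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The reference site's commands. "-s/32" in the post has no address; 203.0.113.10 is an
# assumed placeholder for the single client that may talk to memcached.
ALLOWED_CLIENT = "203.0.113.10"
REFERENCE_CMDS = f"""\
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp -s {ALLOWED_CLIENT}/32 --dport 11211 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -P INPUT DROP
"""

# Constructed sample packets (198.51.100.7 stands in for an arbitrary Internet host).
PROBES = {
    "udp 11211 from internet": Packet("udp", 11211, "198.51.100.7"),
    "tcp 11211 from internet": Packet("tcp", 11211, "198.51.100.7"),
    "tcp 11211 from allowed": Packet("tcp", 11211, ALLOWED_CLIENT),
    "ssh from internet": Packet("tcp", 22, "198.51.100.7"),
    "memcached over loopback": Packet("tcp", 11211, "127.0.0.1", iface="lo"),
}


def evaluate(text):
    """Verdict for every probe packet under the given ruleset."""
    return {name: verdict(text, pkt) for name, pkt in PROBES.items()}


if __name__ == "__main__":
    scenarios = {
        "current ruleset": CURRENT_RULES,
        "current ruleset + appended commands": CURRENT_RULES + REFERENCE_CMDS,
        "reference commands on an empty chain": REFERENCE_CMDS,
    }
    for title, text in scenarios.items():
        print(title)
        for name, v in evaluate(text).items():
            print(f"  {name:26s} {v}")
```

Running it makes the effect of the three scenarios visible. Under the posted chain, TCP 11211 is accepted from any source and UDP 11211 already falls through to the final REJECT rule, provided that chain is actually loaded (compare with `iptables -S INPUT` on the host). Appending the reference commands with `-A` puts them after that final REJECT rule, so they are never reached and change nothing, and `-P INPUT DROP` only matters for packets that reach the end of the chain. Loaded on a flushed chain instead, the same commands admit memcached only from the one /32 and loopback, but they also drop new SSH connections from everywhere, because no rule for port 22 precedes the DROP policy; that rule has to be added before switching the policy or the session is locked out.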