Hi everyone. I've been working on a project in which I use Suricata and iptables as an IPS to protect the system from DDoS attacks (in this case I use hping3 and LOIC to attack the web server).
Suricata successfully dropped the attack, but iptables makes the website inaccessible.
Here is the rule that I use:
drop http any any -> $HOME_NET 80 (msg:"HPING3"; ttl:64; flags:S; threshold:type threshold, track by_dst, count 100, seconds 5; classtype:attempted-dos; sid:1; rev:1; metadata:created_at 2020_06_11, updated_at 2020_06_11;)
I used these iptables commands:
sudo iptables -I INPUT -p tcp --sport 80 -j NFQUEUE
sudo iptables -I OUTPUT -p tcp --dport 80 -j NFQUEUE
Then I ran Suricata using this command:
suricata -c /etc/suricata/suricata.yaml -q 0
and here is the result in fast.log
It successfully dropped the attack, but when I accessed the website it couldn't be reached, because iptables also blocked it.
Thanks in advance. -liza
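As an added example (not part of the post above, and not Suricata's own code), the following Python models what the `threshold:type threshold, track by_dst, count 100, seconds 5` part of the rule actually does, alongside the other two threshold types (`limit` and `both`), over a constructed SYN flood. It follows the documented semantics of the keyword; the assumption that a per-key window starts at the first match and is not restarted when an alert fires is mine, as are the IP addresses and timings in the sample traffic.

```python
"""Model of Suricata's `threshold` keyword over a constructed SYN flood.

Added example: this is not code from the original post or from Suricata.
It models the documented behaviour of the three threshold types:
  threshold - alert on every count-th match within `seconds`
  limit     - alert on the first `count` matches within `seconds`, then stop
  both      - alert once per window, when `count` matches have been seen
Assumption: a key's window starts at its first match and is not restarted
when an alert fires (the window simply expires after `seconds`).
"""


def threshold_alerts(packets, ttype, track, count, seconds):
    """Return the indices of packets on which the rule would raise its alert.

    packets: iterable of (timestamp_seconds, src_ip, dst_ip), in time order
             (only packets that already match the rest of the rule,
             e.g. SYN to port 80 with ttl 64, are fed in).
    ttype:   "threshold", "limit" or "both"  (threshold:type ...)
    track:   "by_src" or "by_dst"            (track ...)
    """
    state = {}  # key -> [window_start, matches_in_window]
    alerted = []
    for i, (ts, src, dst) in enumerate(packets):
        key = src if track == "by_src" else dst
        win = state.get(key)
        if win is None or ts > win[0] + seconds:
            # first match for this key, or the old window expired: start anew
            win = [ts, 0]
            state[key] = win
        win[1] += 1
        n = win[1]
        if ttype == "threshold":
            # fires on the count-th match, then the counter restarts
            if n % count == 0:
                alerted.append(i)
        elif ttype == "limit":
            # fires for the first `count` matches, silent for the rest of the window
            if n <= count:
                alerted.append(i)
        elif ttype == "both":
            # fires exactly once per window, at the moment count is reached
            if n == count:
                alerted.append(i)
        else:
            raise ValueError("unknown threshold type: %r" % ttype)
    return alerted


def syn_flood(n, dst="10.0.0.80", src="192.168.1.77", start=0.0, gap=0.001):
    """Constructed traffic: n SYNs from one attacker, 1 ms apart (hypothetical addresses)."""
    return [(start + k * gap, src, dst) for k in range(n)]


def demo():
    """500 flood SYNs followed by one legitimate client SYN to the same web server."""
    pkts = syn_flood(500) + [(0.6, "203.0.113.9", "10.0.0.80")]
    return {
        ttype: threshold_alerts(pkts, ttype, "by_dst", count=100, seconds=5)
        for ttype in ("threshold", "limit", "both")
    }


if __name__ == "__main__":
    for ttype, hits in demo().items():
        print("%-9s -> %d alert(s), first at packet %s" % (ttype, len(hits), hits[:1]))
```

Two things the model makes visible: with `type threshold` the rule fires only on every 100th matching packet, so the 99 packets in between are handled exactly as if the rule did not exist; and with `track by_dst` every client that sends a SYN to the web server shares one counter, so a legitimate browser's SYN arriving during a flood is counted (and can be the one that trips the rule) just like the attacker's.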