Since the start of this year my little blog has been a constant target of malicious traffic flooding. It drove me to give up the CDN and move to this 3 Mbps trickle of a line, but I still could not shake it: the upstream bandwidth stayed saturated and the experience was awful!
Today I stole some time (slacking off at work) to take a proper look. Logging with iptables -j LOG showed large numbers of TCP ACK packets coming from a single Shanghai IP, 114.226.31.8, which is clearly an ACK flood.
1732690638 2024-11-27 14:57:18 [ 605.167813] [TCP_ACK_443]IN=ens5 OUT= MAC=00:16:3e:05:ae:32:ee:ff:ff:ff:ff:ff:08:00 SRC=106.92.98.233 DST=172.21.120.59 LEN=40 TOS=0x14 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=58014 DPT=443 WINDOW=65535 RES=0x00 ACK FIN URGP=0
1732690638 2024-11-27 14:57:18 [ 605.167831] [TCP_ACK_443]IN=ens5 OUT= MAC=00:16:3e:05:ae:32:ee:ff:ff:ff:ff:ff:08:00 SRC=106.92.98.233 DST=172.21.120.59 LEN=40 TOS=0x14 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=57950 DPT=443 WINDOW=65535 RES=0x00 ACK FIN URGP=0
1732690638 2024-11-27 14:57:18 [ 605.167953] [TCP_ACK_443]IN=ens5 OUT= MAC=00:16:3e:05:ae:32:ee:ff:ff:ff:ff:ff:08:00 SRC=106.92.98.233 DST=172.21.120.59 LEN=40 TOS=0x14 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=57950 DPT=443 WINDOW=65535 RES=0x00 ACK FIN URGP=0
1732690638 2024-11-27 14:57:18 [ 605.177081] [TCP_ACK_443]IN=ens5 OUT= MAC=00:16:3e:05:ae:32:ee:ff:ff:ff:ff:ff:08:00 SRC=106.92.98.233 DST=172.21.120.59 LEN=40 TOS=0x14 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=58014 DPT=443 WINDOW=65535 RES=0x00 ACK URGP=0
1732690638 2024-11-27 14:57:18 [ 605.177186] [TCP_ACK_443]IN=ens5 OUT= MAC=00:16:3e:05:ae:32:ee:ff:ff:ff:ff:ff:08:00 SRC=106.92.98.233 DST=172.21.120.59 LEN=40 TOS=0x14 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=58014 DPT=443 WINDOW=65535 RES=0x00 ACK URGP=0
1732690638 2024-11-27 14:57:18 [ 605.177208] [TCP_ACK_443]IN=ens5 OUT= MAC=00:16:3e:05:ae:32:ee:ff:ff:ff:ff:ff:08:00 SRC=106.92.98.233 DST=172.21.120.59 LEN=40 TOS=0x14 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=57950 DPT=443 WINDOW=65535 RES=0x00 ACK URGP=0
1732690638 2024-11-27 14:57:18 [ 605.177724] [TCP_ACK_443]IN=ens5 OUT= MAC=00:16:3e:05:ae:32:ee:ff:ff:ff:ff:ff:08:00 SRC=106.92.98.233 DST=172.21.120.59 LEN=40 TOS=0x14 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=57950 DPT=443 WINDOW=65535 RES=0x00 ACK URGP=0
With some help from an AI I hacked together a simple rule set using iptables and ipset:
# Set of offending sources; each entry expires on its own after 86400 s (24 h)
ipset create ack_flood hash:ip timeout 86400
# 1: drop anything to port 443 from a source that is already in the set
iptables -I INPUT 1 -p tcp --dport 443 -m set --match-set ack_flood src -j DROP
# 2: record every ACK packet to 443 in the xt_recent list "rate_limit" (no target, so the packet continues)
iptables -I INPUT 2 -p tcp --dport 443 --tcp-flags ACK ACK -m recent --name rate_limit --set
# 3: a source with at least 255 hits in the last 3 seconds is added to the set (SET is non-terminating, the packet continues)
iptables -I INPUT 3 -p tcp --dport 443 --tcp-flags ACK ACK -m recent --name rate_limit --rcheck --seconds 3 --hitcount 255 -j SET --add-set ack_flood src
# 4: log every ACK packet to 443 with the prefix seen above (noisy; keep it only while investigating)
iptables -I INPUT 4 -p tcp --dport 443 --tcp-flags ACK ACK -j LOG --log-prefix "[TCP_ACK_443]" --log-level debug
What it means: when ACK packets to TCP port 443 exceed 50 in one second, the source is automatically blacklisted for 24 hours.
I dropped the script into /etc/rc.local
so it runs at boot, then rebooted the server, and it worked. Be aware that this rule may wrongly block heavy downloads (which generate many ACKs), so if you use it you may need to tune the rate yourself.
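To check the threshold against real log lines before deploying (useful given the false-positive caveat above), here is an added example, not from the original post: a Python script that parses lines written by the LOG rule and applies the same sliding-window test as the -m recent rule (at least hitcount ACK packets from one source within seconds). The log lines, addresses and timings in SAMPLE_LOG are constructed.

```python
import re
from collections import defaultdict

TS_RE = re.compile(r'\[\s*([\d.]+)\]\s*\[TCP_ACK_443\]')  # kernel uptime stamp + the page's log prefix

def parse_line(line):
    """Split one LOG line into (kernel_ts, KEY=VALUE fields, bare flag tokens such as DF/ACK/FIN)."""
    m = TS_RE.search(line)
    if not m:
        return None  # not written by the [TCP_ACK_443] rule
    toks = line[m.end():].split()
    fields = dict(t.split('=', 1) for t in toks if '=' in t)
    flags = {t for t in toks if '=' not in t}
    return float(m.group(1)), fields, flags

def max_hits_in_window(times, seconds):
    """Most packets from one source inside any window of `seconds` (sliding window over sorted stamps)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > seconds:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_ack_flooders(log_text, seconds=3, hitcount=255, dport='443'):
    """Sources whose ACK rate to dport meets the rule's threshold, mapped to their peak hit count."""
    per_src = defaultdict(list)
    for ts, f, flags in filter(None, map(parse_line, log_text.splitlines())):
        if f.get('PROTO') == 'TCP' and f.get('DPT') == dport and 'ACK' in flags:
            per_src[f['SRC']].append(ts)
    peaks = {src: max_hits_in_window(t, seconds) for src, t in per_src.items()}
    return {src: n for src, n in peaks.items() if n >= hitcount}

def make_line(ts, src, dpt='443', flags='ACK'):
    """Constructed line in the exact layout of the page's LOG output (RFC 5737 test addresses)."""
    return (f"1732690638 2024-11-27 14:57:18 [{ts:11.6f}] [TCP_ACK_443]IN=ens5 OUT= "
            f"MAC=00:16:3e:05:ae:32:ee:ff:ff:ff:ff:ff:08:00 SRC={src} DST=172.21.120.59 LEN=40 "
            f"TOS=0x14 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=58014 DPT={dpt} WINDOW=65535 RES=0x00 {flags} URGP=0")

# Constructed sample: 203.0.113.7 sends 300 ACKs in 1.5 s (flood); 198.51.100.20 ACKs a normal
# download (40 packets over 10 s); the last two lines must be ignored (no ACK flag / port 80).
SAMPLE_LOG = "\n".join(
    [make_line(600 + i * 0.005, "203.0.113.7") for i in range(300)]
    + [make_line(600 + i * 0.25, "198.51.100.20", flags="ACK FIN") for i in range(40)]
    + [make_line(605.0, "198.51.100.20", flags="SYN"), make_line(605.0, "203.0.113.7", dpt="80")]
)
if __name__ == "__main__":
    print(find_ack_flooders(SAMPLE_LOG))  # {'203.0.113.7': 300}
```

Feed it the real journal output (journalctl -k, or dmesg -T for the human-readable form) and try seconds=1, hitcount=50 to see how close a legitimate download gets to the threshold you intend to use.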