Category Archives: Security

DDOS

There’s lots of bad stuff on the Internet these days. In this post and the next few, I’m going to talk about some of the kinds of bad stuff and what you can do to protect yourself. The first one we’re going to talk about is a Distributed Denial of Service, or DDOS. It’s mainly called DDOS so we don’t have to type out Distributed Denial of Service every time (I admit, I copy and pasted that second one so I didn’t have to type it the second time).

A DDOS is where the attacker tries to overwhelm the target with so much traffic that they can’t do anything. Imagine your connection to the Internet as a pipe.

[Image: The Internet as a Pipe]

The pipe flows both ways. It lets you send traffic to the Internet (like sending an email) or receive traffic (like reading https://computerlamp.net/). A DDOS attack fills that pipe up by sending you so much traffic you can’t do anything. You can’t send packets out, nor can you surf the web. You’re basically knocked off the net.

When a company is DDOS’d, they can lose money. For example, if I sell computer lamps on my website and someone DDOS’s my site, I can’t take any more orders. I’m losing money because of this attack.

We’ve talked about how a DDOS denies your service, but where does the word distributed come in? In the old days, a massive amount of traffic would come to your computer from one IP address. It turns out, firewalls stop that attack really well: one rule that drops everything from that address and the flood goes nowhere. (The packets still have to cross your pipe before the firewall throws them away, so this only works while the flood is smaller than the pipe.)

The bad guys had to find a new way to attack, and they did it by sending the traffic from many IP addresses. Blocking one IP address is easy; blocking 10,000 is not so easy, especially when they change during the attack.

What do you do if you’re the victim of a DDOS attack? Well, if it’s just your home computer, you can probably wait it out. Or, if your ISP hands out your address with DHCP, you can release it, ask for a new one and hope they don’t find you (changing the address of a computer on your own network behind the router doesn’t help; it’s the public address that’s being flooded). If that doesn’t help, contact your ISP, since they can drop the traffic upstream before it ever reaches your pipe.

iptables

Last post we talked about firewalls and what they mean. I did a lot of talking about what the firewall should do, not how to do them. I also said the program that Linux uses is called iptables.

This time, we’ll talk about how to configure firewalls. Now, these are commands that can only be run as root (or through sudo), not as computerlamp or yourself. This is an informative post, not one you should run out and try. Unless you really really need firewall rules, then I suggest you Google for a more complete guide.

A firewall rule doesn’t exist by itself; it’s part of an ordered list that iptables calls a chain. Packets coming into the computer are checked against the INPUT chain and packets leaving it against the OUTPUT chain (there’s also FORWARD, for traffic passing through a router). The first rule that matches decides what happens to the packet, and if nothing matches, the chain’s default policy does.

So, iptables has lots of flags. Lots and lots of flags. These are just a few:

Short flag   Long flag          What is it?
-p           --protocol         The protocol (tcp, udp, icmp, ...)
-s           --source           Where’s this coming from? (source address)
-d           --destination      Where’s this going to? (destination address)
-i           --in-interface     What interface is it coming in on? (INPUT and FORWARD only)
-o           --out-interface    What interface is it going out on? (OUTPUT and FORWARD only)
-j           --jump             What do I do with it? (ACCEPT, DROP, ...)
-A           --append           Add the rule to the end of the listed chain

The loopback interface (lo) is the one where the computer talks to itself: anything sent to 127.0.0.1 (or the name localhost) goes out lo and comes straight back in. The computer wants to talk to itself, so the command looks like:

iptables -A INPUT -i lo -j ACCEPT

That means add this rule to the INPUT chain. Now, for the loopback interface, accept all traffic coming in.

iptables -A OUTPUT -o lo -j ACCEPT

Add this rule to the OUTPUT chain and accept all traffic going out on the loopback interface. Note the -o this time: a packet leaving the machine has an out-interface, not an in-interface, and iptables refuses -i in the OUTPUT chain.

Now suppose my friend is being really annoying and is attempting to hack my computer. I know what IP address his computer has, so I want to stop him at my firewall. Then he can be annoying all he wants, and I’ll never know.

iptables -A INPUT -s 8.8.8.8 -j DROP

Drop all traffic from the source 8.8.8.8 and don’t forget, add this rule to the INPUT chain.

Now 8.8.8.8 is Google’s public DNS server, so I don’t necessarily want to drop all traffic from there. I just didn’t want to publish my friend’s IP address.

Read the man page for iptables and you’ll see there’s all sorts of flags I didn’t mention. Remember, this isn’t for you to run out and try to change the firewall on your Linux system, it’s just to talk about what you could do.

Linux® and Firewalls

We don’t want all the traffic we could possibly get to our Linux system. Some of it could be good, but some of it could also be bad. Some could just be, y’know, there. Like dust in the wind. But anyway, there’s traffic we don’t want near our system, like the traffic from people who want to do bad things to or with our computer. To prevent this, we use a firewall.

A physical firewall is a wall to prevent the spread of fire.

[Image: A Firewall for Fire]

That would be spiffy, wouldn’t it? Surrounding the computer with a nice wall that prevents traffic. It would also make the computer weigh too much.

Instead, a computer firewall is a program. It’s designed to allow some traffic in and prevent other traffic from coming in. Similarly, it lets some traffic out but can prevent other traffic from going out.

For example, you want to surf the net, right? A firewall should let you do that. A web server is a server that hosts web pages (I know, I think it should have a spiffier name.) It listens on TCP port 80 for plain HTTP and on port 443 for HTTPS.

If you’re not running a web server, then there shouldn’t be any traffic trying to reach those ports. This being the Internet though, I bet someone does try. Just to be safe, let’s block it. We don’t actually put a block up like a physical firewall, we just drop the traffic: the packet is thrown away and nothing is sent back (rejecting it would send an error, which at least tells the sender there’s a computer here). The computer says ‘what traffic? Never heard of it’.

On the other hand, if I start a connection to a web server, its replies come back from port 80 (or 443) to whatever high-numbered port my computer picked for that connection. You don’t want your firewall to drop those packets. You’d like your content, right? Give me http://www.computerlamp.net/ or bust!

That’s why there’s a rule that says ‘if I started the connection, let it finish’. The firewall remembers which connections this machine opened (iptables calls this connection tracking) and lets their replies through, while a stranger trying to open a new connection to port 80 is still dropped.

The standard firewall program for Linux is iptables. The rules can get quite complex, but so far, I’ve just talked about what we want the rules to do, not how to do them.

That’s next!
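To tie the two posts together, here is the loopback, drop-the-friend and “let my own connections finish” behaviour described above, and the rules shown in the iptables post, assembled into one script. This is an added example, not the original author’s code. It assumes the default filter table with its built-in INPUT and OUTPUT chains, the conntrack and multiport match modules (standard in modern iptables), and 8.8.8.8 standing in for the friend’s address exactly as the post does. Loading the rules needs root; by default the script only prints them.

```shell
#!/bin/sh
# Added example (not from the original posts): a minimal stateful ruleset
# built from the rules discussed in the iptables and firewalls posts.
# Assumptions: filter table, INPUT/OUTPUT chains, conntrack + multiport
# modules, and 8.8.8.8 as the placeholder for the friend's address.

IPT="${IPT:-iptables}"                  # set IPT="echo iptables" for a dry run
BLOCKED_SRC="${BLOCKED_SRC:-8.8.8.8}"   # placeholder, as in the post

firewall_rules() {
    # Open INPUT while rebuilding, so re-running over an existing DROP
    # policy cannot lock us out between the flush and the new rules.
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F OUTPUT

    # Loopback, the machine talking to itself: -i on INPUT, -o on OUTPUT
    # (iptables refuses -i in the OUTPUT chain).
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # The annoying friend. This sits before the connection-tracking rule
    # so that even a connection he already has open is cut off.
    $IPT -A INPUT -s "$BLOCKED_SRC" -j DROP

    # "If I started the connection, let it finish": replies to connections
    # we opened come back as ESTABLISHED (the web server answering from
    # port 80 or 443 to the high port we picked); RELATED covers things
    # like ICMP errors about those connections.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # No web server here, so drop new connections to 80 and 443 rather
    # than reject them: DROP sends nothing back. The DROP policy below
    # would catch these anyway; the explicit rule gives a packet counter
    # in `iptables -L INPUT -v` so you can see how often someone tries.
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -j DROP

    # Everything else inbound is dropped; outbound stays open so we can surf.
    $IPT -P INPUT DROP
}

# Print the rules instead of loading them, for review before running as root.
preview_rules() {
    ( IPT="echo iptables"; firewall_rules )
}

# 1-based position of the first rule matching a pattern in the preview,
# so rule ordering can be checked (first match wins in a chain).
rule_position() {
    preview_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

if [ "${1:-}" = "apply" ]; then
    firewall_rules          # needs root: sudo sh firewall.sh apply
else
    preview_rules
fi
```

Run it without arguments to see the exact iptables commands it would issue; run it as root with `apply` to load them. The order matters: the friend’s DROP is placed ahead of the ESTABLISHED,RELATED rule on purpose, because a chain stops at the first matching rule and connection tracking would otherwise keep an already-open connection from his address alive.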