Floods

Floods

[Michał Margula]

Hello!

	I have problem, quite big one. I don't know how to deal with it. Tried 
everything i know. I have a 2 x Xeon 2.66 server with 1 Gig ram. Everything 
based on Intel e100 and e1000 NICs. That server is my firewall and gateway.

I have common problem - viruses, worms and so on. It degrades server 
performance quite much. I am using connlimit.

-p tcp --syn -m connlimit --connlimit-above 100 -j DROP

It was working fine until today. I was hit by UDP flood coming from one of our 
100mbit networks. I found that person and disconnected, but that is not 
solution. Event "-t raw" didnt' help.

Altough after removing ip_conntrack from kernel everything goes fine. But i 
can't stop using conntrack, because of SNAT, DNAT and REDIRECT targets.

What do you recommend? Unfortunately connlimit does not work with UDP packets 
(no wonder - UDP is conection less). What should I do? I even thought about 
switch to FreeBSD (sic! :<).

Help, please!

-- 
Michał Margula, alchemyx@uznam.net.pl, http://alchemyx.uznam.net.pl/
"W życiu piękne są tylko chwile" [Ryszard Riedel]

Netfilter based application : any advice ?

[Saber zrelli]

Hi people ,

i'm new in Netfilter community ,
I'm planning to crate a network software robot acting like 'automata'
based on scripts dicting its behaviour .
i explain :

the main program basically filter packets and executes actions like
iptbles does ,  based on rules located in some file.
the difference is that the actions can also be sending specific packet.
the tool should allows for example simulation of tcp/ip connections , ftp
connections and so on.

the implentation will consist on a Netfilter module that will be added to
hook on the network activities.
now the point is :

- Is it possible to send packets with Netfilter or not? ( if not i guess
using libnet will resolve the pb but better to have  
  every thing based on the same infrastructure)

- I would like to have the tool work with wireless protocol , does
Netfilter support non Ethernet proto and 802.11 particulary?


any advices will be really appreciated.
also , any partner for the project is welcome.

Regards.

-- 
  Saber Zrelli
  kanazawa university international house 
  kakuma-machi , kanazawa , Ishikawa 
  920-1192 Japan. 

Re: Netfilter based application : any advice ?

[Pablo Neira]

Hi,

Saber zrelli wrote:

>- Is it possible to send packets with Netfilter or not? ( if not i guess
>using libnet will resolve the pb but better to have  
>  every thing based on the same infrastructure)
>  
>

If you can do that in user space, have a look at libnet.You can forge
packets in inject them.


>- I would like to have the tool work with wireless protocol , does
>Netfilter support non Ethernet proto and 802.11 particulary?
>  
>

This is transparent to netfilter since it's in OSI layer 3/4.

regards,
Pablo

Re: Netfilter based application : any advice ?

[Saber zrelli]

hi ,
so if i well understood  ; 
Netfilter doesn't offer packet injection , and i have to use libnet .
then , the other point :
I would like to capture in link level , 
Netfilter can aceess MAC adresses and other Ethernet parameters cause it
support it ,
but if for example i'm using wireless network and want to filter wireless
packets , does ethernet offer 802.11 specific methods , or is there a
standard link layer methods that supports all kind of protocols ?

thanks for clarifications.



On Mon, 15 Mar 2004 09:51:05 +0100, "Pablo Neira" <pablo@eurodev.net>
said:
> Hi,
> 
> Saber zrelli wrote:
> 
> >- Is it possible to send packets with Netfilter or not? ( if not i guess
> >using libnet will resolve the pb but better to have  
> >  every thing based on the same infrastructure)
> >  
> >
> 
> If you can do that in user space, have a look at libnet.You can forge
> packets in inject them.
> 
> 
> >- I would like to have the tool work with wireless protocol , does
> >Netfilter support non Ethernet proto and 802.11 particulary?
> >  
> >
> 
> This is transparent to netfilter since it's in OSI layer 3/4.
> 
> regards,
> Pablo
> 
-- 
  Saber Zrelli
  kanazawa university international house 
  kakuma-machi , kanazawa , Ishikawa 
  920-1192 Japan. 

Re: Netfilter based application : any advice ?

[Pablo Neira]

hi,

Saber zrelli wrote:

>hi ,
>so if i well understood  ; 
>Netfilter doesn't offer packet injection , and i have to use libnet .
>  
>
you can inject packets in kernel space, but I recommend you working from
user space.

>then , the other point :
>I would like to capture in link level , 
>Netfilter can aceess MAC adresses 
>
if you want to work in link layer, have a look at ebtables.

http://ebtables.sourceforge.net/

regards,
Pablo

Re: Floods

[Alexander Samad]

[-- Attachment #1: Type: text/plain, Size: 1273 bytes --]

On Sun, Mar 14, 2004 at 07:30:29PM +0100, Micha? Margula wrote:
> Hello!
> 
> 	I have problem, quite big one. I don't know how to deal with it. Tried 
> everything i know. I have a 2 x Xeon 2.66 server with 1 Gig ram. Everything 
> based on Intel e100 and e1000 NICs. That server is my firewall and gateway.
> 
> I have common problem - viruses, worms and so on. It degrades server 
> performance quite much. I am using connlimit.
> 
> -p tcp --syn -m connlimit --connlimit-above 100 -j DROP
> 
> It was working fine until today. I was hit by UDP flood coming from one of our 
> 100mbit networks. I found that person and disconnected, but that is not 
> solution. Event "-t raw" didnt' help.
> 
> Altough after removing ip_conntrack from kernel everything goes fine. But i 
> can't stop using conntrack, because of SNAT, DNAT and REDIRECT targets.
> 
> What do you recommend? Unfortunately connlimit does not work with UDP packets 
> (no wonder - UDP is conection less). What should I do? I even thought about 
> switch to FreeBSD (sic! :<).
What about using the rate-limit module ?

> 
> Help, please!
> 
> -- 
> Micha? Margula, alchemyx@uznam.net.pl, http://alchemyx.uznam.net.pl/
> "W ?yciu pi?kne s? tylko chwile" [Ryszard Riedel]
> 
> 

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Floods

[Michał Margula]

Dnia pon 15. marca 2004 01:34, Alexander Samad napisał:
> > What do you recommend? Unfortunately connlimit does not work with UDP
> > packets (no wonder - UDP is conection less). What should I do? I even
> > thought about switch to FreeBSD (sic! :<).
>
> What about using the rate-limit module ?

How? One rule per one IP? Wouldn't it kill performance? I was thinking about 
dstlimit but applying patch-o-matic-ng does not create files for iptables.

-- 
Michał Margula, alchemyx@uznam.net.pl, http://alchemyx.uznam.net.pl/
"W życiu piękne są tylko chwile" [Ryszard Riedel]

Re: Floods

[Nuutti Kotivuori]

Micha wrote:
> What do you recommend? Unfortunately connlimit does not work with
> UDP packets (no wonder - UDP is conection less). What should I do? I
> even thought about switch to FreeBSD (sic! :<).

See if the 'dstlimit' would help in your case. It is in patch-o-matic.

-- Naked

Re: Floods

[Michał Margula]

Dnia pon 15. marca 2004 16:14, Nuutti Kotivuori napisał:
> Micha wrote:
> > What do you recommend? Unfortunately connlimit does not work with
> > UDP packets (no wonder - UDP is conection less). What should I do? I
> > even thought about switch to FreeBSD (sic! :<).
>
> See if the 'dstlimit' would help in your case. It is in patch-o-matic.
>
> -- Naked

But it does not support '--mode srcip' and I failed trying to adpot patch from 
before few months that tried to add that option.

-- 
Michał Margula, alchemyx@uznam.net.pl, http://alchemyx.uznam.net.pl/
"W życiu piękne są tylko chwile" [Ryszard Riedel]

Re: Floods

[Nuutti Kotivuori]

Micha wrote:
> Dnia pon 15. marca 2004 16:14, Nuutti Kotivuori napisał:
>> Micha wrote:
>>> What do you recommend? Unfortunately connlimit does not work with
>>> UDP packets (no wonder - UDP is conection less). What should I do? 
>>> I even thought about switch to FreeBSD (sic! :<).
>>
>> See if the 'dstlimit' would help in your case. It is in
>> patch-o-matic.
>
> But it does not support '--mode srcip' and I failed trying to adpot
> patch from before few months that tried to add that option.

The patch-o-matic help is outdated, this is what it supports now:

,----
| --dstlimit-mode <mode>         mode
|                                        dstip
|                                        dstip-dstport
|                                        srcip-dstip
|                                        srcip-dstip-dstport
`----

There is no srcip mode, but srcip-dstip might be enough for you.

-- Naked