From: Michael Gale <mgale@utilitran.com>
To: netfilter@lists.netfilter.org
Subject: Re: Protecting against DoS
Date: Tue, 9 Dec 2003 09:02:21 -0700
Message-ID: <20031209090221.413b7286.mgale@utilitran.com>
In-Reply-To: <20031209154333.GB17221@edu.joroinen.fi>


Hello,

First make sure you are using tcp_syncookies:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies -- if you have not compiled it into the kernel. This will help prevent DoS by assigning each incoming SYN packet a cookie instead of an actual connection state. A connection state will be created once the three-way handshake is completed.

Second -- you should be dropping all packets on all interfaces and then only allow connections you have to pass.

Michael.


On Tue, 9 Dec 2003 17:43:34 +0200
Pasi Kärkkäinen <pasik@iki.fi> wrote:

> Hello!
> 
> I was thinking about the correct or best way to protect my Linux/netfilter 
> box against DoS-attacks. 
> 
> Some time ago one of the windows users in my LAN managed to get nimda (or
> some other) worm to his computer. The worm started scanning the internet
> for other vulnerable boxes, opening a big amount of tcp-connections all the
> time without closing them. 
> 
> So after a while I hit the limit of max. open connections
> (/proc/sys/net/ipv4/ip_conntrack_max), and the firewall-box is basically
> DoS:ed. With the default settings, open tcp-connections stay in the state
> table for 5 days, so it takes a looong time to get things running again if
> you don't reload the modules or reboot the box..
> 
> Now I have a couple of questions to be sure about the facts while setting 
> up the correct limits to prevent this kind of DoS-attack..
> 
> 
> 1) Is the correct formula to calculate the maximum number of connections
> (for /proc/sys/net/ipv4/ip_conntrack_max) free_memory_in_bytes / 350 ? This
> is what I got from the Netfilter FAQ: "You can easily increase the number of
> maximal tracked connections, but be aware that each tracked connection eats
> about 350 bytes of non-swappable kernel memory!"
> 
> 2) Netfilter FAQ: "To optimize performance, please also raise the number of
> hash buckets by using the hashsize module loadtime parameter of the
> ip_conntrack.o module." What's the correct formula to calculate good value
> for hashsize?
> 
> 3) Is there some problem other than the idle tcp-connections dying sooner if I
> lower the value of TCP_CONNTRACK_ESTABLISHED in
> /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c from 5 days to 1
> day or even less (to get the possible non-closed tcp-connections out from the state
> table sooner) ?
> 
> 4) What's the correct place to set up limits for new connections (to prevent
> the state table being filled up in DoS) ? Is it better to do in the 
> mangle-table/PREROUTING-chain something like "-m state --state NEW -m limit 
> --limit 5/sec -j RETURN && -j DROP" than later in the filter-table/FORWARD-chain?
> I'm thinking about performance here..
> 
> 5) I'm thinking about measuring average "new connections per second"-rate
> and setting up limits to obey that.. is this a good way?
> 
> 6) Do you have some other tips? What are the biggest problems in addition to
> getting the state table filled up..
> 
> 
> Thanks for your replies!
> 
> -- Pasi Kärkkäinen
>        
>                                    ^
>                                 .     .
>                                  Linux
>                               /    -    \
>                              Choice.of.the
>                            .Next.Generation.
> 


-- 
Michael Gale
Network Administrator
Utilitran Corporation
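The points raised in this exchange (sizing ip_conntrack_max from free memory at the FAQ's 350 bytes per entry, picking a hashsize, shortening the 5-day ESTABLISHED timeout, default-deny with a per-second cap on NEW connections from the LAN) pulled together into one script. This is an added example written for this archive page, not code posted by either participant. Assumptions: the 350 bytes/connection figure is the one quoted from the Netfilter FAQ in the thread; the hashsize relation used is ip_conntrack's default of ip_conntrack_max = 8 * hashsize; the sysctl ip_conntrack_tcp_timeout_established is assumed to exist on the running kernel (older builds only have the compile-time constant Pasi mentions); the /proc/meminfo sample, interface name eth1 and rate of 5/sec are constructed values.

```sh
#!/bin/sh
# Added example for the "Protecting against DoS" thread; not from the original message.
# Assumes 350 bytes of non-swappable kernel memory per tracked connection (Netfilter FAQ
# figure quoted in the thread) and ip_conntrack's default ip_conntrack_max = 8 * hashsize.

BYTES_PER_CONN=350

# Size ip_conntrack_max from a /proc/meminfo-style file so the state table can never
# consume more than the given percentage of MemFree.
#   $1 = meminfo file, $2 = percent of MemFree to budget for conntrack
conntrack_max_for() {
    free_kb=$(awk '/^MemFree:/ { print $2 }' "$1")
    # percentage first, then kB -> bytes, then entries (keeps intermediates small)
    echo $(( free_kb * $2 / 100 * 1024 / BYTES_PER_CONN ))
}

# Matching hash table size: keep the default ratio of 8 entries per bucket.
#   $1 = ip_conntrack_max
hashsize_for() {
    echo $(( $1 / 8 ))
}

# Print (do not run) the hardening steps: syncookies, a bounded state table,
# a shorter ESTABLISHED timeout, default-deny on every chain, and a cap on NEW
# connections per second from the LAN so one wormed host cannot fill the table.
# Excess NEW attempts are logged before the policy drops them, which is also how
# you spot the infected host.
#   $1 = ip_conntrack_max, $2 = LAN interface, $3 = NEW connections/sec allowed
emit_hardening() {
    ct_max=$1; lan=$2; rate=$3
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo $ct_max > /proc/sys/net/ipv4/ip_conntrack_max
# 1 day instead of the 5-day default (assumes the timeout is exposed as a sysctl)
echo 86400 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -m state --state NEW -m limit --limit $rate/sec --limit-burst $rate -j ACCEPT
iptables -A FORWARD -i $lan -m state --state NEW -j LOG --log-prefix "conntrack-rate: "
EOF
}

# Constructed sample meminfo (not from a real machine) so the script runs offline.
sample=$(mktemp)
printf 'MemTotal:       515480 kB\nMemFree:        102400 kB\n' > "$sample"
max=$(conntrack_max_for "$sample" 50)
echo "# ip_conntrack_max=$max hashsize=$(hashsize_for "$max")"
emit_hardening "$max" eth1 5
rm -f "$sample"
```

The script only prints the commands, so the values can be checked against the box before anything is applied; the hashsize goes on the module command line (modprobe ip_conntrack hashsize=N) rather than into /proc, which is why it is reported as a comment instead of emitted as a command.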

