service attacks (DoS)

service attacks (DoS)

[Askar Ali Khan]

hi,

im try to protect my server from various type of DoS for example
Syn-flood protection,  Furtive port scanner, Ping of death. Its our
server B protected by firewall machine A.

client traffic follow A-------------->B
                          (fw)              (server)

what I did first to log packets on Server B to check with (thanks to Anthony)

# To log avoid various denial of service attacks (DoS) with a faster
rate to increase responsiveness
iptables -N LogPackets

# Call the chain right at the top of the INPUT table so we see all the packets
iptables -I INPUT -j LogPackets

# Create a unique log entry for each type of packet we want to know about
##Syn-flood protection
iptables -A LogPackets -p tcp --syn -m limit --limit 1/s  -j LOG
--log-prefix "Syn-flood "

## Furtive port scanner
iptables -A LogPackets -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
--limit 1/s -j LOG --log-prefix "Furtive port scanner "

## Ping of death
iptables -A LogPackets -p icmp --icmp-type echo-request -m limit
--limit 1/s -j LOG --log-prefix "Ping of death "

when i do "iptables -L LogPackets -nvx" im getting lot of  new packets/s

 iptables -L LogPackets -nvx
Chain LogPackets (1 references)
    pkts      bytes target     prot opt in     out     source         
     destination
      25     1248 LOG        tcp  --  *      *       0.0.0.0/0        
   0.0.0.0/0           tcp flags:0x16/0x02 limit: avg 1/sec burst 5
LOG flags 0 level 4 prefix `Syn-flood '
      24      960 LOG        tcp  --  *      *       0.0.0.0/0        
   0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5
LOG flags 0 level 4 prefix `Furtive port scanner '
       3      192 LOG        icmp --  *      *       0.0.0.0/0        
   0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 LOG flags
0 level 4 prefix `Ping of death '

My question: 
1)                 what exactly im not getting is  "-m limit --limit
1/s", what values to set for my enviroment, with 100 users connected
at any time?

2) ACCEPTed or DROPed ?

regards
Askar

Re: service attacks (DoS)

[Nick Drage]

On Thu, Aug 19, 2004 at 05:47:49PM +0500, Askar Ali Khan wrote:
> hi,
> 
> im try to protect my server from various type of DoS for example
> Syn-flood protection,  Furtive port scanner, Ping of death. Its our
> server B protected by firewall machine A.
> 
> client traffic follow A-------------->B
>                           (fw)              (server)

You might find this useful for some of those:

http://web.lemuria.org/Software/iptables.html


> # Create a unique log entry for each type of packet we want to know about
> ##Syn-flood protection
> iptables -A LogPackets -p tcp --syn -m limit --limit 1/s  -j LOG
> --log-prefix "Syn-flood "

To be honest one request a second isn't much of a flood... actually I
don't know much about the "limit" option, but won't that trigger
everytime you receive a SYN?

> ## Furtive port scanner
> iptables -A LogPackets -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
> --limit 1/s -j LOG --log-prefix "Furtive port scanner "

I wouldn't worry about the limit for the SYN,ACK,FIN,RST packets.... but
won't the RST only get triggered all the time?

> ## Ping of death
> iptables -A LogPackets -p icmp --icmp-type echo-request -m limit
> --limit 1/s -j LOG --log-prefix "Ping of death "

If anyone pings you this rule will be triggered, which is a little
drastic.  You want to guard against ping floods, but really the old
"ping of death", an large ICMP echo request IIRC, is an old, *old*
vulnerability that you shouldn't need to worry about now.

Which remind me, I haven't really looked into it but Snort allegedly can
differentiate between a ping generated by NMAP and a "normal" ping...
anyway for IPTables to pick up those pings?

-- 
"I think a church with a lightning rod shows a decided lack of confidence"