Iptables and DDoS attacks

Iptables and DDoS attacks

[Hack3rcon]

Hello iptables Team,
Is it possible to protect a server against DDoS attacks using iptables?

Thank you.

Re: Iptables and DDoS attacks

[Reindl Harald]

Am 10.08.23 um 09:16 schrieb Hack3rcon@mail2tor.com:
> Hello iptables Team,
> Is it possible to protect a server against DDoS attacks using iptables?

depends on the attack - if it's bandwith *nothing* on your side can do 
anything against it

for request-based attacks xt_recent for ratelimits works well

Re: Iptables and DDoS attacks

[Hack3rcon]

>
>
> Am 10.08.23 um 09:16 schrieb Hack3rcon@mail2tor.com:
>> Hello iptables Team,
>> Is it possible to protect a server against DDoS attacks using iptables?
>
> depends on the attack - if it's bandwith *nothing* on your side can do
> anything against it
>
> for request-based attacks xt_recent for ratelimits works well
>

Hello,
Thank you so much for your reply.
How do hardware firewalls that use Linux prevent these attacks?

Can you show me some iptables rules about limitation?

Re: Iptables and DDoS attacks

[imnozi]

The first thing to do is:
  iptables -t mangle -I 1 PREROUTING -m state --state INVALID -j DROP

This will drop all TCP packets that have an INVALID state (to wit, netfilter is unable to correlate these packets to an existing connection). Since they are INVALID, do not spend even a nanosecond more time processing them; just dump them in the bit bucket.

After that, add rules that drop all packets to and from internet hosts and networks that you already know you want no contact with (pron, sleaze, warez, et alia); ipset is good for this.

In order to reduce said traffic on your downlink, you would have to ask your upstream (ISP?) to implement some sort of rate limiting on your link to let more legitimate traffic through.

The only way to possibly thwart DDoS is to require all ISPs and other leaf providers to implement reverse path filtering. Packets that claim to arrive on their downstream links that have IP addresses that do not reside on their DS links are to be dropped. E.g., if a Comcrash customer started sending packets purporting to be from 8.8.8.8, Comcrash should silently drop those packets (well, unless Google is a customer), and warn the security team when a customer persists in spoofing SRC IP addresses. (Of course, this likely doesn't address all forms of DDoS; your mileage will vary.)

N

On Sun, 13 Aug 2023 15:34:32 -0400
Hack3rcon@mail2tor.com wrote:

> >
> >
> > Am 10.08.23 um 09:16 schrieb Hack3rcon@mail2tor.com:  
> >> Hello iptables Team,
> >> Is it possible to protect a server against DDoS attacks using iptables?  
> >
> > depends on the attack - if it's bandwith *nothing* on your side can do
> > anything against it
> >
> > for request-based attacks xt_recent for ratelimits works well
> >  
> 
> Hello,
> Thank you so much for your reply.
> How do hardware firewalls that use Linux prevent these attacks?
> 
> Can you show me some iptables rules about limitation?
> 

Re: Iptables and DDoS attacks

[Joshua Moore]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="utf-8-sig", Size: 1562 bytes --]

For volumetric attacks (bandwidth), hardware routers/firewalls export flow analytics to a flow analyzer which then in turn has detection logic which triggers scripts. One example is triggering a script for a remotely triggered black hole (RTBH) which signals to upstream ISPs to drop traffic to the destination /32 host that is attacked. Other mitigation mechanisms include triggering traffic to be redirected to a scrubbing server to consume the attack and “scrub” the traffic clean and to redirect traffic to a low bandwidth “garbage” ISP connection intended to drop the attack at the edge.

In all cases, you cannot stop the attacks with simple iptables/nftable rules because they by nature need to drop packets AFTER they hit the wire which is too late.

The *right* solution for you would all depend on your network and goals. Happy to discuss more if you want to ping my company email directly as we implement this kind of thing regularly: jmoore@archous.tech

> On Aug 13, 2023, at 4:23 PM, Hack3rcon@mail2tor.com wrote:
> 
> 
>>> Am 10.08.23 um 09:16 schrieb Hack3rcon@mail2tor.com:
>>> Hello iptables Team,
>>> Is it possible to protect a server against DDoS attacks using iptables?
>> depends on the attack - if it's bandwith *nothing* on your side can do
>> anything against it
>> for request-based attacks xt_recent for ratelimits works well
> 
> Hello,
> Thank you so much for your reply.
> How do hardware firewalls that use Linux prevent these attacks?
> 
> Can you show me some iptables rules about limitation?