How stop DoS and SYN attack..

How stop DoS and SYN attack..

[Alberto Ferrer]

¿any know a way to stop via Linux with iptables or related a SYN attack ?
¿where i can read something related to this?

Thanks in advance.

P.S: sorry for my bad english :D
--
Alberto Ferrer

Re: How stop DoS and SYN attack..

[Mogens Valentin]

Alberto Ferrer wrote:
> ¿any know a way to stop via Linux with iptables or related a SYN attack ?
> ¿where i can read something related to this?

   # Enable syn-cookies (prevent syn-flood attacks):
     echo "1" >/proc/sys/net/ipv4/tcp_syncookies

   # Reduce number of possible SYN Floods:
     echo "1024" >/proc/sys/net/ipv4/tcp_max_syn_backlog

Helps somewhat. Can also be set via sysctl.
You may wan't to look into iptables docs for the 'limit' module:

   -m limit --limit X/sec

-- 
Kind regards,
Mogens Valentin

RE: How stop DoS and SYN attack..

[Sietse van Zanen]

There's not really very much you can do about DDOS attacks with netfilter alone. You can block the traffic ofcourse, or try to fiddle with --limit, or tcp_syn_cookies.
But usually the problem is that the amount of traffic just fills your entire Internet connecection, which renders it useless. The only thing you can do in such a situation is ask yout ISP to block the attack upstream.
And often, ISPs are very unhappy about customers being DDOS-ed.

-Sietse 

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Alberto Ferrer
Sent: Saturday, June 03, 2006 10:33 PM
To: netfilter@lists.netfilter.org
Subject: How stop DoS and SYN attack..

¿any know a way to stop via Linux with iptables or related a SYN attack ?
¿where i can read something related to this?

Thanks in advance.

P.S: sorry for my bad english :D
--
Alberto Ferrer

Re: How stop DoS and SYN attack..

[Alberto Ferrer]

Solved at moment, some bad boy its doing a syn flood to my webserver
with 38.000 ips, i want die :) , for now, iptables and mod_evasive its
winning.

2006/6/5, Mogens Valentin <mogensv@vip.cybercity.dk>:
> Alberto Ferrer wrote:
> > i got a lot of:
> >
> > Jun  5 00:19:29 lnx1 kernel: [4322108.323000] fp=bad_packets:1 a=DROP
> > IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00
> > SRC=201.231.52.141 DST=200.68.95.25 LEN=40 TOS=0x00 PREC=0x00 TTL=248
> > ID=0 PROTO=TCP SPT=53176 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
> >
> > Jun  5 00:19:34 lnx1 kernel: [4322112.926000] fp=INPUT:99 a=DROP
> > IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00
> > SRC=200.68.126.88 DST=200.68.95.27 LEN=48 TOS=0x00 PREC=0x00 TTL=119
> > ID=44694 DF PROTO=TCP SPT=1196 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
> >
> > Jun  5 00:19:35 lnx1 kernel: [4322113.710000] fp=INPUT:99 a=DROP
> > IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00
> > SRC=200.68.126.88 DST=200.68.95.28 LEN=48 TOS=0x00 PREC=0x00 TTL=119
> > ID=44762 DF PROTO=TCP SPT=1134 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
> >
> > Jun  5 00:19:36 lnx1 kernel: [4322114.558000] fp=INPUT:99 a=DROP
> > IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00
> > SRC=200.68.126.88 DST=200.68.95.27 LEN=48 TOS=0x00 PREC=0x00 TTL=119
> > ID=44873 DF PROTO=TCP SPT=1196 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
> >
> > Jun  5 00:19:39 lnx1 kernel: [4322117.587000] fp=bad_packets:1 a=DROP
> > IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00
> > SRC=201.254.155.13 DST=200.68.95.25 LEN=40 TOS=0x00 PREC=0x00 TTL=244
> > ID=0 PROTO=TCP SPT=28837 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
> >
> > My website its working a bit slow now ^^ and my ISP says: "you can
> > block that by your self" .
>
> And rightfully so; this is your own problem. No pun intended :)
>
> Looking at your presended dumps, you see DPT=445:
>    grep 445 /etc/services
>    microsoft-ds    445/tcp
>    microsoft-ds    445/udp
>
> Those are requests to MS directory services, coming in on your internet
> interface (so it looks), and correctly being blocked.
> Your only problem may be the number of those, which you may do something
> about using iptables limit targets.
>
> The DTP=80 are requests to either your webserver (do you have one
> running?), or to a assumed running webserver.
> You may wanna have a look at which services are running behind, or at,
> the firewall, whether or not those are secured by themselves.
>
> > ¿What distro is most prepared for this?
>
> The one you know the best ;) No, seriously, I don't know. Thay can all
> be used. It's not a that much a matter of which distro, but go through
> the kernel setup, read in /usr/src/linux/Documentation about what you
> can do with in /proc or with sysctl, and read about iptables.
> For a distro, I'd suggest Slackware, partly because I know ot well,
> partly because it doesn't have all those wrapper mechanisms other
> distros have, so it's simple to find out how things works, plus per
> default it's setup quite safe.
> However, no distros I know of, can do anything about your specific kind
> of traffic. It's up to you to define measures against such.
>
> > 2006/6/3, Mogens Valentin <mogensv@vip.cybercity.dk>:
> >
> >> Alberto Ferrer wrote:
> >> > ¿any know a way to stop via Linux with iptables or related a SYN
> >> attack ?
> >> > ¿where i can read something related to this?
> >>
> >>    # Enable syn-cookies (prevent syn-flood attacks):
> >>      echo "1" >/proc/sys/net/ipv4/tcp_syncookies
> >>
> >>    # Reduce number of possible SYN Floods:
> >>      echo "1024" >/proc/sys/net/ipv4/tcp_max_syn_backlog
> >>
> >> Helps somewhat. Can also be set via sysctl.
> >> You may wan't to look into iptables docs for the 'limit' module:
> >>
> >>    -m limit --limit X/sec
>
> Again, take a look a the limits target in iptables.
>
> --
> Kind regards,
> Mogens Valentin
>
>


-- 
bet0x

Re: How stop DoS and SYN attack..

[Brent Clark]

Alberto Ferrer wrote:
>> > Jun  5 00:19:39 lnx1 kernel: [4322117.587000] fp=bad_packets:1 a=DROP
>> > IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00
>> > SRC=201.254.155.13 DST=200.68.95.25 LEN=40 TOS=0x00 PREC=0x00 TTL=244
>> > ID=0 PROTO=TCP SPT=28837 DPT=80 WINDOW=0 RES=0x00 RST URGP=0

Hi

Unless im mistaken, but why are you dropping on the RST status.

Just something im wondering.

Kind Regards
Brent Clark

Re: How stop DoS and SYN attack..

[Brent Clark]

Alberto Ferrer wrote:
> 2006/6/5, Brent Clark <bclark@eccotours.co.za>:
>> Alberto Ferrer wrote:
>> >> > Jun  5 00:19:39 lnx1 kernel: [4322117.587000] fp=bad_packets:1 
>> a=DROP
>> >> > IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00
>> >> > SRC=201.254.155.13 DST=200.68.95.25 LEN=40 TOS=0x00 PREC=0x00 
>> TTL=244
>> >> > ID=0 PROTO=TCP SPT=28837 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
>>
>> Hi
>>
>> Unless im mistaken, but why are you dropping on the RST status.
>>
>> Just something im wondering.
>>
> 
> whats that, what means, my english its a little bad .
>> Kind Regards
>> Brent Clark

Hi

Im not really qualified to assist (continue asking the guys from Netfilter Mailing List).

The reason for my email is because it looks like you DROPPING on the RST (Look at the end of the string "RES=0x00 RST URGP=0") flag (out of interest do you know TCP/IP and its flags etc).

Its maybe advisable to post your rulset and maybe someone will proof read it for you.

HTH and best of luck.

Kind Regards
Brent Clark

Re: How stop DoS and SYN attack..

[Brent Clark]

Alberto Ferrer wrote:
> 2006/6/5, Brent Clark <bclark@eccotours.co.za>:
>> Alberto Ferrer wrote:
>> >> > Jun  5 00:19:39 lnx1 kernel: [4322117.587000] fp=bad_packets:1 
>> a=DROP
>> >> > IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00
>> >> > SRC=201.254.155.13 DST=200.68.95.25 LEN=40 TOS=0x00 PREC=0x00 
>> TTL=244
>> >> > ID=0 PROTO=TCP SPT=28837 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
>>
>> Hi
>>
>> Unless im mistaken, but why are you dropping on the RST status.
>>
>> Just something im wondering.
>>
> 
> whats that, what means, my english its a little bad .
>> Kind Regards
>> Brent Clark

Hi

Im not really qualified to assist (continue asking the guys from Netfilter Mailing List).

The reason for my email is because it looks like you DROPPING on the RST (Look at the end of the string "RES=0x00 RST URGP=0") flag (out of interest do you know TCP/IP and its flags etc).

Its maybe advisable to post your rulset and maybe someone will proof read it for you.

HTH and best of luck.

Kind Regards
Brent Clark

Re: How stop DoS and SYN attack..

[Alberto Ferrer]

Here is my firewall script.

http://bet0x.pastebin.com/758923

thanks for answer :D

2006/6/6, Brent Clark <bclark@eccotours.biz>:
> Alberto Ferrer wrote:
> > 2006/6/5, Brent Clark <bclark@eccotours.co.za>:
> >> Alberto Ferrer wrote:
> >> >> > Jun  5 00:19:39 lnx1 kernel: [4322117.587000] fp=bad_packets:1
> >> a=DROP
> >> >> > IN=eth0 OUT= MAC=00:08:54:2f:8a:ac:00:0b:46:e2:04:00:08:00
> >> >> > SRC=201.254.155.13 DST=200.68.95.25 LEN=40 TOS=0x00 PREC=0x00
> >> TTL=244
> >> >> > ID=0 PROTO=TCP SPT=28837 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
> >>
> >> Hi
> >>
> >> Unless im mistaken, but why are you dropping on the RST status.
> >>
> >> Just something im wondering.
> >>
> >
> > whats that, what means, my english its a little bad .
> >> Kind Regards
> >> Brent Clark
>
> Hi
>
> Im not really qualified to assist (continue asking the guys from Netfilter Mailing List).
>
> The reason for my email is because it looks like you DROPPING on the RST (Look at the end of the string "RES=0x00 RST URGP=0") flag (out of interest do you know TCP/IP and its flags etc).
>
> Its maybe advisable to post your rulset and maybe someone will proof read it for you.
>
> HTH and best of luck.
>
> Kind Regards
> Brent Clark
>
>


-- 
bet0x

Re: How stop DoS and SYN attack..

[Jeho Park]

Sietse van Zanen wrote:

>There's not really very much you can do about DDOS attacks with netfilter alone. You can block the traffic ofcourse, or try to fiddle with --limit, or tcp_syn_cookies.
>  
>
i think as a attacker try to send more and more sync packets, router 
will lose cpu time and system resource .. even if  tcp_syn_cookies 
function is active or not. the reason i think like this is that i heard 
tcp_syn_cookies
can't stop router being slow..

in this DDOS attaction problem, i suggest  as NIC driver module detects 
packet flooding, DOS attack and block or
ignore the packet which is sent from the attacker. we can protect out 
network backlog safely and there will be no network soft irq .. 

a few week later, i will try to test my idea.
i will use detection engine i made 3 year ago ( 
http://sourceforge.net/projects/geto )
as a result, i can't sure my idea is right. so i try to test that.

>But usually the problem is that the amount of traffic just fills your entire Internet connecection, which renders it useless. The only thing you can do in such a situation is ask yout ISP to block the attack upstream.
>And often, ISPs are very unhappy about customers being DDOS-ed.
>
>-Sietse 
>
>-----Original Message-----
>From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Alberto Ferrer
>Sent: Saturday, June 03, 2006 10:33 PM
>To: netfilter@lists.netfilter.org
>Subject: How stop DoS and SYN attack..
>
>¿any know a way to stop via Linux with iptables or related a SYN attack ?
>¿where i can read something related to this?
>
>Thanks in advance.
>
>P.S: sorry for my bad english :D
>--
>Alberto Ferrer
>
>
>
>
>  
>

Re: How stop DoS and SYN attack..

[Alberto Ferrer]

¿So its impossible stop a DDoS ? (SYN Flood in my case.)


2006/6/6, Jeho Park <jhpark-nf-user@kernelproject.org>:
> Sietse van Zanen wrote:
>
> >There's not really very much you can do about DDOS attacks with netfilter alone. You can block the traffic ofcourse, or try to fiddle with --limit, or tcp_syn_cookies.
> >
> >
> i think as a attacker try to send more and more sync packets, router
> will lose cpu time and system resource .. even if  tcp_syn_cookies
> function is active or not. the reason i think like this is that i heard
> tcp_syn_cookies
> can't stop router being slow..
>
> in this DDOS attaction problem, i suggest  as NIC driver module detects
> packet flooding, DOS attack and block or
> ignore the packet which is sent from the attacker. we can protect out
> network backlog safely and there will be no network soft irq ..
>
> a few week later, i will try to test my idea.
> i will use detection engine i made 3 year ago (
> http://sourceforge.net/projects/geto )
> as a result, i can't sure my idea is right. so i try to test that.
>
> >But usually the problem is that the amount of traffic just fills your entire Internet connecection, which renders it useless. The only thing you can do in such a situation is ask yout ISP to block the attack upstream.
> >And often, ISPs are very unhappy about customers being DDOS-ed.
> >
> >-Sietse
> >
> >-----Original Message-----
> >From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Alberto Ferrer
> >Sent: Saturday, June 03, 2006 10:33 PM
> >To: netfilter@lists.netfilter.org
> >Subject: How stop DoS and SYN attack..
> >
> >¿any know a way to stop via Linux with iptables or related a SYN attack ?
> >¿where i can read something related to this?
> >
> >Thanks in advance.
> >
> >P.S: sorry for my bad english :D
> >--
> >Alberto Ferrer
> >
> >
> >
> >
> >
> >
>
>


-- 
bet0x

Re: How stop DoS and SYN attack..

[Jeho Park]

Alberto Ferrer wrote:

> ¿So its impossible stop a DDoS ? (SYN Flood in my case.)
>
if you limit DDos to the TCP SYN flood, you may be right
but there are so many DDos patterns not based TCP..
so if you make enable tcp_sync_cookies flag of your kernel, you can 
protect TCP sync attack,
but as time goes on, your system and network will be stoped. so that 
solution can't solve the problem basically
( please refer to the "sietse van zanen"'s post and 
http://www2.laas.fr/METROSEC/attacks-taxonomy-SAR2005.pdf )

in the DDOS problem, i think QoS or  my idea dropping any flooding 
packet in NIC driver layer may give a more  general solution than  
IP-based netfilter.  there are so many paper to solve this DDos, but as 
i know there is none exact solution to resolve this DDos exactly.  

>
> 2006/6/6, Jeho Park <jhpark-nf-user@kernelproject.org>:
>
>> Sietse van Zanen wrote:
>>
>> >There's not really very much you can do about DDOS attacks with 
>> netfilter alone. You can block the traffic ofcourse, or try to fiddle 
>> with --limit, or tcp_syn_cookies.
>> >
>> >
>> i think as a attacker try to send more and more sync packets, router
>> will lose cpu time and system resource .. even if  tcp_syn_cookies
>> function is active or not. the reason i think like this is that i heard
>> tcp_syn_cookies
>> can't stop router being slow..
>>
>> in this DDOS attaction problem, i suggest  as NIC driver module detects
>> packet flooding, DOS attack and block or
>> ignore the packet which is sent from the attacker. we can protect out
>> network backlog safely and there will be no network soft irq ..
>>
>> a few week later, i will try to test my idea.
>> i will use detection engine i made 3 year ago (
>> http://sourceforge.net/projects/geto )
>> as a result, i can't sure my idea is right. so i try to test that.
>>
>> >But usually the problem is that the amount of traffic just fills 
>> your entire Internet connecection, which renders it useless. The only 
>> thing you can do in such a situation is ask yout ISP to block the 
>> attack upstream.
>> >And often, ISPs are very unhappy about customers being DDOS-ed.
>> >
>> >-Sietse
>> >
>> >-----Original Message-----
>> >From: netfilter-bounces@lists.netfilter.org 
>> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Alberto 
>> Ferrer
>> >Sent: Saturday, June 03, 2006 10:33 PM
>> >To: netfilter@lists.netfilter.org
>> >Subject: How stop DoS and SYN attack..
>> >
>> >¿any know a way to stop via Linux with iptables or related a SYN 
>> attack ?
>> >¿where i can read something related to this?
>> >
>> >Thanks in advance.
>> >
>> >P.S: sorry for my bad english :D
>> >--
>> >Alberto Ferrer
>> >
>> >
>> >
>> >
>> >
>> >
>>
>>
>
>

Re: How stop DoS and SYN attack..

[R. DuFresne]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 4032 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



DDOS, whence the attacker flood you with more packets then your pipe<s> 
can handle leaves you at pretty much the mercy of the attacker.  No 
different the plumbing if a one inch pipe is fed by a 5 inch pipe, the one 
inch pipe is filled to more  then is can push forth.  Upstream providers 
might beable to provide some assitance in limiting the flood, but if the 
aggregate bandwidth of the attacking pipe<s> are again larger then the 
upstream SOL is the case.


Thanks,

Ron DuFresne

On Wed, 7 Jun 2006, Jeho Park wrote:

> Alberto Ferrer wrote:
>
>> ¿So its impossible stop a DDoS ? (SYN Flood in my case.)
>> 
> if you limit DDos to the TCP SYN flood, you may be right
> but there are so many DDos patterns not based TCP..
> so if you make enable tcp_sync_cookies flag of your kernel, you can protect 
> TCP sync attack,
> but as time goes on, your system and network will be stoped. so that solution 
> can't solve the problem basically
> ( please refer to the "sietse van zanen"'s post and 
> http://www2.laas.fr/METROSEC/attacks-taxonomy-SAR2005.pdf )
>
> in the DDOS problem, i think QoS or  my idea dropping any flooding packet in 
> NIC driver layer may give a more  general solution than  IP-based netfilter. 
> there are so many paper to solve this DDos, but as i know there is none exact 
> solution to resolve this DDos exactly. 
>> 
>> 2006/6/6, Jeho Park <jhpark-nf-user@kernelproject.org>:
>> 
>>> Sietse van Zanen wrote:
>>> 
>>> >There's not really very much you can do about DDOS attacks with netfilter 
>>> alone. You can block the traffic ofcourse, or try to fiddle with --limit, 
>>> or tcp_syn_cookies.
>>> >
>>> >
>>> i think as a attacker try to send more and more sync packets, router
>>> will lose cpu time and system resource .. even if  tcp_syn_cookies
>>> function is active or not. the reason i think like this is that i heard
>>> tcp_syn_cookies
>>> can't stop router being slow..
>>> 
>>> in this DDOS attaction problem, i suggest  as NIC driver module detects
>>> packet flooding, DOS attack and block or
>>> ignore the packet which is sent from the attacker. we can protect out
>>> network backlog safely and there will be no network soft irq ..
>>> 
>>> a few week later, i will try to test my idea.
>>> i will use detection engine i made 3 year ago (
>>> http://sourceforge.net/projects/geto )
>>> as a result, i can't sure my idea is right. so i try to test that.
>>> 
>>> >But usually the problem is that the amount of traffic just fills your 
>>> entire Internet connecection, which renders it useless. The only thing you 
>>> can do in such a situation is ask yout ISP to block the attack upstream.
>>> >And often, ISPs are very unhappy about customers being DDOS-ed.
>>> >
>>> >-Sietse
>>> >
>>> >-----Original Message-----
>>> >From: netfilter-bounces@lists.netfilter.org 
>>> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Alberto Ferrer
>>> >Sent: Saturday, June 03, 2006 10:33 PM
>>> >To: netfilter@lists.netfilter.org
>>> >Subject: How stop DoS and SYN attack..
>>> >
>>> >¿any know a way to stop via Linux with iptables or related a SYN attack ?
>>> >¿where i can read something related to this?
>>> >
>>> >Thanks in advance.
>>> >
>>> >P.S: sorry for my bad english :D
>>> >--
>>> >Alberto Ferrer
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> 
>>> 
>> 
>> 
>
>
>

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEhcKlst+vzJSwZikRAi5LAJ9opjo/1eY+E7f2qMMcq2HngOvHbgCfSxh+
FOAn6Zu6gKPUXe44jaKYEOo=
=j8h6
-----END PGP SIGNATURE-----