* Using iptables for throttling SMTP traffic
From: Alex @ 2010-11-01 19:07 UTC (permalink / raw)
To: netfilter
Hi,
I've set up a few basic rules to throttle SMTP traffic from an
individual host should they make more than 10 connections in ten
seconds:
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j LOG
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP
Is this the correct way to do this? I notice the seconds value can't
be any greater than 20. What is the reason for this? I'd like to do
something like permit up to 100 messages/connections over any
60-second period. Is this possible?
My hope is to block hundreds of connections on my mail server from
bulk mail senders like constantcontact, as well as the flood of
connections from spam bots that are rejected by zen anyway.
How can I tell what rules are currently in place for a particular IP?
In other words, I see log entries for the initial block, but it
doesn't appear that an actual rule is added, correct?
Thanks,
Alex
* Re: Using iptables for throttling SMTP traffic
From: Brent Clark @ 2010-11-02 9:30 UTC (permalink / raw)
To: netfilter
On 01/11/2010 21:07, Alex wrote:
> My hope is to block hundreds of connections on my mail server from
> bulk mail senders like constantcontact, as well as the flood of
> connections from spam bots that are rejected by zen anyway.
>
> How can I tell what rules are currently in place for a particular
> IP? In other words, I see log entries for the initial block, but it
> doesn't appear that an actual rule is added, correct?
Hiya
Why don't you do this at the application level? There are many ways to do this.
Have you looked at greylisting?
You make no mention of what MTA you are using. But you can set up an MTA
gateway (basically an MTA in front of your real MTA).
HTH
Brent Clark
* Re: Using iptables for throttling SMTP traffic
From: Alex @ 2010-11-02 14:11 UTC (permalink / raw)
To: netfilter
Hi,
>> My hope is to block hundreds of connections on my mail server from
>> bulk mail senders like constantcontact, as well as the flood of
>> connections from spam bots that are rejected by zen anyway.
>>
>> How can I tell what rules are currently in place for a particular
>> IP? In other words, I see log entries for the initial block, but it
>> doesn't appear that an actual rule is added, correct?
>
> Why don't you do this at the application level? There are many ways to do this.
I have an older version of postfix that I can't upgrade right now, and
I don't think it supports this. I do realize this is the more
effective way to do it. I'd like to just get something working for the
time being.
Thanks,
Alex
* Re: Using iptables for throttling SMTP traffic
From: Pascal Hambourg @ 2010-11-02 9:55 UTC (permalink / raw)
To: Alex; +Cc: netfilter
Hello,
Alex wrote:
>
> I've set up a few basic rules to throttle SMTP traffic from an
> individual host should they make more than 10 connections in ten
> seconds:
>
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
> recent --update --seconds 10 --hitcount 10 -j LOG
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
> recent --update --seconds 10 --hitcount 10 -j DROP
>
> Is this the correct way to do this? I notice the seconds value can't
> be any greater than 20. What is the reason for this?
--seconds or --hitcount? The --hitcount value cannot be greater than
the ip_pkt_list_tot parameter of the ipt_recent/xt_recent kernel module
(otherwise it would never match), and the parameter's default value is 20.
See the iptables man page for details.
* Re: Using iptables for throttling SMTP traffic
From: Jan Engelhardt @ 2010-11-02 11:01 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: Alex, netfilter
On Tuesday 2010-11-02 10:55, Pascal Hambourg wrote:
>Hello,
>
>Alex wrote:
>>
>> I've set up a few basic rules to throttle SMTP traffic from an
>> individual host should they make more than 10 connections in ten
>> seconds:
>>
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
>> recent --update --seconds 10 --hitcount 10 -j LOG
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
>> recent --update --seconds 10 --hitcount 10 -j DROP
>>
>> Is this the correct way to do this? I notice the seconds value can't
>> be any greater than 20. What is the reason for this?
>
>--seconds or --hitcount? The --hitcount value cannot be greater than
>the ip_pkt_list_tot parameter of the ipt_recent/xt_recent kernel module
>(otherwise it would never match), and the parameter's default value is 20.
>See the iptables man page for details.
And on newer kernels (>= 2.6.34), this is also communicated through a
line in dmesg.
* Denial-of-Service attack on UDP-port 5060 (SIP/VoIP)
From: Secure-SIP-Server @ 2010-11-28 16:02 UTC (permalink / raw)
To: netfilter
Hi,
I'm suffering from a Denial-of-Service attack on my SIP (VoIP) UDP port 5060,
getting more than 70 REGISTER requests per second since yesterday. All
coming from the Japanese IP 59.146.75.111:5088.
First I wrote into my iptables rules:
....
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
....
/sbin/iptables -A INPUT -p udp --dport 5060 -s 59.146.75.111 -j REJECT
....
but it didn't work.
1st Question:
Why??
Then I wrote:
....
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 5060 -s 59.146.75.111 -j REJECT
/sbin/iptables -A INPUT -m state --state RELATED -j ACCEPT
....
Nothing changed, still receiving these REGISTER requests on my server.
Then I did:
....
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -p udp --dport 5060 -s 59.146.75.111 -j REJECT
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED -j ACCEPT
....
This worked! All requests from that IP are rejected, all others reach my
server as ever.
/sbin/iptables -L --line-numbers -v -n
shows me a rapidly increasing number of packets and bytes rejected by the
first rule.
Now my 2nd question:
How can these requests (UDP) be from an ESTABLISHED connection??? They passed
the firewall in the first two examples and therefore they must be
ESTABLISHED!?!
3rd question:
Is there a way to tell iptables to block only a specific IP:PORT for a while
if this IP transmits more than 50 requests per second? If so, how?
Thanks and regards
Detlef Pilzecker
Weitlahnerstraße 8
D - 83209 Prien am Chiemsee
* Re: Denial-of-Service attack on UDP-port 5060 (SIP/VoIP)
From: Pascal Hambourg @ 2010-11-28 18:59 UTC (permalink / raw)
To: netfilter
Hello,
Secure-SIP-Server wrote:
>
> I'm suffering from a Denial-of-Service attack on my SIP (VoIP) UDP port 5060,
> getting more than 70 REGISTER requests per second since yesterday. All
> coming from the Japanese IP 59.146.75.111:5088.
[...]
> Now my 2nd question:
> How can these requests (UDP) be from an ESTABLISHED connection??? They passed
> the firewall in the first two examples and therefore they must be
> ESTABLISHED!?!
UDP being connectionless by nature, the notion of a "UDP connection" is
rather loose. Therefore a continuous flow of packets with the same ports
and addresses can be considered as one single connection even if they are
actually unrelated requests.
> 3rd question:
> Is there a way to tell iptables to block only a specific IP:PORT for a while
> if this IP transmits more than 50 requests per second? If so, how?
Check the "recent" match. Be sure you read carefully the man page about
its default limits.
* Re: Denial-of-Service attack on UDP-port 5060 (SIP/VoIP)
From: Secure-SIP-Server @ 2010-11-28 21:31 UTC (permalink / raw)
To: netfilter
@ Pascal Hambourg
> > I'm suffering from a Denial-of-Service attack on my SIP (VoIP) UDP port
> > 5060,
> > getting more than 70 REGISTER requests per second since yesterday. All
> > coming from the Japanese IP 59.146.75.111:5088.
> [...]
> > How can these requests (UDP) be from an ESTABLISHED connection??? They
> > passed
> > the firewall in the first two examples and therefore they must be
> > ESTABLISHED!?!
>
> UDP being connectionless by nature, the notion of a "UDP connection" is
> rather loose. Therefore a continuous flow of packets with the same ports
> and addresses can be considered as one single connection even if they are
> actually unrelated requests.
Yes, it looks like it. I discovered that this only happens if I add the FW rule
later than the first connection of the attacker to my SIP server happened.
When I install the rule to DROP these requests behind
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I must reboot the server before it works. If I don't want to reboot I must
put the DROP rule before this rule.
> > Is there a way to tell iptables to block only a specific IP:PORT for a
> > while
> > if this IP transmits more than 50 requests per second? If so, how?
>
> Check the "recent" match. Be sure you read carefully the man page about
> its default limits.
Thanks for this!!! But ...
The author of "recent" writes:
"If the '--update' rule is before this check for ! NEW,INVALID packets then
ESTABLISHED connection or those in the process of becoming ESTABLISHED could
be disrupted by a malicious person who can modify his/her source address."
So in his opinion my
iptables -A INPUT -p udp --dport 5060 -m recent --update --seconds 1 --hitcount 20 -j DROP
must come behind
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
and this leads me to the problem from above. This ACCEPT rule lets all
packets pass, because the first 19 packets in the first second are accepted and
therefore the FW considers the continuous flow of packets with the same port
and address as a single connection - and lets them pass here.
Is there a way to tell the FW that this continuous flow of packets is not to
be considered an ESTABLISHED connection?
----------
@marcos
> I had the same trouble in the past, and beyond the rules for your FW
> itself there is "other consideration" to keep in mind: all people that
> are trying to steal VoIP deploy a "brute force attack" first, trying
> with few packets; then, if they were not blocked, the real attacks
> begin later, because it doesn't make any sense to keep attacking a blocked server;
> they are bad, not dummies. So the speed with which you block these tries is so
> critical and will define to your intruder how effective the defense
> that you have is.
>
> So it will be so helpful to install some script that inspects your logs to
> detect the intrusion attack; I have very good results with fail2ban, [...]
Thank you for this idea and your other considerations!!!
Regards
Detlef Pilzecker
Weitlahnerstraße 8
D - 83209 Prien am Chiemsee
* Re: Using iptables for throttling SMTP traffic
From: Secure-SIP-Server @ 2010-11-30 13:14 UTC (permalink / raw)
To: netfilter
Hi Alex!
> I've set up a few basic rules to throttle SMTP traffic from an
> individual host should they make more than 10 connections in ten
> seconds:
>
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
> recent --set
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
> recent --update --seconds 10 --hitcount 10 -j LOG
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
> recent --update --seconds 10 --hitcount 10 -j DROP
>
> Is this the correct way to do this? I notice the seconds value can't
> be any greater than 20. What is the reason for this? I'd like to do
> something like permit up to 100 messages/connections over any
> 60-second period. Is this possible?
It is possible, but whether your kernel supports it I don't know.
You can do:
# rmmod ipt_recent
# modprobe ipt_recent ip_pkt_list_tot=100
If you get the info that ipt_recent can't be removed because it's in use, you
must remove all 'recent' rules in your firewall table first. Then try it
again.
But be careful !!!!!!!
I had set the values too high. First everything worked fine. No error
message when I did
# iptables -A INPUT -p udp --dport 5060 -m recent --name DENIAL_OF_SERVICE --update --rttl --seconds 1 --hitcount 10 -j DROP
# iptables -A INPUT -p udp --dport 5060 -m recent --name DENIAL_OF_SERVICE --update --rttl --seconds 100 --hitcount 200 -j DROP
# iptables -A INPUT -p udp --dport 5060 -m recent --name DENIAL_OF_SERVICE --set -j ACCEPT
and
# /sbin/iptables -L --line-numbers -v -n
also showed that this was installed.
Then I rebooted the server and ... nothing. I wasn't able to get in contact
with my server again!!!!!!!!!
I had to access the hard disk booting from another system to set it back to
the default values. Then it worked again, but only with the default max
of --hitcount 20 :-(
Regards
Detlef Pilzecker
Weitlahnerstraße 8
D - 83209 Prien am Chiemsee
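The following simulation of the xt_recent bookkeeping is an added example, not code from this thread or from the netfilter project; it illustrates both Pascal's point (a --hitcount above ip_pkt_list_tot can never match, because the per-address ring never holds more stamps than that) and the ip_pkt_list_tot=100 route to Alex's 100-per-60-seconds limit described in the message above. The names RecentTable, throttle and rule_is_loadable are chosen here, and the TEST-NET address and arrival times are constructed input.

```python
from collections import deque


class RecentTable:
    """One named recent table. Per source address the kernel keeps a ring of at most
    ip_pkt_list_tot timestamps (module parameter, default 20); when the ring is full
    the oldest stamp is overwritten, so --hitcount can never exceed ip_pkt_list_tot."""

    def __init__(self, ip_pkt_list_tot=20):
        self.list_tot = ip_pkt_list_tot
        self.stamps = {}                              # addr -> deque of timestamps

    def set(self, addr, now):
        """--set: record a hit for addr (always matches)."""
        ring = self.stamps.setdefault(addr, deque(maxlen=self.list_tot))
        ring.append(now)                              # deque drops the oldest when full
        return True

    def update(self, addr, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match if addr already has N stamps
        within the last S seconds; only on a match is the current time recorded."""
        ring = self.stamps.get(addr)
        if ring is None:
            return False
        hits = sum(1 for t in ring if now - t <= seconds)
        if hits < hitcount:
            return False
        ring.append(now)
        return True


def rule_is_loadable(hitcount, ip_pkt_list_tot=20):
    """Kernels >= 2.6.34 refuse a --hitcount above ip_pkt_list_tot and say so in dmesg
    (Jan's note); older kernels load the rule but it can never match (Pascal's note)."""
    return hitcount <= ip_pkt_list_tot


def throttle(arrivals, seconds, hitcount, ip_pkt_list_tot=20):
    """Replay Alex's pattern (DROP via --update/--hitcount, otherwise --set) over a
    list of (timestamp_seconds, source_addr) NEW connections, in arrival order.
    Returns one verdict string per arrival."""
    table = RecentTable(ip_pkt_list_tot)
    verdicts = []
    for now, addr in arrivals:
        if table.update(addr, now, seconds, hitcount):  # -m recent --update ... -j DROP
            verdicts.append("DROP")
        else:
            table.set(addr, now)                        # -m recent --set
            verdicts.append("ACCEPT")
    return verdicts


if __name__ == "__main__":
    # Constructed input: one host (TEST-NET address) opening a connection every 0.5 s.
    burst = [(0.5 * i, "192.0.2.10") for i in range(12)]
    print(throttle(burst, seconds=10, hitcount=10))   # 10 x ACCEPT, then 2 x DROP
    # Alex's 100 connections per 60 s only work once the ring can hold 100 stamps.
    print(rule_is_loadable(100), rule_is_loadable(100, ip_pkt_list_tot=100))
```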
* Re: Using iptables for throttling SMTP traffic
From: Jan Engelhardt @ 2010-11-30 13:24 UTC (permalink / raw)
To: Secure-SIP-Server; +Cc: netfilter
On Tuesday 2010-11-30 14:14, Secure-SIP-Server wrote:
> It is possible, but if your kernel supports it I don't know.
>
> You can do:
> # rmmod ipt_recent
> # modprobe ipt_recent ip_pkt_list_tot=100
It's called xt_recent.
* Re: Using iptables for throttling SMTP traffic
From: lst_hoe02 @ 2010-11-30 14:01 UTC (permalink / raw)
To: netfilter
Quoting Secure-SIP-Server <info@secure-sip-server.net>:
> Hi Alex!
>
>> I've set up a few basic rules to throttle SMTP traffic from an
>> individual host should they make more than 10 connections in ten
>> seconds:
>>
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
>> recent --set
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
>> recent --update --seconds 10 --hitcount 10 -j LOG
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
>> recent --update --seconds 10 --hitcount 10 -j DROP
>>
>> Is this the correct way to do this? I notice the seconds value can't
>> be any greater than 20. What is the reason for this? I'd like to do
>> something like permit up to 100 messages/connections over any
>> 60-second period. Is this possible?
You can't at the TCP/IP level. Modern mail servers are able to push a lot of
messages in *one* TCP/IP session (ESMTP). You can limit the max.
number of new connections per time (recent) and the max. number of
parallel connections at a given time (connlimit), but not the number
of messages, with iptables or any other TCP/IP-based filter.
Regards
Andreas