4
Anti DDoS with iptables and ipt_recent In these days I’ve been attacked with a syn flood plus a GET flood requests. There was ~1600 different IP that compose the botnet that was attacking, so I write some lines of iptables in order to keep the attack under control. Below you can find the entire micro script I’ve made, and after that an explanation line per line about what they do. Clear all existent rules on the firewall. iptables -F iptables -X Create the three new chains that we are going to use in order to filter the attack iptables -N ATTACKED iptables -N ATTK_CHECK iptables -N SYN_FLOOD For any new incoming packet we check if the packet is a syn or not, if not, we simply drop it. iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP We drop fragmented packets. iptables -A INPUT -f -j DROP Drop XMAS packets. iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP Drop NULL packets.

Anti DDoS With Iptables and Ipt

Embed Size (px)

Citation preview

Page 1: Anti DDoS With Iptables and Ipt

Anti DDoS with iptables and ipt_recent

In these days I’ve been attacked with a syn flood plus a GET flood requests.There was ~1600 different IP that compose the botnet that was attacking, so I write some lines of iptables in order to keep the attack under control.

Below you can find the entire micro script I’ve made, and after that an explanation line per line about what they do.

Clear all existent rules on the firewall.

iptables -Fiptables -X

Create the three new chains that we are going to use in order to filter the attack

iptables -N ATTACKEDiptables -N ATTK_CHECKiptables -N SYN_FLOOD

For any new incoming packet we check if the packet is a syn or not, if not, we simply drop it.

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

We drop fragmented packets.

iptables -A INPUT -f -j DROP

Drop XMAS packets.

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Drop NULL packets.

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Any incoming tcp packets will be forwarded in the SYN_FLOOD chain.

iptables -A INPUT -p tcp --syn -j SYN_FLOOD

We use module hashlimit to create a “database” of the single istance ip in order to drop any packet from any ip that exceed 100 packet per second, and keep it in the database for 3600 seconds.

Page 2: Anti DDoS With Iptables and Ipt

iptables -A SYN_FLOOD -p tcp --syn -m hashlimit --hashlimit 100/sec --hashlimit-burst 3 --hashlimit-htable-expire 3600 --hashlimit-mode srcip --hashlimit-name synflood -j ACCEPT

Any other packets that are not matched as syn flood will be forwarded in ATTK_CHECK chain.

iptables -A SYN_FLOOD -j ATTK_CHECK

Accept legitimate traffic.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

With recent module, we can create a database in /proc/net/xt_recent/ called BANNED, which contains all the ips matched in the rules below. We keep it for 1800 seconds, if in this window time we don’t receive any other match from that specific ip, we remove it.

iptables -A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 1800 --name BANNED --rsource -j DROP

All new packet with destination port 80 are forwarded to ATTK_CHECK chain.

iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ATTK_CHECK

We setup the logging options for the chain ATTACKED and lets drop any packet in that chain putting the source ip in the database /proc/net/xt_recent/BANNED.

iptables -A ATTACKED -m limit --limit 5/min -j LOG --log-prefix "IPTABLES (Rule ATTACKED): " --log-level 7iptables -A ATTACKED -m recent --set --name BANNED --rsource -j DROP

Defining a new database in /proc/net/xt_recent called ATTK for the incoming packet that are not already matched as an attack.

iptables -A ATTK_CHECK -m recent --set --name ATTK

If an IP match 20 times in 180 seconds we mark it as attacker, we put in database ATTK and we forward it to chain ATTACKED.

iptables -A ATTK_CHECK -m recent --update --seconds 180 --hitcount 20 --name ATTK --rsource -j ATTACKED

If an IP match 6 times in 60 seconds we mark it as attacker, again we put it in database ATTK and we forward it to chain ATTACKED.

iptables -A ATTK_CHECK -m recent --update --seconds 60 --hitcount 6 --name ATTK --rsource -j ATTACKED

Page 3: Anti DDoS With Iptables and Ipt

We permit the rest of the traffic that could be almost completely legitimate.

iptables -A ATTK_CHECK -j ACCEPT

Shell scripts#!/bin/bashiptables -Fiptables -Xiptables -N ATTACKEDiptables -N ATTK_CHECKiptables -N SYN_FLOODiptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROPiptables -A INPUT -f -j DROPiptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROPiptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROPiptables -A INPUT -p tcp --syn -j SYN_FLOODiptables -A SYN_FLOOD -p tcp --syn -m hashlimit --hashlimit 100/sec --hashlimit-burst 3 --hashlimit-htable-expire 3600 --hashlimit-mode srcip --hashlimit-name synflood -j ACCEPTiptables -A SYN_FLOOD -j ATTK_CHECKiptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPTiptables -A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 1800 --name BANNED --rsource -j DROPiptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ATTK_CHECKiptables -A ATTACKED -m limit --limit 5/min -j LOG --log-prefix "IPTABLES (Rule ATTACKED): " --log-level 7iptables -A ATTACKED -m recent --set --name BANNED --rsource -j DROPiptables -A ATTK_CHECK -m recent --set --name ATTKiptables -A ATTK_CHECK -m recent --update --seconds 180 --hitcount 20 --name ATTK --rsource -j ATTACKEDiptables -A ATTK_CHECK -m recent --update --seconds 60 --hitcount 6 --name ATTK --rsource -j ATTACKEDiptables -A ATTK_CHECK -j ACCEPT


IPTABLES manual practico, tutorial de iptables con ejemplos

IPTABLES manual practico, tutorial de iptables con ejemplos

Documents
TA DDos Binary Bot IptabLes v6 US

TA DDos Binary Bot IptabLes v6 US

Documents
DDoS protection - Using Netfilter/iptablespeople.netfilter.org/hawk/presentations/devconf2014/iptables-ddos... · 3/36 DDoS protection using Netfilter/iptables What will you learn?

DDoS protection - Using Netfilter/iptablespeople.netfilter.org/hawk/presentations/devconf2014/iptables-ddos... · 3/36 DDoS protection using Netfilter/iptables What will you learn?

Documents
Iptables Intro Vi

Iptables Intro Vi

Documents
Iptables Tutorial 1.1

Iptables Tutorial 1.1

Documents
Iptables presentation

Iptables presentation

Technology
DDoS protection - Using Netfilter/iptables · 2014-07-09 · 1/36 DDoS protection using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat RMLL Montpellier,

DDoS protection - Using Netfilter/iptables · 2014-07-09 · 1/36 DDoS protection using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat RMLL Montpellier,

Documents
Iptables in linux

Iptables in linux

Engineering
Manual resumen iptables

Manual resumen iptables

Technology
IPtables Objectives –to learn the basics of iptables Contents –Start and stop IPtables –Checking IPtables status –Input and Output chain –Pre and Post

IPtables Objectives –to learn the basics of iptables Contents –Start and stop IPtables –Checking IPtables status –Input and Output chain –Pre and Post

Documents
Manual completo iptables

Manual completo iptables

Documents
Iptables Linux

Iptables Linux

Documents
Introduction iptables

Introduction iptables

Documents
DDoS Protection Script for Iptables

DDoS Protection Script for Iptables

Documents
Iptables Firewall

Iptables Firewall

Documents
NetFilter – IPtables

NetFilter – IPtables

Documents
Comandos Iptables

Comandos Iptables

Documents
Firewall Iptables - Urubatan Neto

Firewall Iptables - Urubatan Neto

Technology
NFtables and IPtables - DiVA portalhis.diva-portal.org/smash/get/diva2:1136221/FULLTEXT02.pdf · NFtables and IPtables Jonas Svensson Eidsheim NFtables och IPtables ... The measurement

NFtables and IPtables - DiVA portalhis.diva-portal.org/smash/get/diva2:1136221/FULLTEXT02.pdf · NFtables and IPtables Jonas Svensson Eidsheim NFtables och IPtables ... The measurement

Documents
Guide To Effective DDoS Protection With IPtables

Guide To Effective DDoS Protection With IPtables

Technology
Doc iptables-firewall

Doc iptables-firewall

Technology
[eBook] IpTables Tutorial

[eBook] IpTables Tutorial

Documents
DDoS protection - Using Netfilter/iptables - people

DDoS protection - Using Netfilter/iptables - people

Documents
Firewall Iptables Linux

Firewall Iptables Linux

Documents
Linux Iptables Zsebkonyv

Linux Iptables Zsebkonyv

Documents
IN THE NETHERLANDS, EUROPE, AND BEYOND(SNORT, SURICATA, BRO, IPTABLES, EBPF, BGP FLOWSPEC, …) DDOSDB STORE, ENRICH, AND DISTRIBUTE DDOS ATTACK RELATED INFO DDOS PROTECTION …

IN THE NETHERLANDS, EUROPE, AND BEYOND(SNORT, SURICATA, BRO, IPTABLES, EBPF, BGP FLOWSPEC, …) DDOSDB STORE, ENRICH, AND DISTRIBUTE DDOS ATTACK RELATED INFO DDOS PROTECTION …

Documents
Iptables Firewalls

Iptables Firewalls

Documents
Getting Started Iptables

Getting Started Iptables

Documents
Iptables DDoS protection Using Netfilter/iptables

Iptables DDoS protection Using Netfilter/iptables

Documents
Stupid iptables tricks

Stupid iptables tricks

Technology