DDOS protection using iptables (recent module)

This article related to iptable recent module. which can be used to defend against the DDOS attack. This setup tested in bridged mode.
Recent working with DDOS mitigation for one of the customer had give some interesting capabilities "recent module" of iptables.
One of the website came under attack with extensive sync and "GET" request from distributed zombies. we could identify around 4000 - 5000 unique hosts.
to define the attack pattern we have captured some traffic it had only sync and GET request nothing else to define the pattern. therefore I've conceptualized if the one host create more than 20 session during 100 seconds drop the packet.
iptables -I FORWARD -p tcp --dport 80 -i bridge0 -m state --state NEW -m recent --set
iptables -I FORWARD -p tcp --dport 80 -i bridge0 -m state --state NEW -m recent --update --seconds 100 --hitcount 20 -j DROP

Initially i applied these rules but no traffic reduction. When i checked the source code
static unsigned int ip_list_tot = 100;
static unsigned int ip_pkt_list_tot = 20;

(http://www.il.is.s.u-tokyo.ac.jp/lxr-xp/source/net/netfilter/xt_recent.c)
Therefore only 100 unique source ips can be in the list. this was not capable to handle more then 4000 hosts.
Therefore i've removed module and changed the default value.
iptables -F
rmmod xt_recent
modprobe ipt_recent ip_list_tot=5000 ip_pkt_list_tot=100

reapplied the rules that filtered the massive traffic. when i'm writing this post still the attack is going on :( . But still the web sever able to handle the load :)

-- notes --
following script as cron with the combination of XT_RECENT can help a bit. But be aware this may block the normal user .

#!/bin/bash
mv /home/gobi/new_ips.txt /home/gobi/old_ips.txt
awk '{ if ($7 > 100) print $1 }' /proc/net/xt_recent/DEFAULT | sort > /home/gobi/new_ips.txt
sort /home/gobi/new_ips.txt /home/gobi/old_ips.txt | uniq -u | awk -F '=' '{print $2}' > /home/gobi/ips
sh /home/gobi/add_iptables.sh

---add_iptables.sh
#!/bin/bash
for WORD in `cat /home/gobi/ips`
do
iptables -I FORWARD -p tcp --dport 80 -s $WORD -i bridge1 -j DROP
done

Comments

Anonymous said…
Thanks for sharing your work. I was working on xt_recent solution to an unintentional denial of service that some large entities were imposing on some web servers I maintain.

I wanted to rate limit abusers, that were using various automation tech, while not punishing human users that would submit packets much more slowly.

Your work showed that I was on the right track, and gave me additional ideas.
June 20, 2017 at 12:55 AM
Post a Comment

Popular posts from this blog

l2tpv3 configuration reference

Image
Reference Comparing , Designing and Deploying VPNs chap - 02 : L2TPv3 is the enhanced version of L2TPv2 protocol. Mikrotik uses L2TPv2 i suppose but it offer another similar tunneling mechanism as EOIP. L2TPv3 in cisco provides Pseudo-wire services to the customer. L2TPv3 only require the IP connectivity between peers but it can transport Ethernet, 802.1Q , HDLC, PPP framerelay etc. Advantage over MPLS is the customer having the full control of their routing domain. L2TP depolyment methods having 3 topologies LAC - LNS , LNS - LNS , LAC - LAC Following Diagram explain simple LAC - LAC L2TPv3 setup. It uses two types of messages: control connection messages - used for signaling between LCEs session data messages - Used to transport layer 2 protocols and connections Data channel Message Header having Session ID & cookie to correctly associate with the tunnel Deploying dynamic Pseudowires session 1) configure CEF - Its default in IOSs now. 2) configure a loopback in
Read more

PPTP Server as Cisco for Mikrotik Client

Image
Following configuration explains the Cisco as PPTP server and connecting two sites: Following Configuration needed to enable the VPDN and default server: vpdn enable ! vpdn-group Mtik ! Default PPTP VPDN group accept-dialin protocol pptp virtual-template 1 interface Virtual-Template1 ip unnumbered Loopback0 peer default ip address pool IPPOOL1 ppp encrypt mppe auto required ppp authentication ms-chap-v2 ms-chap pap ip local pool IPPOOL1 192.168.150.10 192.168.150.224 Few more additional things we need to keep the same ip address for the user: aaa new-model ! ! aaa authentication ppp default local aaa authorization network default local ! aaa attribute list Gobi attribute type addr 192.168.150.13 service ppp protocol ip mandatory attribute type route "10.0.0.0 255.255.255.0 192.168.150.13" attribute type interface-config "description Gobi-test" Finally apply the attribute list to the user: username gobi password 0 test username gobi aaa attri
Read more

proxy arp

Image
In the above diagram , both hosts don't have default routes. But both are in the same /16 subnet. When host1 tries to ping host2 will it be able to ping ? Yes this behaviour due to the Proxy Arp feature. Note: Cisco by default enabled the proxy arp feature you have to disable it manually . Check the following Debug messages "debug arp" from the router. When the Arp request for 192.168.20.101 received on the router Fa0/1 it replies with its own mac address of fa0/1. (c200.03fc.0001)and vice versa *Mar 1 00:11:43.071: IP ARP: rcvd req src 192.168.12.154 00aa.00f4.6800, dst 192.168.20.101 FastEthernet0/1 *Mar 1 00:11:43.075: IP ARP: sent rep src 192.168.20.101 c200.03fc.0001,dst 192.168.12.154 00aa.00f4.6800 FastEthernet0/1 *Mar 1 00:13:13.067: IP ARP: rcvd req src 192.168.20.101 00aa.0041.1d00, dst 192.168.12.154 FastEthernet0/0 *Mar 1 00:13:13.067: IP ARP: sent rep src 192.168.12.154 c200.03fc.0000, dst 192.168.20.101 00aa.0041.1d00 FastEther
Read more