stop DoS attack


Post by [CCS]ItzGame on Sun Dec 29, 2013 6:18 pm

The following iptables modules and their required setup are used:

Code:
/sbin/modprobe ipt_recent ip_list_tot=1000

ipt="/usr/local/sbin/iptables"
ips="/usr/local/sbin/ipset"

# Flush all rules, delete user-defined chains and zero counters in every table
for TABLE in filter nat mangle; do
    $ipt -F -t $TABLE
    $ipt -X -t $TABLE
    $ipt -Z -t $TABLE
done

# Flush and destroy all ipset sets
$ips -F
$ips -X

if [ "$1" == "stop" ]
then
    echo
    echo "Stopping firewall..."
    echo
    exit
fi

# White IP list
$ips -N WL iphash
$ips -A WL 127.0.0.1
$ips -A WL 192.168.0.1

# White nets list
$ips -N WLN nethash
$ips -A WLN 192.168.0.0/24


So much for "clearing" the iptables and ipset tables. A list of trusted hosts and networks has also been compiled.

Total adaptive filter

Code:
### ADAPTIVE TOTAL DROP ###
# Any source listed in banned-hosts within the last 36000 s is dropped; --update
# refreshes its timestamp, so the ban persists as long as the host keeps sending
$ipt -A INPUT -m recent --name banned-hosts --update --seconds 36000 -j DROP

# BANNED: log (rate limited) and add the source to banned-hosts
$ipt -N BANNED
$ipt -A BANNED -m limit --limit 1/s --limit-burst 1 -j LOG
$ipt -A BANNED -m recent --name banned-hosts --set -j RETURN

# ADAPT: a source already recorded at least twice in watch-hosts within 180 s
# is banned; in any case it is recorded and control returns to the caller
$ipt -N ADAPT
$ipt -A ADAPT -m limit --limit 1/s --limit-burst 1 -j LOG
$ipt -A ADAPT -m recent --hitcount 2 --name watch-hosts --update --seconds 180 -j BANNED
$ipt -A ADAPT -m recent --name watch-hosts --set -j RETURN


It can be seen that all packets pass through:

Code:
$ipt -A INPUT -m recent --name banned-hosts --update --seconds 36000 -j DROP


Packet filter

Code:
### MALFORMED PACKETS ###

# Smurf attack
$ipt -A INPUT -p icmp -d 0.0.0.255/0.0.0.255 -j DROP

# Invalid tcp packets
$ipt -A INPUT -p tcp --tcp-option 128 -j DROP
$ipt -A INPUT -p tcp --tcp-option 64 -j DROP

# Malformed xmas packets
$ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Malformed null packets
$ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# New tcp connections must be SYN packets!
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# others
$ipt -A INPUT -m state --state INVALID -j DROP

# Local IP filter: drop private and loopback ranges arriving on ethernet
# interfaces (mangle PREROUTING runs before the filter table, so this
# precedes the WL/WLN set checks)
$ipt -t mangle -A PREROUTING -i eth+ -s 172.16.0.0/16 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -d 172.16.0.0/16 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -d 192.168.0.0/16 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -s 192.168.0.0/16 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -s 10.0.0.0/8 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -d 10.0.0.0/8 -j DROP
$ipt -t mangle -A PREROUTING -i ! lo -s 127.0.0.0/8 -j DROP

# Block timestamp
$ipt -A INPUT -p icmp --icmp-type timestamp-request -j DROP
$ipt -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP

# Always allow VPN users
$ipt -A INPUT -i ppp+ -j ACCEPT
$ipt -A OUTPUT -o ppp+ -j ACCEPT

# Always allow localhost
$ipt -A INPUT -i lo -j ACCEPT


General protection


Code:
# Port scan detection
$ipt -N PSD
$ipt -A INPUT -m recent --name PSD --update --seconds 60 -j DROP
$ipt -A INPUT -m psd --psd-weight-threshold 10 --psd-delay-threshold 200 -j PSD
$ipt -A PSD -m set --set WL src -j RETURN
$ipt -A PSD -m recent --name PSD --set -j ADAPT
$ipt -A PSD -j DROP


This uses the iptables add-on module psd. Specifically, this unit does not follow exactly the sequence above. The reason is that the psd match directly identifies the packet as attacking, rather than taking it apart on the spot. The parts shown below follow this sequence. Here's a detailed explanation:

line # 1. Create the chain PSD.
line # 2. Each packet is checked for whether its source is in the list of hosts forbidden access to this service; if so, it is rejected and a new 60 sec rejection period starts.
line # 3. Check whether the packet belongs to a scanning sequence; if so, the packet is sent to the PSD chain downstream. If not, the packet goes on without consequences.
line # 4. Check whether the packet identified as belonging to a scanning host is in the list of trusted hosts. If so, leave the chain and the packet goes on without consequences. If not, the packet continues to the next rule in the PSD chain.
line # 5. The source of the packet and the time at which it arrived are recorded in the recent table PSD. Then the packet is sent to the ADAPT chain, which implements the adaptive protection machinery described above.
line # 6. The packet is discarded, as it has been identified as attacking. The parts shown below follow a similar logic.

Code:
# Syn-flood protection
$ipt -N syn-flood
$ipt -A INPUT -p tcp --syn -j syn-flood
$ipt -A syn-flood -m set --set WL src -j RETURN
$ipt -A syn-flood -m recent --name syn-flood --update --seconds 60 -j DROP
$ipt -A syn-flood -m hashlimit --hashlimit 1/s --hashlimit-burst 50 --hashlimit-mode srcip --hashlimit-name syn-flood -j RETURN
$ipt -A syn-flood -m recent --name syn-flood --set -j ADAPT
$ipt -A syn-flood -j DROP

# Furtive port scanner
$ipt -N port-scan
$ipt -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
$ipt -A port-scan -m recent --name port-scan --update --seconds 60 -j DROP
$ipt -A port-scan -m hashlimit --hashlimit 1/s --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name port-scan -j RETURN
$ipt -A port-scan -m recent --name port-scan --set -j ADAPT
$ipt -A port-scan -j DROP

# Ping of death
$ipt -N PoD
$ipt -A INPUT -p icmp --icmp-type echo-request -j PoD
$ipt -A PoD -m set --set WL src -j RETURN
$ipt -A PoD -m set --set WLN src -m limit --limit 50/s --limit-burst 60 -j RETURN
$ipt -A PoD -m recent --name PoD --update --seconds 60 -j DROP
$ipt -A PoD -m length --length 128: -m hashlimit --hashlimit 1/s --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name PoD -j RETURN
$ipt -A PoD -m hashlimit --hashlimit 5/s --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name PoD -j RETURN
$ipt -A PoD -m recent --name PoD --set -j ADAPT
$ipt -A PoD -j DROP


Service protection

Code:
# Mail protection
$ipt -N MAIL
$ipt -A INPUT -p tcp --dport 25 --syn -j MAIL
$ipt -A INPUT -p tcp --dport 143 --syn -j MAIL
$ipt -A MAIL -m set --set WL src -j RETURN
# more than 2 parallel connections from one address (mask 32) are rejected
$ipt -A MAIL -p tcp -m connlimit --connlimit-above 2 --connlimit-mask 32 -j REJECT
# third new connection within 60 s is dropped, the second is allowed,
# the first is recorded and passed to ADAPT
$ipt -A MAIL -m recent --hitcount 2 --name mail --update --seconds 60 -j DROP
$ipt -A MAIL -m recent --name mail --update --seconds 60 -j RETURN
$ipt -A MAIL -m recent --name mail --set -j ADAPT

# SSH bruteforce attack protection
$ipt -N SSH
$ipt -A INPUT -p tcp --dport 22 --syn -j SSH
$ipt -A SSH -m set --set WL src -j RETURN
$ipt -A SSH -p tcp -m recent --hitcount 2 --name SSH --update --seconds 60 -j DROP
$ipt -A SSH -p tcp -m recent --name SSH --update --seconds 60 -j RETURN
$ipt -A SSH -m recent --name SSH --set -j ADAPT

# FTP bruteforce attack protection
$ipt -N FTP
$ipt -A INPUT -p tcp --dport 21 --syn -j FTP
$ipt -A FTP -m set --set WL src -j RETURN
$ipt -A FTP -m set --set WLN src -j RETURN
$ipt -A FTP -p tcp -m recent --hitcount 2 --name FTP --update --seconds 60 -j DROP
$ipt -A FTP -p tcp -m recent --name FTP --update --seconds 60 -j RETURN
$ipt -A FTP -m recent --name FTP --set -j ADAPT


Conclusion

Code:
# BG IPs list
$ips -N BG_NETS nethash
for i in $(cat /usr/local/router/data/bgnets); do
    $ips -A BG_NETS $i
done


Then the SSH and FTP access control blocks look like this:

Code:
# SSH bruteforce attack protection
$ipt -N SSH
$ipt -A INPUT -p tcp --dport 22 --syn -j SSH
$ipt -A SSH -m set --set WL src -j RETURN
$ipt -A SSH -m set ! --set BG_NETS src -j REJECT
$ipt -A SSH -p tcp -m recent --name SSH --update --seconds 60 -j DROP
$ipt -A SSH -m recent --name SSH --set -j ADAPT

# FTP bruteforce attack protection
$ipt -N FTP
$ipt -A INPUT -p tcp --dport 21 --syn -j FTP
$ipt -A FTP -m set --set WL src -j RETURN
$ipt -A FTP -m set --set WLN src -j RETURN
$ipt -A FTP -m set ! --set BG_NETS src -j REJECT
$ipt -A FTP -p tcp -m recent --name FTP --update --seconds 60 -j DROP
$ipt -A FTP -m recent --name FTP --set -j ADAPT
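
The escalation path in the post (a detector chain such as PSD hands a source to ADAPT, ADAPT records it in watch-hosts and, on the second recorded hit within 180 s, jumps to BANNED, after which the first INPUT rule drops the host for 36000 s) depends on how the xt_recent module counts hits and refreshes timestamps. The following is an added example, not code from the post: a small Python model of those list semantics, written from the xt_recent behaviour that `--update --hitcount N` counts only the stamps already in the list and adds the current packet's stamp only when the rule matches (the per-address stamp limit of 20 is the module's default `ip_pkt_list_tot`). The address and the event timeline are constructed; the rate-limited LOG rules and the whitelist checks are left out because they do not affect the escalation.

```python
"""Model of the xt_recent semantics behind the ADAPT / BANNED chains and the
banned-hosts drop at the top of INPUT (added example, not from the post)."""
from collections import deque

PKT_LIST_TOT = 20        # xt_recent default ip_pkt_list_tot: stamps kept per address
IP = "203.0.113.7"       # constructed test address (RFC 5737 TEST-NET-3)


class RecentTable:
    """One named xt_recent list, e.g. 'watch-hosts' or 'banned-hosts'."""

    def __init__(self, name):
        self.name = name
        self.entries = {}    # address -> deque of timestamps, oldest first

    def _add_stamp(self, ip, now):
        self.entries.setdefault(ip, deque(maxlen=PKT_LIST_TOT)).append(now)

    def set(self, ip, now):
        """--set: add the address, or another timestamp for it; always matches."""
        self._add_stamp(ip, now)
        return True

    def update(self, ip, now, seconds=None, hitcount=None):
        """--update [--seconds S] [--hitcount N]: match when the address is listed
        and at least N of its *existing* stamps are no older than S seconds
        (N defaults to 1).  Only on a match is the current packet's stamp added,
        which is what keeps refreshing a ban while the host keeps sending."""
        stamps = self.entries.get(ip)
        if stamps is None:
            return False
        hits = 0
        for ts in stamps:
            if seconds is not None and now > ts + seconds:
                continue          # too old for this rule's window
            hits += 1
            if hits >= (hitcount or 1):
                self._add_stamp(ip, now)
                return True
        return False


class AdaptiveFilter:
    """The chains that matter for escalation, in the post's rule order."""

    def __init__(self):
        self.banned = RecentTable("banned-hosts")
        self.watch = RecentTable("watch-hosts")

    def input_prefilter(self, ip, now):
        """First INPUT rule: -m recent --name banned-hosts --update --seconds 36000 -j DROP"""
        return "DROP" if self.banned.update(ip, now, seconds=36000) else "CONTINUE"

    def chain_banned(self, ip, now):
        """BANNED: (rate-limited LOG omitted) then --set banned-hosts, RETURN."""
        self.banned.set(ip, now)

    def chain_adapt(self, ip, now):
        """ADAPT: returns True when the source was escalated to BANNED."""
        escalated = self.watch.update(ip, now, seconds=180, hitcount=2)
        if escalated:
            self.chain_banned(ip, now)   # BANNED returns here; the next rule still runs
        self.watch.set(ip, now)          # --set watch-hosts -j RETURN
        return escalated

    def handle_detection(self, ip, now):
        """A packet some detector (psd, hashlimit, ...) handed to ADAPT.  The calling
        chain drops the packet afterwards either way, so the value reported is the
        host's escalation state, not the packet's fate."""
        if self.input_prefilter(ip, now) == "DROP":
            return "already-banned"
        return "banned" if self.chain_adapt(ip, now) else "watched"


def run_scenarios():
    """Constructed timelines showing when a host gets banned and for how long."""
    results = {}
    # 1) three detections inside 180 s: the third finds two recent stamps -> BANNED
    fw = AdaptiveFilter()
    results["burst"] = [fw.handle_detection(IP, t) for t in (0, 50, 100)]
    results["banned_1h_later"] = fw.input_prefilter(IP, 3600)      # drop refreshes the stamp
    # quiet afterwards: by t=39700 both stamps (100, 3600) are older than 36000 s
    results["quiet_expired"] = fw.input_prefilter(IP, 39700)
    # 2) same start, but the host keeps knocking: every dropped packet restarts the clock
    fw = AdaptiveFilter()
    for t in (0, 50, 100):
        fw.handle_detection(IP, t)
    for t in (3600, 39500):
        fw.input_prefilter(IP, t)
    results["persistent_still_banned"] = fw.input_prefilter(IP, 39700)
    # 3) detections more than 180 s apart never accumulate two hits in the window
    fw = AdaptiveFilter()
    results["spread"] = [fw.handle_detection(IP, t) for t in (0, 200, 400)]
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

Two things the model makes visible that the rule listing does not: a ban is only reached on the third detection within 180 s (two stamps must already be present when `--hitcount 2` is evaluated), and because the INPUT drop rule uses `--update`, the 36000 s window restarts with every dropped packet, so a host that keeps probing stays blocked indefinitely while one that goes quiet is released after ten hours.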


Re: stop DoS attack

Post by Leks on Sun Dec 29, 2013 8:18 pm

wtf is that o_o


Re: stop DoS attack

Post by [CCS]ItzGame on Sun Dec 29, 2013 9:41 pm

[CCS]LeKs wrote: wtf is that o_o
lol, they are programming codes.

Re: stop DoS attack

Post by Leks on Mon Dec 30, 2013 1:40 pm

where do I use them? :p


Re: stop DoS attack

Post by [CCS]ItzGame on Mon Dec 30, 2013 6:02 pm

[CCS]LeKs wrote: where do I use them? :p
U don't need to use them, this is for the database of websites.

Re: stop DoS attack

Post by [CCS]tyrannooo on Fri Oct 31, 2014 6:08 pm

OMG itzgame is a programming god

