Join Log in
Score:0
Mario Navarro Claras avatar Ubuntu

DDoS Attack - Iptables bad configuration

tj flag
Mario Navarro Claras

I have Ubuntu 20.04.4 LTS. I am under a DDoS attack and don't know how to limit the connections made by multiple IP's (avobe 500).

I saw some post, like this or this, but don't know how to follow the steps correctly to solve this situation.

My current rules are:

## Accept some ports
iptables -A INPUT -p tcp --dport 28261 -j ACCEPT
iptables -A INPUT -p tcp --dport 3724 -j ACCEPT
### Prevent port scan ###
iptables -N port-scan 
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 3 -j RETURN 
iptables -A port-scan -j DROP
### SSH brute-force protection ###
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
### 1: Drop invalid packets ###
/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
## 2: Drop TCP packets that are new and are not SYN ###
/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT
### 8: Limit connections per source IP ###
/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 10 -j REJECT --reject-with tcp-reset
### 9: Limit RST packets ###
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
### 10: Limit new TCP connections per second per source IP ###
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 10/s --limit-burst 5 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

What is wrong with this configuration? Which rules are useless and which ones does I need?

Thanks in advance!

337
1 + 4
guiverc avatar
cn flag
guiverc
If you're still using 20.04.4, then apply all security upgrades as a fully upgraded/patched 20.04 or *focal* system has reported itself as 20.04.5 for some time. Refer https://fridge.ubuntu.com/2022/09/01/ubuntu-20-04-5-lts-released/ but please note that date is the ISO release date with installed systems upgrading in the weeks before that date. Applying all fixes regularly and timely helps keep your system secure.
2
Reply
Doug Smythies avatar
gn flag
Doug Smythies
I was involved in both of your references and spent a lot of time trying to help the OP. DDoS attacks are extremely difficult to fend off. You might need help from your ISP.
0
Reply
Doug Smythies avatar
gn flag
Doug Smythies
Your accept some ports rules should be after some of your connection limiting rules. Expand your SSH protection to block an entire sub-net, say mask to 24 bits. Change all REJECTs to DROPs. Show us more about the traffic you are getting. Use the iptables packets counters to observe the paths taken in order to learn where to focus attention (Do `sudo iptables -xvnL`.)
0
Reply
Mario Navarro Claras avatar
tj flag
Mario Navarro Claras
The attack I'm facing right now is called "SYN Flood", so the rules that I have I think are not enough to fix the problem. @DougSmythies thanks for your replies, but maybe what I need is a better known of the iptables rules order, or an example of a fully configured iptables system with DDoS protection
0
Reply
Score:0
Doug Smythies avatar Ubuntu
gn flag
Doug Smythies

There may not be generic iptables rules to deal with all distributed "SYN Flood" attacks. I have always had to create some rules to deal with the specific attack, sometimes resulting collateral damage (i.e. blocking legitimate packets, I don't care). The following examples span an 11 year period.

Legend:

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
EXTIF="enp1s0"
INTIF="br0"
EXTIP="173.XXX.YYY.ZZZ" (hidden)
EXTOTHERIP="173.XXX.YYY.ZZQ" (hidden)
INTNET="192.168.111.0/24"
INTIP="192.168.111.1/32"
UNIVERSE="0.0.0.0/0"

Example 1: A SYN Flood attack against port 80 where the source port was also port 80. No real web surfing client would have a source port of 80, so block it:

# Related to SYN flood attacks on port 80.
# Drop packets that have source port = destination port = 80, as they seem to come forever
# via (I think) the ESTABLISHED,RELATED path and are never caught by the bad guy detector.
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --sport 80 --dport 80 -j DROP

Examples 2 and 3: SYN Flood attacks where the TCP window size is always the same:

# SYN Flood (trickle, actually) attack of 2011.02:
# Always had same TCP window size of 61690 (0xF0FA), which was unique to this attack.
# TOS (type of service) offset = 6 ; TCP service = 6 ; Window size offset = 32
#
#$IPTABLES -A INPUT -i $EXTIF -m u32 --u32 "6&0xFF=0x6 && 32&0xFFFF=0xF0FA" -j LOG --log-prefix "BADZ:" --log-level info
#$IPTABLES -A INPUT -i $EXTIF -m u32 --u32 "6&0xFF=0x6 && 32&0xFFFF=0xF0FA" -j DROP
#
# SYN Flood (trickle, actually) attack of 2016.05 - ??:
# Always had same TCP window size of 32120 (0x7D78), which was not unique to this attack, but very rare
# TOS (type of service) offset = 6 ; TCP service = 6 ; Window size offset = 32
#
$IPTABLES -A INPUT -i $EXTIF -m u32 --u32 "6&0xFF=0x6 && 32&0xFFFF=0x7D78" -j LOG --log-prefix "BADZ:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m u32 --u32 "6&0xFF=0x6 && 32&0xFFFF=0x7D78" -j DROP

Example 4: SYN Flood attack using illegal source port number:

# Ver 0.39: Current SYN flood attack uses illegal ports. Filter based on port 0 to get rid of them.
# Ver 0.40: Comment out. Event has ended.
#
#$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 2 --seconds 5400 --name BADGUY_SYN -j LOG --log-prefix "SYN BAD:" --log-level info
#$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 2 --seconds 5400 --name BADGUY_SYN -j DROP
#$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --sport 0 --dport 80 -m recent --set --name BADGUY_SYN -j DROP

Example 5: SYN Flood attack that was no so "Distributed", mainly coming from one IP address sub-net. Just block the entire sub-net. I have a great many of these, in addition to using ipset to block all of Russia, China, and some other countries:

$IPTABLES -A INPUT -i $EXTIF -s 184.105.0.0/16 -d $UNIVERSE -j DROP
+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.