Iptables – Expert iptables help needed

firewalliptables

After a detailed analysis, I collected these details.

I am under a UDP Flood which is more of application dependent. I run a Game-Server and an attacker is flooding me with "getstatus" query which makes the GameServer respond by making the replies to the query which cause output to the attacker's IP as high as 30mb/s and server lag.

Here are the packet details,

Packet starts with 4 bytes 0xff and then getstatus.
Theoretically, the packet is like "\xff\xff\xff\xffgetstatus "

Now that I've tried a lot of iptables variations like state and rate-limiting along side but those didn't work. Rate Limit works good but only when the Server is not started. As soon as the server starts, no iptables rule seems to block it.

Anyone else got more solutions? someone asked me to contact the provider and get it done at the Network/Router but that looks very odd and I believe they might not do it since that would also affect other clients.

Responding to all those answers, I'd say:

Firstly, its a VPS so they can't do it for me. Secondly, I don't care if something is coming in but since its application generated so there has to be a OS level solution to block the outgoing packets. At least the outgoing ones must be stopped.

Secondly, its not Ddos since just 400kb/s input generates 30mb/s output from my GameServer. That never happens in a D-dos. Asking the provider/hardware level solution should be used in that case but this one is different. And Yes, Banning his IP stops the flood of outgoing packets but he has many more IP-Addresses as he spoofs his original so I just need something to block him automatically.

Even tried a lot of Firewalls but as you know they are just front-ends to iptables so if something doesn't work on iptables, what would the firewalls do?

These were the rules I tried,

iptables -A INPUT -p udp -m state --state NEW -m recent --set --name DDOS --rsource
iptables -A INPUT -p udp -m state --state NEW -m recent --update --seconds 1 --hitcount 5 --name DDOS --rsource -j DROP

It works for the attacks on un-used ports but when the server is listening and responding to the incoming queries by the attacker, it never works.

Okay Tom.H, your rules were working when I modified them somehow like this:

iptables -A INPUT -p udp -m length --length 1:1024 -m recent --set --name XXXX --rsource
iptables -A INPUT -p udp -m string --string "xxxxxxxxxx" --algo bm --to 65535 -m recent --update --seconds 1 --hitcount 15 --name XXXX --rsource -j DROP

They worked for about 3 days very good where the string "xxxxxxxxx" would be rate-limited, blocked if someone flooded and also didn't affect the clients. But just today, I tried updating the chain to try to remove a previously blocked IP so for that I had to flush the chain and restore this rule ( iptables -X and iptables -F ), some clients were already connected to servers including me. So restoring the rules now would also block some of the clients string completely while some are not affected. So does this mean I need to restart the server or why else would this happen because the last time the rules were working, there was no one connected?

Best Answer

You're very nearly there, but it's possible that you've been cargo-culting someone else's work, possibly on ssh rate-limiting, without really understanding it. Please note that I'm not criticising you: building on other people's work is an excellent idea in the free software community; but you should understand why they've done what they've done, so you don't fail to use it correctly.

I set up a test rig, using nc (netcat) to flood UDP traffic from a machine called bill to a machine called risby with the following lines:

risby% nc -l -u 12345
bill% seq 1 10000000 | nc -u risby 12345

This produced a very-rapidly increasing list of numbers from risby's netcat, much like the command-flooding you've been having.

But when I created two new rules for risby's iptables which filtered only UDP traffic to port 12345 without regard for state, it worked fine:

iptables -I INPUT 1 -p udp --dport 12345 -m recent --set --name ddos
iptables -I INPUT 2 -p udp --dport 12345 -m recent --rcheck  --seconds 1 --hitcount 5 --name ddos -j DROP

When I re-ran the netcats, the first few packets from bill got through on risby, and the numbers climbed rapidly to about 1800, but then it stalled completely and no further traffic was received from bill.

Note that it's quite important that these rules come early in your iptables INPUT chain, which is why I've inserted them at lines 1 and 2 respectively.

Edit:

Increase the rate, and require it to be sustained for longer; perhaps --seconds 10 --hitcount 50? Eventually you'll reach a threshold where few legitimate clients are affected, but the DDoS is still substantially throttled. Note that friendly-fire is always a possibility in this kind of layer-3 throttling; my own ssh server limits new connections to two per 60s window, which makes repeated scps quite slow. But it's a price I'm willing to pay, and to do better requires layer-4 throttling, which means the application has to be throttling-aware. iptables can't help you there.

I note that --hitcount can take no value higher than the ip_pkt_list_tot parameter of the xt_recent kernel module, and if the value's exceeded an error is thrown at rule-creation time:

[root@risby scratch]# iptables -A INPUT -p udp -m recent --rcheck  --seconds 1 --hitcount 50 --name ddos -j DROP 
iptables: Invalid argument. Run `dmesg' for more information.

But this value can be set at up to 255 at module insertion time. Following the suggestions in this blog entry, it's possible to reload the module, setting the parameter explicitly:

[root@risby scratch]# rmmod xt_recent
[root@risby scratch]# modprobe xt_recent ip_pkt_list_tot=100
[root@risby scratch]# iptables -A INPUT -p udp -m recent --rcheck  --seconds 1 --hitcount 50 --name ddos -j DROP 
[root@risby scratch]#

Note how the --hitcount 50 no longer causes errors. You may need to flush the INPUT chain (iptables -F INPUT) and any other chains that use the recent module before you can remove and reinsert the xt_recent module.

Related Solutions

iptables – Using ‘-p udp –state ESTABLISHED’ in iptables

So, iptables basically remembers the port number that was used for the outgoing packet (what else could it remember for a UDP packet?),

I am pretty sure for UDP the source and destination ports and addresses are stored.

If you want to inspect the state tables install conntrack and/or netstat-nat.

(What would happen, if I accidentally tried to start a service on that port within the timeframe - would that attempt be denied/blocked?)

Since you are using OUTPUT and INPUT your are talking about local services. The port is already used I don't believe your system will allow you to start up another service since something is already listening on that port. I guess you could stop the first service and start another if you really wanted to though, in that case the response would probably get to your service. What the service does with the packet depends on what the contents of the packet is, and what service it is.

Iptables rule to block incoming/outgoing traffic to a Xen container

This rule worked ion my installation:

iptables -I FORWARD 1 -d [client-ip] -p tcp -m tcp --dport 53 -j DROP
iptables -I FORWARD 1 -d [client-ip] -p udp -m udp --dport 53 -j DROP

Notice that netfilter reads rules top-to-bottom and if you have a rule permitting all traffic to this client above (iptables -A adds rule to the end of the table), this new rule won't be reached and won't have effect.

I didn't understand why you use "state" module if you a listing all valid states? It just uses CPU time and has no effect IMHO.

Next, I'm not sure, what is the goal of blocking traffic, going from port 25. If you client sends ab e-mail, he connects to remote server's port 25 but uses one of local ports (32k..64k by default) on his side. Couldn't you explain, what do you want to get as a result?

Best Answer

Related Solutions

iptables – Using ‘-p udp –state ESTABLISHED’ in iptables

Iptables rule to block incoming/outgoing traffic to a Xen container

Related Topic