Shorewall users - Aug 2009 - Combatting DDoS attack

Hi,

I''ve been working the past 8 hrs combatting DDoS attacks on websites
and dedicated servers I host for clients.

They''re hitting one specific IP address, but coming from thousands of
external IP addresses.

I use:

shorewall-4.0.10-3.noarch

How can I tackle this? I''ve blocked many subnets in the blacklist file
but it''s made very little difference.

If someone can advise please do.

Thanks.

Michael.



     
__________________________________________________________________________________
Find local businesses and services in your area with Yahoo!7 Local.
Get started: http://local.yahoo.com.au

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what''s new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

I''m aware of, but have never tried a technique called tarpitting that  
is supposed to be very useful in your situation.

On Aug 29, 2009, at 1:18, Michael Mansour <micoots@yahoo.com> wrote:
> Hi,
>
> I''ve been working the past 8 hrs combatting DDoS attacks on
websites
> and dedicated servers I host for clients.
>
> They''re hitting one specific IP address, but coming from thousands
> of external IP addresses.
>
> I use:
>
> shorewall-4.0.10-3.noarch
>
> How can I tackle this? I''ve blocked many subnets in the blacklist
> file but it''s made very little difference.
>
> If someone can advise please do.
>
> Thanks.
>
> Michael.
>
>
>
>       
>
__________________________________________________________________________________
 
> Find local businesses and services in your area with Yahoo!7 Local.
> Get started: http://local.yahoo.com.au
>
> --- 
> --- 
> --- 
> ---------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008  
> 30-Day
> trial. Simplify your report design, integration and deployment - and  
> focus on
> what you do best, core application coding. Discover what''s new
with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what''s new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

--- On Sat, 8/29/09, Christ Schlacta <aarcane@gmail.com> wrote:
> I''m aware of, but have never tried a
> technique called tarpitting that  
> is supposed to be very useful in your situation.
I think that the TARPIT target has made it into the latest kernels/iptables but
I haven''t checked.
I don''t know if shorewall itself supports it.

Vieri



      

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what''s new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

Vieri Di Paola wrote:
> --- On Sat, 8/29/09, Christ Schlacta <aarcane@gmail.com> wrote:
> 
>> I''m aware of, but have never tried a
>> technique called tarpitting that  
>> is supposed to be very useful in your situation.
> 
> I think that the TARPIT target has made it into the latest kernels/iptables
but I haven''t checked.
> I don''t know if shorewall itself supports it.
It does not.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what''s new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

On Sat, 2009-08-29 at 01:18 -0700, Michael Mansour
wrote:
> Hi,
> 
> I''ve been working the past 8 hrs combatting DDoS attacks on
websites and dedicated servers I host for clients.
> 
> They''re hitting one specific IP address, but coming from thousands
of external IP addresses.
> 
> I use:
> 
> shorewall-4.0.10-3.noarch
> 
> How can I tackle this? I''ve blocked many subnets in the blacklist
file but it''s made very little difference.
> 
> If someone can advise please do.
> 
> Thanks.
> 
Have a looked at "null routing"
http://en.wikipedia.org/wiki/Null_route

Jerry




------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what''s new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

Christ Schlacta wrote:
> I''m aware of, but have never tried a technique called tarpitting
that
> is supposed to be very useful in your situation.
tarpitting a DDOS attack against a legitimate website takes the site
offline.

The TARPIT target is available in xtables-addons and it is easy to
construct an action to invoke it:

Assuming shorewall-perl....

/etc/shorewall/actions:

Tarpit

/etc/shorewall/action.Tarpit

<empty file>

/etc/shorewall/Tarpit:

use Shorewall::Chains;

add_rule $chainref, "-p tcp -j TARPIT";

/etc/shorewall/rules

Tarpit	net	...	tcp	80	-	...

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what''s new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

Le 29 août 2009 à 10:18, Michael Mansour <micoots@yahoo.com> a  
écrit :
> Hi,
>
> I've been working the past 8 hrs combatting DDoS attacks on websites  
> and dedicated servers I host for clients.
>
> They're hitting one specific IP address, but coming from thousands  
> of external IP addresses.
>
> I use:
>
> shorewall-4.0.10-3.noarch
>
> How can I tackle this? I've blocked many subnets in the blacklist  
> file but it's made very little difference.
>
> If someone can advise please do.
>
Hi

Is your Internet pipe flooded or your webserver's ressources are  
exhausted?

In thé first case there is 'nothing' useful to do at your level imho.

In the second one you can try to limit the rate of new connections  
from a single ip/range directed to your webserver.

Laurent
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

I found the article I was reading before about a tarpitting solution 
that doesn''t simply take the website offline.

http://www.secureworks.com/research/threats/ddos/

Tom Eastep wrote:
> Christ Schlacta wrote:
>> I''m aware of, but have never tried a technique called
tarpitting that
>> is supposed to be very useful in your situation.
> 
> tarpitting a DDOS attack against a legitimate website takes the site
> offline.
> 
> The TARPIT target is available in xtables-addons and it is easy to
> construct an action to invoke it:
> 
> Assuming shorewall-perl....
> 
> /etc/shorewall/actions:
> 
> Tarpit
> 
> /etc/shorewall/action.Tarpit
> 
> <empty file>
> 
> /etc/shorewall/Tarpit:
> 
> use Shorewall::Chains;
> 
> add_rule $chainref, "-p tcp -j TARPIT";
> 
> /etc/shorewall/rules
> 
> Tarpit	net	...	tcp	80	-	...
> 
> -Tom
> 
> 
> ------------------------------------------------------------------------
> 
>
------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
on
> what you do best, core application coding. Discover what''s new
with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what''s new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

On 29/08/09 04:18, Michael Mansour wrote:
> How can I tackle this? 
Your ISP is the right place where the attack should be blocked, also
contact your local authorities.

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what''s new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

I have taken the Tarpit instructions below and made Tarpit the default action. 
To do this I changed the DROP_DEFAULT in shorewall.conf to Tarpit.

The Tarpit action doesn''t handle UDP, ICMP, etc asis.  I added another
rule to handle them ie:

cat /etc/shorewall/Tarpit

use Shorewall::Chains;
add_rule $chainref, "-p tcp -j TARPIT";
# DROP for all other protocols
add_rule $chainref, "-j DROP";

Seems to be working, has anyone else tried this?

This would make every host in the blacklist get tarpitted?  Or do I need to set
BLACKLIST_DISPOSITION=Tarpit in shorewall.conf?

Thanks,

ds



Original tarpit instructions:

tarpitting a DDOS attack against a legitimate website takes the site
offline.

The TARPIT target is available in xtables-addons and it is easy to
construct an action to invoke it:

Assuming shorewall-perl....

/etc/shorewall/actions:

Tarpit

/etc/shorewall/action.Tarpit

<empty file>

/etc/shorewall/Tarpit:

use Shorewall::Chains;

add_rule $chainref, "-p tcp -j TARPIT";

/etc/shorewall/rules

Tarpit  net     ...     tcp     80      -       ...


------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference

Dave Sparks wrote:
> I have taken the Tarpit instructions below and made Tarpit the
> default action.  To do this I changed the DROP_DEFAULT in
> shorewall.conf to Tarpit.
> 
> The Tarpit action doesn''t handle UDP, ICMP, etc asis.  I added
> another rule to handle them ie:
> 
> cat /etc/shorewall/Tarpit
> 
> use Shorewall::Chains; add_rule $chainref, "-p tcp -j TARPIT"; #
DROP
> for all other protocols add_rule $chainref, "-j DROP";
> 
> Seems to be working, has anyone else tried this?
Hopefully not. Using this as a default action will tarpit any Auth
client who is trying to authenticate one of your users who just
connected. It also totally breaks logging of DROP policies.
> 
> This would make every host in the blacklist get tarpitted?
No -- this will cause the Tarpit action to be invoked just before a DROP
policy is enforced on a connection request.
> Or do I
> need to set BLACKLIST_DISPOSITION=Tarpit in shorewall.conf?
You don''t get to specify your own action in the BLACKLIST_DISPOSITION
option.

The only legitimate use of your Tarpit action would be in
/etc/shorewall/rules.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference