I''m trying to deal with the following problem:
* My BIND 9.9.1-P1 DNS server is being hammered with a
reflection/amplification DDoS attack where a small
(67 bytes) query is causing a large (2577 bytes)
answer to be sent to the query''s forged source address.
* I''ve applied the rate-limit patch from here:
http://www.redbarn.org/dns/ratelimits
and it works well until the query load get to be about
11,000/second and then general packet loss starts to occur.
* After identifying the egregious source addresses with dnstop(1),
the Shorewall blacklist feature helps very much. While I only
need to block ten or fewer addresses at a time, this solution
does not scale because the spoofed addresses are always changing.
I ran across the following article:>
http://forum.slicehost.com/index.php?p=/discussion/2970/dns-multiplication-ddos-underway/p1
and in my particular case, it would be ideal if I could insert the following
rule into my Shorewall configuration:
iptables -t raw -I PREROUTING -p udp --destination-port 53 -m string \
--algo kmp --from <offset> --hex-string "|<some hex
data>|" -j DROP
I''m using Debian stable and so the version of Shorewall is 4.4.11
and have read the following documentation:
http://www.shorewall.net/Actions.html#Extension
http://www.shorewall.net/shorewall_extension_scripts.htm
http://www.shorewall.net/ManualChains.html
So my question is:
It seems possible to add custom iptables rules in Shorewall but
I would like to add a rule before connection tracking takes place,
i.e., the rule should go in the PREROUTING chain of the "raw"
table.
Can this be done within the Shorewall framework?
If so, then could someone indulge me with the high-level steps that
are needed to achieve this?
Thanks,
Andris
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 06/23/2012 12:03 AM, Andris Kalnozols wrote:> I''m trying to deal with the following problem: > > * My BIND 9.9.1-P1 DNS server is being hammered with a > reflection/amplification DDoS attack where a small > (67 bytes) query is causing a large (2577 bytes) > answer to be sent to the query''s forged source address. > > * I''ve applied the rate-limit patch from here: > > http://www.redbarn.org/dns/ratelimits > > and it works well until the query load get to be about > 11,000/second and then general packet loss starts to occur. > > * After identifying the egregious source addresses with dnstop(1), > the Shorewall blacklist feature helps very much. While I only > need to block ten or fewer addresses at a time, this solution > does not scale because the spoofed addresses are always changing. > > I ran across the following article: >> http://forum.slicehost.com/index.php?p=/discussion/2970/dns-multiplication-ddos-underway/p1 > > and in my particular case, it would be ideal if I could insert the following > rule into my Shorewall configuration: > > iptables -t raw -I PREROUTING -p udp --destination-port 53 -m string \ > --algo kmp --from <offset> --hex-string "|<some hex data>|" -j DROP > > I''m using Debian stable and so the version of Shorewall is 4.4.11 > and have read the following documentation: > > http://www.shorewall.net/Actions.html#Extension > http://www.shorewall.net/shorewall_extension_scripts.htm > http://www.shorewall.net/ManualChains.html > > So my question is: > > It seems possible to add custom iptables rules in Shorewall but > I would like to add a rule before connection tracking takes place, > i.e., the rule should go in the PREROUTING chain of the "raw" table. > Can this be done within the Shorewall framework? > > If so, then could someone indulge me with the high-level steps that > are needed to achieve this?Simply put the above iptables command in /etc/shorewall/start. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 6/23/2012 6:55 AM, Tom Eastep wrote:> On 06/23/2012 12:03 AM, Andris Kalnozols wrote: >> >> I''m using Debian stable and so the version of Shorewall is 4.4.11 >> and have read the following documentation: >> >> http://www.shorewall.net/Actions.html#Extension >> http://www.shorewall.net/shorewall_extension_scripts.htm >> http://www.shorewall.net/ManualChains.htmlIt appears my reading comprehension skills can stand some improvement...>> So my question is: >> >> It seems possible to add custom iptables rules in Shorewall but >> I would like to add a rule before connection tracking takes place, >> i.e., the rule should go in the PREROUTING chain of the "raw" table. >> Can this be done within the Shorewall framework? >> >> If so, then could someone indulge me with the high-level steps that >> are needed to achieve this? > > Simply put the above iptables command in /etc/shorewall/start.Couldn''t be easier. Thanks, Tom, for your help and excellent firewall application. No regrets convincing my colleagues to use it. ------ Andris ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/