LinuxQuestions.org

Linux - Networking: iptables rules against udp flood and ddos attack (http://www.linuxquestions.org/questions/linux-networking-3/iptables-rules-against-udp-flood-and-ddos-attack-789950/)

callbiz 02-18-2010 09:55 AM

iptables rules against udp flood and ddos attack
 
Hi everyone, I am new to LinuxQuestions and to Linux.

One of my servers is under a DoS or DDoS UDP flood attack. I want to implement the iptables rules provided by my server provider.

Current scenario

Cisco asa 5505 >> Windows and linux servers
same subnet and same gateway for both

Default gateway xxx.xxx.213.129
Linux centos xxx.xxx.213.130
Windows server xxx.xxx.213.131

It's all in a datacenter.

Now outside and inside traffic comes through the Cisco to all servers.

I want to implement:
cisco>>> Linux>>> windows

more details

The server is listening on UDP port 1805 for encrypted packets, but hackers send a lot of data to this port assuming that there is a SIP server.
Such hack attempts block the tunnel service and good clients cannot connect to it.
To protect our customers from such DoS attacks please add at least the following rules to your firewall:

block SIP requests REGISTER, INVITE, SUBSCRIBE that come to UDP port 1805
block more than 50 pps from one IP for UDP port 1805 (one IP is not able to send more than 50 packets per second to this port)

Here are sample Linux netfilter rules for such an issue:
SERVER_IP - IP address of the voipswitch server

iptables -A FORWARD -m string --string "INVITE sip:" --algo bm --to 65 -p udp --dport 1805 -d SERVER_IP -j DROP
iptables -A FORWARD -m string --string "REGISTER sip:" --algo bm --to 65 -p udp --dport 1805 -d SERVER_IP -j DROP
iptables -A FORWARD -m string --string "SUBSCRIBE" --algo bm --to 65 -p udp --dport 1805 -d SERVER_IP -j DROP
iptables -A FORWARD -m string --string "MESSAGE" --algo bm --to 65 -p udp --dport 1805 -d SERVER_IP -j DROP
iptables -A FORWARD -m string --string "OPTIONS" --algo bm --to 65 -p udp --dport 1805 -d SERVER_IP -j DROP
iptables -A FORWARD -m hashlimit --hashlimit 50/sec --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -d SERVER_IP -p UDP --dport 1805 -j ACCEPT
iptables -A FORWARD -d SERVER_IP -p UDP --dport 1805 -j DROP

Now I have implemented these rules. When I send UDP packets to xxx.xxx.213.130 (the Linux box), they are not forwarded to the Windows machine.

So please help me regarding this matter.
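The provider's rule set above does two separable things: the five -m string rules drop packets whose first 65 payload bytes contain a SIP method (that is what "--to 65" limits the search to), and the hashlimit rule lets through at most 50 packets per second per source IP, dropping the rest. Note also that these rules sit in the FORWARD chain, so they only see packets the Linux box itself routes or bridges between two interfaces, which is the setup the later replies about a two-NIC firewall describe. The Python model below is an added illustration, not code from the thread, the provider or voipswitch: it assumes hashlimit's default burst of 5, integer-millisecond timestamps, and constructed sample packets with documentation IP addresses. Running it shows the per-source bucket settling at one accepted packet in two for a 100 pps stream, and shows that a SIP method string placed beyond byte 65 is not caught by the string rules, so the rate limit is the control that actually bounds such traffic.

```python
"""
Model of the posted FORWARD rules for UDP/1805 (added example, not the
provider's or the thread's code). Stage 1 mirrors the '-m string --to 65'
rules, stage 2 approximates '-m hashlimit --hashlimit 50/sec
--hashlimit-mode srcip,dstport' as a token bucket with hashlimit's default
burst of 5. All packets are constructed sample data, not captured traffic.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SERVER_PORT = 1805
# The strings the posted rules drop; SUBSCRIBE/MESSAGE/OPTIONS are matched bare.
BLOCKED_SIP_STRINGS = (b"INVITE sip:", b"REGISTER sip:", b"SUBSCRIBE",
                       b"MESSAGE", b"OPTIONS")
STRING_MATCH_TO = 65     # --to 65: the string must end inside the first 65 bytes
RATE_PER_SEC = 50        # --hashlimit 50/sec
BURST = 5                # hashlimit's default --hashlimit-burst (assumption)


@dataclass
class Packet:
    src: str        # source IP (constructed)
    dport: int      # UDP destination port
    ts_ms: int      # arrival time in milliseconds (integer, so no float drift)
    payload: bytes


def matches_sip_method(payload: bytes) -> bool:
    """Equivalent of the five '-m string --algo bm --to 65' rules."""
    window = payload[:STRING_MATCH_TO]
    return any(s in window for s in BLOCKED_SIP_STRINGS)


class SrcIpLimiter:
    """Token bucket keyed by (srcip, dstport), kept in milli-tokens so the
    arithmetic stays integer: a packet costs 1000, the bucket refills at
    rate * elapsed_ms and is capped at burst * 1000."""

    def __init__(self, rate_per_sec: int = RATE_PER_SEC, burst: int = BURST):
        self.rate = rate_per_sec
        self.cap = burst * 1000
        self.buckets: Dict[Tuple[str, int], Tuple[int, int]] = {}  # key -> (tokens, last_ts)

    def allow(self, key: Tuple[str, int], ts_ms: int) -> bool:
        tokens, last = self.buckets.get(key, (self.cap, ts_ms))
        tokens = min(self.cap, tokens + (ts_ms - last) * self.rate)
        if tokens >= 1000:
            self.buckets[key] = (tokens - 1000, ts_ms)
            return True
        self.buckets[key] = (tokens, ts_ms)   # credit still accrues while dropping
        return False


def filter_packets(packets: List[Packet]) -> List[str]:
    """Walk the posted rules in order; one verdict per packet.
    'NO_MATCH' means no posted rule applied (the chain policy decides)."""
    limiter = SrcIpLimiter()
    verdicts = []
    for p in packets:
        if p.dport != SERVER_PORT:
            verdicts.append("NO_MATCH")
        elif matches_sip_method(p.payload):
            verdicts.append("DROP:sip")
        elif limiter.allow((p.src, p.dport), p.ts_ms):
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP:rate")
    return verdicts


def sample_packets() -> List[Packet]:
    """Constructed traffic: a SIP probe, a probe whose method string sits past
    byte 65 (outside the --to 65 window), a packet to another port, then a
    100 pps stream (10 ms spacing) from one source for one second."""
    pkts = [
        Packet("198.51.100.7", 1805, 0, b"INVITE sip:alice@example.invalid SIP/2.0\r\n"),
        Packet("198.51.100.7", 1805, 1, b"\x00" * 70 + b"INVITE sip:bob@example.invalid SIP/2.0\r\n"),
        Packet("198.51.100.7", 5060, 2, b"OPTIONS sip:x SIP/2.0\r\n"),
    ]
    pkts += [Packet("203.0.113.5", 1805, 1000 + 10 * i, b"\x17\x03" + bytes([i % 256]) * 40)
             for i in range(100)]
    return pkts


def summarize(verdicts: List[str]) -> Dict[str, int]:
    """Count verdicts so the effect of each stage is visible at a glance."""
    counts: Dict[str, int] = {}
    for v in verdicts:
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    v = filter_packets(sample_packets())
    print(v[:3], summarize(v))
```

For the 100 pps stream the bucket starts with 5 packets of credit and refills half a packet per arrival, so the first nine packets pass and afterwards every other one does, giving 54 accepted and 46 dropped for that source while other sources are unaffected.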

nimnull22 02-18-2010 01:34 PM

It won't help, because the UDP flood will come anyway, and the port will be overloaded.
You can really solve your problem if your ISP would block the IP from which the flood comes on their equipment. But ISPs don't like to do it. It will overload their routers as well.

callbiz 02-18-2010 01:42 PM

Yes, you are right, they are not helping.
 
There is not a single IP, there are a lot of spoofed IPs, so is there any other way to stop it?

nimnull22 02-18-2010 01:49 PM

Disconnect your network. Let the ISP routers go down. Filters on your side won't help.

nimnull22 02-18-2010 02:02 PM

You can try to FORWARD through your Linux firewall ONLY traffic from customer IPs (if you know them); in that case you will unload the port on the equipment next to the firewall. But if the flood takes all your bandwidth, it won't help either.

callbiz 02-18-2010 02:11 PM

The datacenter doesn't mind.
 
It's been coming for 3 weeks and they don't mind because they have bandwidth in gigabytes and the flood is only 40 mb max :(

nimnull22 02-18-2010 02:20 PM

Typically.

If the flood does not cover all your bandwidth, implement a Linux firewall (a computer with 2 ethernet cards) and try to filter traffic: allow only from your customers' IPs, anything from other IPs - DROP.

callingcard 02-18-2010 04:32 PM

Quote:

Originally Posted by callbiz (Post 3868526)
It's been coming for 3 weeks and they don't mind because they have bandwidth in gigabytes and the flood is only 40 mb max :(


Hey man, I am also facing this problem since 21 January 2010 :hattip:

By the way, Witold Golab has updated the tunnel hack attempt. Please check that.

I don't have a Linux firewall, but I will get it in the next 2 weeks, so I can check it.

By the way, we can share something here to save our money!!!

Don't pay for any hardware firewall. I have also tested the 5505 and 5520 Cisco ASA.

A firewall can only block / unblock ports. It can not do more than this for us (voipswitch providers), and this is not the solution.

And that hacker may be Vbuzzer . com

We need to filter IP spoofing, like 50 packets or 90 packets are not allowed per IP in one second.

nimnull22 02-18-2010 04:41 PM

By "linux firewall" I meant an ordinary computer with 2 ethernet cards and a Linux OS. Linux by default has iptables, which sometimes works better and more stably than an expensive "special firewall".
So all you need is to give iptables FORWARD rules to filter only your IPs and to DROP the others.

callingcard 02-18-2010 04:50 PM

I have also tested the Session Border Controller (SBC) of Genband.
That is also not useful for us because of this VoipTunnelServer.

SBCs are not able to understand VoipTunnelServer's encrypted packets.

Session border controllers are hardware firewalls specially made for VoIP security. But this is not working with voipswitch because of this VoipTunnelServer.

callbiz 02-19-2010 06:36 AM

You are right
 
The ASA 5505 doesn't help, but I am testing one new scenario and will update you on it: we can create a VPN tunnel and all dialers can log in normally, as the voipswitch tunnel works. Witold, I cannot find him either for 3 weeks, and they are all helpless. I have already sent a request to my datacenter to update my Linux server and add another network adapter to it. I hope shortly they will add it, and then I will configure an invisible firewall on it for pps; maybe it helps, if not, the other way is VPN tunnelling, which is a possibility to implement on all our dialers. The same dialer without the tunnel will do tunnelling from the Cisco; I am not sure, but we are testing, and I hope there will be some good results.

callbiz 02-19-2010 06:46 AM

Most probably the hacker is from talkfree, and I don't think so from vbuzzer because their services are also affected; they have one more brand, ringomax. We have already taken all the details and are compiling a file with the FBI.

callingcard 02-19-2010 08:13 AM

Hello !

By the way Ringomax is not part of Vbuzzer.
I am a shareholder of Ringomax :) We are 3 partners.

check your PM.

