LinuxQuestions.org
Old 02-18-2010, 09:55 AM   #1
callbiz
iptables rules against udp flood and ddos attack


Hi everyone, I am new to LinuxQuestions and to Linux.

One of my servers is under a DoS or DDoS UDP flood attack. I want to implement the iptables rules provided by my server provider.

Current scenario:

Cisco ASA 5505 >> Windows and Linux servers
Same subnet and same gateway for both

Default gateway xxx.xxx.213.129
Linux CentOS xxx.xxx.213.130
Windows server xxx.xxx.213.131

It's all in a datacenter.

Right now outside and inside traffic comes through the Cisco to all servers.

I want to implement:
Cisco >>> Linux >>> Windows

More details:

The server is listening on UDP port 1805 for encrypted packets, but hackers send a lot of data to this port assuming that there is a SIP server.
Such hack attempts block the tunnel service and good clients cannot connect to it.
To prevent our customers from such DoS attacks please add at least the following rules to your firewall:

block SIP requests REGISTER, INVITE, SUBSCRIBE that come to UDP port 1805
block more than 50 pps from one IP for UDP port 1805 (one IP is not able to send more than 50 packets per second to this port)

Here are sample Linux netfilter rules for such an issue:
SERVER_IP - IP address of the voipswitch server

# SERVER_IP: set to the address of the voipswitch server before running these
# Rules 1-5: drop datagrams to UDP/1805 whose first 65 bytes carry a SIP request method
iptables -A FORWARD -m string --string "INVITE sip:" --algo bm --to 65 -p udp --dport 1805 -d "$SERVER_IP" -j DROP
iptables -A FORWARD -m string --string "REGISTER sip:" --algo bm --to 65 -p udp --dport 1805 -d "$SERVER_IP" -j DROP
iptables -A FORWARD -m string --string "SUBSCRIBE" --algo bm --to 65 -p udp --dport 1805 -d "$SERVER_IP" -j DROP
iptables -A FORWARD -m string --string "MESSAGE" --algo bm --to 65 -p udp --dport 1805 -d "$SERVER_IP" -j DROP
iptables -A FORWARD -m string --string "OPTIONS" --algo bm --to 65 -p udp --dport 1805 -d "$SERVER_IP" -j DROP
# Rule 6: accept at most 50 packets/sec per (source IP, destination port); rule 7 drops whatever exceeds that
iptables -A FORWARD -m hashlimit --hashlimit 50/sec --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -d "$SERVER_IP" -p udp --dport 1805 -j ACCEPT
iptables -A FORWARD -d "$SERVER_IP" -p udp --dport 1805 -j DROP

Now I have implemented these rules, but when I send UDP packets to xxx.xxx.213.130 (Linux) they are not forwarded to the Windows machine.

So please help me regarding this matter.
 
Old 02-18-2010, 01:34 PM   #2
nimnull22
It won't help, because the UDP flood will come anyway, and the port will be overloaded.
You can really solve your problem if your ISP blocks the IPs the flood comes from on their equipment. But ISPs don't like to do it; it will overload their routers as well.
 
Old 02-18-2010, 01:42 PM   #3
callbiz
Original Poster
Yes, you are right, they are not helping.

There is not a single IP; there are a lot of spoofed IPs. So is there any other way to stop it?
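The provider's rules in post #1 and the spoofed sources raised in post #3 are worth seeing side by side. What follows is an added example, not code from this thread or from the voipswitch vendor: a userspace model in Python of what the five string-match DROP rules and the hashlimit ACCEPT rule do to constructed UDP datagrams. It assumes that netfilter's string-match offsets count from the start of the IP header (a 20-byte IPv4 header plus the 8-byte UDP header, so `--to 65` inspects only the first 37 payload bytes), models hashlimit as a per-source token bucket with the default burst of 5, and uses constructed addresses and payloads throughout. The two floods make the point of the thread: one genuine source at 500 pps gets 54 packets through in a second (the burst plus 50/sec), while the same 500 packets with a different forged source on each one all get through, because every new source address opens a fresh bucket.

```python
"""Userspace model of the netfilter rules posted for UDP/1805, run over constructed
datagrams. Added example; not code from this thread or from the voipswitch vendor."""
from dataclasses import dataclass, field

# The patterns from the five '-m string --algo bm --to 65 ... -j DROP' rules.
SIP_SIGNATURES = (b"INVITE sip:", b"REGISTER sip:", b"SUBSCRIBE", b"MESSAGE", b"OPTIONS")

# Assumption stated in the lead-in: xt_string offsets count from the start of the IP
# header, so a 20-byte IPv4 header (no options) and the 8-byte UDP header come first.
L3_L4_HEADER_LEN = 28
STRING_TO = 65                        # --to 65

# xt_hashlimit bookkeeping, kept in integer microseconds like the kernel's credit counter.
RATE_PPS = 50                         # --hashlimit 50/sec
BURST = 5                             # --hashlimit-burst default
COST_US = 1_000_000 // RATE_PPS       # credit one accepted packet costs
CAP_US = COST_US * BURST              # a fresh bucket starts full: BURST packets back to back


@dataclass
class Datagram:
    src: str         # source IPv4 address as text (constructed)
    payload: bytes   # UDP payload
    t_us: int        # arrival time in microseconds


def sip_signature_found(payload: bytes) -> bool:
    """Model of rules 1-5: the pattern must lie entirely inside bytes [0, 65) of the
    IP packet, which leaves only the first 65 - 28 = 37 payload bytes to be searched."""
    window = (b"\x00" * L3_L4_HEADER_LEN + payload)[:STRING_TO]
    return any(sig in window for sig in SIP_SIGNATURES)


@dataclass
class HashLimit:
    """Model of rule 6. The posted mode is srcip,dstport; the port is fixed here,
    so the bucket key is the source address alone."""
    buckets: dict = field(default_factory=dict)   # src -> (credit_us, last_seen_us)

    def allow(self, src: str, t_us: int) -> bool:
        credit, last = self.buckets.get(src, (CAP_US, t_us))
        credit = min(CAP_US, credit + (t_us - last))   # one credit per elapsed microsecond
        if credit >= COST_US:
            self.buckets[src] = (credit - COST_US, t_us)
            return True
        self.buckets[src] = (credit, t_us)
        return False


def run_chain(packets):
    """Apply the seven FORWARD rules in posted order and count the verdicts."""
    limiter = HashLimit()
    counts = {"sip_dropped": 0, "accepted": 0, "rate_dropped": 0}
    for p in packets:
        if sip_signature_found(p.payload):
            counts["sip_dropped"] += 1    # rules 1-5: SIP request text -> DROP
        elif limiter.allow(p.src, p.t_us):
            counts["accepted"] += 1       # rule 6: within 50/sec for this source -> ACCEPT
        else:
            counts["rate_dropped"] += 1   # rule 7: everything else to UDP/1805 -> DROP
    return counts


# Constructed stand-in for an encrypted tunnel payload: 64 bytes with no SIP method text.
TUNNEL_BLOB = bytes(range(32, 96))


def single_source_flood():
    """500 packets in one second from a single genuine address (constructed)."""
    pkts = [Datagram("198.51.100.7", TUNNEL_BLOB, i * 2000) for i in range(500)]
    return run_chain(pkts)   # burst of 5, then 1 in 10: 54 accepted, 446 dropped


def spoofed_source_flood():
    """The same 500 packets, each with a different forged source (constructed 10/8
    addresses stand in for random public ones): every packet opens a fresh bucket."""
    pkts = [Datagram(f"10.{i >> 8}.{i & 255}.1", TUNNEL_BLOB, i * 2000) for i in range(500)]
    return run_chain(pkts)   # 500 accepted: per-source limiting does nothing here


def sip_probe_verdicts():
    """Three constructed probes against the string rules: a SIP INVITE at the start of
    the payload, the same INVITE pushed past the 37 inspected bytes, and the opaque blob."""
    invite = b"INVITE sip:1000@example.invalid SIP/2.0\r\n"
    return (
        sip_signature_found(invite),              # True: rule 1 fires
        sip_signature_found(b" " * 40 + invite),  # False: beyond --to 65 from the IP header
        sip_signature_found(TUNNEL_BLOB),         # False: nothing to match
    )


if __name__ == "__main__":
    print("single source :", single_source_flood())
    print("spoofed source:", spoofed_source_flood())
    print("SIP probes    :", sip_probe_verdicts())
```

The hashlimit key in the posted rule is srcip,dstport; with one destination port that reduces to the source address, which is what the model keys on, and it is exactly why a flood with forged sources sails through it. The second probe in sip_probe_verdicts shows the other limit of the posted rules: a SIP request line that starts past the inspected window is never matched, so anything the string rules miss still has to be absorbed by the rate limit.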
 
Old 02-18-2010, 01:49 PM   #4
nimnull22
Disconnect your network. Let the ISP routers go down. Filters on your side won't help.
 
Old 02-18-2010, 02:02 PM   #5
nimnull22
You can try to FORWARD through your Linux firewall ONLY traffic from customer IPs (if you know them); in that case you will unload the port on the equipment next to the firewall. But if the flood takes all your bandwidth, it won't help either.
 
Old 02-18-2010, 02:11 PM   #6
callbiz
Original Poster
The datacenter doesn't mind.

It has been coming for 3 weeks and they don't mind because they have bandwidth in gigabytes and the flood is only 40 mb max.
 
Old 02-18-2010, 02:20 PM   #7
nimnull22
Typically.

If the flood does not cover all your bandwidth, implement a Linux firewall (a computer with 2 Ethernet cards) and try to filter traffic: allow only from your customers' IPs, and anything from other IPs, DROP.
 
Old 02-18-2010, 04:32 PM   #8
callingcard
Quote:
Originally Posted by callbiz
It has been coming for 3 weeks and they don't mind because they have bandwidth in gigabytes and the flood is only 40 mb max.

Hey man, I am also facing this problem since 21 January 2010.

By the way, Witold Golab has updated the tunnel hack attempt. Please check that.

I don't have a Linux firewall, but I will get it in the next 2 weeks, so I can check it.

By the way, we can share something here to save our money!!!

Don't pay for any hardware firewall. I have also tested the 5505 and 5520 Cisco ASA.

A firewall can only block/unblock ports. It cannot do more than this for us (voipswitch providers), and this is not the solution.

And that hacker may be Vbuzzer . com

We need to filter IP spoofing, like 50 packets or 90 packets are not allowed per IP in one second.
 
Old 02-18-2010, 04:41 PM   #9
nimnull22
By "Linux firewall" I meant an ordinary computer with 2 Ethernet cards and a Linux OS. Linux has iptables by default, which sometimes works better and more stably than an expensive "special firewall".
So all you need is to give iptables FORWARD rules to filter only your IPs and to DROP the others.
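Posts #5, #7 and #9 describe the fix as a two-NIC Linux box that forwards UDP/1805 to the voipswitch server only from known customer addresses. The script below is an added example, not code from the thread: a POSIX shell function that validates a customer address list and emits an iptables-restore ruleset doing exactly that, plus a loader that turns on IPv4 forwarding before loading it. The server address, the customer file and its contents are assumptions. Two things the thread does not spell out: the FORWARD chain only sees the traffic if the Windows server's traffic really is routed through the Linux box (its gateway pointed at the Linux address, or the Linux box bridging its two interfaces), and net.ipv4.ip_forward must be 1, or the Linux host discards packets addressed to anyone but itself no matter what the FORWARD chain says.

```shell
#!/bin/sh
# Added example, not from the thread: build (and optionally load) a FORWARD ruleset
# that lets only listed customer addresses reach UDP/1805 on the voipswitch server.
# The SERVER_IP argument, the customer list and its contents are assumptions.

# valid_ipv4 ADDR: succeed only for a dotted quad with four octets in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# build_ruleset SERVER_IP CUSTOMER_FILE: print iptables-restore text on stdout.
# CUSTOMER_FILE holds one IPv4 address per line; '#' starts a comment. Malformed
# addresses are reported on stderr and skipped rather than silently opening a hole.
build_ruleset() {
    server="$1"
    list="$2"
    valid_ipv4 "$server" || { echo "bad server address: $server" >&2; return 1; }
    printf '%s\n' '*filter' ':FORWARD ACCEPT [0:0]' ':TUNNEL - [0:0]'
    # Only the attacked service is gated; other forwarded traffic is left alone.
    printf '%s\n' "-A FORWARD -d $server -p udp --dport 1805 -j TUNNEL"
    while IFS= read -r line || [ -n "$line" ]; do
        addr=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -n "$addr" ] || continue
        if valid_ipv4 "$addr"; then
            printf '%s\n' "-A TUNNEL -s $addr -j ACCEPT"
        else
            echo "skipping malformed customer address: $addr" >&2
        fi
    done < "$list"
    # Anyone not listed, spoofed or not, is dropped before it reaches the server.
    printf '%s\n' '-A TUNNEL -j DROP' 'COMMIT'
}

# apply_ruleset SERVER_IP CUSTOMER_FILE: load the rules on the forwarding box (root).
# Without ip_forward=1 the Linux host discards packets addressed to the server
# behind it, so the chain above would never see a single datagram.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    build_ruleset "$1" "$2" | iptables-restore
}
```

iptables-restore replaces the whole filter table; if the box already carries other rules, load the output with `iptables-restore -n` (no flush) or fold the TUNNEL chain into the existing ruleset. Because only inbound datagrams to the server's port 1805 pass through the TUNNEL chain, the server's replies to customers need no conntrack rule here.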
 
Old 02-18-2010, 04:50 PM   #10
callingcard
I have also tested the Session Border Controller (SBC) of Genband.
That is also not useful for us because of this VoipTunnelServer.

SBCs are not able to understand VoipTunnelServer's encrypted packets.

Session border controllers are hardware firewalls specially made for VoIP security. But this is not working with voipswitch because of this VoipTunnelServer.
 
Old 02-19-2010, 06:36 AM   #11
callbiz
Original Poster
You are right.

The ASA 5505 doesn't help, but I am testing one new scenario and will update you on it: we can create a VPN tunnel and all dialers can log in normally, as the voipswitch tunnel works. Witold, I cannot find him either for 3 weeks, and they are all helpless. I have already sent a request to my datacenter to update my Linux server and add another network adapter to it; I hope shortly they will add it and then I will configure an invisible firewall on it for pps. Maybe it will help; if it does not, too bad, but the other way, VPN tunnelling, is a possibility to implement on all our dialers: the same dialer without the tunnel will do tunnelling from the Cisco. I am not sure, but we are testing; I hope there will be some good results.
 
Old 02-19-2010, 06:46 AM   #12
callbiz
Original Poster
Most probably the hacker is from TalkFree, and I don't think so from Vbuzzer because their services are also affected. They have one more brand, Ringomax. We have already been taking all the details and compiling them to file with the FBI.
 
Old 02-19-2010, 08:13 AM   #13
callingcard
Hello!

By the way, Ringomax is not part of Vbuzzer.
I am a shareholder of Ringomax; we are 3 partners.

Check your PM.
 
  

