Iptables, Synflood and abuse alert

win32sux · 04-21-2009, 12:31 PM

Quote:

Originally Posted by Winstar

[root@22475_1_17681_97086 ~]# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 26M packets, 15G bytes)
pkts bytes target prot opt in out source destination
852K 41M DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:3072
854K 41M DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:1024

This makes it sound like the rules are actually working.

I mean, each of those rules has sent well over 800,000 packets to DROP.

Winstar · 04-22-2009, 08:06 AM

Yes, it seems so.
However is a couple of days that attacks toward my server seem to have stopped, so i have not been suspended. I dunno if iptables saved me or i have only been lucky.

Winstar · 04-30-2009, 03:29 PM

I have received another abuse complaint.... Now i am sure those rules does not work. I continue to send packets to remote ports 1024 and 3072 to answer to syn flood. This situation is incredible: look at this

Code:

[root@22475_1_17681_97086 ~]# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 73M packets, 47G bytes)
 pkts bytes target     prot opt in     out     source               destination
1910K   91M DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:3072
1914K   91M DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:1024
[root@22475_1_17681_97086 ~]# iptables -nvL OUTPUT
Chain OUTPUT (policy ACCEPT 611M packets, 162G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3072
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1024

It seems the chain INPUT is doing the job, the chain output is doing anything. Statistically should have happened some packets to go towards ports 3072 or 1024 don't you think so?
What's the problem???

win32sux · 04-30-2009, 03:58 PM

Quote:

Originally Posted by Winstar

I have received another abuse complaint.... Now i am sure those rules does not work. I continue to send packets to remote ports 1024 and 3072 to answer to syn flood. This situation is incredible: look at this

Code:

[root@22475_1_17681_97086 ~]# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 73M packets, 47G bytes)
 pkts bytes target     prot opt in     out     source               destination
1910K   91M DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:3072
1914K   91M DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:1024
[root@22475_1_17681_97086 ~]# iptables -nvL OUTPUT
Chain OUTPUT (policy ACCEPT 611M packets, 162G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3072
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1024

It seems the chain INPUT is doing the job, the chain output is doing anything. Statistically should have happened some packets to go towards ports 3072 or 1024 don't you think so?
What's the problem???

Can you show us some moderately verbose tcpdump descriptions of the outbound packets? I'm not sure about the statistics involved, but it would seem like there should be at least a few non-attack packets getting filtered by those rules. Although, the fact there aren't any isn't in and of itself an indication that something is broken. In any case, checking this should be easy. Generate some outbound TCP packets with those destination ports and see if they are filtered. If they aren't, then something is definitely not right.

Winstar · 04-30-2009, 05:32 PM

Can you suggest a simple way for doing that?
thanks

win32sux · 04-30-2009, 07:01 PM

Quote:

Originally Posted by Winstar

Can you suggest a simple way for doing that?
thanks

You mean to generate packets with those destination ports? You could do a:

Code:

ssh -p 3072 linuxquestions.org