LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-14-2006, 08:36 PM   #1
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Rep: Reputation: 30
Labrea


I'm constantly under DoS bombing on NetBIOS ports from Windows PCs in my ISP's network. I thought of running software like LaBrea, but some of its options still look obscure to me! I would like to hear from people using it for advice!
Thanks!
 
Old 05-14-2006, 10:30 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If you run labrea, you could very well make the problem worse if it's a real DoS attack (from the info in your other thread it's not). LaBrea will help to slow the progress of a worm when moving through a network, but it puts more load on the Tarpit system itself because it has to maintain the open connections with the worm infected host.

Plus, if I remember correctly from your other thread, you have a Netgear SOHO router that is between the linux box and the internet. So the linux box is not likely even seeing the worm scan on ports 135/445. You'd need to forward the worm traffic into your LAN in order for the Tarpit to work (otherwise the router simply blocks the requests). IMHO forwarding malicious traffic into the LAN is probably an even worse idea in terms of security and the Netgear router would now have to maintain the NATed tarpitted connections.
 
Old 05-15-2006, 12:04 AM   #3
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
Rep: Reputation: 30
Logs are coming from both the router and portsentry on the gateway system :

Quote:
May 3 21:36:28 argo portsentry[2437]: attackalert: Host 87.7.30.249 has been blocked via dropped route using command: "/sbin/route add -host 87.7.30.249 gw 192.168.0.3"
May 3 21:47:24 argo portsentry[2437]: attackalert: Connect from host: 80.218.134.76/80.218.134.76 to TCP port: 139
May 3 21:47:24 argo portsentry[2437]: attackalert: Host 80.218.134.76 has been blocked via wrappers with string: "ALL: 80.218.134.76 : DENY"
May 3 21:47:24 argo portsentry[2437]: attackalert: Host 80.218.134.76 has been blocked via dropped route using command: "/sbin/route add -host 80.218.134.76 gw 192.168.0.3"
May 3 21:47:24 argo portsentry[2437]: attackalert: Connect from host: 80.218.134.76/80.218.134.76 to TCP port: 139
May 3 21:47:24 argo portsentry[2437]: attackalert: Host 80.218.134.76 has been blocked via wrappers with string: "ALL: 80.218.134.76 : DENY"
May 3 21:47:24 argo portsentry[2437]: attackalert: Host 80.218.134.76 has been blocked via dropped route using command: "/sbin/route add -host 80.218.134.76 gw 192.168.0.3"
May 3 21:47:25 argo portsentry[2441]: attackalert: Connect from host: 80.218.134.76/80.218.134.76 to UDP port: 137
May 3 21:47:25 argo portsentry[2441]: attackalert: Host 80.218.134.76 has been blocked via wrappers with string: "ALL: 80.218.134.76 : DENY"
May 3 21:47:25 argo portsentry[2441]: attackalert: Host 80.218.134.76 has been blocked via dropped route using command: "/sbin/route add -host 80.218.134.76 gw 192.168.0.3"
May 3 21:47:25 argo portsentry[2441]: attackalert: Connect from host: 80.218.134.76/80.218.134.76 to UDP port: 137
May 3 21:47:25 argo portsentry[2441]: attackalert: Host 80.218.134.76 has been blocked via wrappers with string: "ALL: 80.218.134.76 : DENY"
May 3 21:47:25 argo portsentry[2441]: attackalert: Host 80.218.134.76 has been blocked via dropped route using command: "/sbin/route add -host 80.218.134.76 gw 192.168.0.3"
May 3 21:47:27 argo portsentry[2441]: attackalert: Connect from host: 80.218.134.76/80.218.134.76 to UDP port: 137
May 3 21:47:27 argo portsentry[2441]: attackalert: Host: 80.218.134.76 is already blocked. Ignoring
May 3 21:47:27 argo portsentry[2441]: attackalert: Connect from host: 80.218.134.76/80.218.134.76 to UDP port: 137
May 3 21:47:27 argo portsentry[2441]: attackalert: Host: 80.218.134.76 is already blocked. Ignoring
May 3 21:48:28 argo portsentry[2437]: attackalert: Connect from host: 87.7.193.124/87.7.193.124 to TCP port: 139
May 3 21:48:28 argo portsentry[2437]: attackalert: Host 87.7.193.124 has been blocked via wrappers with string: "ALL: 87.7.193.124 : DENY"
May 3 21:48:28 argo portsentry[2437]: attackalert: Host 87.7.193.124 has been blocked via dropped route using command: "/sbin/route add -host 87.7.193.124 gw 192.168.0.3"
May 3 21:48:28 argo portsentry[2437]: attackalert: Connect from host: 87.7.193.124/87.7.193.124 to TCP port: 139
I know I can tarpit these systems even with a proper TCP window size set to 0 with iptables. Do you know how I can best do this??

Last edited by gabsik; 05-15-2006 at 12:08 AM.
 
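As an added example (not part of the thread, and not portsentry's or LaBrea's own code): a small Python summariser for portsentry "attackalert" lines in the format quoted above. It is run here over constructed sample lines in that same format (the host 87.10.55.2 and its timestamp are invented; the others are copied from the post). It counts hits per host and per port, records which KILL action fired ("wrappers" or "dropped route"), counts "already blocked" repeats, aggregates hits by prefix so you can see what a /8 block would sweep up, and emits per-host DROP rules for the filter table. The iptables rule strings are only generated, not applied.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample in the portsentry format shown in the thread (not a real capture).
SAMPLE_LOG = """\
May 3 21:47:24 argo portsentry[2437]: attackalert: Connect from host: 80.218.134.76/80.218.134.76 to TCP port: 139
May 3 21:47:24 argo portsentry[2437]: attackalert: Host 80.218.134.76 has been blocked via wrappers with string: "ALL: 80.218.134.76 : DENY"
May 3 21:47:24 argo portsentry[2437]: attackalert: Host 80.218.134.76 has been blocked via dropped route using command: "/sbin/route add -host 80.218.134.76 gw 192.168.0.3"
May 3 21:47:25 argo portsentry[2441]: attackalert: Connect from host: 80.218.134.76/80.218.134.76 to UDP port: 137
May 3 21:47:27 argo portsentry[2441]: attackalert: Connect from host: 80.218.134.76/80.218.134.76 to UDP port: 137
May 3 21:47:27 argo portsentry[2441]: attackalert: Host: 80.218.134.76 is already blocked. Ignoring
May 3 21:48:28 argo portsentry[2437]: attackalert: Connect from host: 87.7.193.124/87.7.193.124 to TCP port: 139
May 3 21:48:28 argo portsentry[2437]: attackalert: Host 87.7.193.124 has been blocked via wrappers with string: "ALL: 87.7.193.124 : DENY"
May 3 21:48:28 argo portsentry[2437]: attackalert: Connect from host: 87.7.193.124/87.7.193.124 to TCP port: 139
May 3 21:49:02 argo portsentry[2437]: attackalert: Connect from host: 87.10.55.2/87.10.55.2 to TCP port: 445
"""

# One regex per portsentry message type we care about.
CONNECT_RE = re.compile(
    r"attackalert: Connect from host: (?P<name>\S+)/(?P<ip>\S+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)
BLOCK_RE = re.compile(r"attackalert: Host (?P<ip>\S+) has been blocked via (?P<how>wrappers|dropped route)")
IGNORE_RE = re.compile(r"attackalert: Host: (?P<ip>\S+) is already blocked")


def summarize(log_text):
    """Return {ip: {"hits", "ports", "blocks", "ignored"}} for every host seen."""
    hosts = defaultdict(lambda: {"hits": 0, "ports": set(), "blocks": set(), "ignored": 0})
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            h = hosts[m["ip"]]
            h["hits"] += 1
            h["ports"].add((m["proto"].lower(), int(m["port"])))
            continue
        m = BLOCK_RE.search(line)
        if m:
            hosts[m["ip"]]["blocks"].add(m["how"])   # which KILL_* action fired
            continue
        m = IGNORE_RE.search(line)
        if m:
            hosts[m["ip"]]["ignored"] += 1           # repeat hits after the block
    return dict(hosts)


def noisy_hosts(summary, min_hits=2):
    """Hosts at or above a hit threshold; a simple noise filter before blocking."""
    return sorted(ip for ip, h in summary.items() if h["hits"] >= min_hits)


def prefix_counts(summary, bits=24):
    """Aggregate hits by /bits prefix, e.g. bits=8 shows what a class-A block covers."""
    counts = defaultdict(int)
    for ip, h in summary.items():
        net = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
        counts[str(net)] += h["hits"]
    return dict(counts)


def iptables_rules(ips, chain="INPUT"):
    """Per-host DROP rules in the filter table (only generated, never executed here)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, h in sorted(s.items()):
        print(ip, h["hits"], sorted(h["ports"]), sorted(h["blocks"]), h["ignored"])
    print(prefix_counts(s, 8))
    print("\n".join(iptables_rules(noisy_hosts(s))))
```

Per-host rules in the filter table are preferable to whole-/8 rules in nat PREROUTING: the nat table only sees the first packet of a connection, and a /8 also blocks every innocent customer of the same ISP.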
Old 05-18-2006, 06:10 PM   #4
thorn168
Member
 
Registered: Oct 2004
Location: USA
Distribution: Vector Linux 5.1 Std., Vector Linux 5.8 Std., Win2k, XP, OS X (10.4 & 10.5)
Posts: 344

Rep: Reputation: 42
If Capt_Caveman says that using a tarpit to solve your problem is a "bad idea", then I would trust him, because in your case it's a "bad idea".

It is a "bad idea" why? Because if you trap ALL the DDoS requests with a tarpit...you are going to eat up your own bandwidth and hasten the success of the attack against you.

What you should do is create an iptables rule that drops/denies all requests on the attacked port.

Or you could call your ISP and ask them if they are seeing an unusual amount of traffic from the offending IP addresses.
 
Old 05-18-2006, 07:05 PM   #5
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
Rep: Reputation: 30
For the moment I have this for my iptables:
Quote:
IPT=/sbin/iptables
# For each blacklisted /8: log the packet via ULOG, then drop it.
# Matches inbound TCP on eth0 destined for the web host 192.168.0.2.
for NET in 87.0.0.0/8 82.0.0.0/8 212.0.0.0/8 89.0.0.0/8 62.0.0.0/8 151.0.0.0/8; do
    $IPT -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.2 -s $NET -j ULOG --ulog-prefix "BLACK_LIST:"
    $IPT -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.2 -s $NET -j DROP
done
I'm stopping the entire class A of each address. I have logs full of 87.10, 87.1, 87.9, 151.40, 151.6. I nmapped "some of them" and many of them have the 1234 NetBus port open, but most have 135, 137, 139, 445, all -O Microsoft XP / Windows 2000 / NT ... They switch my router off and my network goes down!!!
 
Old 05-18-2006, 08:06 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
What do you have the KILL_ROUTE variable set to in portsentry.conf ? What hosts do you have in your portsentry.ignore file?

You might want to add some type of threshold on the number of packets that will match the LOG rules you posted above. Worms can do some heavy-duty scanning, which would rapidly fill your logs with a lot of noise and potentially bog it down.

Also, could you describe how your network is structured? Does it look like this:
Internet---Linux_Gateway----Router----Linux box

Last edited by Capt_Caveman; 05-18-2006 at 08:08 PM.
 
Old 05-18-2006, 08:20 PM   #7
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
Rep: Reputation: 30
Quote:
KILL_ROUTE="/sbin/route add $TARGET$ 192.168.0.4"
192.168.0.4 is the laptop; it's not always on. Before, there was microsoft.it, but I never tested out the effect. How would it be? A simple redirection...?
For the logs you are right: I have my router sending to syslogd + portsentry logs + gateway ULOG + iptables' kernel logs. It's sh... lots of logs...
Quote:
[netgearDG834]---[Gatewayfirewall-linux]--switch---[www]-[mail]
Do you have some interesting scripts to use "against" them? Tell me about the ACK reply with window size set to 0! Something to sort of slow down their scans... or make their admins aware...!
If there is a :
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
Could they get "bombed" by tcp-reset messages? If instead I use a TCP flags match like ALL NONE (?), could I slow them.... make them shout!!!!

Last edited by gabsik; 05-18-2006 at 08:39 PM.
 
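The zero-window tarpit gabsik keeps asking about, as an added example that is not from the thread, from LaBrea, or from iptables: a minimal user-space tarpit in Python. LaBrea works at the packet level (it answers for unused addresses and forges the window itself); this toy instead accepts real connections on a listening socket with a tiny SO_RCVBUF and never reads from them, so the kernel advertises a small window that drops to zero as soon as the peer has pushed a few kilobytes, and the peer's sends stall while the connection stays established. The `probe` function plays the scanner. The `held` list is the cost Capt_Caveman warns about: every tarpitted connection is state the tarpit host itself must keep. All names here are this example's own.

```python
import socket
import threading


class Tarpit:
    """Accept every connection, never recv() or close(): the peer's writes stall.

    SO_RCVBUF is set on the listening socket before listen() so accepted
    sockets inherit it and the window advertised in the SYN/ACK is already
    small. Once that buffer is full the kernel advertises a zero window.
    """

    def __init__(self, host="127.0.0.1", port=0, rcvbuf=1024):
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
        self.srv.bind((host, port))
        self.srv.listen(64)
        self.held = []              # every accepted socket: state we must keep
        self._lock = threading.Lock()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()

    @property
    def address(self):
        return self.srv.getsockname()

    def _accept_loop(self):
        while True:
            try:
                conn, _peer = self.srv.accept()
            except OSError:         # listening socket closed by close()
                return
            with self._lock:
                self.held.append(conn)   # hold it open; never read, never close

    def held_count(self):
        with self._lock:
            return len(self.held)

    def close(self):
        self.srv.close()
        with self._lock:
            for c in self.held:
                c.close()
            self.held.clear()


def probe(addr, chunk=b"x" * 65536, limit=32 * 1024 * 1024, timeout=2.0):
    """Play the scanner: connect, then push data until send() stalls.

    Returns (bytes accepted before the stall, stalled). A scanner using a
    blocking socket with no timeout would simply hang here instead.
    """
    c = socket.create_connection(addr, timeout=timeout)
    sent, stalled = 0, False
    try:
        while sent < limit:
            sent += c.send(chunk)
    except socket.timeout:
        stalled = True               # send buffer full, peer window closed
    finally:
        c.close()
    return sent, stalled


if __name__ == "__main__":
    tp = Tarpit()
    n, stalled = probe(tp.address)
    print(f"scanner pushed {n} bytes before stalling={stalled}; tarpit holds {tp.held_count()} socket(s)")
    tp.close()
```

Run it and the scanner side blocks after a few tens of kilobytes at most, while the tarpit side holds one open socket per victim. That second number is why a tarpit is the wrong tool against a flood rather than a slow-moving worm: the held sockets (and, behind a NAT router, the router's connection-tracking entries) grow with every connection you trap.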