LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Network Attack seems to ignore my iptables rules (https://www.linuxquestions.org/questions/linux-security-4/network-attack-seems-to-ignore-my-iptables-rules-550782/)

grpprod 05-02-2007 05:57 PM

Network Attack seems to ignore my iptables rules
 
Hi all,
one of my mail servers is currently under attack. I have set up a pretty decent iptables rule set (SYN floods etc.), but it seems that it cannot handle this particular one (although it looks like a SYN flood to me). In particular, as shown in the log, it manages to 'catch' it, but for some reason the machine is unresponsive on its services (POP, IMAP, SMTP). I was wondering if someone could help me deal with this situation. I hope I can do something more than wait for it to finish.

Code:

May  3 01:46:00 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=28 ID=64164 PROTO=TCP SPT=55774 DPT=56124 WINDOW=4096 RES=0x00 SYN URGP=0
May  3 01:46:02 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=25 ID=31025 PROTO=TCP SPT=55772 DPT=55118 WINDOW=2048 RES=0x00 SYN URGP=0
May  3 01:46:02 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=23 ID=22646 PROTO=TCP SPT=55774 DPT=25786 WINDOW=4096 RES=0x00 SYN URGP=0
May  3 01:46:03 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=33630 PROTO=TCP SPT=55771 DPT=4154 WINDOW=4096 RES=0x00 SYN URGP=0
May  3 01:46:05 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=23 ID=13090 PROTO=TCP SPT=55771 DPT=48393 WINDOW=3072 RES=0x00 SYN URGP=0
May  3 01:46:06 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=35 ID=60313 PROTO=TCP SPT=55774 DPT=17878 WINDOW=3072 RES=0x00 SYN URGP=0
May  3 01:46:08 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=36 ID=3242 PROTO=TCP SPT=55772 DPT=23571 WINDOW=1024 RES=0x00 SYN URGP=0
May  3 01:46:08 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=27 ID=23312 PROTO=TCP SPT=55774 DPT=35985 WINDOW=4096 RES=0x00 SYN URGP=0
May  3 01:46:10 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=26 ID=32949 PROTO=TCP SPT=55772 DPT=33707 WINDOW=3072 RES=0x00 SYN URGP=0
May  3 01:46:11 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=29 ID=48152 PROTO=TCP SPT=55770 DPT=1737 WINDOW=1024 RES=0x00 SYN URGP=0
May  3 01:46:11 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=34 ID=4883 PROTO=TCP SPT=55772 DPT=65379 WINDOW=2048 RES=0x00 SYN URGP=0
May  3 01:46:12 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=35 ID=29322 PROTO=TCP SPT=55774 DPT=59015 WINDOW=4096 RES=0x00 SYN URGP=0
May  3 01:46:13 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=32 ID=10730 PROTO=TCP SPT=55771 DPT=10950 WINDOW=4096 RES=0x00 SYN URGP=0
May  3 01:46:14 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=19 ID=33847 PROTO=TCP SPT=55773 DPT=7563 WINDOW=3072 RES=0x00 SYN URGP=0

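Before deciding whether a log like the one above is a SYN flood, it helps to summarise the dropped packets per source: how many pure SYNs arrived, over how many seconds, and to how many distinct destination ports. A flood hammers a few service ports at a high rate; one SYN per fresh high port at roughly one per second is a different pattern. The script below is an added example, not something posted in this thread. It parses kernel LOG lines of the format shown (the MAC field is omitted from the sample), and the sample input is constructed with RFC 5737 test addresses: 198.51.100.7 mimics the cadence seen above, 203.0.113.9 is a constructed burst at ports 25 and 110. The verdict thresholds (5 SYN/s, 80 % fresh ports) are assumed values to tune for your own traffic.

```shell
#!/bin/sh
# Added example (not from the thread): per-source triage of iptables LOG lines.
# Reads kernel log lines on stdin and prints one summary line per SRC address.

# Constructed sample in the poster's log format (MAC= omitted, RFC 5737 addresses).
sample_log() {
    cat <<'EOF'
May  3 01:46:00 srv kernel: Dropped by default:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=28 ID=64164 PROTO=TCP SPT=55774 DPT=56124 WINDOW=4096 RES=0x00 SYN URGP=0
May  3 01:46:02 srv kernel: Dropped by default:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=25 ID=31025 PROTO=TCP SPT=55772 DPT=55118 WINDOW=2048 RES=0x00 SYN URGP=0
May  3 01:46:03 srv kernel: Dropped by default:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=33630 PROTO=TCP SPT=55771 DPT=4154 WINDOW=4096 RES=0x00 SYN URGP=0
May  3 01:46:05 srv kernel: Dropped by default:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=23 ID=13090 PROTO=TCP SPT=55771 DPT=48393 WINDOW=3072 RES=0x00 SYN URGP=0
May  3 01:46:06 srv kernel: Dropped by default:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=35 ID=60313 PROTO=TCP SPT=55774 DPT=17878 WINDOW=3072 RES=0x00 SYN URGP=0
May  3 01:46:06 srv kernel: Dropped by default:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=31 ID=60314 PROTO=TCP SPT=55775 DPT=25 WINDOW=3072 RES=0x00 ACK URGP=0
May  3 01:46:06 srv kernel: SYNFLOOD: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 01:46:06 srv kernel: SYNFLOOD: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=40002 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 01:46:06 srv kernel: SYNFLOOD: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=TCP SPT=40003 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 01:46:06 srv kernel: SYNFLOOD: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=TCP SPT=40004 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 01:46:06 srv kernel: SYNFLOOD: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=TCP SPT=40005 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 01:46:06 srv kernel: SYNFLOOD: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 PROTO=TCP SPT=40006 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 01:46:06 srv kernel: SYNFLOOD: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=TCP SPT=40007 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 01:46:06 srv kernel: SYNFLOOD: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8 PROTO=TCP SPT=40008 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Summarise pure SYNs (SYN set, ACK clear) per source address.
triage_syn_log() {
    awk '
    /PROTO=TCP/ && / SYN / && !/ ACK / {
        # syslog HH:MM:SS field -> seconds, good enough within one day
        split($3, hms, ":")
        t = hms[1] * 3600 + hms[2] * 60 + hms[3]
        src = ""; dpt = ""; spt = ""; ttl = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^TTL=/) ttl = substr($i, 5) + 0
        }
        if (src == "") next
        if (!(src in n)) { first[src] = t; ttlmin[src] = ttl; ttlmax[src] = ttl }
        n[src]++
        last[src] = t
        # distinct destination and source ports, counted without length(array)
        if (!((src, dpt) in seen_d)) { seen_d[src, dpt] = 1; ndp[src]++ }
        if (!((src, spt) in seen_s)) { seen_s[src, spt] = 1; nsp[src]++ }
        if (ttl < ttlmin[src]) ttlmin[src] = ttl
        if (ttl > ttlmax[src]) ttlmax[src] = ttl
    }
    END {
        for (s in n) {
            span = last[s] - first[s]
            rate = n[s] / (span + 1)
            # assumed thresholds: tune for your own client population
            if (ndp[s] >= n[s] * 0.8 && rate < 5)
                v = "scan-like: each SYN to a new port at low rate"
            else if (rate >= 5 && ndp[s] <= 3)
                v = "flood-like: high SYN rate at few ports"
            else
                v = "low-volume"
            printf "%s syns=%d span=%ds rate=%.1f/s dports=%d sports=%d ttl=%d-%d verdict=%s\n",
                   s, n[s], span, rate, ndp[s], nsp[s], ttlmin[s], ttlmax[s], v
        }
    }'
}

# Usage: ./triage.sh            (runs on the constructed sample)
#        ./triage.sh /var/log/messages
if [ -n "${1:-}" ]; then triage_syn_log < "$1"; else sample_log | triage_syn_log; fi
```

Output order is whatever awk's `for (s in n)` yields, so pipe through `sort` when comparing runs. The widely varying TTL values from a single source are also worth a look when reading the result: a fixed host on one path normally produces a stable TTL.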

osor 05-02-2007 06:11 PM

Have you done “sysctl net.ipv4.tcp_syncookies=1”?

jschiwal 05-02-2007 06:49 PM

I wonder if one of the web servers they host is compromised.
Code:

------------------------------------------------------
Points of contact for Yandex LLC Network Operations
------------------------------------------------------
Routing and peering issues:  noc@yandex.net
SPAM issues:                abuse@yandex.ru
Network security issues:    abuse@yandex.ru
Mail issues:                postmaster@yandex.ru
General information:        info@yandex.ru
------------------------------------------------------

Although their main business is as a search engine.

grpprod 05-02-2007 11:38 PM

Quote:

Originally Posted by osor
Have you done “sysctl net.ipv4.tcp_syncookies=1”?

Yes,

Code:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

No luck. Any more suggestions?

Btw, this is something I don't get. Iptables seems to give me the opposite result from what I would expect. The machine is still able to serve clients when iptables is off, but it stops doing so when it is on (most probably due to connection limits being enforced). So what's the point of using it if -IN PRACTICE- the result is the exact opposite of the desired one?

win32sux 05-03-2007 06:20 AM

could we see the iptables rules you are using??

or at least the active config, like:
Code:

iptables -nvL

grpprod 05-04-2007 11:29 PM

Quote:

Originally Posted by win32sux
could we see the iptables rules you are using??


Okay, here are the rules I use to handle attacks:

Code:

# $IPTABLES is assumed to be set earlier in the full script; a default is
# given here so the excerpt runs on its own
IPTABLES=${IPTABLES:-/sbin/iptables}

# Spoofed local IPs
$IPTABLES -A INPUT -s 255.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 0.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP

# SYN-floods
$IPTABLES -N SYNFLOOD
$IPTABLES -A INPUT -p tcp --syn -j SYNFLOOD
$IPTABLES -A SYNFLOOD -j LOG --log-level debug
$IPTABLES -A SYNFLOOD -p tcp -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A SYNFLOOD -j DROP

# Allow only SYN packets
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# NULL TCP, XMASTREE etc.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN FIN -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 2/s -j ACCEPT

# Corrupted packets
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset

# Fragmented packets
$IPTABLES -A INPUT -f -j DROP

# Ping DoS
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP

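One property of the SYNFLOOD chain above is worth spelling out: `-m limit` keeps a single token bucket for the rule, shared by every packet that reaches it. Every inbound SYN, from the remote host and from mail clients alike, draws on the same budget of 1 per second (burst 4), so once that budget is spent the chain drops legitimate connection attempts as well, which would account for services going quiet only while the firewall is up. The LOG rule also sits before the limit, so every SYN is written to the log rather than just the excess. The script below is an added example, not the poster's script and not a tested fix for this thread; it puts the posted form next to a variant that uses the `hashlimit` match to keep one bucket per source address. The chain name, the rate and burst values, the log prefix and the dry-run default (commands are echoed unless `IPTABLES` points at the real binary) are assumptions; `--hashlimit-upto` requires an iptables release that knows that option name, and the `xt_hashlimit` module must be available.

```shell
#!/bin/sh
# Added example (not the poster's script): a global SYN limit next to a
# per-source one. Dry run by default; IPTABLES=/sbin/iptables applies for real.
IPTABLES="${IPTABLES:-echo iptables}"

# The posted form: ONE token bucket for all inbound SYNs. Once any host has
# used the 1/s budget, SYNs from legitimate clients are dropped too, and the
# LOG rule before the limit records every SYN, not only the dropped ones.
synflood_chain_global() {
    $IPTABLES -N SYNFLOOD
    $IPTABLES -A INPUT -p tcp --syn -j SYNFLOOD
    $IPTABLES -A SYNFLOOD -j LOG --log-level debug
    $IPTABLES -A SYNFLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
    $IPTABLES -A SYNFLOOD -j DROP
}

# Per-source form: hashlimit keeps a bucket per source IP (srcmask 32), so a
# noisy host exhausts only its own budget. 10/s with burst 30 is an assumed
# value for a small mail server; raise it for sites behind large NATs.
# Only the excess is logged, and the LOG rule itself is rate-limited so an
# attacker cannot fill the disk with kernel messages.
synflood_chain_per_source() {
    $IPTABLES -N SYNFLOOD
    $IPTABLES -A INPUT -p tcp --syn -m state --state NEW -j SYNFLOOD
    $IPTABLES -A SYNFLOOD -m hashlimit --hashlimit-name syn_per_src \
        --hashlimit-mode srcip --hashlimit-srcmask 32 \
        --hashlimit-upto 10/s --hashlimit-burst 30 -j RETURN
    $IPTABLES -A SYNFLOOD -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level debug --log-prefix "SYN excess: "
    $IPTABLES -A SYNFLOOD -j DROP
}

# Usage: ./synflood.sh --global | --per-source   (dry run unless IPTABLES is set)
case "${1:-}" in
    --global)     synflood_chain_global ;;
    --per-source) synflood_chain_per_source ;;
esac
```

The kernel-side measure osor mentioned, `net.ipv4.tcp_syncookies=1`, is complementary: it protects the listen queue once a SYN has been accepted by the firewall, while the per-source rule decides which SYNs get that far. Whichever limit is used, confirm with `iptables -nvL SYNFLOOD` that the RETURN counter, not the DROP counter, is the one growing under normal client load.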


All times are GMT -5. The time now is 06:04 PM.