Adaptive DDOS IDS firewall

We had a task to build a simple solution for DDOS protection on the learning phase of attack. Main goals were:

1. To build it fast: We chose Ubuntu … as everything needed is compiled and build in.
2. Minimum network intervention: We opted for L2/L3 bridge with iptables integration which we plugged between our autonomous system (AS) and internet.
3. Auto learning offenders: Using honeypot service to distinguish non-legitimate connections. Log source IP address and drop packet with iptables. Using suricata ids to additionally analyze client requests.
4. Auto block offenders: Using fail2ban to pars logs generated by iptables and suricata and temporary disable all connections from offending sources.
5. Have some connection limit capabilities: Again we used iptables with connlimit and conntrack modules activated.

Configure steps:

1. Install software:
   
   Ubuntu

   Shell

   apt-get install mc iptraf iftop ssh bridge-utils vlan add-apt-repository ppa:oisf/suricata-stable apt-get update apt-get install suricata apt-get install fail2ban

   1 2 3 4 5

   apt-get install mc iptraf iftop ssh bridge-utils vlan add-apt-repository ppa:oisf/suricata-stable apt-get update apt-get install suricata apt-get install fail2ban

2. Configure network interfaces
   
   /etc/network/interfaces

   Shell

   # The loopback network interface auto lo iface lo inet loopback auto enp26s0 iface enp26s0 inet static address 10.10.18.37 netmask 255.255.255.248 post-up route add -net 10.10.18.0 netmask 255.255.248.0 gw 10.10.18.34 metric 100 post-up route add -net 10.10.0.0 netmask 255.0.0.0 gw 10.10.10.33 metric 200 auto ens1f0 ens1f0.217 ens1f0.218 ens1f0.409 iface ens1f0.217 inet manual vlan-raw-device ens1f0 iface ens1f0.218 inet manual vlan-raw-device ens1f0 iface ens1f0.409 inet manual vlan-raw-device ens1f0 auto ens1f1 ens1f1.217 ens1f1.218 ens1f1.409 iface ens1f1.217 inet manual vlan-raw-device ens1f1 iface ens1f1.218 inet manual vlan-raw-device ens1f1 iface ens1f1.409 inet manual vlan-raw-device ens1f1 auto br217 iface br217 inet manual bridge_ports ens1f0.217 ens1f1.217 bridge_stp off bridge_fd 0 bridge_maxwait 0 auto br218 iface br218 inet manual bridge_ports ens1f0.218 ens1f1.218 bridge_stp off bridge_fd 0 bridge_maxwait 0 auto br409 iface br409 inet manual bridge_ports ens1f0.409 ens1f1.409 bridge_stp off bridge_fd 0 bridge_maxwait

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48

   # The loopback network interface auto lo iface lo inet loopback   auto enp26s0 iface enp26s0 inet static     address     10.10.18.37     netmask     255.255.255.248     post-up route add -net 10.10.18.0 netmask 255.255.248.0 gw 10.10.18.34 metric 100     post-up route add -net 10.10.0.0 netmask 255.0.0.0 gw 10.10.10.33    metric 200     auto ens1f0 ens1f0.217 ens1f0.218 ens1f0.409 iface ens1f0.217 inet manual     vlan-raw-device ens1f0 iface ens1f0.218 inet manual     vlan-raw-device ens1f0 iface ens1f0.409 inet manual     vlan-raw-device ens1f0   auto ens1f1 ens1f1.217 ens1f1.218 ens1f1.409 iface ens1f1.217 inet manual     vlan-raw-device ens1f1 iface ens1f1.218 inet manual     vlan-raw-device ens1f1 iface ens1f1.409 inet manual     vlan-raw-device ens1f1   auto br217 iface br217 inet manual    bridge_ports ens1f0.217 ens1f1.217    bridge_stp off    bridge_fd 0    bridge_maxwait 0   auto br218 iface br218 inet manual    bridge_ports ens1f0.218 ens1f1.218    bridge_stp off    bridge_fd 0    bridge_maxwait 0   auto br409 iface br409 inet manual    bridge_ports ens1f0.409 ens1f1.409    bridge_stp off    bridge_fd 0    bridge_maxwait

   
   Here we have 3 bridges in 3 different vlans connecting our AS to 3 upstream internet providers and one management interface.
3. Design iptables structure:
   
   iptables structure

   Shell

   # Chain for all incoming packets iptables -N IN # Chainf for Fail2ban checks iptables -N F2B # Chain for connection limit and connection tracking rules iptables -N IN-CONN-LIMIT # Chain for implicitly drop rules iptables -N IN-HARD-DROP # Chain that Logs and drops iptables -N LD # Chain for Cloudflare as source check iptables -N ONLY_FROM_CLOUDFLARE # Chain for outgoing pachages iptables -N IN OUT

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

   # Chain for all incoming packets iptables -N IN   # Chainf for Fail2ban checks iptables -N F2B   # Chain for connection limit and connection tracking rules iptables -N IN-CONN-LIMIT   # Chain for implicitly drop rules iptables -N IN-HARD-DROP   # Chain that Logs and drops iptables -N LD   # Chain for Cloudflare as source check iptables -N ONLY_FROM_CLOUDFLARE   # Chain for outgoing pachages iptables -N IN OUT

   
   then add rules to direct packets:
   
   Shell

   # Incoming iptables -A FORWARD -m physdev --physdev-in ens1f0.217 -j IN iptables -A FORWARD -m physdev --physdev-in ens1f0.218 -j IN iptables -A FORWARD -m physdev --physdev-in ens1f0.409 -j IN #Outgoing iptables -A FORWARD -m physdev --physdev-in ens1f1.217 -j OUT iptables -A FORWARD -m physdev --physdev-in ens1f1.218 -j OUT iptables -A FORWARD -m physdev --physdev-in ens1f1.409 -j OUT #Fail2Ban rules iptables -A F2B -p tcp -m multiport --dports 0:65535 -j f2b-ipt-drop #Connlimit iptables -A IN -j IN-CONN-LIMIT #Drop iptables -A IN -j IN-HARD-DROP

   1 2 3 4 5 6 7 8 9 10 11 12 13 14

   # Incoming iptables -A FORWARD -m physdev --physdev-in ens1f0.217 -j IN iptables -A FORWARD -m physdev --physdev-in ens1f0.218 -j IN iptables -A FORWARD -m physdev --physdev-in ens1f0.409 -j IN #Outgoing iptables -A FORWARD -m physdev --physdev-in ens1f1.217 -j OUT iptables -A FORWARD -m physdev --physdev-in ens1f1.218 -j OUT iptables -A FORWARD -m physdev --physdev-in ens1f1.409 -j OUT #Fail2Ban rules iptables -A F2B -p tcp -m multiport --dports 0:65535 -j f2b-ipt-drop #Connlimit iptables -A IN -j IN-CONN-LIMIT #Drop iptables -A IN -j IN-HARD-DROP

   
   conn&track limit:
   
   iptables -A IN-CONN-LIMIT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 6/sec --limit-burst 12 -j RETURN iptables -A IN-CONN-LIMIT -m connlimit --connlimit-upto 16 --connlimit-mask 32 --connlimit-saddr -j RETURN

   1 2	iptables -A IN-CONN-LIMIT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 6/sec --limit-burst 12 -j RETURN iptables -A IN-CONN-LIMIT -m connlimit --connlimit-upto 16 --connlimit-mask 32 --connlimit-saddr -j RETURN

   
   drop invalid packets:
   
   iptables -A IN-HARD-DROP -m state --state INVALID -j LD

   1	iptables -A IN-HARD-DROP -m state --state INVALID -j LD

   
   honeypot NTP and SSH:
   
   Shell

   iptables -A IN-HARD-DROP -p udp -m udp --dport 123 -j LD iptables -A IN-HARD-DROP -p tcp -m tcp --dport 22 -j LD

   1 2	iptables -A IN-HARD-DROP -p udp -m udp --dport 123 -j LD iptables -A IN-HARD-DROP -p tcp -m tcp --dport 22 -j LD

   
   and finally log and drop:
   
   Shell

   iptables -A LD -m limit --limit 2/min --limit-burst 1 -j LOG --log-prefix "IPtables_DROP:" iptables -A LD -j DROP

   1 2	iptables -A LD -m limit --limit 2/min --limit-burst 1 -j LOG --log-prefix "IPtables_DROP:" iptables -A LD -j DROP

   
   optionally filter for cloudflare networks
   
   iptables -A ONLY_FROM_CLOUDFLARE -s 103.21.244.0/22 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 103.22.200.0/22 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 103.31.4.0/22 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 104.16.0.0/12 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 108.162.192.0/18 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 131.0.72.0/22 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 141.101.64.0/18 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 162.158.0.0/15 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 172.64.0.0/13 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 173.245.48.0/20 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 188.114.96.0/20 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 190.93.240.0/20 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 197.234.240.0/22 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 198.41.128.0/17 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 199.27.128.0/21 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -j LD # # Add protected destanation as following rule: #iptables -A IN -d 212.xxx.yyy.zzz/32 -j ONLY_FROM_CLOUDFLARE

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

   iptables -A ONLY_FROM_CLOUDFLARE -s 103.21.244.0/22 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 103.22.200.0/22 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 103.31.4.0/22 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 104.16.0.0/12 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 108.162.192.0/18 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 131.0.72.0/22 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 141.101.64.0/18 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 162.158.0.0/15 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 172.64.0.0/13 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 173.245.48.0/20 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 188.114.96.0/20 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 190.93.240.0/20 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 197.234.240.0/22 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 198.41.128.0/17 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -s 199.27.128.0/21 -j RETURN iptables -A ONLY_FROM_CLOUDFLARE -j LD # # Add protected destanation as following rule: #iptables -A IN -d 212.xxx.yyy.zzz/32 -j ONLY_FROM_CLOUDFLARE

4. Configure fail2ban
   
   /etc/fail2ban/jail.local

   Shell

   [ipt-drop] enabled = true chain = F2B blocktype = DROP #protocol = all filter = ipt-drop logpath = /var/log/syslog maxretry = 2

   1 2 3 4 5 6 7 8

   [ipt-drop] enabled  = true chain    = F2B blocktype = DROP #protocol = all filter   = ipt-drop logpath  = /var/log/syslog maxretry = 2

   
    
   
   /etc/fail2ban/action.d/iptables-common.conf

   protocol = tcp blocktype = DROP

   1 2	protocol = tcp blocktype = DROP

   
   
   /etc/fail2ban/filter.d/ipt-drop.conf

   Shell

   [Definition] failregex = .*IPtables_DROP.*SRC=(?P<host>\S*)

   1 2	[Definition] failregex = .*IPtables_DROP.*SRC=(?P<host>\S*)

   
   Similar readings:
   Fighting SPAM with postfix and fail2ban