We had a task to build a simple DDoS protection that learns offenders during the early phase of an attack, while the attacking sources are still being identified. Main goals were:
- Build it fast: we chose Ubuntu …, as everything needed is already compiled and built in.
- Minimal network intervention: we opted for an L2 bridge with iptables integration (L3 filtering of bridged traffic), plugged in between our autonomous system (AS) and the Internet.
- Auto-learning of offenders: honeypot services that no legitimate client should reach from the Internet identify non-legitimate connections; iptables logs the source IP address and drops the packet. Suricata IDS additionally analyses client requests.
- Auto-blocking of offenders: fail2ban parses the logs generated by iptables and Suricata and temporarily drops all connections from offending sources.
- Some connection-limit capabilities: again iptables, with the connlimit and conntrack modules.
Configuration steps:
- Install software:
apt-get install mc iptraf iftop ssh bridge-utils vlan
add-apt-repository ppa:oisf/suricata-stable
apt-get update
apt-get install suricata
apt-get install fail2ban
- Configure network interfaces
# /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback

# Management interface
auto enp26s0
iface enp26s0 inet static
    address 10.10.18.37
    netmask 255.255.255.248
    # Site-specific routes. route rejects a network that is not aligned to its
    # netmask (neither 10.10.18.0/255.255.248.0 nor 10.10.0.0/255.0.0.0 is),
    # so replace these with your real prefixes and gateways.
    post-up route add -net 10.10.18.0 netmask 255.255.248.0 gw 10.10.18.34 metric 100
    post-up route add -net 10.10.0.0 netmask 255.0.0.0 gw 10.10.10.33 metric 200

# Upstream (Internet-facing) NIC and its VLAN sub-interfaces.
# The raw NIC needs a stanza of its own, otherwise ifup reports it as unknown.
auto ens1f0 ens1f0.217 ens1f0.218 ens1f0.409
iface ens1f0 inet manual
iface ens1f0.217 inet manual
    vlan-raw-device ens1f0
iface ens1f0.218 inet manual
    vlan-raw-device ens1f0
iface ens1f0.409 inet manual
    vlan-raw-device ens1f0

# AS-facing NIC and its VLAN sub-interfaces
auto ens1f1 ens1f1.217 ens1f1.218 ens1f1.409
iface ens1f1 inet manual
iface ens1f1.217 inet manual
    vlan-raw-device ens1f1
iface ens1f1.218 inet manual
    vlan-raw-device ens1f1
iface ens1f1.409 inet manual
    vlan-raw-device ens1f1

# One transparent bridge per VLAN: no IP address, STP off, no forwarding delay
auto br217
iface br217 inet manual
    bridge_ports ens1f0.217 ens1f1.217
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0

auto br218
iface br218 inet manual
    bridge_ports ens1f0.218 ens1f1.218
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0

auto br409
iface br409 inet manual
    bridge_ports ens1f0.409 ens1f1.409
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
Here we have three bridges in three different VLANs, connecting our AS to three upstream Internet providers, plus one management interface (enp26s0).
- Design the iptables structure. Bridged frames only traverse the iptables FORWARD chain when the br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables is 1 (modprobe br_netfilter; sysctl -w net.bridge.bridge-nf-call-iptables=1), so verify that first. Then create the chains:
# Chain for all incoming packets
iptables -N IN
# Chain for fail2ban checks
iptables -N F2B
# Chain for connection limit and connection tracking rules
iptables -N IN-CONN-LIMIT
# Chain for implicit drop rules
iptables -N IN-HARD-DROP
# Chain that logs and drops
iptables -N LD
# Chain for the Cloudflare-as-source check
iptables -N ONLY_FROM_CLOUDFLARE
# Chain for outgoing packets
iptables -N OUT
then add rules to direct packets:
# Incoming: frames that entered the bridge on the upstream (Internet) side
iptables -A FORWARD -m physdev --physdev-in ens1f0.217 -j IN
iptables -A FORWARD -m physdev --physdev-in ens1f0.218 -j IN
iptables -A FORWARD -m physdev --physdev-in ens1f0.409 -j IN
# Outgoing: frames that entered the bridge on the AS side
iptables -A FORWARD -m physdev --physdev-in ens1f1.217 -j OUT
iptables -A FORWARD -m physdev --physdev-in ens1f1.218 -j OUT
iptables -A FORWARD -m physdev --physdev-in ens1f1.409 -j OUT
# Fail2ban: check banned sources first. The F2B rule below is what the
# fail2ban iptables-multiport action inserts into chain F2B itself when the
# ipt-drop jail starts (chain f2b-ipt-drop does not exist before that), so it
# is shown for reference rather than typed by hand.
iptables -A IN -j F2B
iptables -A F2B -p tcp -m multiport --dports 0:65535 -j f2b-ipt-drop
# Connlimit
iptables -A IN -j IN-CONN-LIMIT
# Drop
iptables -A IN -j IN-HARD-DROP
connection tracking and rate limits. Both checks end in LD, so a source that trips them is logged and, through fail2ban, banned:
# Per-source concurrent connections: a new SYN from a source address (/32)
# that already holds more than 16 tracked connections is logged and dropped
iptables -A IN-CONN-LIMIT -p tcp --syn -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j LD
# SYN rate: 6/sec with a burst of 12 pass. The limit match is one global
# bucket for the whole bridge, not per source (use hashlimit for a per-source
# rate). Excess SYNs are logged and dropped; everything else returns to IN.
iptables -A IN-CONN-LIMIT -p tcp --syn -m limit --limit 6/sec --limit-burst 12 -j RETURN
iptables -A IN-CONN-LIMIT -p tcp --syn -j LD
drop invalid packets:
iptables -A IN-HARD-DROP -m state --state INVALID -j LD
honeypot NTP and SSH: any forwarded packet to 123/udp or 22/tcp is treated as hostile, logged and dropped, which also means nothing behind the bridge can serve NTP or SSH to the Internet through this path:
iptables -A IN-HARD-DROP -p udp -m udp --dport 123 -j LD
iptables -A IN-HARD-DROP -p tcp -m tcp --dport 22 -j LD
and finally log and drop. The LOG rule's limit is a single bucket for the whole LD chain: during a flood at most two lines per minute reach syslog, and that is all fail2ban gets to see, so raise it if bans arrive too slowly:
iptables -A LD -m limit --limit 2/min --limit-burst 1 -j LOG --log-prefix "IPtables_DROP:"
iptables -A LD -j DROP
optionally, only allow Cloudflare networks to reach a destination that sits behind Cloudflare (this is the list we used; Cloudflare publishes and changes it, so refresh it before relying on it):
iptables -A ONLY_FROM_CLOUDFLARE -s 103.21.244.0/22 -j RETURN
iptables -A ONLY_FROM_CLOUDFLARE -s 103.22.200.0/22 -j RETURN
iptables -A ONLY_FROM_CLOUDFLARE -s 103.31.4.0/22 -j RETURN
iptables -A ONLY_FROM_CLOUDFLARE -s 104.16.0.0/12 -j RETURN
iptables -A ONLY_FROM_CLOUDFLARE -s 108.162.192.0/18 -j RETURN
iptables -A ONLY_FROM_CLOUDFLARE -s 131.0.72.0/22 -j RETURN
iptables -A ONLY_FROM_CLOUDFLARE -s 141.101.64.0/18 -j RETURN
iptables -A ONLY_FROM_CLOUDFLARE -s 162.158.0.0/15 -j RETURN
iptables -A ONLY_FROM_CLOUDFLARE -s 172.64.0.0/13 -j RETURN
iptables -A ONLY_FROM_CLOUDFLARE -s 173.245.48.0/20 -j RETURN
iptables -A ONLY_FROM_CLOUDFLARE -s 188.114.96.0/20 -j RETURN
iptables -A ONLY_FROM_CLOUDFLARE -s 190.93.240.0/20 -j RETURN
iptables -A ONLY_FROM_CLOUDFLARE -s 197.234.240.0/22 -j RETURN
iptables -A ONLY_FROM_CLOUDFLARE -s 198.41.128.0/17 -j RETURN
iptables -A ONLY_FROM_CLOUDFLARE -s 199.27.128.0/21 -j RETURN
# Anything else towards the protected destination is logged and dropped
iptables -A ONLY_FROM_CLOUDFLARE -j LD
# Add each protected destination with a rule like the following:
#iptables -A IN -d 212.xxx.yyy.zzz/32 -j ONLY_FROM_CLOUDFLARE
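As an added example (not the post's own script), here is the whole filter table from the steps above written as a generator for iptables-restore, so the policy is loaded atomically rather than rule by rule and the per-VLAN dispatch is derived from a list of VLAN IDs. Interface names ens1f0/ens1f1, the VLAN IDs and the Cloudflare list follow the post; the protected destination 198.51.100.10 in the usage line is a placeholder, and the IN-CONN-LIMIT chain is written so that exceeding a limit really ends in LD. gen_ruleset runs anywhere; load_ruleset needs root and br_netfilter.

```shell
#!/bin/sh
# Added example, not code from the original post: emit the bridge's filter
# table in iptables-restore format so the whole policy loads atomically
# (rule-by-rule `iptables -A` leaves the bridge partly filtered while loading).
# Interface names and VLAN IDs follow the post; the protected destination and
# anything else passed as an argument are assumptions.

UPSTREAM_NIC=ens1f0   # bridge leg towards the Internet (traffic into the AS)
INSIDE_NIC=ens1f1     # bridge leg towards our AS (traffic out of the AS)

# Cloudflare IPv4 ranges as listed in the post. Cloudflare changes this list;
# refresh it from their published page before relying on it.
CLOUDFLARE_V4="103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/12
108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13
173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22
198.41.128.0/17 199.27.128.0/21"

# gen_ruleset PROTECTED_DST VLAN_ID...  -> complete *filter table on stdout
# (PROTECTED_DST may be empty to skip the Cloudflare-only rule)
gen_ruleset() {
    protected="$1"; shift
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for c in IN OUT F2B IN-CONN-LIMIT IN-HARD-DROP LD ONLY_FROM_CLOUDFLARE; do
        echo ":$c - [0:0]"
    done
    # Dispatch on the physical ingress port of the bridged frame.
    for v in "$@"; do
        echo "-A FORWARD -m physdev --physdev-in $UPSTREAM_NIC.$v -j IN"
        echo "-A FORWARD -m physdev --physdev-in $INSIDE_NIC.$v -j OUT"
    done
    # IN: banned sources first (fail2ban inserts its own jump into F2B),
    # then the Cloudflare-only destination, then limits, then hard drops.
    echo '-A IN -j F2B'
    if [ -n "$protected" ]; then
        echo "-A IN -d $protected -j ONLY_FROM_CLOUDFLARE"
    fi
    echo '-A IN -j IN-CONN-LIMIT'
    echo '-A IN -j IN-HARD-DROP'
    # Limits: connlimit per source /32 on new connections, then a global SYN
    # rate (the limit match is one bucket for everyone; hashlimit would give a
    # per-source rate). Anything not RETURNed is logged and dropped.
    echo '-A IN-CONN-LIMIT -p tcp --syn -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j LD'
    echo '-A IN-CONN-LIMIT -p tcp --syn -m limit --limit 6/sec --limit-burst 12 -j RETURN'
    echo '-A IN-CONN-LIMIT -p tcp --syn -j LD'
    # Hard drops: conntrack-invalid packets and the NTP/SSH honeypot ports.
    echo '-A IN-HARD-DROP -m conntrack --ctstate INVALID -j LD'
    echo '-A IN-HARD-DROP -p udp --dport 123 -j LD'
    echo '-A IN-HARD-DROP -p tcp --dport 22 -j LD'
    # Only Cloudflare may reach the protected destination.
    for net in $CLOUDFLARE_V4; do
        echo "-A ONLY_FROM_CLOUDFLARE -s $net -j RETURN"
    done
    echo '-A ONLY_FROM_CLOUDFLARE -j LD'
    # Log (rate limited, prefix matched by the fail2ban filter) and drop.
    echo '-A LD -m limit --limit 2/min --limit-burst 1 -j LOG --log-prefix "IPtables_DROP:"'
    echo '-A LD -j DROP'
    echo 'COMMIT'
}

# Bridged frames only reach iptables when br_netfilter is active.
bridge_nf_enabled() {
    [ "$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null)" = 1 ]
}

# Load atomically. Run this before starting fail2ban (a full restore wipes
# the rule fail2ban inserted into F2B), or restart fail2ban afterwards.
load_ruleset() {
    bridge_nf_enabled || { echo 'br_netfilter is not enabled' >&2; return 1; }
    gen_ruleset "$@" | iptables-restore
}

# Usage (as root):  load_ruleset 198.51.100.10 217 218 409
# Syntax check only: gen_ruleset 198.51.100.10 217 218 409 | iptables-restore --test
```

Because iptables-restore replaces the whole filter table, fail2ban's jump into F2B is lost on every reload; start or restart fail2ban after loading, and confirm with iptables -L F2B -n -v that the f2b-ipt-drop jump is back.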
- Configure fail2ban. The jail goes in /etc/fail2ban/jail.local; chain = F2B makes the default iptables-multiport ban action hook its f2b-ipt-drop chain into our F2B chain, and blocktype = DROP drops silently instead of rejecting. With protocol = tcp the ban only covers TCP; to drop UDP from banned sources as well (the NTP honeypot logs UDP), use banaction = iptables-allports together with protocol = all, since multiport cannot be combined with -p all.

[ipt-drop]
enabled   = true
chain     = F2B
protocol  = tcp
blocktype = DROP
filter    = ipt-drop
logpath   = /var/log/syslog
maxretry  = 2

The filter in /etc/fail2ban/filter.d/ipt-drop.conf extracts the source address from the IPtables_DROP log lines:

[Definition]
failregex = .*IPtables_DROP.*SRC=(?P<host>\S*)

Verify with fail2ban-client status ipt-drop and iptables -L F2B -n -v.
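The following is an added example, not part of the original post: it replays what the ipt-drop jail does over a handful of constructed syslog lines, so the source extraction and the maxretry threshold can be checked before a live bridge is involved. The log lines are made up (documentation addresses 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, a hypothetical host named bridge) but follow the layout the kernel LOG target produces for the LD chain; findtime is ignored, i.e. all lines are assumed to fall in one window.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample of what
# rsyslog writes to /var/log/syslog for the LD chain (prefix IPtables_DROP:),
# with one unrelated sshd line mixed in. Hosts and addresses are made up.
SAMPLE_LOG='Mar  3 10:00:01 bridge kernel: [1001.10] IPtables_DROP:IN=br217 OUT=br217 PHYSIN=ens1f0.217 PHYSOUT=ens1f1.217 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:02 bridge kernel: [1002.20] IPtables_DROP:IN=br217 OUT=br217 PHYSIN=ens1f0.217 PHYSOUT=ens1f1.217 SRC=192.0.2.50 DST=198.51.100.20 LEN=76 TTL=48 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar  3 10:00:02 bridge sshd[2201]: Accepted publickey for admin from 10.10.18.35 port 51022 ssh2
Mar  3 10:00:31 bridge kernel: [1031.30] IPtables_DROP:IN=br218 OUT=br218 PHYSIN=ens1f0.218 PHYSOUT=ens1f1.218 SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TTL=55 ID=0 DF PROTO=TCP SPT=50001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:00:32 bridge kernel: [1032.40] IPtables_DROP:IN=br217 OUT=br217 PHYSIN=ens1f0.217 PHYSOUT=ens1f1.217 SRC=192.0.2.50 DST=198.51.100.20 LEN=76 TTL=48 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar  3 10:01:01 bridge kernel: [1061.50] IPtables_DROP:IN=br217 OUT=br217 PHYSIN=ens1f0.217 PHYSOUT=ens1f1.217 SRC=203.0.113.7 DST=198.51.100.10 LEN=76 TTL=52 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar  3 10:01:02 bridge kernel: [1062.60] IPtables_DROP:IN=br409 OUT=br409 PHYSIN=ens1f0.409 PHYSOUT=ens1f1.409 SRC=192.0.2.50 DST=198.51.100.30 LEN=40 TTL=48 ID=0 PROTO=TCP SPT=1 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0'

# drop_sources: stdin = syslog, stdout = the SRC address of every LD hit.
# This is the same capture the jail's failregex makes (IPtables_DROP ... SRC=<host>).
drop_sources() {
    awk '/IPtables_DROP:/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) print substr($i, 5)
    }'
}

# offenders MAXRETRY: sources seen at least MAXRETRY times, sorted. With
# maxretry = 2 as in the jail these are the addresses fail2ban would ban.
offenders() {
    drop_sources | sort | uniq -c | awk -v max="$1" '$1 >= max { print $2 }'
}

# ban_commands MAXRETRY: dry run of what the iptables-multiport action issues
# per banned address for jail ipt-drop (chain f2b-ipt-drop, blocktype DROP).
ban_commands() {
    offenders "$1" | while read -r ip; do
        echo "iptables -I f2b-ipt-drop 1 -s $ip -j DROP"
    done
}

# With fail2ban installed, the real filter can be run over the same sample.
check_filter() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    fail2ban-regex "$tmp" /etc/fail2ban/filter.d/ipt-drop.conf
    rm -f "$tmp"
}

# Usage:
#   printf '%s\n' "$SAMPLE_LOG" | offenders 2
#   printf '%s\n' "$SAMPLE_LOG" | ban_commands 2
```

Two of the three sources cross maxretry = 2 in the sample (192.0.2.50 with three hits, 203.0.113.7 with two); 203.0.113.9 is logged once and stays unbanned. Note that 203.0.113.7 is counted across both honeypot ports, which is exactly the "learning" behaviour of the setup: any hit on a trap port counts, regardless of protocol.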
One thought on “Adaptive DDOS IDS firewall”