Adaptive DDOS IDS firewall

We had a task to build a simple solution for DDOS protection on the learning phase of attack. Main goals were:

  1. To build it fast: We chose Ubuntu … as everything needed is compiled and build in.
  2. Minimum network intervention: We opted for L2/L3 bridge with iptables integration which we plugged between our autonomous system (AS) and internet.
  3. Auto learning offenders: Using honeypot service to distinguish non-legitimate connections. Log source IP address and drop packet with iptables. Using suricata ids to additionally analyze client requests.
  4. Auto block offenders: Using fail2ban to pars logs generated by iptables and suricata and temporary disable all connections from offending sources.
  5. Have some connection limit capabilities: Again we used iptables with connlimit and conntrack modules activated.

Configure steps:

  1. Install software:
  2. Configure network interfaces

    Here we have 3 bridges in 3 different vlans connecting our AS to 3 upstream internet providers and one management interface.
  3. Design iptables structure:

    then add rules to direct packets:

    conn&track limit:

    drop invalid packets:

    honeypot NTP and SSH:

    and finally log and drop:

    optionally filter for cloudflare networks
  4. Configure fail2ban


    Similar readings:
    Fighting SPAM with postfix and fail2ban

One thought on “Adaptive DDOS IDS firewall”

Leave a Reply

Your email address will not be published. Required fields are marked *