Adaptive DDOS IDS firewall

We had a task to build a simple DDoS protection solution that learns the offenders during the early phase of an attack. The main goals were:

  1. Build it fast: we chose Ubuntu … because everything needed is already compiled and built in.
  2. Minimum network intervention: we opted for an L2/L3 bridge with iptables integration, plugged between our autonomous system (AS) and the internet.
  3. Auto-learn offenders: a honeypot service identifies non-legitimate connections; the source IP address is logged and the packet is dropped with iptables. Suricata IDS additionally analyzes client requests.
  4. Auto-block offenders: fail2ban parses the logs generated by iptables and Suricata and temporarily blocks all connections from offending sources.
  5. Some connection limit capabilities: again iptables, with the connlimit and conntrack modules.

Configuration steps:

  1. Install software:
    apt-get install mc iptraf iftop ssh bridge-utils vlan
    add-apt-repository ppa:oisf/suricata-stable
    apt-get update
    apt-get install suricata
    apt-get install fail2ban
    
  2. Configure network interfaces (/etc/network/interfaces):
    # The loopback network interface
    auto lo
    iface lo inet loopback
    
    auto enp26s0
    iface enp26s0 inet static
        address     10.10.18.37
        netmask     255.255.255.248
        post-up route add -net 10.10.18.0 netmask 255.255.248.0 gw 10.10.18.34 metric 100
        post-up route add -net 10.10.0.0 netmask 255.0.0.0 gw 10.10.10.33    metric 200
    
    
    auto ens1f0 ens1f0.217 ens1f0.218 ens1f0.409
    iface ens1f0.217 inet manual
        vlan-raw-device ens1f0
    iface ens1f0.218 inet manual
        vlan-raw-device ens1f0
    iface ens1f0.409 inet manual
        vlan-raw-device ens1f0
    
    auto ens1f1 ens1f1.217 ens1f1.218 ens1f1.409
    iface ens1f1.217 inet manual
        vlan-raw-device ens1f1
    iface ens1f1.218 inet manual
        vlan-raw-device ens1f1
    iface ens1f1.409 inet manual
        vlan-raw-device ens1f1
    
    auto br217
    iface br217 inet manual
       bridge_ports ens1f0.217 ens1f1.217
       bridge_stp off
       bridge_fd 0
       bridge_maxwait 0
    
    auto br218
    iface br218 inet manual
       bridge_ports ens1f0.218 ens1f1.218
       bridge_stp off
       bridge_fd 0
       bridge_maxwait 0
    
    auto br409
    iface br409 inet manual
       bridge_ports ens1f0.409 ens1f1.409
       bridge_stp off
       bridge_fd 0
       bridge_maxwait 0
    

    Here we have 3 bridges in 3 different VLANs (217, 218 and 409) connecting our AS to 3 upstream internet providers, plus one management interface (enp26s0). On each bridge the ens1f0 port faces the provider and the ens1f1 port faces our AS.

  3. Design iptables structure:
    # Chain for all incoming packets
    iptables -N IN
    
    # Chain for fail2ban checks
    iptables -N F2B
    
    # Chain for connection limit and connection tracking rules
    iptables -N IN-CONN-LIMIT
    
    # Chain for implicit drop rules
    iptables -N IN-HARD-DROP
    
    # Chain that logs and drops
    iptables -N LD
    
    # Chain for Cloudflare as source check
    iptables -N ONLY_FROM_CLOUDFLARE
    
    # Chain for outgoing packets
    iptables -N OUT

    then add rules to direct packets:

    # Incoming (frames entering the bridge on the provider-side ports)
    iptables -A FORWARD -m physdev --physdev-in ens1f0.217 -j IN
    iptables -A FORWARD -m physdev --physdev-in ens1f0.218 -j IN
    iptables -A FORWARD -m physdev --physdev-in ens1f0.409 -j IN
    # Outgoing (frames entering the bridge on the AS-side ports)
    iptables -A FORWARD -m physdev --physdev-in ens1f1.217 -j OUT
    iptables -A FORWARD -m physdev --physdev-in ens1f1.218 -j OUT
    iptables -A FORWARD -m physdev --physdev-in ens1f1.409 -j OUT
    # Fail2ban rules (fail2ban creates the f2b-ipt-drop chain and inserts this rule when the ipt-drop jail starts)
    iptables -A F2B -p tcp -m multiport --dports 0:65535 -j f2b-ipt-drop
    # Banned sources are checked first, so the F2B chain is actually consulted
    iptables -A IN -j F2B
    # Connlimit
    iptables -A IN -j IN-CONN-LIMIT
    # Drop
    iptables -A IN -j IN-HARD-DROP

    connection rate and connection count limits:

    # new SYNs within the rate limit return to IN
    iptables -A IN-CONN-LIMIT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 6/sec --limit-burst 12 -j RETURN
    # sources with up to 16 connections return to IN
    iptables -A IN-CONN-LIMIT -m connlimit --connlimit-upto 16 --connlimit-mask 32 --connlimit-saddr -j RETURN
    # anything not returned above exceeded a limit: log and drop (without this the chain has no effect)
    iptables -A IN-CONN-LIMIT -j LD
    

    drop invalid packets:

    iptables -A IN-HARD-DROP -m state --state INVALID -j LD

    honeypot NTP and SSH:

    iptables -A IN-HARD-DROP -p udp -m udp --dport 123 -j LD
    iptables -A IN-HARD-DROP -p tcp -m tcp --dport 22 -j LD

    and finally log and drop:

    iptables -A LD -m limit --limit 2/min --limit-burst 1 -j LOG --log-prefix "IPtables_DROP:"
    iptables -A LD -j DROP
    

    optionally allow only Cloudflare networks to reach a protected destination:

    iptables -A ONLY_FROM_CLOUDFLARE -s 103.21.244.0/22 -j RETURN
    iptables -A ONLY_FROM_CLOUDFLARE -s 103.22.200.0/22 -j RETURN
    iptables -A ONLY_FROM_CLOUDFLARE -s 103.31.4.0/22 -j RETURN
    iptables -A ONLY_FROM_CLOUDFLARE -s 104.16.0.0/12 -j RETURN
    iptables -A ONLY_FROM_CLOUDFLARE -s 108.162.192.0/18 -j RETURN
    iptables -A ONLY_FROM_CLOUDFLARE -s 131.0.72.0/22 -j RETURN
    iptables -A ONLY_FROM_CLOUDFLARE -s 141.101.64.0/18 -j RETURN
    iptables -A ONLY_FROM_CLOUDFLARE -s 162.158.0.0/15 -j RETURN
    iptables -A ONLY_FROM_CLOUDFLARE -s 172.64.0.0/13 -j RETURN
    iptables -A ONLY_FROM_CLOUDFLARE -s 173.245.48.0/20 -j RETURN
    iptables -A ONLY_FROM_CLOUDFLARE -s 188.114.96.0/20 -j RETURN
    iptables -A ONLY_FROM_CLOUDFLARE -s 190.93.240.0/20 -j RETURN
    iptables -A ONLY_FROM_CLOUDFLARE -s 197.234.240.0/22 -j RETURN
    iptables -A ONLY_FROM_CLOUDFLARE -s 198.41.128.0/17 -j RETURN
    iptables -A ONLY_FROM_CLOUDFLARE -s 199.27.128.0/21 -j RETURN
    iptables -A ONLY_FROM_CLOUDFLARE -j LD
    #
    # Add the protected destination with a rule like the following:
    #iptables -A IN -d 212.xxx.yyy.zzz/32 -j ONLY_FROM_CLOUDFLARE
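The chain layout above, assembled into one re-runnable script as an added example (this is not the post's own script): it generates the FORWARD and IN rules from the VLAN list instead of repeating them per bridge, offers a dry-run mode that prints the rules for review, and first checks that br_netfilter is handing bridged frames to iptables at all, since without `bridge-nf-call-iptables=1` the FORWARD chain never sees the traffic and every rule is silently bypassed. Interface names, VLAN ids, chain names and limits come from the post; the script structure, the `IN -> F2B` jump, the terminating `-j LD` in IN-CONN-LIMIT and the use of `-m conntrack --ctstate` (the newer spelling of `-m state --state`) are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the bridge firewall
# ruleset from a VLAN list; IPT=echo (or the dry-run argument) prints instead
# of applying.
set -eu

IPT="${IPT:-iptables}"                    # set IPT=echo for a dry run
UPSTREAM_NIC="${UPSTREAM_NIC:-ens1f0}"    # bridge ports facing the providers (assumption from the post)
INSIDE_NIC="${INSIDE_NIC:-ens1f1}"        # bridge ports facing our AS (assumption from the post)
VLANS="${VLANS:-217 218 409}"             # one bridge per VLAN

# iptables only sees bridged frames when br_netfilter is loaded and enabled.
check_bridge_nf() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ] && return 0
    echo "bridge netfilter is off: modprobe br_netfilter; sysctl -w net.bridge.bridge-nf-call-iptables=1" >&2
    return 1
}

# Create a user chain, or flush it if it already exists, so re-running is safe.
fresh_chain() {
    "$IPT" -N "$1" 2>/dev/null || "$IPT" -F "$1"
}

# One FORWARD rule per bridge port: provider-side ports enter IN, AS-side ports enter OUT.
forward_rules() {
    for v in $VLANS; do
        "$IPT" -A FORWARD -m physdev --physdev-in "$UPSTREAM_NIC.$v" -j IN
        "$IPT" -A FORWARD -m physdev --physdev-in "$INSIDE_NIC.$v" -j OUT
    done
}

build_ruleset() {
    for c in IN OUT F2B IN-CONN-LIMIT IN-HARD-DROP LD; do
        fresh_chain "$c"
    done
    forward_rules

    # Order inside IN: banned sources first, then limits, then hard drops.
    "$IPT" -A IN -j F2B
    "$IPT" -A IN -j IN-CONN-LIMIT
    "$IPT" -A IN -j IN-HARD-DROP

    # Limits: new SYNs under 6/s return, sources with up to 16 connections
    # return, everything else falls through to log-and-drop.
    "$IPT" -A IN-CONN-LIMIT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN \
        -m limit --limit 6/sec --limit-burst 12 -j RETURN
    "$IPT" -A IN-CONN-LIMIT -m connlimit --connlimit-upto 16 \
        --connlimit-mask 32 --connlimit-saddr -j RETURN
    "$IPT" -A IN-CONN-LIMIT -j LD

    # Hard drops: invalid conntrack state plus the NTP and SSH honeypot ports.
    "$IPT" -A IN-HARD-DROP -m conntrack --ctstate INVALID -j LD
    "$IPT" -A IN-HARD-DROP -p udp --dport 123 -j LD
    "$IPT" -A IN-HARD-DROP -p tcp --dport 22 -j LD

    # Rate-limited LOG so the honeypot cannot flood syslog, then DROP.
    "$IPT" -A LD -m limit --limit 2/min --limit-burst 1 \
        -j LOG --log-prefix "IPtables_DROP:"
    "$IPT" -A LD -j DROP
}

case "${1:-}" in
    apply)   check_bridge_nf || exit 1; build_ruleset ;;
    dry-run) IPT=echo; build_ruleset ;;
    *)       echo "usage: $0 apply | dry-run" >&2 ;;
esac
```

Run `sh ddos-fw.sh dry-run` to print the rules, then `sh ddos-fw.sh apply` as root. The chains are flushed rather than deleted on re-run, so the `iptables -A F2B ... -j f2b-ipt-drop` rule that fail2ban inserts into F2B is removed too; restart fail2ban after applying so it re-creates it.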
  4. Configure fail2ban
    Jail definition (jail.local), pointing the ban action at our F2B chain:
    
    [ipt-drop]
    enabled   = true
    chain     = F2B
    blocktype = DROP
    #protocol = all
    protocol  = tcp
    filter    = ipt-drop
    logpath   = /var/log/syslog
    maxretry  = 2
    
    Filter definition (filter.d/ipt-drop.conf), matching the source address in the iptables LOG lines:
    
    [Definition]
    failregex = .*IPtables_DROP.*SRC=(?P<host>\S*)
    
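An added example (not from the original post) for checking the filter before letting it ban anything: it replays constructed syslog lines through the same match the `failregex` above expresses, extracts `SRC=` per line, and reports the sources that reached the jail's `maxretry` of 2. The log lines and addresses are made up for the example; a real check uses fail2ban's own tool, `fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/ipt-drop.conf`.

```shell
#!/bin/sh
# Added example, not part of the original post: a shell approximation of the
# ipt-drop filter, run over constructed log lines.
set -eu

# Constructed sample syslog lines (not captured from a real host). The last
# line is an unrelated sshd message that must not match.
SAMPLE_LOG='Mar  3 10:15:01 fw kernel: [1234.5] IPtables_DROP:IN=br217 OUT=br217 PHYSIN=ens1f0.217 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=22
Mar  3 10:15:31 fw kernel: [1264.5] IPtables_DROP:IN=br218 OUT=br218 PHYSIN=ens1f0.218 SRC=203.0.113.7 DST=198.51.100.21 PROTO=UDP DPT=123
Mar  3 10:16:02 fw kernel: [1295.5] IPtables_DROP:IN=br409 OUT=br409 PHYSIN=ens1f0.409 SRC=192.0.2.9 DST=198.51.100.22 PROTO=TCP DPT=22
Mar  3 10:16:05 fw sshd[311]: Accepted publickey for admin from 10.10.18.34 port 51234 ssh2'

# Print the SRC address of every line carrying the IPtables_DROP prefix
# (the shell equivalent of failregex = .*IPtables_DROP.*SRC=(?P<host>\S*)).
drop_sources() {
    grep 'IPtables_DROP' | sed -n 's/.*SRC=\([^ ]*\).*/\1/p'
}

# List the sources that hit the honeypot at least maxretry times in the input.
offenders() {
    maxretry="${1:-2}"
    drop_sources | sort | uniq -c | awk -v m="$maxretry" '$1 >= m { print $2 }'
}

# Usage: with maxretry=2 only 203.0.113.7 is reported; 192.0.2.9 hit once.
printf '%s\n' "$SAMPLE_LOG" | offenders 2
```

Two things this makes visible. The regex matches on the `IPtables_DROP:` prefix, so any LD rule in any chain feeds the jail, including the connection limit and Cloudflare chains, not only the honeypot ports. And because the LOG rule in LD is limited to 2 entries per minute for the whole chain, fail2ban can only learn about as many sources per minute as actually reach syslog; under a large flood most drops are never logged and therefore never banned.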
