Home / server / Questions / 370145
Accepted
Asad Moeen
Asked: 2012-03-16 08:46:02 +0800 CST

Expert iptables help needed?

  • 772

After a detailed analysis, I collected these details.

I am under a UDP Flood which is more of application dependent. I run a Game-Server and an attacker is flooding me with "getstatus" query which makes the GameServer respond by making the replies to the query which cause output to the attacker's IP as high as 30mb/s and server lag.

Here are the packet details,

Packet starts with 4 bytes 0xff and then getstatus.
Theoretically, the packet is like "\xff\xff\xff\xffgetstatus "

Now that I've tried a lot of iptables variations like state and rate-limiting along side but those didn't work. Rate Limit works good but only when the Server is not started. As soon as the server starts, no iptables rule seems to block it.

Anyone else got more solutions? someone asked me to contact the provider and get it done at the Network/Router but that looks very odd and I believe they might not do it since that would also affect other clients.

Responding to all those answers, I'd say:

Firstly, its a VPS so they can't do it for me. Secondly, I don't care if something is coming in but since its application generated so there has to be a OS level solution to block the outgoing packets. At least the outgoing ones must be stopped.

Secondly, its not Ddos since just 400kb/s input generates 30mb/s output from my GameServer. That never happens in a D-dos. Asking the provider/hardware level solution should be used in that case but this one is different. And Yes, Banning his IP stops the flood of outgoing packets but he has many more IP-Addresses as he spoofs his original so I just need something to block him automatically.

Even tried a lot of Firewalls but as you know they are just front-ends to iptables so if something doesn't work on iptables, what would the firewalls do?

These were the rules I tried,

iptables -A INPUT -p udp -m state --state NEW -m recent --set --name DDOS --rsource
iptables -A INPUT -p udp -m state --state NEW -m recent --update --seconds 1 --hitcount 5 --name DDOS --rsource -j DROP

It works for the attacks on un-used ports but when the server is listening and responding to the incoming queries by the attacker, it never works.

Okay Tom.H, your rules were working when I modified them somehow like this:

iptables -A INPUT -p udp -m length --length 1:1024 -m recent --set --name XXXX --rsource
iptables -A INPUT -p udp -m string --string "xxxxxxxxxx" --algo bm --to 65535 -m recent --update --seconds 1 --hitcount 15 --name XXXX --rsource -j DROP

They worked for about 3 days very good where the string "xxxxxxxxx" would be rate-limited, blocked if someone flooded and also didn't affect the clients. But just today, I tried updating the chain to try to remove a previously blocked IP so for that I had to flush the chain and restore this rule ( iptables -X and iptables -F ), some clients were already connected to servers including me. So restoring the rules now would also block some of the clients string completely while some are not affected. So does this mean I need to restart the server or why else would this happen because the last time the rules were working, there was no one connected?

firewall iptables

4 Answers

  1. Best Answer

    You're very nearly there, but it's possible that you've been cargo-culting someone else's work, possibly on ssh rate-limiting, without really understanding it. Please note that I'm not criticising you: building on other people's work is an excellent idea in the free software community; but you should understand why they've done what they've done, so you don't fail to use it correctly.

    I set up a test rig, using nc (netcat) to flood UDP traffic from a machine called bill to a machine called risby with the following lines:

    risby% nc -l -u 12345
bill% seq 1 10000000 | nc -u risby 12345

    This produced a very-rapidly increasing list of numbers from risby's netcat, much like the command-flooding you've been having.

    But when I created two new rules for risby's iptables which filtered only UDP traffic to port 12345 without regard for state, it worked fine:

    iptables -I INPUT 1 -p udp --dport 12345 -m recent --set --name ddos
iptables -I INPUT 2 -p udp --dport 12345 -m recent --rcheck  --seconds 1 --hitcount 5 --name ddos -j DROP

    When I re-ran the netcats, the first few packets from bill got through on risby, and the numbers climbed rapidly to about 1800, but then it stalled completely and no further traffic was received from bill.

    Note that it's quite important that these rules come early in your iptables INPUT chain, which is why I've inserted them at lines 1 and 2 respectively.

    Edit:

    Increase the rate, and require it to be sustained for longer; perhaps --seconds 10 --hitcount 50? Eventually you'll reach a threshold where few legitimate clients are affected, but the DDoS is still substantially throttled. Note that friendly-fire is always a possibility in this kind of layer-3 throttling; my own ssh server limits new connections to two per 60s window, which makes repeated scps quite slow. But it's a price I'm willing to pay, and to do better requires layer-4 throttling, which means the application has to be throttling-aware. iptables can't help you there.

    I note that --hitcount can take no value higher than the ip_pkt_list_tot parameter of the xt_recent kernel module, and if the value's exceeded an error is thrown at rule-creation time:

    [root@risby scratch]# iptables -A INPUT -p udp -m recent --rcheck  --seconds 1 --hitcount 50 --name ddos -j DROP 
iptables: Invalid argument. Run `dmesg' for more information.

    But this value can be set at up to 255 at module insertion time. Following the suggestions in this blog entry, it's possible to reload the module, setting the parameter explicitly:

    [root@risby scratch]# rmmod xt_recent
[root@risby scratch]# modprobe xt_recent ip_pkt_list_tot=100
[root@risby scratch]# iptables -A INPUT -p udp -m recent --rcheck  --seconds 1 --hitcount 50 --name ddos -j DROP 
[root@risby scratch]#

    Note how the --hitcount 50 no longer causes errors. You may need to flush the INPUT chain (iptables -F INPUT) and any other chains that use the recent module before you can remove and reinsert the xt_recent module.

    • 10

  2. use tcpdump to take a packet dump of the traffic. 

    tcpdump -s0 -w somefile.tcp proto udp and port NN and host www.xxx.yyy.zzz

    inspect the packets in wireshark for the byte string you want to match;

    create an iptables rule with a string match to look for the application protocol string, to allow for a certain number of those packets per second and then drop the rest of those packets

    iptables -I INPUT -p udp --dport NN -m string  --algo bm \
 --hex-string "|ff ff ff ff 67 65 74 73 74 61 74 75 73|" \
 -m limit --limit 1/second -j ACCEPT

iptables -I INPUT -p udp --dport NN -m string  --algo bm \
 --hex-string "|ff ff ff ff 67 65 74 73 74 61 74 75 73|" -j DROP

    its lucky this is udp, because its less resource intensive to do the matching on the netfilter module...

    caveats are that you are going to block all getstatus requests, unless you can find some other filter for just this source, and that you will have to do a little bit of wikipedia work to work out the correct hex representation of your match string

    • 4

  3. Contact your provier and ask them to block the traffic at the router.
    This will not affect other clients as they will take the destination of the packets (=your server) into account.

    Every iptables or other local approach will not be a solution, since the packets need to be dealt with anyway so they will affect your server.

    • 1

  4. Have you considered banning his IP (if he's not spoofing it)? What you are experiencing is known as Denial of Service. I suggest you try out OSSEC. It might help blocking the IP's the attacker is using.

    • 1