FurretUber's questions -server

FurretUber

Asked: 2023-03-20 10:50:18 +0800 CST

nftables limit doesn't seem to work for some STUN requests

I'm setting up a server with coturn using only STUN (TURN is disabled). It seems that STUN UDP can be used for DDoS, so I'm trying to set nftables rules to make it harder, but the rules don't seem to always work. Sometimes, I can see something like this using tcpdump:

21:16:08.006842 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.007091 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.258386 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.258613 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.278988 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.279229 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.475423 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.475734 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.481217 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.481416 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.484939 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.485211 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.490332 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.490545 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.505617 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.505901 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.529745 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.530020 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.819766 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.820048 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72

Which is above the 3/second limit specified on nft. The nft rules are:

#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state vmap { established : accept, related : accept, invalid : drop }

        iifname lo accept

        tcp dport 1935 ct state new log prefix "[RTMP]: " accept
        tcp dport 443 ct state new log prefix "[HTTPS]: " accept
        tcp dport 3478 ct state new log prefix "[STUN TCP]: " limit rate 5/second accept
        tcp dport 5349 ct state new log prefix "[STUN TLS]: " limit rate 5/second accept
        ########################################################################
        ####### These two rules are where it is not behaving as intended #######
        udp dport 3478 log prefix "[STUN UDP]: " limit rate 3/second accept
        udp dport 3478 log prefix "[STUN UDP THIS RULE]: " limit rate over 3/second drop
        ########################################################################
        ip saddr E.F.G.H ct state new log prefix "[Some server that is allowed]: " accept
        udp dport 5060 ct state new log prefix "[SIP UDP]: " accept
        tcp dport 5060 ct state new log prefix "[SIP TCP]: " accept
        tcp dport 5061 ct state new log prefix "[SIP TLS]: " accept
        udp dport { 5000-31000 } ct state new log prefix "[RTP]: " accept
        ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp dport { 67, 68 } ct state new drop

    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}

There are some additional rules because there are some other services running, but I faced this problem even when the other services using the other ports were stopped.

The strangest thing to me is that there is only one mention about these packets on dmesg:

[4151543.207466] [STUN UDP]: IN=eth0 OUT= MAC=00:00:00:00:00:00:d4:c1:9e:0b:4d:c0:08:00 SRC=5.39.71.183 DST=A.B.C.D LEN=48 TOS=0x00 PREC=0x00 TTL=241 ID=31022 PROTO=UDP SPT=25565 DPT=3478 LEN=28

It's very likely I'm not understanding something, either about nftables, STUN, both or something else. The questions:

Is the order of the rules wrong? Like, the STUN UDP rules should be before the ct state vmap line?
With the nftables rule setting the 3/second limit, with no consideration about the state of the packet, shouldn't it be processed on every packet received on port 3478?

Or maybe it's something else I have not identified that is making the nftables limit not be applied.

System information:

OS: Debian 11
coturn version: 4.5.2-3 from the Debian repository.
nftables version: v0.9.8 (E.D.S.) from the Debian repository.

FurretUber

Asked: 2018-01-18 20:56:47 +0800 CST

Apache2 with mod_mono does not answer with partial content when a range is requested

I have a Apache2 server with mod_mono in a Virtual Machine which has Ubuntu 16.04. I have noticed that the server is not answering to requests with the Range header correctly. Initially it was not possible to even seek a specific time on video files, but using mod_headers and adding Header set Accept-Ranges bytes to the VirtualHost file corrected this.

However it never answers with 206 Partial Content, even when a Range is requested. The problem this causes is that when the user chooses to continue a download, the download of the file starts again from the beginning. On mobile devices it means the content is impossible to watch because the answer 200 OK sends the entire video, which the devices simply don't have enough memory for.

The image below shows the problem. I was watching a video and paused it. When selected to play the video again, the entire video is downloaded again, which uses more bandwidth and device's memory. Seeking causes this too.

What configuration should I do to make the Partial Content response work?

The actual configuration:

httpd.conf:

ServerName exemplo

User web_server
Group web_server

ServerRoot /home/web_server/server

IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

IncludeOptional conf-enabled/*.conf

IncludeOptional sites-enabled/*.conf

Listen 80

<IfModule ssl_module>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

PidFile apache2log/httpd.pid

ErrorLog apache2log/error.log

HostnameLookups Off

LogLevel warn

<Directory "/">
  Require all denied
  Options -Indexes
  AllowOverride None
</Directory>

<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CheckSpelling Off
CheckCaseOnly On

mono_conf.conf (it's on sites-enabled):

<VirtualHost *:80>

  ServerName local-server-1
  ServerAdmin web-admin@local-server-1
  DocumentRoot /home/web_server/server/mono

  MonoServerPath local-server-1 "/usr/bin/mod-mono-server"

  MonoSetEnv local-server-1 MONO_IOMAP=all;MONO_OLD_RX=1

  MonoApplications local-server-1 "/:/home/web_server/server/mono"
  <Location "/">
    MonoSetServerAlias local-server-1
  </Location>

  <Location /mono>
    SetHandler mono-ctrl
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
  </Location>

  <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript
  </IfModule>

  <Directory "/home/web_server/server/mono">
    SetHandler mono
    Header set Accept-Ranges bytes
    Allow from all
    Require all granted
  </Directory>

</VirtualHost>

<VirtualHost *:443>
  SSLEngine On
  SSLCertificateFile    "/tmp/server.crt"
  SSLCertificateKeyFile "/tmp/server.key"

  ServerName local-server-1
  ServerAdmin web-admin@local-server-1
  DocumentRoot /home/web_server/server/mono

  MonoServerPath local-server-1 "/usr/bin/mod-mono-server"

  MonoSetEnv local-server-1 MONO_IOMAP=all;MONO_OLD_RX=1

  MonoApplications local-server-1 "/:/home/web_server/server/mono"
  <Location "/">
    MonoSetServerAlias local-server-1
  </Location>

  <Location /mono>
    SetHandler mono-ctrl
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
  </Location>

  <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript
  </IfModule>

  <Directory "/home/web_server/server/mono">
    SetHandler mono
    Header set Accept-Ranges bytes
    Allow from all
    Require all granted
  </Directory>

</VirtualHost>

Browser request:

GET http://localhost/arquivos/video.webm
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: video/webm,video/ogg,video/*;q=0.9,application/ogg;q=0.7,audio/*;q=0.6,*/*;q=0.5
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Referer: http://localhost/Default.aspx
Range: bytes=18120704-
Cookie: ASP.NET_SessionId=46ED58B6CD7745987060CDF5
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Server response:

Date: Thu, 18 Jan 2018 04:45:55 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Thu, 18 Jan 2018 02:16:55 GMT
X-AspNet-Version: 4.0.30319
Content-Length: 26728741
Cache-Control: private
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: video/webm

nftables limit doesn't seem to work for some STUN requests

Apache2 with mod_mono does not answer with partial content when a range is requested

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?