ddos protection
play

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer - PowerPoint PPT Presentation

Aug 01, 2023 •424 likes •822 views

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat RMLL Montpellier, July 2014 1/36 Email: brouer@redhat.com / netoptimizer@brouer.com / hawk@kernel.org DDoS protection using Netfilter/iptables

  1. DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat RMLL Montpellier, July 2014 1/36 Email: brouer@redhat.com / netoptimizer@brouer.com / hawk@kernel.org DDoS protection using Netfilter/iptables

  2. Who am I Who am I ● Name: Jesper Dangaard Brouer – Linux Kernel Developer at Red Hat – Edu: Computer Science for Uni. Copenhagen ● Focus on Network, Dist. sys and OS – Linux user since 1996, professional since 1998 ● Sysadm, Kernel Developer, Embedded – OpenSource projects, author of – ADSL-optimizer, CPAN IPTables::libiptc, IPTV-Analyzer ● Patches accepted into – Linux kernel, iproute2, iptables, libpcap and Wireshark – Organizer of Netfilter Workshop 2013 2/36 DDoS protection using Netfilter/iptables

  3. What will you learn? What will you learn? ● Linux Kernel is vulnerable to simple SYN attacks ● End-host mitigation's already implemented in kernel – show it is not enough ● Kernel: serious "listen" socket scalability problem – solution is stalled ... how to work-around this ● Firewall-based solution: synproxy (iptables/netfilter) ● How fast is stateful firewalling – Where is our pain points – Learn Netfilter tricks: boost performance a factor 20 3/36 DDoS protection using Netfilter/iptables

  4. First: Basic NIC tuning 101 First: Basic NIC tuning 101 ● All tests in presentation ● Basic tuning (blog: netoptimizer.blogspot.com) – First kill “irqbalance” – NIC hardware queue, are CPU aligned – Disable Ethernet flow-control ● Intel ixgbe hw/driver issue – single blocked hw queue blocks others – Fix in kernel v3.5.0 commit 3ebe8fdeb0 (ixgbe: Set Drop_EN bit when multiple Rx queues are present w/o flow control) 4/36 DDoS protection using Netfilter/iptables

  5. Focus: Flooding DoS attack Focus: Flooding DoS attack ● D enial o f S ervice (DoS) attacks ● Focus: TCP flooding attacks – Attacking the 3- W ay H and S hake (3WHS) – End-host resource attack ● SYN flood ● SYN-ACK floods ● ACK floods (3 rd packet in 3WHS) – Attacker often spoofs src IP ● Described in RFC 4987: TCP SYN Flooding Attacks and Common Mitigations 5/36 DDoS protection using Netfilter/iptables

  6. Linux current end-host mitigations Linux current end-host mitigations Jargon RFC 4987 (TCP SYN Flooding Attacks and Common Mitigations) ● ● Linux uses hybrid solution – SYN “cache” ● Mini request socket ● Minimize state, delay full state alloc – SYN “backlog” of outstanding request sockets – Above limit, use SYN “cookies” 6/36 DDoS protection using Netfilter/iptables

  7. Details: SYN "cache" savings Details: SYN "cache" savings ● Small initial TCB (Transmission Control Block) ● struct request_sock (size 56 bytes) – mini sock to represent a connection request ● But alloc size is 112 bytes – SLAB behind have sizeof(struct tcp_request_sock) – Structs embedded in each-other ● 56 bytes == struct request_sock ● 80 bytes == struct inet_request_sock ● 112 bytes == struct tcp_request_sock ● Full TCB (struct inet_sock) is 832 bytes (note, sizes will increase/change in more recent kernels) 7/36 DDoS protection using Netfilter/iptables

  8. Details: Increasing SYN backlog Details: Increasing SYN backlog ● Not recommended to increase for DoS – Only increase, if legitimate traffic cause log: ● “TCP: Possible SYN flooding ...” ● Increasing SYN backlog is not obvious – Adjust all these: ● /proc/sys/net/ipv4/tcp_max_syn_backlog ● /proc/sys/net/core/somaxconn ● Syscall listen(int sockfd, int backlog ); 8/36 DDoS protection using Netfilter/iptables

  9. SYN cookies SYN cookies ● Simplified description – SYN packet ● don't create any local state – SYN-ACK packet ● Encode state in SEQ# (and TCP options) – ACK packet ● Contains SEQ#+1 (and TCP timestamp) ● Recover state – SHA hash is computed with local secret ● Validate (3WHS) ACK packet state 9/36 DDoS protection using Netfilter/iptables

  10. Details: SYN-cookies Details: SYN-cookies ● SYN cookies SHA calculation is expensive ● SNMP counters (Since kernel v3.1) – TCPReqQFullDoCookies : number of times a SYNCOOKIE was replied to client – TCPReqQFullDrop : number of times a SYN request was dropped because syncookies were not enabled. ● Always on option – /proc/sys/net/ipv4/tcp_syncookies = 2 10/36 DDoS protection using Netfilter/iptables

  11. So, what is the problem? So, what is the problem? ● Good End-Host counter-measurements ● Problem: LISTEN state scalability problem – Vulnerable for all floods ● SYN, SYN-ACK and ACK floods ● Numbers: Xeon CPU X5550 10G ixgbe – NO LISTEN socket: ● 2.904.128 pkts/sec -- SYN attack – LISTEN socket: ● 252.032 pkts/sec -- SYN attack ● 336.576 pkts/sec -- SYN+ACK attack ● 331.072 pkts/sec -- ACK attack 11/36 DDoS protection using Netfilter/iptables

  12. Problem: SYN-cookie vs LISTEN lock Problem: SYN-cookie vs LISTEN lock ● Main problem: – SYN cookies live under LISTEN lock ● I proposed SYN brownies fix (May 2012) – http://thread.gmane.org/gmane.linux.network/232238 – Got rejected, because not general solution ● e.g. don't handle SYN-ACK and 3WHS – NFWS2013 got clearance as a first step solution ● Need to “forward-port” patches (Bug 1057364 - RFE: Parallel SYN cookies handling) ● 12/36 DDoS protection using Netfilter/iptables

  13. Firewall and Proxy solutions Firewall and Proxy solutions ● Network-Based Countermeasures – Wesley M. Eddy, describes SYN-proxy ● In Cisco: The Internet Protocol Journal - Volume 9, Number 4, 2006, link: http://goo.gl/AC1AAZ – Netfilter: iptables target SYNPROXY ● Avail in kernel 3.13 and RHEL7 – By Patrick McHardy, Martin Topholm and Me ● Also works on localhost ● General solution – Solves SYN and ACK floods ● Indirect trick also solves SYN+ACK 13/36 DDoS protection using Netfilter/iptables

  14. SYN proxy concept SYN proxy concept 14/36 DDoS protection using Netfilter/iptables

  15. Conntrack performance(1) Conntrack performance(1) ● SYNPROXY needs conntrack – Will that be a performance issue? ● Base performance: – 2.904.128 pkts/sec -- NO LISTEN sock + no iptables rules – 252.032 pkts/sec -- LISTEN sock + no iptables rules Loading conntrack: (SYN flood, causing new conntrack) ● – 435.520 pkts/sec -- NO LISTEN sock + conntrack – 172.992 pkts/sec -- LISTEN sock + conntrack Looks bad... ● – but I have some tricks for you ;-) – Plus fixed in kernel v3.15 15/36 DDoS protection using Netfilter/iptables

  16. Conntrack performance(2) Conntrack performance(2) ● Conntrack (lock-less) lookups are really fast – Problem is insert and delete conntracks – Use to protect against SYN+ACK and ACK attacks ● Default netfilter is in TCP “loose” mode – Allow ACK pkts to create new connection – Disable via cmd: sysctl -w net/netfilter/nf_conntrack_tcp_loose=0 ● Take advantage of state “INVALID” – Drop invalid pkts before reaching LISTEN socket iptables -m state --state INVALID -j DROP – 16/36 DDoS protection using Netfilter/iptables

  17. Conntrack perf(3) ACK-attacks Conntrack perf(3) ACK-attacks ● ACK attacks , conntrack performance ● Default “loose=1” and pass INVALID pkts – 179.027 pkts/sec ● Loose=0 and and pass INVALID pkts – 235.904 pkts/sec (listen lock scaling) ● Loose=0 and and DROP INVALID pkts – 5.533.056 pkts/sec 17/36 DDoS protection using Netfilter/iptables

  18. Conntrack perf(4) SYN-ACK attack Conntrack perf(4) SYN-ACK attack ● SYN-ACK attacks , conntrack performance – SYN-ACKs don't auto create connections – Thus, changing “loose” setting is not important ● Default pass INVALID pkts (and “loose=1”) – 230.348 pkts/sec ● Default DROP INVALID pkts (and “loose=1”) – 5.382.265 pkts/sec ● Default DROP INVALID pkts (and “loose=0”) – 5.408.307 pkts/sec 18/36 DDoS protection using Netfilter/iptables

  19. Synproxy performance Synproxy performance ● Only conntrack SYN attack problem left – Due to conntrack insert/delete lock scaling ● ( fixed in kernel v3.15) ● Base performance: – 244.129 pkts/sec -- LISTEN sock + no iptables rules Loading conntrack: (SYN flood, causing new conntrack) ● – 172.992 pkts/sec -- LISTEN sock + conntrack Using SYNPROXY ● – 2.869.824 pkts/sec -- LISTEN sock + synproxy + conntrack ● Parallel SYN cookies ● Delay creating conntrack until 3WHS-ACK 19/36 DDoS protection using Netfilter/iptables

  20. iptables: synproxy setup(1) iptables: synproxy setup(1) Using SYNPROXY target is complicated ● SYNPROXY works on untracked conntracks In “raw” table, “notrack” SYN packets: iptables -t raw -I PREROUTING -i $DEV -p tcp -m tcp -- syn \ --dport $PORT -j CT --notrack 20/36 DDoS protection using Netfilter/iptables

  21. iptables: synproxy setup(2) iptables: synproxy setup(2) ● More strict conntrack handling – Need to get unknown ACKs (from 3WHS) to be marked as INVALID state ● (else a conntrack is just created) Done by sysctl setting: /sbin/sysctl -w net/netfilter/nf_conntrack_tcp_loose=0 21/36 DDoS protection using Netfilter/iptables

  22. iptables: synproxy setup(3) iptables: synproxy setup(3) ● Catching state: – UNTRACKED == SYN packets – INVALID == ACK from 3WHS Using SYNPROXY target: iptables -A INPUT -i $DEV -p tcp -m tcp --dport $PORT \ -m state --state INVALID,UNTRACKED \ -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 22/36 DDoS protection using Netfilter/iptables

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
No Cloud Allowed Denying Service to DDOS Protection Services Presented by: Allison Nixon

No Cloud Allowed Denying Service to DDOS Protection Services Presented by: Allison Nixon

No Cloud Allowed Denying Service to DDOS Protection Services Presented by: Allison Nixon Allison.Nixon@integralis.com Pentesting, Incident Response PaulDotCom host Cloud Based DDOS Protection How it works Fundamental flaws

875 views • 25 slides
.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS A)ack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos A)acks Few Qmes

150 views • 13 slides
Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS

Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS

Best Practices for Using CDNs Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS Protection As your principle, CDNs distribute traffic around the world to the closest pop for client, using anycast

915 views • 11 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

1 DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology of work DDoS tactics in-the-wild and how to improve Ready, set, FACEPALM! Q&A ~$ whoami 3 Moshe Zioni, Head of Research,

656 views • 47 slides
Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking

Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking

Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking SSP 2018, Hildesheim Lukas Ifflnder , Stefan Geissler, Jrgen Walter, Lukas Beierlieb, Samuel Kounev 08.11.2018

677 views • 46 slides
Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim to DDoS mitigation service SOS "I am getting DoSd" 2 DDoS Transport Choice SOS : Requirements Emergency signal.

247 views • 5 slides
Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense

Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense

Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense e Quan Jia, Huangxin Wang, Dan Fleck, Fei Li, Angelos Stavrou, Walter Powell Presented by Surya Mani Content u Motivation u Related Work u

262 views • 23 slides
Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. Independent academic R&D division of Nexusguard building next

764 views • 44 slides
Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent the access to a computer system to it's legitimate users. DDoS: DoS attack on the network using a lot of different source IP Why:

327 views • 16 slides
DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How DDoS works UDP Data Client Server Response TCP DDoS Distributed denial-of-service attack Attacker targets a victim from a number of

356 views • 22 slides
A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon guillaume.valadon@ssi.gouv.fr RIPE 70 - May, 11 2015 ANSSI - http://www.ssi.gouv.fr/guide-ddos & https://goo.gl/UL8M1 1/12 ANSSI Created on July 7th 2009,

142 views • 12 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim fons.mijnen@os3.nl max.grim@os3.nl 2 DDoS attacks DDoS attacks are a problem internet users have faced for many years, and is still relevant today. 3 DDoS

531 views • 52 slides
Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Introduction: Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation Attacker signals slaves to launch an attack on a specific target address (victim). Slaves then respond by Comp290: Network

275 views • 9 slides
Analysis of Control, Data separation in ForCES protocol for protection against DoS attacks

Analysis of Control, Data separation in ForCES protocol for protection against DoS attacks

Analysis of Control, Data separation in ForCES protocol for protection against DoS attacks Hormuzd Khosravi Shashidhar Lakkavalli Lily Yang 60 th IETF Meeting, San Diego 1 Problem Statement Requirements RFC 3654 Protection against

629 views • 7 slides
Host Identity Indirection Infrastructure Hi 3 Jari Arkko, Pekka Nikander and Brje Ohlman

Host Identity Indirection Infrastructure Hi 3 Jari Arkko, Pekka Nikander and Brje Ohlman

Host Identity Indirection Infrastructure Hi 3 Jari Arkko, Pekka Nikander and Brje Ohlman Ericsson Research Presentation outline Motivation Background Secure i 3 Hi 3 Summary 2 Hi 3 motivation Question: How to get

457 views • 21 slides
Listening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren

Listening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren

Listening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren Anstee EMEA Solutions Architect Introduction Security has an increased focus from ALL businesses, whether they are an enterprise, ISP, IDC or

926 views • 60 slides
Alm dos Containers na Nuvem QConSP - Containers & Devops 26 April 2017 Guilherme Rezende

Alm dos Containers na Nuvem QConSP - Containers & Devops 26 April 2017 Guilherme Rezende

Alm dos Containers na Nuvem QConSP - Containers & Devops 26 April 2017 Guilherme Rezende Globo.com About me Software Engineer at Globo.com/Tsuru @guilhermebr (GitHub) in/guilhermebr (LinkedIn) @gbrezende (Twitter) Agenda Cloud Native

636 views • 45 slides
Presented by Jason A. Donenfeld February 28, 2017 Who Who Am I? Am I? Jason Donenfeld, also

Presented by Jason A. Donenfeld February 28, 2017 Who Who Am I? Am I? Jason Donenfeld, also

Presented by Jason A. Donenfeld February 28, 2017 Who Who Am I? Am I? Jason Donenfeld, also known as zx2c4 , no academic affiliation. Background in exploitation, kernel vulnerabilities, crypto vulnerabilities, though quite a bit of

432 views • 31 slides
Time Series Models and its Relevance to Modeling TCP SYN based DoS attacks Cyriac James, Hema A.

Time Series Models and its Relevance to Modeling TCP SYN based DoS attacks Cyriac James, Hema A.

Time Series Models and its Relevance to Modeling TCP SYN based DoS attacks Cyriac James, Hema A. Murthy Department of Computer Science & Engineering Indian Institute of Technology Madras, India June 23, 2011 Cyriac James, Hema A. Murthy

363 views • 18 slides
Topics in the Office of Inspector General Office of Inspector General, U.S. Department of

Topics in the Office of Inspector General Office of Inspector General, U.S. Department of

Topics in the Office of Inspector General Office of Inspector General, U.S. Department of Transportation Presented by: Tony Wysocki | Program Director, Surface Transportation Audits Mike Masoudian | Project Manager, Surface Transportation Audits

800 views • 44 slides
RAD Presentation Lafayette, LA June 21, 2015 Rental Assistance Demonstration Public Housing

RAD Presentation Lafayette, LA June 21, 2015 Rental Assistance Demonstration Public Housing

RAD Presentation Lafayette, LA June 21, 2015 Rental Assistance Demonstration Public Housing Inventory ~ 1.15 million units across 3,100+ PHAs; 16,000+/- projects Capital repair needs in excess of $25.6B across portfolio ($23,365/unit)

674 views • 44 slides

More recommend