firehol / firehol

A firewall for humans...
GNU General Public License v2.0

DDoS Mitigation #132

Open infinitnet opened 8 years ago

infinitnet commented 8 years ago

Just wanted to suggest implementing some of the rules found here https://javapipe.com/iptables-ddos-protection in Firehol.

ktsaou commented 8 years ago

It's already there, for more than a year.

https://github.com/firehol/firehol/wiki/Working-with-SYNPROXY https://github.com/firehol/firehol/wiki/Working-with-SYNPROXY-and-traps

Also, there is support for synproxy in netdata: https://github.com/firehol/netdata/wiki/Monitoring-SYNPROXY

Also firehol has the most complete SYNPROXY support I have seen. It supports SYNPROXY in all possible setups.

infinitnet commented 8 years ago

I know SYNPROXY is there, I was rather talking about using the mangle table + PREROUTING chain for better performance and the malformed packet rules.

ktsaou commented 8 years ago

Oh! I see. Sorry!

firehol already has several such rules under the protection keyword. It does not apply them to mangle, since this breaks the netfilter guidelines that mandate all filtering to be done at the filter table. firehol also allows you to define which of them you want per interface or router.

Check this: https://firehol.org/firehol-manual/firehol-protection/

and here are the current rules:

https://github.com/firehol/firehol/blob/master/sbin/firehol.in#L5894-L6043

It would be good if we could compare all one-by-one to find which one is missing. I am under pressure with netdata these days, so if you can help, please do. Otherwise, I will have a look...

infinitnet commented 8 years ago

According to the article, using the PREROUTING chain and mangle table for filtering increases the performance a lot, so maybe it's worth considering breaking the netfilter guidelines in this particular case.

Anyway, I've been looking at your current rules and the ones that seem to be missing according to the link you provided are:

# new connections advertising an uncommon MSS (or no MSS option at all)
/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
# bogus TCP flag combinations (NULL, SYN+FIN, FIN without ACK, Xmas, ...)
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
# spoofed packets from private, reserved or otherwise unroutable source addresses
/sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
# RST floods: rate-limit RSTs in the filter table, drop the excess
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 4 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

ktsaou commented 8 years ago

Thanks!

The ones with IP addresses should not be hardcoded. In firehol the user may add these to rules, using the "${PRIVATE_IPS}" or "${UNROUTABLE_IPS}".

I guess what remains are:

  1. Add the TCP flags ones to malformed-bad
  2. Add uncommon-mss
  3. Add rst-floods

Regarding the mangle table for filtering, I agree, but on modern server hardware this should be a problem only if you have a 10+Gbps link to the internet. With just <1Gbps I don't think you will even notice the performance difference. I have to admit however that I like the idea of adding a helper statement to apply these protection rules globally. They have to be constrained however to the traffic the admin wants to filter. I'll think about it.

I guess it would also be nice to write a wiki page regarding firehol and DDoS mitigation on the internet facing interfaces and routers. I'll attempt to do this too.
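The rule list posted above and the two points made in reply (keep the address prefixes in one list instead of hard-coding them per rule, and constrain the rules to the interface being protected) can be checked without a kernel. The following is an added example written for this page, not code from firehol, javapipe or either commenter: it re-implements the netfilter matches the rules rely on (--tcp-flags, -m tcpmss, -s prefix matching, -m limit) in Python and runs constructed packets through them. The Packet fields, the wan_iface parameter and the sample addresses are assumptions of the example.

```python
"""Model of the iptables rules posted in this issue, written for this page as
an added example (not firehol's or javapipe's code). It re-implements the
netfilter semantics of --tcp-flags, -m tcpmss, -s prefix matching and -m limit
in plain Python so the rule set can be exercised against constructed packets
without root or a kernel. Packet and wan_iface are assumptions of the model."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(TCP_FLAGS.values())

def flagset(spec: str) -> int:
    """Turn an iptables flag list ('FIN,SYN', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    return sum(TCP_FLAGS[f] for f in spec.split(","))

def tcp_flags_match(flags: int, mask: str, comp: str) -> bool:
    """--tcp-flags MASK COMP: only the MASK bits are examined and must equal COMP."""
    return flags & flagset(mask) == flagset(comp)

@dataclass
class Packet:
    src: str
    iface: str = "eth0"
    flags: int = 0              # TCP flag bits; the model only carries TCP packets
    mss: Optional[int] = None   # MSS option value, None when the option is absent
    ctstate: str = "NEW"

# (mask, comp) pairs of the posted --tcp-flags rules, in the posted order
MALFORMED_FLAGS = [
    ("FIN,SYN,RST,PSH,ACK,URG", "NONE"),
    ("FIN,SYN", "FIN,SYN"),
    ("FIN,RST", "FIN,RST"),
    ("FIN,ACK", "FIN"),
    ("ACK,URG", "URG"),
    ("ACK,FIN", "FIN"),         # same test as ("FIN,ACK", "FIN"); flag order is irrelevant
    ("ACK,PSH", "PSH"),
    ("ALL", "SYN,FIN,PSH,URG"),
]

# Source prefixes of the posted -s rules, kept in one list rather than one rule
# each (the role firehol gives ${PRIVATE_IPS}/${UNROUTABLE_IPS}; these are the
# posted values, not firehol's definitions). 240.0.0.0/5 lies inside
# 224.0.0.0/3, so the separate 240/5 rule can never be the one that matches.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24",
    "192.168.0.0/16", "10.0.0.0/8", "0.0.0.0/8", "240.0.0.0/5")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def prerouting_drop_reason(pkt: Packet, wan_iface: str = "eth0") -> Optional[str]:
    """Walk the posted PREROUTING drops in order and return the name of the
    first rule that matches, or None if the packet passes them all. Unlike the
    posted global mangle rules, they are applied only to packets arriving on
    wan_iface, the per-interface constraint discussed in the thread."""
    if pkt.iface != wan_iface:
        return None
    if pkt.ctstate == "NEW":
        # -m tcpmss ! --mss 536:65535. xt_tcpmss returns its invert flag when the
        # packet carries no MSS option at all, so a NEW packet without one (for
        # example a mid-stream ACK admitted by nf_conntrack_tcp_loose) is dropped too.
        if pkt.mss is None or not 536 <= pkt.mss <= 65535:
            return "uncommon-mss"
    for mask, comp in MALFORMED_FLAGS:
        if tcp_flags_match(pkt.flags, mask, comp):
            return f"malformed-flags {mask} {comp}"
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in BOGON_SOURCES):
        return "bogon-source"
    if src in LOOPBACK and pkt.iface != "lo":
        return "loopback-spoof"
    return None

class RateLimit:
    """-m limit --limit RATE/s --limit-burst BURST, modelled as a token bucket
    that starts full; `now` is passed in so runs are deterministic."""
    def __init__(self, rate_per_s: float, burst: int):
        self.rate, self.burst = rate_per_s, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = max(self.last, now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def rst_verdict(limiter: RateLimit, pkt: Packet, now: float) -> str:
    """The two posted INPUT rules: RSTs are accepted while tokens last and
    dropped beyond that; anything else continues down the INPUT chain."""
    if not tcp_flags_match(pkt.flags, "RST", "RST"):
        return "CONTINUE"
    return "ACCEPT" if limiter.allow(now) else "DROP"
```

Running constructed packets through prerouting_drop_reason shows what the list actually does: a NULL scan is caught by the first flags rule, an Xmas probe (FIN,PSH,URG) by "FIN,ACK FIN", a normal FIN,ACK teardown passes, and the duplicated "ACK,FIN FIN" rule never fires because "FIN,ACK FIN" already matched the same bits. The MSS rule is the one to watch before enabling it on a router: because xt_tcpmss treats a packet with no MSS option as matching the negated range, a NEW packet without the option is dropped along with genuinely odd MSS values. With RateLimit(2, 4), six RSTs in the same second give four ACCEPTs and two DROPs, and one second later two more tokens have accrued.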

infinitnet commented 8 years ago

Yes, that's about what I'd love to see in firehol. Thank you for your time!