DDOS UDP resource depetion attack



  • Hello Everyone,

    This morning I woke up to my internet/server being attacked, It's a good way to wake up fast. I managed to block the attacking IP's manually but I was hoping there would be a automated way.

    Setup
    Internet>>>PFSENSE>>DMZ>>Server>> Service UDP:6969

    What they were doing was sending UDP packets to the server and registering fake clients. The state table of pfsense was around 300.000 stats and the service was also having issues.

    I made the fallowing changes:
    Expanded mem from 256 to 1GB.
    Expanded stats table from 10.000 to 1.000.000.
    Manually went trough the stat table and blocking IP's with to many stats.

    My question is there any way of automating the blocking of IP's who are making to many UDP connections. I found the ratelimit but it's telling me TCP only. I would love your feedback as am sure this will not be the last time and the attackers will adapt to my IP blocking.



  • There are two ways that come to mind.

    1.  On the port you opened for this service, at the bottom in the advanced, set either:
          Maximum number of established connections per host
          Maximum state entries per host
          Maximum new connections / per second(s)

    2.  Use SNORT - It does this sort of thing for you, but I've usually considered it to be overly active for my needs.

    If the attack is coming from one certain region, that no one should be connecting from, you could also try pfBlocker package.
    PFblocker should allow you to block out certain countries or regions or IP ranges.

    (OK - Thats was slightly more than 2, but I'm American…  Counting isn't my strong suit)



  • @kejianshi:

    There are two ways that come to mind.

    1.  On the port you opened for this service, at the bottom in the advanced, set either:
          Maximum number of established connections per host
          Maximum state entries per host
          Maximum new connections / per second(s)

    2.  Use SNORT - It does this sort of thing for you, but I've usually considered it to be overly active for my needs.

    If the attack is coming from one certain region, that no one should be connecting from, you could also try pfBlocker package.
    PFblocker should allow you to block out certain countries or regions or IP ranges.

    (OK - Thats was slightly more than 2, but I'm American…   Counting isn't my strong suit)

    1. Is perfect but the thing is it doesn't work for UDP, I already looked :(
    2. Ill take a look at snort.
    3. Country blocking is no option for me.



  • OOOOOHHHH…..  Then you are down to SNORT.

    (Often, when it comes to DOS attacks, I just grin and bear it.  This is one of the reasons I run a router that is overkill for my needs with memory and WAN NIC card thats over kill for my needs.  To accommodate my actual services and to accommodate the DOS attacks.)
    I've sat back and watch people go for ages and ages at my SIP server.  They quit eventually.  Its also less fun for them if you ignore them.  DOS attacks use their valuable resources also.


  • Banned

    Afraid the snort will just act as DoS amplifier…



  • @kejianshi:

    OOOOOHHHH…..   Then you are down to SNORT.

    (Often, when it comes to DOS attacks, I just grin and bear it.  This is one of the reasons I run a router that is overkill for my needs with memory and WAN NIC card thats over kill for my needs.  To accommodate my actual services and to accommodate the DOS attacks.)
    I've sat back and watch people go for ages and ages at my SIP server.  They quit eventually.  Its also less fun for them if you ignore them.  DOS attacks use their valuable resources also.

    Yah am lauching in my fist (dutch expression) they are still pumping 60Mbit of traffic my way and not accomplishing anything and i don't have a datalimit.

    Afraid the snort will just act as DoS amplifier…

    Thats what am afraid of as well i currently have 100k legitimate stats. If snort doubles the cpu cycles needed am better off just accepting the DDoS.

    It's really to bad that there isn't away to limit UDP connections as in the way you can do TCP.



  • From: http://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5

    The following limits can be set:

    max-src-nodes <number>Limits the maximum number of source addresses which can simultane-
      ously have state table entries.
        max-src-states <number>Limits the maximum number of simultaneous state entries that a sin-
      gle source address can create with this rule.</number></number>

    A couple of days ago we implemented code to allow UDP and ICMP rules to use these (in addition to TCP). I suspect that max-src-states is what you are looking for. Of course, the new code that lets that happen on the GUI is in 2.1-RC0 - if you are on a really new 2.1-RC0 snapshot then you will get this flexibility.



  • For me, when I think about snort, I'm not sure which is worse.  The DOS attack or the hassle of using SNORT.  Flip a coin.



  • Now - There is a good solid reason to go to 2.1 for the masses for sure.



  • @phil.davis:

    From: http://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5

    The following limits can be set:

    max-src-nodes <number>Limits the maximum number of source addresses which can simultane-
      ously have state table entries.
        max-src-states <number>Limits the maximum number of simultaneous state entries that a sin-
      gle source address can create with this rule.</number></number>

    A couple of days ago we implemented code to allow UDP and ICMP rules to use these (in addition to TCP). I suspect that max-src-states is what you are looking for. Of course, the new code that lets that happen on the GUI is in 2.1-RC0 - if you are on a really new 2.1-RC0 snapshot then you will get this flexibility.

    Thats great news. Am currently running 2.1-RC0 (amd64) built on Mon Jul 22 15:44:15 EDT 2013. Ill update my pfsense and report back.

    Edit:

    Perfect works like a charm, You have great timing phil.davis!! if you're ever in in netherlands ill buy you a beer




  • Is this supposed to be in the latest release 2.1?  I have it but the options for udp and icmp are not there.  They are only for tcp.  If not, where do I get this version?



  • The code was enhanced further since that 2.1-RC0 screen shot. Various fields used to only work if you actually specified one of TCP, UDP, TCP/UDP or ICMP as the rule protocol - so the screen had (TCP/UDP/ICMP) in brackets for those to give the user a clue. Later the code was broadened so you could specify "all" protocols and the setting would be applied to "all" the protocols as broadly as it can actually be - e.g. for stateless protocols the "Maximum state entries" obviously will never be exceeded. So the "hints" in brackets have been removed.
    The ones that are left are to indicate fields that really do only apply to TCP.
    I believe it all works  :)
    2.1-RELEASE Firewall Rules Edit, Advanced Features, Advanced Options looks like:




  • Hmmmm….I have the maximum state entries per host set to 1000 and when I flood the wan from the lan with tcp packets, it shuts me down real quick and works as expected.  If I do the same with UDP or ICMP packets, it allows them forever rendering the network useless.  Any ideas?



  • I did a quick test of the rule generation, and it seems OK. When the rule is "Protocol any" it simply does not mention the protocol in the generated rule. So I would hope it works for all the protocols that pf creates state for - TCP, UDP and ICMP.
    Does your rule have "protocol any" selected?
    Can you actually send 1000 new UDP source/destination pairs before the 1st one has timed out? (I expect so - the UDP state timer should be quite long)

    Note: In the "pf" man page - http://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5&n=1 - does seem to imply that these sort of special settings need one of the source track statements:

    source-track rule
    source-track global
    

    pfSense is not putting either of those on the "pf" rule, but it does seem to work without it, certainly for TCP from your testing.


  • Banned

    Snort works very good at handling DDoS… just kill the states when detected and youre fine.

    Runs here on more than 60+ firewalls....



  • Yes, the rule is set for any.  Basically I am testing flooding the wan from the lan to simulate a user on the network trying to bring it down.  According to pfTop there is only 15 states, but each one is sending the packets at wire speed adding up to hundreds of megs and it is then passing through to the WAN.  So I'm thinking the number of states isn't really the problem but I would like be able to detect a user flooding the WAN via the LAN with UDP packets.  Setting the max states works great with TCP and shuts down the traffic from this user on the LAN and the WAN, but if I flood with UDP since the states don't exceed the number in the rule it allows them which saturates the LAN and the WAN.  How do I stop this?  If there a way to set a rule that says if user sends more than XX packets per second to from the LAN to the WAN to block them?