netfilter/iptables synproxy; need help deciding
Hi,

I guess syncookies wasn't enough, and the SYNPROXY target is a relatively new addition to netfilter. If I remember correctly this has been a part of BSD PF for quite some time and is pretty easy to get up and working. I recently tried to set this up on one of my gateways, considering that it's just one less uncovered means for somebody to be a dick that I have to deal with in the future. But, after spending some time researching and asking on Freenode, I have been unable to determine whether or not it works, or even makes any sense. I'm starting to think it's a moot point.

pastie.org/private/gjsypxkpjs8kuev0tlbxrw#22 (iptables rules; plenty of things to pick at, but please try to focus on the subject of synproxy for the purpose of this e-mail.)

Based on the following table I want to say it's not working, because it seems to never change: http://pastie.org/private/xwct5opbb0aajcko2tnpw

More info on /proc/stat/synproxy: http://www.spinics.net/lists/netdev/msg264350.html

My only guess is that you can't do this at all with NAT because it relies on conntrack, or maybe it will only work with SNAT? I don't understand this well enough to say; are proper firewall rules really a science that needs to be understood that far in depth? Why is this not documented? This tutorial seems to indicate that you could use this with a NAT'd network: http://www.academia.edu/6773989/Homemade_DDoS_Protection_Using_IPTables_SYNP...

I really would like to come to some closure on this subject. Whether it needs to be done right or not done at all, I'm tired of it looming over me. I really want to believe I should do the very best to have all mitigation techniques already in place, but I'm having a hard time understanding why this is next to impossible to figure out if it's so important. #netfilter on freenode is next to no help, the mailing list seems to be unavailable....

The things people are saying about how I should "just switch" back to using pf seem like a drastic solution when people in #netfilter are so content (yet many of them have never heard of synproxy before.)

Any thoughts on this are appreciated,
-Paige
On Oct 8, 2014, at 9:43 PM, Paige Thompson <paigeadele@gmail.com> wrote:
Any thoughts on this are appreciated,
<http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>
<https://app.box.com/s/e6hdt0iansu1sdb6m42t> pp. 30-36.

----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Equo ne credite, Teucri.
-- Laocoön
On 10/08/14 17:54, Roland Dobbins wrote:
On Oct 8, 2014, at 9:43 PM, Paige Thompson <paigeadele@gmail.com> wrote:
Any thoughts on this are appreciated,

<http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>
<https://app.box.com/s/e6hdt0iansu1sdb6m42t> pp. 30-36.
Re pp. 30-36: I think I catch your drift (i.e. using Cisco NetFlow to detect a SYN flood?), but would you care to summarize just in case, because I am not this savvy but would like to understand.

Also, in regards to Snort inline, I've been trying to figure out whether or not Snort/DAQ/NFQ (netfilter) is appropriate or not. I cannot get this to work, but it seems like on a gateway, for example, where I have all of this iptables stuff, NFQ would be appropriate and would probably help with all of the false positives (3-way handshake and a couple of others) I see when trying to use the pcap driver (the only one that will work).
On Oct 8, 2014, at 10:24 PM, Paige Thompson <paigeadele@gmail.com> wrote:
Re pp: 30-36 I think I catch your drift (ie: using cisco netflow to detect a synflood?) but would you care to summarize just in case because I am not this savvy, but would like to understand.
Yes, you can do that - there are plenty of open-source tools out there. But pay attention to the infrastructure and host BCPs in that preso, as well.
Also in regards to snort inline, I've been trying to figure out whether or not Snort/DAQ/NFQ (netfilter) is appropriate or not.
Yes, you can use it as a super-ACL. Beyond that, reverse-proxy caches are useful, as well, as noted in the cited historical email.

----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Equo ne credite, Teucri.
-- Laocoön
Sorry, I am doing multiple things at once and my setup is at home... just a bit more information.

I used a fresh, latest-version CentOS 7 installation for my bridge (3 NICs, 2 in the bridge). In my case the output of /proc/net/stat/synproxy you show on http://pastie.org/private/xwct5opbb0aajcko2tnpw did change the first number underneath syn_received. I don't believe any other value changed during my test SYN flood (using hping from an external internet server to port 80 of the webserver behind the bridge).

You may contact me off list if you wish more information about what I configured. Planning on testing a full-scale flood later this week, but I currently lack hardware at home.

Kind regards / Vriendelijke groet,

IS Group
Thijs Stuurman

Powered by results.

Wielingenstraat 8 | T +31 (0)299 476 185
1441 ZR Purmerend | F +31 (0)299 476 288
http://www.is.nl | KvK Hoorn 36049256

IS Group is ISO 9001:2008, ISO/IEC 27001:2005, ISO 20.000-1:2005, ISAE 3402 and PCI DSS certified.

-----Original message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On behalf of Paige Thompson
Sent: Wednesday, October 8, 2014 4:44 PM
To: nanog@nanog.org
Subject: netfilter/iptables synproxy; need help deciding
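An added example, not posted by anyone in this thread: the SYNPROXY rule set as documented in the iptables-extensions(8) man page (untrack the bare SYN in the raw table, hand UNTRACKED/INVALID packets for the service port to SYNPROXY, drop what is still INVALID, and set the sysctls the man page requires), together with a small check that answers the question both Paige and Thijs are circling: did the counters in /proc/net/stat/synproxy move during a test flood? The interface, port and chain are parameters I chose (INPUT for a host, FORWARD for a bridge like Thijs's); the two snapshots are constructed, not captured from anyone's box; and the NAT question raised in the thread is not settled by this example, which assumes no NAT on the protected port.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the man-page SYNPROXY recipe and
# checks whether SYNPROXY is actually seeing SYNs by diffing counter snapshots.

# Rules per iptables-extensions(8), SYNPROXY section. Interface, port and chain
# are assumptions with defaults; NAT on the protected port is not covered.
synproxy_rules() {
    iface=${1:-eth0}; port=${2:-80}; chain=${3:-INPUT}
    cat <<EOF
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_timestamps=1
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
iptables -t raw -A PREROUTING -i $iface -p tcp -m tcp --syn --dport $port -j CT --notrack
iptables -A $chain -i $iface -p tcp -m tcp --dport $port -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A $chain -i $iface -p tcp -m tcp --dport $port -m conntrack --ctstate INVALID -j DROP
EOF
}

# Sum one named column of a /proc/net/stat/synproxy snapshot across all CPU
# rows. $1 = snapshot text, $2 = header column name (e.g. syn_received).
# The file holds zero-padded hex; POSIX awk has no hex conversion, so do it by hand.
synproxy_sum() {
    printf '%s\n' "$1" | awk -v col="$2" '
        function hex2dec(h,   i, n) {
            h = tolower(h); n = 0
            for (i = 1; i <= length(h); i++)
                n = n * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
            return n
        }
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == col) c = i; next }
        c && NF >= c { total += hex2dec($c) }
        END { print total + 0 }'
}

# Change in one counter between a "before" ($1) and "after" ($2) snapshot.
synproxy_delta() { echo $(( $(synproxy_sum "$2" "$3") - $(synproxy_sum "$1" "$3") )); }

# Succeeds only if syn_received grew, i.e. the SYNPROXY rule matched traffic.
synproxy_active() { [ "$(synproxy_delta "$1" "$2" syn_received)" -gt 0 ]; }

# Constructed snapshots in the file's layout: header, then one hex row per CPU.
# The numbers are made up for this example (0x3e8 + 0x190 SYNs on two CPUs).
SNAP_BEFORE='entries syn_received cookie_invalid cookie_valid cookie_retrans conn_reopened
00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000'
SNAP_AFTER='entries syn_received cookie_invalid cookie_valid cookie_retrans conn_reopened
00000000 000003e8 00000002 00000005 00000000 00000000
00000000 00000190 00000000 00000001 00000000 00000000'

# Live use: before=$(cat /proc/net/stat/synproxy); run the flood, e.g.
# hping3 -S -p 80 --flood <target>; after=$(cat /proc/net/stat/synproxy); compare.
synproxy_rules eth0 80 FORWARD
for col in syn_received cookie_invalid cookie_valid cookie_retrans conn_reopened; do
    printf '%-15s %d\n' "$col" "$(synproxy_delta "$SNAP_BEFORE" "$SNAP_AFTER" "$col")"
done
if synproxy_active "$SNAP_BEFORE" "$SNAP_AFTER"; then
    echo "SYNPROXY is handling SYNs"
else
    echo "counters flat: the SYNPROXY rule is not matching this traffic"
fi
```

A flat syn_received after a flood means the packets never reached the SYNPROXY rule (wrong interface, wrong chain for a bridge, or the raw-table NOTRACK rule not matching), not that the target is broken; cookie_valid should climb roughly in step with completed handshakes from real clients.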
participants (3)
- Paige Thompson
- Roland Dobbins
- Thijs Stuurman