iptables ddos protection using netfilter/iptables

Post on 10-Feb-2018


  • 7/22/2019 Iptables DDoS protection Using Netfilter/iptables

  • Slide 1/36: DDoS protection using Netfilter/iptables

    Jesper Dangaard Brouer, Senior Kernel Engineer, Red Hat
    Network-Services-Team, DevConf.cz, Feb 2014
    Email: brouer@redhat.com, netoptimizer@brouer.com, hawk@kernel.org
  • Slide 2/36: Who am I?

    Name: Jesper Dangaard Brouer
    Linux Kernel Developer at Red Hat
    Edu: Computer Science for Uni. Copenhagen
    Focus on Network, Dist. sys and OS
    Linux user since 1996, professional since 1998
    Sysadm, Kernel Developer, Embedded
    OpenSource projects, author of: ADSL-optimizer, CPAN IPTables::libiptc, IPTV-Analyzer
    Patches accepted into Linux kernel, iproute2, iptables, libpcap and Wireshark
    Organizer of Netfilter Workshop 201

  • Slide 3/36: What will you learn?

    Linux Kernel is vulnerable to simple SYN attacks
    End-host mitigations already implemented in kernel
    show it is not enough
    Kernel: serious "listen" socket scalability problem
    solution is stalled ... how to work-around this
    Firewall-based solution: synproxy (iptables/netfilter)
    How fast is stateful firewalling? Where are our pain points?
    Learn Netfilter tricks: boost performance a factor 10

  • Slide 4/36: First: Basic NIC tuning 101

    All tests in presentation
    Basic tuning
    First kill irqbalance
    NIC hardware queues are CPU aligned
    Disable Ethernet flow-control
    Intel ixgbe hw driver issue
    single blocked hw queue blocks others. Fix in kernel v

  • Slide 5/36: Focus: Flooding DoS attack

    Denial of Service (DoS) attacks
    Focus: TCP flooding attacks
    Attacking the N-ACK floods
    ACK floods (

  • Slide 6/36: Linux current end-host mitigations

    Jargon: RFC 4987 (TCP SYN Flooding Attacks and Common Mitigations)
    Linux uses hybrid solution
    SYN "cache"
    Mini request socket
    Minimize state, delay full state alloc
    SYN "backlog" of outstanding request sockets
    Above limit, use SYN "cookies"

  • Slide 7/36: Details: SYN "cache" savings

    Small initial TCB (Transmission Control Block)
    struct request_sock (size 56 bytes)
    mini sock to represent a connection request
    But alloc size is 112 bytes (SLAB behind have sizeof(struct tcp_request_sock))
    Structs embedded in each-other:
    56 bytes struct request_sock
    80 bytes struct inet_request_sock
    112 bytes struct tcp_request_sock
    Full TCB (struct inet_sock) is 8

  • Slide 8/36: Details: Increasing SYN backlog

    Not recommended to increase for DoS
    Only increase, if legitimate traffic cause log:
    "TCP: Possible SYN flooding ..."
    Increasing SYN backlog is not obvious
    Adjust all these:
    /proc/sys/net/ipv4/tcp_max_syn_backlog
    /proc/sys/net/core/somaxconn
    Syscall listen(int sockfd, int backlog)

  • Slide 9/36

  • Slide 10/36: Details: SYN-cookies

    SYN cookies SHA calculation is expensive
    SNMP counters (Since kernel v

  • Slide 11/36: So, what is the problem?

    Good End-Host counter-measurements
    Problem: LISTEN state scalability problem
    Vulnerable for all floods:
    SYN, SYN-ACK and ACK floods
    Numbers: Xeon CPU X5550 10G ixgbe
    NO LISTEN socket:
    2.904.128 pkts/sec -- SYN attack
    LISTEN socket:
    252.0N attack

  • Slide 12/36: Problem: SYN-cookie vs LISTEN lock

    Main problem:
    SYN cookies live under LISTEN lock
    I proposed SYN brownies fix (May 2012)
    http://thread.gmane.org/gmane.linux.network/2

  • Slide 13/36: Firewall and Proxy solutions

    Network-based countermeasures
    Wesley M. Eddy, describes SYN-proxy
    In Cisco: The Internet Protocol Journal - Volume 9, Number 4, 2006, link: http://goo.gl/A1AAZ
    Netfilter: iptables target SYNPROXY
    Avail in kernel

  • Slide 14/36: SYN proxy concept

  • Slide 15/36: SYNPROXY needs conntrack

    Will that be a performance issue?
    Base performance:
    2.964.091 pkts/sec -- NO LISTEN sock, no iptables rules
    244.129 pkts/sec -- LISTEN sock, no iptables rules
    Loading conntrack: (SYN flood, causing new conntrack
    4

  • Slide 16/36: Conntrack performance(2

    Conntrack (lock-less) lookups are really fast
    Problem is insert and delete conntracks
    Use to protect against SYN-ACK and ACK attacks
    Default netfilter is in TCP "loose" mode: allow ACK pkts to create new connection
    Disable via cmd:
    sysctl -w net/netfilter/nf_conntrack_tcp_loose=0
    Take advantage of state "INVALID": drop invalid pkts before reaching LISTEN socket
    iptables -A INPUT -m state --state INVALID -j DROP

  • Slide 17/36: Conntrack perf(3

  • Slide 18/36: Conntrack perf(4 SYN-ACK attack

    SYN-ACK attacks, conntrack performance
    SYN-ACKs don't auto create connections
    Thus, changing "loose" setting is not important
    Default pass INVALID pkts (and "loose"=1
    2

  • Slide 19/36: Synproxy performance

    Only: conntrack SYN attack problem left
    Due to conntrack insert lock scaling
    Base performance:
    244.129 pkts/sec -- LISTEN sock, no iptables rules
    Loading conntrack: (SYN flood, causing new conntrack)
    12.992 pkts/sec -- LISTEN sock + conntrack
    Using SYNPROXY:
    ,-.0-.,1 pkts/sec -- LISTEN sock synproxy conntrack

  • Slide 20/36: iptables: synproxy setup(1

    Using SYNPROXY target is complicated
    SYNPROXY works on untracked conntracks
    In "raw" table, "notrack" SYN packets:
    iptables -t raw -I PREROUTING -i $DEV -p tcp -m tcp --syn \
        --dport $PORT -j CT --notrack

  • Slide 21/36: iptables: synproxy setup(2

    More strict conntrack handling
    Need to get unknown ACKs (from

  • Slide 22/36: iptables: synproxy setup(3, SYNPROXY target:

    iptables -A INPUT -i $DEV -p tcp -m tcp --dport $PORT \
        -m state --state INVALID,UNTRACKED \
        -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460

  • Slide 23/36: iptables: synproxy setup(4

    Trick to catch SYN-ACK floods
    Drop rest of state INVALID, contains SYN-ACK
    iptables -A INPUT -i $DEV -p tcp -m tcp --dport $PORT \
        -m state --state INVALID -j DROP
    Enable TCP timestamping
    Because SYN cookies uses TCP options field
    /sbin/sysctl -w net/ipv4/tcp_timestamps=1

  • Slide 24/36: iptables: synproxy setup(5

    Conntrack entries tuning
    Max possible entries 2 Mill
    288 bytes * 2 Mill = 576.0 MB
    net/netfilter/nf_conntrack_max=2000000
    IMPORTANT: Also adjust hash bucket size
    /proc/sys/net/netfilter/nf_conntrack_buckets writeable via /sys/module/nf_conntrack/parameters/hashsize
    Hash 8 bytes * 2 Mill = 16 MB
    echo 2000000 > /sys/module/nf_conntrack/parameters/hashsize
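The synproxy procedure spread over slides 16 and 20 to 24 (notrack the SYN in the raw table, hand INVALID,UNTRACKED packets to SYNPROXY, drop what is still INVALID, enable TCP timestamps and size conntrack) gathered into one script. This is an added example and not the slides' own iptables_synproxy.sh; the device and port are script arguments, the --mss/--wscale values and sysctl numbers are the slide's, and the DRY_RUN switch is an assumption of this example so the generated commands can be inspected on a host without root.

```shell
#!/bin/sh
# Added example: the SYNPROXY setup from the slides as one script.
# Usage:   ./synproxy_setup.sh <dev> <port>        (as root)
#          DRY_RUN=1 ./synproxy_setup.sh eth0 80   (only prints the commands)
# DEV/PORT are placeholders; option values are the ones given on the slides.

DRY_RUN="${DRY_RUN:-0}"

# Execute the given command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Kernel-side settings from the slides:
#  - no "loose" mode: a bare ACK must not create a conntrack entry
#  - TCP timestamps on, since the SYN cookie is carried in TCP options
#  - conntrack table and hash sized for a flood (2 million entries)
synproxy_sysctls() {
    run sysctl -w net/netfilter/nf_conntrack_tcp_loose=0
    run sysctl -w net/ipv4/tcp_timestamps=1
    run sysctl -w net/netfilter/nf_conntrack_max=2000000
    # The bucket count is set through the module parameter, not via sysctl.
    run sh -c 'echo 2000000 > /sys/module/nf_conntrack/parameters/hashsize'
}

# Firewall rules in the order the slides give them.
# $1 = ingress device, $2 = TCP port of the protected service.
synproxy_rules() {
    dev="$1"
    port="$2"
    # 1. raw table: SYNs stay untracked so SYNPROXY can answer them itself.
    run iptables -t raw -I PREROUTING -i "$dev" -p tcp -m tcp --syn \
        --dport "$port" -j CT --notrack
    # 2. SYNPROXY handles the untracked SYN and the client's final ACK
    #    (INVALID to conntrack). The options must match the backend server.
    run iptables -A INPUT -i "$dev" -p tcp -m tcp --dport "$port" \
        -m state --state INVALID,UNTRACKED \
        -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
    # 3. Whatever is still INVALID (SYN-ACK floods, stray ACKs) never
    #    reaches the LISTEN socket.
    run iptables -A INPUT -i "$dev" -p tcp -m tcp --dport "$port" \
        -m state --state INVALID -j DROP
}

# Apply only when invoked with <dev> <port>; sourcing the file just defines
# the functions.
if [ "$#" -eq 2 ]; then
    synproxy_sysctls
    synproxy_rules "$1" "$2"
fi
```

The rule order matters: the raw-table notrack rule must be in place before the INPUT rules, otherwise SYNs are tracked normally and never reach the SYNPROXY target, and the final INVALID drop has to come after the SYNPROXY rule or it would eat the handshake's last ACK.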

  • Slide 25/36: Performance SYNPROXY

    Script iptables_synproxy.sh avail here: https://github.com/netoptimizer/network-testing/blob/master/iptables/iptables_synproxy.sh
    Using SYNPROXY under attack types:
    2.869.824 pkts/sec SYN-flood
    4.948.480 pkts/sec ACK-flood
    5.65

  • Slide 26/36: SYNPROXY parameters

    The parameters given to SYNPROXY target
    Must match the backend-server TCP options
    Manual setup (helper tool nfsynproxy)
    Only one setting per rule
    Not useful for DHCP based network
    Future plan:
    Auto detect server TCP options
    Simply allow first SYN through
    Catch SYN-ACK and decode options (RHBZ 1059679 - RFE: Synproxy: auto detect TCP options)
    http://bugzilla.redhat.com/show_bug.cgi?id=1059679
  • Slide 27/36: Real-life(1: Handle 900 Kpps

  • Slide 28/36: Real-life(2: SHA sum expensive

    SYN cookie SHA sum is expensive
    Bug 1057352 (N cookies calculations)
    http://bugzilla.redhat.com/show_bug.cgi?id=1057352

  • Slide 29/36: Real-life(3

  • Slide 30/36: Issue: Full connection scalability

    Still exists: Scalability issue with full conn
    Made it significantly more expensive for attackers (they need real hosts)
    Future work: fix scalability for central lock: LISTEN socket lock
    Central lock: Netfilter new conntracks (Work-in-progress)

  • Slide 31/36: Fixing central conntrack lock

    Conntrack issue
    Insert/delete conntracks takes central lock
    Working on removing this central lock
    (Based on patch from Eric Dumazet (RHBZ 104

  • Slide 32/36: Hack: Multi listen sockets

    Hack to work-around LISTEN socket lock
    Simply LISTEN on several ports
    Use iptables to rewrite/DNAT to these ports

  • Slide 33/36: Hack: Full conn hashlimit trick(1

    Problem: Full connections still have scalability
    Partition Internet in /24 subnets
    (128*256*256 / 2097152 = 4 max hash list)
    Limit SYN packets e.g. 200 SYN pps per src subnet
    Mem usage: fairly high
    Fixed: table-size 2097152 * 8 bytes = 16.7 MB
    Variable: entry size 104 bytes * 500000 = 52 MB

  • Slide 34/36: Hack: Full conn hashlimit trick(2

    Using hashlimit as work-around
    Attacker needs many real hosts, to reach full conn scalability limit
    # burst value is partly garbled in the extraction; 1000 is read from the remaining digits
    iptables -t raw -A PREROUTING -i $DEV \
        -p tcp -m tcp --dport 80 --syn \
        -m hashlimit \
        --hashlimit-above 200/sec --hashlimit-burst 1000 \
        --hashlimit-mode srcip --hashlimit-name syn \
        --hashlimit-htable-size 2097152 \
        --hashlimit-srcmask 24 -j DROP

  • Slide 35/36: Alternative usage of "socket" module

    Avoid using conntrack
    Use xt_socket module
    For local socket matching
    Can filter out

  • Slide 36/36: The End

    Thanks to Martin Topholm and One.com
    For providing real-life attack data
    Download slides here: http://people.netfilter.org/hawk/presentations/devconf2014
    Feedback/rating of talk on: http://devconf.cz/f

  • Slide 37/36: Extra Slides

  • Slide 38/36: Disable helper auto loading

    Default is to auto load conntrack helpers
    It is a security risk: poking holes in your firewall
    Disable via cmd:
    echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
    Controlled config example (the chain and the FTP port 21 are assumed; the slide's rule is partly garbled):
    iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    Read guide here: https://home.regit.org/netfilter-en/secure-use-of-helpers/