iptables ddos protection using netfilter/iptables
Post on 10-Feb-2018
-
7/22/2019 Iptables DDoS protection Using Netfilter/iptables
Slide 1/36: DDoS protection using Netfilter/iptables
Jesper Dangaard Brouer, Senior Kernel Engineer, Red Hat
Network-Services-Team, DevConf.cz, Feb 2014
Email: brouer@redhat.com, netoptimizer@brouer.com, hawk@kernel.org
Slide 2/36: Who am I?
Name: Jesper Dangaard Brouer
Linux Kernel Developer at Red Hat
Edu: Computer Science, Uni. Copenhagen
Focus on Network, Dist. sys and OS. Linux user since 1996, professional since 1998
Sysadm, Kernel Developer, Embedded
OpenSource projects, author of:
ADSL-optimizer, CPAN IPTables::libiptc, IPTV-Analyzer. Patches accepted into
Linux kernel, iproute2, iptables, libpcap and Wireshark
Organizer of Netfilter Workshop 201
-
Slide 3/36: What will you learn?
Linux kernel is vulnerable to simple SYN attacks
End-host mitigations already implemented in kernel
Show it is not enough
Kernel: serious "listen" socket scalability problem
Solution is stalled ... how to work around this
Firewall-based solution: synproxy (iptables/netfilter)
How fast is stateful firewalling? Where are our pain points?
Learn Netfilter tricks: boost performance by a factor 10
-
Slide 4/36: First: Basic NIC tuning 101
All tests in presentation
Basic tuning
First kill "irqbalance"
NIC hardware queues are CPU aligned
Disable Ethernet flow-control
Intel ixgbe hw driver issue
Single blocked hw queue blocks others. Fix in kernel v
-
Slide 5/36: Focus: Flooding DoS attack
Denial of Service (DoS) attacks
Focus: TCP flooding attacks
Attacking the SYN-ACK floods
ACK floods (
-
Slide 6/36: Linux current end-host mitigations
Jargon: RFC 4987 (TCP SYN Flooding Attacks and Common Mitigations)
Linux uses a hybrid solution
SYN cache
Mini request socket
Minimize state, delay full state alloc
SYN backlog of outstanding request sockets
Above limit, use SYN cookies
-
Slide 7/36: Details: SYN "cache" savings
Small initial TCB (Transmission Control Block)
struct request_sock (size 56 bytes)
Mini sock to represent a connection request
But alloc size is 112 bytes: SLAB behind has sizeof(struct tcp_request_sock)
Structs embedded in each other
56 bytes struct request_sock
80 bytes struct inet_request_sock
112 bytes struct tcp_request_sock
Full TCB (struct inet_sock) is 8
-
Slide 8/36: Details: Increasing SYN backlog
Not recommended to increase for DoS
Only increase if legitimate traffic causes log:
"TCP: Possible SYN flooding ..."
Increasing SYN backlog is not obvious
Adjust all these:
/proc/sys/net/ipv4/tcp_max_syn_backlog
/proc/sys/net/core/somaxconn
Syscall listen(int sockfd, int backlog)
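The "TCP: Possible SYN flooding" message is the kernel's own signal that the SYN backlog overflowed and cookies kicked in. The following shell script is an added example, not part of the slides: it scans kernel log lines for that message and counts hits per port, and it shows how the three knobs on the slide interact (the listen() backlog is capped by somaxconn). The log lines are constructed samples in the format the kernel uses; the function names are the example's own.

```shell
#!/bin/sh
# Added example: detect the kernel's SYN-flood notice in log output and
# reason about the backlog knobs from the slide. Not from the original slides.

# Constructed sample of `dmesg` output (not captured from a real host).
SAMPLE_LOG='[12345.678901] TCP: Possible SYN flooding on port 80. Sending cookies.  Check SNMP counters.
[12346.123456] TCP: Possible SYN flooding on port 443. Dropping request.  Check SNMP counters.
[12347.000000] e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex
[12350.111111] TCP: Possible SYN flooding on port 80. Sending cookies.  Check SNMP counters.'

# Read log text from stdin; print one "port count" pair per port the kernel
# reported a possible SYN flood on.
syn_flood_ports() {
    sed -n 's/.*TCP: Possible SYN flooding on port \([0-9]*\)\..*/\1/p' \
        | sort | uniq -c | awk '{ print $2, $1 }'
}

# Read a /proc value, falling back to a default when the file is unreadable
# (e.g. inside a container or on a non-Linux test runner).
proc_value() {
    if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi
}

# The accept-queue length a listener really gets is min(listen() backlog,
# somaxconn); pass somaxconn explicitly so the calculation is reproducible.
effective_backlog() {
    app_backlog=$1; somaxconn=$2
    if [ "$app_backlog" -lt "$somaxconn" ]; then
        echo "$app_backlog"
    else
        echo "$somaxconn"
    fi
}

# Report the two sysctl knobs from the slide (defaults are the example's guess
# when /proc is not available).
report_backlog_knobs() {
    echo "tcp_max_syn_backlog=$(proc_value /proc/sys/net/ipv4/tcp_max_syn_backlog unknown)"
    echo "somaxconn=$(proc_value /proc/sys/net/core/somaxconn unknown)"
}

# Stand-alone demonstration.
printf '%s\n' "$SAMPLE_LOG" | syn_flood_ports
report_backlog_knobs
echo "effective backlog for listen(fd, 1024) with somaxconn=128: $(effective_backlog 1024 128)"
```

Run it on a real box with `dmesg | syn_flood_ports` after sourcing the file; a port showing up repeatedly while `tcp_max_syn_backlog` is still at its default is the case the slide says is worth tuning, everything else is a flood to be handled elsewhere.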
-
Slide 9/36
-
Slide 10/36: Details: SYN-cookies
SYN cookies SHA calculation is expensive
SNMP counters (since kernel v
-
Slide 11/36: So, what is the problem?
Good end-host counter-measures
Problem: LISTEN state scalability problem
Vulnerable to all floods
SYN, SYN-ACK and ACK floods
Numbers: Xeon CPU X5550, 10G ixgbe
NO LISTEN socket:
2.904.128 pkts/sec -- SYN attack
LISTEN socket:
252.0… SYN attack
-
Slide 12/36: Problem: SYN-cookie vs LISTEN lock
Main problem:
SYN cookies live under LISTEN lock
I proposed SYN brownies fix (May 2012)
http://thread.gmane.org/gmane.linux.network/2
-
Slide 13/36: Firewall and Proxy solutions
Network-based countermeasures
Wesley M. Eddy describes SYN-proxy
In Cisco: The Internet Protocol Journal - Volume 9, Number 4, 2006, link: http://goo.gl/A1AAZ
Netfilter: iptables target SYNPROXY
Avail in kernel
-
Slide 14/36: SYN proxy concept
-
Slide 15/36: SYNPROXY needs conntrack
Will that be a performance issue?
Base performance:
2.964.091 pkts/sec -- NO LISTEN sock, no iptables rules
244.129 pkts/sec -- LISTEN sock, no iptables rules
Loading conntrack: (SYN flood, causing new conntrack
4
-
Slide 16/36: Conntrack performance (2
Conntrack (lock-less) lookups are really fast
Problem is insert and delete of conntracks
Use to protect against SYN-ACK and ACK attacks
Default netfilter is in TCP "loose" mode: allows ACK pkts to create new connection
Disable via cmd:
sysctl -w net/netfilter/nf_conntrack_tcp_loose=0
Take advantage of state "INVALID": drop invalid pkts before reaching LISTEN socket
iptables -m state --state INVALID -j DROP
-
Slide 17/36: Conntrack perf (
-
Slide 18/36: Conntrack perf (4 SYN-ACK attack
SYN-ACK attacks, conntrack performance
SYN-ACKs don't auto create connections
Thus, changing "loose" setting is not important
Default pass INVALID pkts (and "loose"=1
2
-
Slide 19/36: Synproxy performance
Only: conntrack SYN attack problem left
Due to conntrack insert lock scaling
Base performance:
244.129 pkts/sec -- LISTEN sock, no iptables rules
Loading conntrack: (SYN flood, causing new conntrack
12.992 pkts/sec -- LISTEN sock + conntrack
Using SYNPROXY
… pkts/sec -- LISTEN sock, synproxy + conntrack
-
Slide 20/36: iptables: synproxy setup (1
Using SYNPROXY target is complicated
SYNPROXY works on untracked conntracks
In "raw" table, "notrack" SYN packets:
iptables -t raw -I PREROUTING -i $DEV -p tcp -m tcp --syn \
    --dport $PORT -j CT --notrack
-
Slide 21/36: iptables: synproxy setup (2
More strict conntrack handling
Need to get unknown ACKs (from
-
Slide 22/36: iptables: synproxy setup ( target:
iptables -A INPUT -i $DEV -p tcp -m tcp --dport $PORT \
    -m state --state INVALID,UNTRACKED \
    -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
-
Slide 23/36: iptables: synproxy setup (4
Trick to catch SYN-ACK floods
Drop rest of state INVALID, which contains SYN-ACK
iptables -A INPUT -i $DEV -p tcp -m tcp --dport $PORT \
    -m state --state INVALID -j DROP
Enable TCP timestamping
Because SYN cookies use the TCP options field
/sbin/sysctl -w net/ipv4/tcp_timestamps=1
-
Slide 24/36: iptables: synproxy setup (5
Conntrack entries tuning
Max possible entries: 2 Mill
288 bytes * 2 Mill = 576.0 MB
net/netfilter/nf_conntrack_max=2000000
IMPORTANT: Also adjust hash bucket size
/proc/sys/net/netfilter/nf_conntrack_buckets is not writeable; set it
via /sys/module/nf_conntrack/parameters/hashsize
Hash 8 bytes * 2 Mill = 16 MB
echo 2000000 > /sys/module/nf_conntrack/parameters/hashsize
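The slides spread the synproxy setup over several steps (notrack in raw, SYNPROXY target on INVALID,UNTRACKED, drop the remaining INVALID, enable timestamps, disable "loose" mode from slide 16, size conntrack). The script below is an added example, not the slides' own iptables_synproxy.sh: it generates the whole rule set as text so it can be reviewed or diffed before being applied as root. It assumes the --wscale 7 --mss 1460 options shown on the slides match the backend, uses the dotted sysctl spelling, and the 2 Mill table size; DEV/PORT are placeholders.

```shell
#!/bin/sh
# Added example (not from the slides): emit the complete SYNPROXY setup as
# commands, plus the memory estimate behind the conntrack sizing on the slide.

# Print the sysctl and iptables commands for interface $1, TCP port $2 and an
# optional conntrack table size $3 (default 2000000 as on the slide).
synproxy_rules() {
    dev=$1; port=$2; ct_max=${3:-2000000}
    cat <<EOF
sysctl -w net.ipv4.tcp_timestamps=1
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
sysctl -w net.netfilter.nf_conntrack_max=$ct_max
echo $ct_max > /sys/module/nf_conntrack/parameters/hashsize
iptables -t raw -I PREROUTING -i $dev -p tcp -m tcp --syn --dport $port -j CT --notrack
iptables -A INPUT -i $dev -p tcp -m tcp --dport $port -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -i $dev -p tcp -m tcp --dport $port -m state --state INVALID -j DROP
EOF
}

# Memory implied by the slide's numbers: 288 bytes per conntrack entry plus
# 8 bytes per hash bucket, reported in whole MB (decimal, integer arithmetic).
conntrack_mem_mb() {
    entries=$1; buckets=$2
    echo $(( (entries * 288 + buckets * 8) / 1000000 ))
}

# Apply the generated commands for real; refuses to run unless root, so the
# generator above can be used freely for review.
apply_synproxy() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_synproxy: must run as root" >&2
        return 1
    fi
    synproxy_rules "$@" | sh -e
}

# Stand-alone demonstration: show the rules and the sizing for DEV=eth0, PORT=80.
synproxy_rules eth0 80
echo "# conntrack memory for 2000000 entries / 2000000 buckets: $(conntrack_mem_mb 2000000 2000000) MB"
```

Order matters: the notrack rule must precede conntrack (hence the raw table), the SYNPROXY rule must see INVALID,UNTRACKED before the plain INVALID drop, and the hashsize write must happen before the table fills, since the page notes the bucket count is not adjustable through /proc.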
-
Slide 25/36: Performance SYNPROXY
Script iptables_synproxy.sh available here: https://github.com/netoptimizer/network-testing/blob/master/iptables/iptables_synproxy.sh
Using SYNPROXY under attack types:
2.869.824 pkts/sec SYN-flood
4.948.480 pkts/sec ACK-flood
5.65
-
Slide 26/36: SYNPROXY parameters
The parameters given to SYNPROXY target
Must match the backend-server TCP options
Manual setup (helper tool nfsynproxy)
Only one setting per rule
Not useful for DHCP based network
Future plan
Auto detect server TCP options
Simply allow first SYN through
Catch SYN-ACK and decode options (RHBZ 1059679 - RFE: Synproxy: auto detect TCP options)
http://bugzilla.redhat.com/show_bug.cgi?id=1059679
-
Slide 27/36: Real-life (1: Handle 900 Kpps
-
Slide 28/36: Real-life (2: SHA sum expensive
SYN cookie SHA sum is expensive. Bug 1057352 … SYN cookies calculations
http://bugzilla.redhat.com/show_bug.cgi?id=1057352
-
Slide 29/36: Real-life (
-
Slide 30/36: Issue: Full connection scalability
Still exists: scalability issue with full conn
Made it significantly more expensive for attackers
(they need real hosts)
Future work: fix scalability for
Central lock: LISTEN socket lock
Central lock: Netfilter new conntracks (work-in-progress)
-
Slide 31/36: Fixing central conntrack lock
Conntrack issue
Insert/delete of conntracks takes central lock
Working on removing this central lock
(Based on patch from Eric Dumazet) (RHBZ 104
-
Slide 32/36: Hack: Multi listen sockets
Hack to work around LISTEN socket lock
Simply LISTEN on several ports
Use iptables to rewrite/DNAT to these ports
-
Slide 33/36: Hack: Full conn hashlimit trick (1
Problem: full connections still have scalability
Partition Internet in /24 subnets
(128*256*256 / 4 = 2097152 max hash list)
Limit SYN packets, e.g. 200 SYN pps per src subnet
Mem usage: fairly high
Fixed: table-size 2097152 * 8 bytes = 16.8 MB
Variable: entry size 104 bytes * 500000 = 52 MB
-
Slide 34/36: Hack: Full conn hashlimit trick (2
Using hashlimit as work-around
Attacker needs many real hosts to reach full conn scalability limit
iptables -t raw -A PREROUTING -i $DEV \
    -p tcp -m tcp --dport 80 --syn \
    -m hashlimit \
    --hashlimit-above 200/sec --hashlimit-burst 1000 \
    --hashlimit-mode srcip --hashlimit-name syn \
    --hashlimit-htable-size 2097152 \
    --hashlimit-srcmask 24 -j DROP
(The burst value lost its leading digit in extraction; 1000 is assumed here.)
-
Slide 35/36: Alternative usage of "socket" module
Avoid using conntrack
Use xt_socket module
For local socket matching
Can filter out
-
Slide 36/36: The End
Thanks to Martin Topholm and One.com
For providing real-life attack data
Download slides here:
http://people.netfilter.org/hawk/presentations/devconf2014
Feedback/rating of talk on:
http://devconf.cz/f
-
Slide 37/36: Extra Slides
-
Slide 38/36: Disable helper auto loading
Default is to auto load conntrack helpers
It is a security risk
Poking holes in your firewall
Disable via cmd:
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
Controlled config example (port 21 is the standard FTP control port; the port in the original was unreadable):
iptables -t raw -p tcp --dport 21 -j CT --helper ftp
Read guide here:
https://home.regit.org/netfilter-en/secure-use-of-helpers/