Using Netfilter/iptables
1/36
Who am I
Copenhagen
2/36
Linux kernel is vulnerable to simple SYN attacks? End-host mitigations already implemented in kernel.
Where are our pain points? Learn Netfilter tricks: boost performance by a factor 10.
DDoS protection using Netfilter/iptables
3/36
First: Basic NIC tuning 101
4/36
Described in RFC 4987:
5/36
SYN "cache": mini request socket; minimize state, delay full state alloc. SYN "backlog" of outstanding request sockets.
6/36
Mini sock to represent a connection request; the SLAB behind it has sizeof(struct tcp_request_sock).
Structs embedded in each other:
56 bytes = struct request_sock
80 bytes = struct inet_request_sock
112 bytes = struct tcp_request_sock
7/36
8/36
S>N cookies
Simpli!ied description
SYN packet: don't create any local state.
SYN-ACK packet: encode state in SEQ# (and TCP options).
ACK packet: contains SEQ#+1 (and TCP timestamp); recover state, validate (3WHS).
9/36
Details: SYN-cookies
SYN cookies: SHA calculation is expensive. SNMP counters (since kernel v3.1):
TCPReqQFullDoCookies: number of times a SYN COOKIE was replied to client.
TCPReqQFullDrop: number of times a SYN request was dropped because syncookies were not enabled.
/proc/sys/net/ipv4/tcp_syncookies = 2 (always-on option)
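Added example, not from the slides: a POSIX shell helper that pulls the two counters named above out of the TcpExt rows of /proc/net/netstat and turns two snapshots into a per-second rate, so a defender can see whether queue overflow is being answered with cookies or dropped. The counter names are the real kernel names; the snapshot contents are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: extract the SNMP counters named on the
# slide (TCPReqQFullDoCookies, TCPReqQFullDrop) from the "TcpExt:" rows that
# /proc/net/netstat exposes, and derive a per-second rate from two snapshots.
# Counter names are the real kernel names; the snapshot contents are constructed.

# netstat_counter SNAPSHOT NAME
# SNAPSHOT is the text of /proc/net/netstat (e.g. "$(cat /proc/net/netstat)").
# The TcpExt section is a header row of names followed by a row of values, so
# we find NAME's column in the header and print that column of the value row.
netstat_counter() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "TcpExt:" && !col {                    # header row
            for (i = 2; i <= NF; i++) if ($i == want) col = i
            next
        }
        $1 == "TcpExt:" && col { print $col; exit }  # value row
    '
}

# counter_rate SNAP0 SNAP1 NAME SECONDS -> increments per second between snapshots.
counter_rate() {
    c0=$(netstat_counter "$1" "$3")
    c1=$(netstat_counter "$2" "$3")
    echo $(( (c1 - c0) / $4 ))
}

# syncookie_check SNAP0 SNAP1 -> "cookies" if the kernel answered overflowing
# SYNs with SYN cookies, "dropping" if it dropped them (tcp_syncookies=0),
# "idle" if the request queue never filled between the snapshots.
syncookie_check() {
    if [ "$(counter_rate "$1" "$2" TCPReqQFullDrop 1)" -gt 0 ]; then echo dropping
    elif [ "$(counter_rate "$1" "$2" TCPReqQFullDoCookies 1)" -gt 0 ]; then echo cookies
    else echo idle
    fi
}

# Constructed snapshots ten seconds apart (real files have ~100 columns).
SNAP0='TcpExt: SyncookiesSent TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 10 10 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0'
SNAP1='TcpExt: SyncookiesSent TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 300010 300010 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0'

echo "SYN cookies sent per second: $(counter_rate "$SNAP0" "$SNAP1" TCPReqQFullDoCookies 10)"
echo "queue overflow handling: $(syncookie_check "$SNAP0" "$SNAP1")"
```

On a live host, replace the constructed snapshots with two `cat /proc/net/netstat` captures taken a known number of seconds apart.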
10/36
NO LISTEN socket:
2,904,128 pkts/sec -- SYN attack
LISTEN socket:
252,032 pkts/sec -- SYN attack
336,576 pkts/sec -- SYN+ACK attack
331,072 pkts/sec -- ACK attack
11/36
Main problem:
12/36
In Cisco: The Internet Protocol Journal, Volume 9, Number 4, 2006. Available in kernel 3.13 and RHEL7.
Also works on localhost. General solution: solves SYN and ACK floods; indirect trick also solves SYN+ACK.
13/36
14/36
Conntrack performance (1)
Base performance:
Looks bad...
15/36
Conntrack performance (2)
Problem is insert and delete conntracks. Use to protect against SYN+ACK and ACK attacks: "allow ACK pkts to create new connection", disable via cmd:
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
16/36
ACK attacks, conntrack performance: default "loose=1" and pass INVALID pkts
17/36
SYN-ACKs don't auto create connections. Thus, changing the "loose" setting is not important.
Measurements: 230,348 pkts/sec; 5,382,265 pkts/sec; 5,408,307 pkts/sec
18/36
Synproxy performance
Due to conntrack insert lock scaling:
244,129 pkts/sec -- LISTEN sock + no iptables rules
172,992 pkts/sec -- LISTEN sock + conntrack
Base performance:
Using SYNPROXY
19/36
20/36
21/36
Matching state:
22/36
iptables -A INPUT -i $DEV -p tcp -m tcp --dport $PORT \
    -m state --state INVALID -j DROP
Enable TCP timestamping
23/36
Hash 8 bytes x 2 Mill = 16 MB
echo 2000000 > /sys/module/nf_conntrack/parameters/hashsize
24/36
Performance SYNPROXY
https://github.com/netoptimizer/network-testing/blob/master/iptables/iptables_synproxy.sh
2,869,824 pkts/sec : SYN-flood
4,948,480 pkts/sec : ACK-flood
5,653,120 pkts/sec : SYN+ACK-flood
25/36
SYNPROXY parameters
Must match the backend-server TCP options. Manual setup (helper tool nfsynproxy). Only one setting per rule; not useful for DHCP based network.
Future plan: auto detect server TCP options; simply allow first SYN through.
26/36
27/36
28/36
29/36
Central lock: LISTEN socket lock. Central lock: Netfilter new conntracks (work-in-progress).
30/36
Conntrack issue
Insert / delete conntracks takes central lock. Working on removing this central lock.
435,520 pkts/sec : conntrack with central lock
1,626,786 pkts/sec : conntrack with parallel lock
31/36
32/36
Problem: full connections still have scalability limits. Partition Internet in /24 subnets.
Limit SYN packets, e.g. 200 SYN pps per src subnet. Mem usage: fairly high.
Fixed: htable-size 2097152 x 8 bytes = 16.7 MB. Variable: entry size 104 bytes x 500000 = 52 MB.
33/36
Attacker needs many real hosts to reach the full conn scalability limit.
iptables -t raw -A PREROUTING -i $DEV \
    -p tcp -m tcp --dport 80 --syn \
    -m hashlimit \
    --hashlimit-above 200/sec --hashlimit-burst 1000 \
    --hashlimit-mode srcip --hashlimit-name syn \
    --hashlimit-htable-size 2097152 \
    --hashlimit-srcmask 24 -j DROP
34/36
For local socket matching and filtering out 3WHS-ACKs (and other combos):
https://github.com/netoptimizer/network-testing/blob/master/iptables/iptables_local_socket_hack.sh
35/36
T,e End
http://devconf.cz/f/37 Questions?
36/36
E1tra Slides
37/36
It is a security risk!
38/36