I posted this on the Ubuntu forums, as I've had good luck there in the past,
but I think this question goes beyond the scope of most of the members there.
Anyway, I copy/pasted for the sake of time, but here goes:
____________________________________________________________________________________________________________________________________________________
A friend of mine recently took me down using a DDOS. I know there isn't really
a fool-proof way to safeguard against this, but it got me thinking about
beefing up my security a bit. From what my logs show, the 'attack' came from 4
IPs for about three minutes. I did some research, and a script/program called
"DDOS-Deflate" is about the best I can find for this sort of thing. It
basically checks how many connections a given IP has, and if it's over a
certain amount in a period of time, the IP gets blacklisted via iptables.
This all seems like it should work fine, but I ran some tests, and it's not
catching things the way I'd like it to.

My system configuration is as follows:

  - Ubuntu 12.04 running Shorewall, acting as firewall and router via 4-port
    ethernet card
  -- Apache server in Debian LXC container
  -- PostgreSQL server in Debian LXC container
  -- Email server (Postfix/Dovecot) in Debian LXC container

Each of the containers runs through a common network bridge (br0) which
Shorewall then turns into a subnet that holds just my containers. Each port of
the 4-port NIC also runs its own subnet. For the sake of this example, let's
say I have the following (eth0-3 are on the add-on NIC, eth4 is the
motherboard):

  br0:  192.168.9.255
  eth4: external IP (modem)
  eth3: 192.168.3.255
  eth2: 192.168.2.255
  eth1: 192.168.1.255
  eth0: 192.168.0.255

The problem is that when I try to run a DOS attack against my Apache server (in
the DMZ, all requests to 8080 forwarded to it), the DDOS-Deflate script doesn't
seem to see the connections being created. I haven't tested it from the outside
yet, but I'd expect similar results. I looked around a bit on Google, and had a
peek at /usr/local/ddos.conf and /usr/local/ddos.sh. For those unfamiliar with
DDOS-Deflate, it can be found at this address: http://deflate.medialayer.com
The line in the script that actually checks the connections looks like this
(actually, this is a patched one I found online, as the one that comes with the
script has a problem -
https://mangesh7rhcss.wordpress.com/2011/03/02/dos-deflate-installation):

  netstat -ntu | grep ':' | awk '{print $5}' | sed 's/::ffff://' | cut -f1 -d ':' | sort | uniq -c | sort -nr > $BAD_IP_LIST

So, I ended up running a DOS attack a few times from my development box
(192.168.30.255) to the server, and testing how many connections this script
was seeing by manually running netstat on the server via SSH from the dev box.
To my dismay, the only connections that it saw from my dev box to the server
were the 3 SSH connections I had open in various terminals.

Apparently, my Shorewall rules are forwarding the requests immediately to the
web server container before DDOS-deflate has a chance to analyze the traffic?

Any other ideas? I'm kinda shooting in the dark here. That's all I can think of
though, as even if I simply open a web page (dev box to server's web server
container), and then run netstat on the host OS of the server (via SSH), it
still doesn't see my HTTP connection in the netstat list - only the open SSH
connections.

My only idea is to move the DDOS-deflate script to inside the containers, and
see if it catches rogue traffic there, after it's been forwarded to the
container by Shorewall. I was hoping having it installed on the host OS would
have worked...

Sorry for the lengthy post...let me know if I can clear anything up.

____________________________________________________________________________________________________________________________________________________

Long story short, I think the requests are being forwarded to my LXC containers
before the DDOS script can even think about it. My thought is that since the
connection is being made to the container's IP address, and not the host
address, the netstat command is not detecting the connection?

Maybe I'm way off base, but whenever the Ubuntu community fails me, the LXC
users usually have some valuable input....here's to hoping someone else has a
similar config....

-Pat
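The following is an added example, not part of Pat's post and not code from DDOS-Deflate. It does the same per-source counting as the quoted netstat pipeline, with two differences a defender would want: the port is stripped with a right-side split so that IPv6 and `::ffff:`-mapped addresses are not mangled, and the same counter can be fed from the host's connection-tracking table. A TCP connection that Shorewall DNATs into a container never becomes a socket on the host, which is why `netstat` on the host only shows the SSH sessions, but the host does keep a conntrack entry for every forwarded flow. The example assumes that `/proc/net/nf_conntrack` is readable on the host (a kernel with the conntrack procfs entry enabled); all sample `netstat` and conntrack lines below are constructed for the example, and the addresses in them are hypothetical.

```python
# Added example: count connections per remote IP from (a) `netstat -ntu`
# output as run inside the web container and (b) the host's
# /proc/net/nf_conntrack table, then list sources over a threshold.
# Not DDOS-Deflate's own code; all sample lines are constructed.
import re
from collections import Counter

# Constructed sample of `netstat -ntu` output as seen inside a container.
NETSTAT_SAMPLE = """Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.9.10:8080       192.168.30.5:51002      ESTABLISHED
tcp        0      0 192.168.9.10:8080       192.168.30.5:51003      ESTABLISHED
tcp        0      0 192.168.9.10:8080       192.168.30.5:51004      ESTABLISHED
tcp6       0      0 ::ffff:192.168.9.10:8080 ::ffff:192.168.30.5:51005 ESTABLISHED
tcp6       0      0 2001:db8::10:8080       2001:db8::99:40001      ESTABLISHED
tcp        0      0 192.168.9.10:22         192.168.30.5:50001      ESTABLISHED
udp        0      0 192.168.9.10:53         192.168.0.7:33445       ESTABLISHED
"""

# Constructed sample of /proc/net/nf_conntrack lines on the host/router.
# The first src=/dst=/sport=/dport= group is the original (pre-NAT) direction.
CONNTRACK_SAMPLE = """ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.30.5 dst=203.0.113.10 sport=51010 dport=8080 src=192.168.9.10 dst=192.168.30.5 sport=8080 dport=51010 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 119 SYN_SENT src=192.168.30.5 dst=203.0.113.10 sport=51011 dport=8080 src=192.168.9.10 dst=192.168.30.5 sport=8080 dport=51011 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.0.7 dst=192.168.9.10 sport=33445 dport=53 src=192.168.9.10 dst=192.168.0.7 sport=53 dport=33445 mark=0 zone=0 use=2
ipv4     2 tcp      6 60 TIME_WAIT src=198.51.100.4 dst=203.0.113.10 sport=4000 dport=8080 src=192.168.9.10 dst=198.51.100.4 sport=8080 dport=4000 [ASSURED] mark=0 zone=0 use=2
"""


def remote_ip(addr):
    """Strip the port from a netstat address and unmap ::ffff: IPv4 addresses.

    Splitting on the last ':' keeps IPv6 addresses whole, which the quoted
    `cut -f1 -d ':'` does not.
    """
    ip = addr.rsplit(":", 1)[0]
    if ip.startswith("::ffff:"):
        ip = ip[len("::ffff:"):]
    return ip


def parse_netstat(text):
    """Return Counter{remote ip: open connections} from `netstat -ntu` output."""
    counts = Counter()
    for line in text.splitlines():
        fields = line.split()
        # Skip the two header lines; data rows start with tcp/tcp6/udp/udp6.
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        counts[remote_ip(fields[4])] += 1  # field 5 is "Foreign Address"
    return counts


_CT_SRC = re.compile(r"\bsrc=(\S+)")
_CT_DPORT = re.compile(r"\bdport=(\d+)")


def parse_conntrack(text, dport=None):
    """Return Counter{original source ip: tracked flows} from nf_conntrack
    lines, optionally restricted to flows whose original destination port is
    `dport` (e.g. the port Shorewall forwards to the web container)."""
    counts = Counter()
    for line in text.splitlines():
        src = _CT_SRC.search(line)      # first match = original direction
        port = _CT_DPORT.search(line)
        if not src or not port:
            continue
        if dport is not None and int(port.group(1)) != dport:
            continue
        counts[src.group(1)] += 1
    return counts


def flag_sources(counts, threshold, allowlist=()):
    """Sources with at least `threshold` connections, busiest first, minus an
    allowlist of addresses that must never be blocked (management hosts)."""
    hits = [(ip, n) for ip, n in counts.items()
            if n >= threshold and ip not in allowlist]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print("container view (netstat), threshold 3:",
          flag_sources(parse_netstat(NETSTAT_SAMPLE), 3))
    print("host view (conntrack, dport 8080), threshold 2:",
          flag_sources(parse_conntrack(CONNTRACK_SAMPLE, dport=8080), 2))
```

On a live box the two counters would be fed by `netstat -ntu` run inside the container and by reading `/proc/net/nf_conntrack` on the host; the list `flag_sources` returns is the equivalent of DDOS-Deflate's bad-IP list, and keeping management addresses in the allowlist avoids locking yourself out through the same SSH sessions the post mentions.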
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users