[175023] in North American Network Operators' Group
RE: netfilter/iptables synproxy; need help deciding
daemon@ATHENA.MIT.EDU (Thijs Stuurman)
Wed Oct 8 11:19:26 2014
X-Original-To: nanog@nanog.org
From: Thijs Stuurman <Thijs.Stuurman@is.nl>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 8 Oct 2014 15:16:02 +0000
In-Reply-To: <54354D97.5010706@gmail.com>
Errors-To: nanog-bounces@nanog.org
Sorry, I am doing multiple things at once and my setup is at home... just a bit more information. I used a fresh latest-version CentOS 7 installation for my bridge (3 NICs, 2 in bridge). In my case the output of /proc/net/stat/synproxy you show on http://pastie.org/private/xwct5opbb0aajcko2tnpw did change the first number underneath syn_received. I don't believe any other value changed during my test SYN flood (using hping from an external internet server to port 80 of the webserver behind the bridge).

You may contact me off list if you wish more information about what I configured.

Planning on testing a full-scale flood later this week, but I currently lack hardware at home.
Kind regards,
IS Group
Thijs Stuurman
Powered by results.
Wielingenstraat 8 | T +31 (0)299 476 185
1441 ZR Purmerend | F +31 (0)299 476 288
http://www.is.nl | KvK Hoorn 36049256
IS Group is ISO 9001:2008, ISO/IEC 27001:2005,
ISO 20.000-1:2005, ISAE 3402 and PCI DSS certified.
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On behalf of Paige Thompson
Sent: Wednesday, October 8, 2014 4:44 PM
To: nanog@nanog.org
Subject: netfilter/iptables synproxy; need help deciding
Hi,
I guess syncookies wasn't enough and the SYNPROXY target is a relatively new addition to netfilter. If I remember correctly this has been a part of BSD PF for quite some time and is pretty easy to get up and working.

I recently tried to set this up on one of my gateways, considering that it's just one less uncovered means for somebody to be a dick that I have to deal with in the future. But, after spending some time researching and asking on Freenode, I have been unable to determine whether or not it works, or even makes any sense. I'm starting to think it's a moot point.

pastie.org/private/gjsypxkpjs8kuev0tlbxrw#22 (iptables rules, plenty of things to pick at but please try to focus on the subject of synproxy for the purpose of this e-mail.)

Based on the following table I want to say it's not working because it seems to never change:
http://pastie.org/private/xwct5opbb0aajcko2tnpw

More info on /proc/stat/synproxy:
http://www.spinics.net/lists/netdev/msg264350.html

My only guess is that you can't do this at all with NAT because it relies on conntrack, or maybe it will only work with SNAT? I don't understand this well enough to say; are proper firewall rules really a science that need to be understood that far in depth? Why is this not documented? This tutorial seems to indicate that you could use this with a NAT'd network:
http://www.academia.edu/6773989/Homemade_DDoS_Protection_Using_IPTables_SYNPROXY

I really would like to come to some closure on this subject. Whether it needs to be done right or not done at all, I'm tired of it looming over me. I really want to believe I should do the very best to have all mitigation techniques already in place, but I'm having a hard time understanding why this is next to impossible to figure out if it's so important. #netfilter on Freenode is next to no help, the mailing list seems to be unavailable... the things people are saying about how I should "just switch" back to using pf seem like a drastic solution when people in #netfilter are so content (yet many of them have never heard of synproxy before.)
Any thoughts on this are appreciated,
-Paige
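As an added example that is not from either poster: a small parser for the /proc/net/stat/synproxy table both messages refer to. It sums the per-CPU rows (the file prints one zero-padded hex row per CPU, a layout I assume from the kernel's nf_synproxy_core, so reading only the first row under syn_received undercounts) and classifies the change between a snapshot taken before and after a test. The sample snapshots are constructed: a bare SYN flood moves syn_received but not cookie_valid, because the flooding host never returns the cookie ACK, which is exactly what the reply above reports seeing.

```python
# Added example (not from the thread): parse two snapshots of
# /proc/net/stat/synproxy and report which SYNPROXY counters moved.
# Format assumed from the kernel's nf_synproxy_core: a header line, then
# one row per CPU with six zero-padded hex counters. Rows must be summed.

FIELDS = ("entries", "syn_received", "cookie_invalid", "cookie_valid",
          "cookie_retrans", "conn_reopened")

def parse_synproxy_stat(text):
    """Sum each counter over all per-CPU rows of one snapshot."""
    rows = [ln.split() for ln in text.splitlines() if ln.strip()]
    if tuple(rows[0]) != FIELDS:
        raise ValueError("unexpected header: %r" % rows[0])
    totals = dict.fromkeys(FIELDS, 0)
    for row in rows[1:]:
        if len(row) != len(FIELDS):
            raise ValueError("malformed row: %r" % row)
        for name, value in zip(FIELDS, row):
            totals[name] += int(value, 16)  # counters are printed as %08x
    return totals

def synproxy_delta(before, after):
    """Per-counter change between two snapshots taken around a test."""
    b, a = parse_synproxy_stat(before), parse_synproxy_stat(after)
    return {name: a[name] - b[name] for name in FIELDS}

def verdict(delta):
    """Classify what the counters say about SYNPROXY's behaviour."""
    if delta["syn_received"] == 0:
        return "no SYNs reached the SYNPROXY target"
    if delta["cookie_valid"] == 0:
        return "SYNs intercepted, no client completed the cookie handshake"
    return "SYNs intercepted and %d handshakes completed" % delta["cookie_valid"]

# Constructed sample: a 2-CPU box before and after a bare SYN flood.
HEADER = ("entries\t\tsyn_received\tcookie_invalid\tcookie_valid\t"
          "cookie_retrans\tconn_reopened\n")
BEFORE = HEADER + ("00000000\t00000000\t00000000\t00000000\t00000000\t00000000\n" * 2)
AFTER = (HEADER
         + "00000000\t00003e8f\t00000000\t00000000\t00000000\t00000000\n"
         + "00000000\t00000021\t00000000\t00000000\t00000000\t00000000\n")

if __name__ == "__main__":
    d = synproxy_delta(BEFORE, AFTER)
    print(d)
    print(verdict(d))
```

A legitimate client load, by contrast, should raise cookie_valid along with syn_received; if syn_received stays flat under either kind of traffic, the SYNs are not reaching the SYNPROXY rule at all.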