
DDoS with IP spoofing

Posted: 2012-04-13 20:05:59
icewind83
Hi all!

A DDoS attack with IP spoofing is under way, 500-800 thousand packets per second.
All of the packets have a zero-length payload.

Question: can these packets be filtered out with pf (or by some other means)?

Thanks.

Re: DDoS with IP spoofing

Posted: 2012-04-13 22:19:11
BlitzKrieg
I don't know pf and don't use it, but it does have limits. Something like
pass in on $ext_if proto tcp to $web_server \
port www flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_hosts> flush)
wouldn't do?

Re: DDoS with IP spoofing

Posted: 2012-04-14 0:46:58
Guest
Thanks for the reply.
I've already enabled that. It's effective against small SYN floods, but when the number of requests per second climbs to a million, and from different IPs on top of that (IP spoofing), this method is no longer effective.
I changed the sysctl parameters, allowed more connections and more open sockets (luckily the machine is powerful), and cut off traffic to ports nothing is listening on; that helped a little as well.
Heavy attacks usually don't last long; they show up from time to time and stop as suddenly as they started. I know they're hard to fight, but maybe someone has had experience with this?

Here is my PF config:


# External interface
ext_if="em0"

# Source ranges that must never arrive from the Internet
non_route_nets_inet="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

set block-policy drop
set skip on lo0
set timeout { frag 10, tcp.established 3600 }
scrub in all

# ssh from my home box
pass in quick on $ext_if proto tcp from **.**.**.** to $ext_if port *****

block all

# Outbound traffic: pass
pass out on $ext_if from $ext_if to any keep state

antispoof quick for { lo0, $ext_if }

block drop in log quick on $ext_if from $non_route_nets_inet to any

# Sources that trip the rate limit below land in this table and are dropped
table <ddos> persist
block in quick from <ddos>

# HTTP: state options are comma-separated (a missing comma here is a pfctl syntax error)
pass in on $ext_if proto tcp to $ext_if \
port http flags S/SA keep state \
(max-src-conn 100024, max-src-conn-rate 20/1, overload <ddos> flush)

# To named: pass
pass in log on $ext_if proto { tcp, udp } from any to $ext_if port 53
In tcpdump it looks roughly like this:


maket24# tcpdump -i em0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:42:23.288737 IP node-40-132-23-217.caravan.ru.13159 > ip-213-141-154-88.bb.netbynet.ru.55197: Flags [P.], seq 609283201:609283393, ack 971065072, win 1035, options [nop,nop,TS val 2485468669 ecr 274501], length 192
01:42:23.289191 IP 41.107.28.230.56295 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2336436301, win 8192, options [mss 1440,nop,nop,sackOK], length 0
01:42:23.290152 IP 88.242.181.51.dynamic.ttnet.com.tr.24187 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3276945759, win 65535, options [mss 1452,nop,wscale 3,nop,nop,sackOK], length 0
01:42:23.291218 IP 88.242.181.51.dynamic.ttnet.com.tr.24190 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3663822118, win 65535, options [mss 1452,nop,wscale 3,nop,nop,sackOK], length 0
01:42:23.291348 IP 201.220.233.210.60762 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 139443439, win 64380, options [mss 1410], length 0
01:42:23.291836 IP ip-213-141-154-88.bb.netbynet.ru.55197 > node-40-132-23-217.caravan.ru.13159: Flags [.], ack 192, win 1002, options [nop,nop,TS val 274504 ecr 2485468669], length 0
01:42:23.292868 IP 189.223.38.22.dsl.dyn.telnor.net.49879 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1050668586, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
01:42:23.293276 IP host-41-196-105-192.static.link.com.eg.m2ua > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1022658870, win 65535, options [mss 1452,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
01:42:23.293519 IP 182.177.77.184.56351 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2398007314, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
01:42:23.294362 IP dsl-187-152-236-120-dyn.prod-infinitum.com.mx.29725 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3585621394, win 8192, options [mss 1400,nop,nop,sackOK], length 0
01:42:23.294529 IP 115.249.169.206.36242 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 148147544, win 8192, options [mss 1260,nop,nop,sackOK], length 0
01:42:23.295058 IP 200-203-209-176.ctame705.dsl.brasiltelecom.net.br.5840 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1684787239, win 65535, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.296453 IP node-40-132-23-217.caravan.ru.http > 39.210.69.226.54853: Flags [.], seq 2286619672:2286621132, ack 2751328445, win 524, length 1460
01:42:23.296633 IP 217.218.241.67.62987 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 969967206, win 8192, options [mss 1412,nop,nop,sackOK], length 0
01:42:23.297208 IP 200-203-209-176.ctame705.dsl.brasiltelecom.net.br.5841 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2070376878, win 65535, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.297386 IP 88.242.181.51.dynamic.ttnet.com.tr.26915 > node-40-132-23-217.caravan.ru.http: Flags [R], seq 4160710189, win 65535, length 0
01:42:23.297511 IP 182.177.77.184.56352 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3917596757, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
01:42:23.297948 IP customer111096.megacable.com.ar.1862 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2851938205, win 16384, options [mss 1414,nop,nop,sackOK], length 0
01:42:23.299327 IP dsl-187-171-226-233-dyn.prod-infinitum.com.mx.63193 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 4182771189, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
01:42:23.299504 IP 88.242.181.51.dynamic.ttnet.com.tr.25276 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3188309401, win 65535, options [mss 1452,nop,wscale 3,nop,nop,sackOK], length 0
01:42:23.299629 IP 124.130.166.207.57985 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1510839357, win 8192, options [mss 1420,nop,nop,sackOK], length 0
01:42:23.299754 IP 200-203-209-176.ctame705.dsl.brasiltelecom.net.br.5842 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2752992540, win 65535, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.300481 IP 88.242.181.51.dynamic.ttnet.com.tr.23233 > node-40-132-23-217.caravan.ru.http: Flags [R], seq 1034841604, win 65535, length 0
01:42:23.301116 IP 201.143.209.199.dsl.dyn.telnor.net.62362 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 325677804, win 8192, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.301241 IP dsl-187-152-236-120-dyn.prod-infinitum.com.mx.29726 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3532766612, win 8192, options [mss 1400,nop,nop,sackOK], length 0
01:42:23.301394 IP 88.242.181.51.dynamic.ttnet.com.tr.23231 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1824174861, win 65535, options [mss 1452,nop,wscale 3,nop,nop,sackOK], length 0
01:42:23.301680 IP 124.130.166.207.57988 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 542274714, win 8192, options [mss 1420,nop,nop,sackOK], length 0
01:42:23.301805 IP 124.130.166.207.57987 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1980304260, win 8192, options [mss 1420,nop,nop,sackOK], length 0
01:42:23.301809 IP customer-187-174-179-226.uninet-ide.com.mx.62298 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2374761830, win 8192, options [mss 1460,nop,nop,sackOK], length 0
01:42:23.301930 IP 201.143.209.199.dsl.dyn.telnor.net.62357 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2454283989, win 8192, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.301934 IP dsl-189-251-231-184-dyn.prod-infinitum.com.mx.21623 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3740263232, win 16384, options [mss 1400,nop,nop,sackOK], length 0
01:42:23.302175 IP host-41-196-105-192.static.link.com.eg.2921 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2729118791, win 65535, options [mss 1452,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
01:42:23.302445 IP node-40-132-23-217.caravan.ru.http > 208.131.186.64.5207: Flags [S.], seq 3336883525, ack 1872832260, win 32768, options [mss 1360,nop,wscale 6,sackOK,eol], length 0
01:42:23.302486 IP dsl-189-152-62-237-dyn.prod-infinitum.com.mx.59513 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1222865587, win 8192, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.302627 IP 124.130.166.207.57986 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1525307662, win 8192, options [mss 1420,nop,nop,sackOK], length 0
01:42:23.303182 IP 200-203-209-176.ctame705.dsl.brasiltelecom.net.br.5839 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1226126410, win 65535, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.303307 IP 124.130.166.207.57989 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 404561893, win 8192, options [mss 1420,nop,nop,sackOK], length 0
01:42:23.303438 IP 182.177.77.184.56353 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1170882196, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
01:42:23.303557 IP 124.130.166.207.57990 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1065040709, win 8192, options [mss 1420,nop,nop,sackOK], length 0
01:42:23.303810 IP customer-187-174-179-226.uninet-ide.com.mx.62299 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3348429898, win 8192, options [mss 1460,nop,nop,sackOK], length 0
01:42:23.304600 IP host-41-196-105-192.static.link.com.eg.2919 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2648538701, win 65535, options [mss 1452,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
01:42:23.304818 IP 201.143.209.199.dsl.dyn.telnor.net.62363 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1978002072, win 8192, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.304943 IP 201.143.209.199.dsl.dyn.telnor.net.62409 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3779163283, win 8192, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.304947 IP host-186-3-9-166.uio.telconet.net.51884 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2283073989, win 8192, options [mss 1460,nop,nop,sackOK], length 0
01:42:23.305315 IP 200-203-209-176.ctame705.dsl.brasiltelecom.net.br.5843 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2891852522, win 65535, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.305559 IP 186.2.144.231.29907 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 65176248, win 8192, options [mss 1460,nop,nop,sackOK], length 0
01:42:23.306090 IP 189.223.38.22.dsl.dyn.telnor.net.49807 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3698527435, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
01:42:23.307337 IP 201.143.209.199.dsl.dyn.telnor.net.62410 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 403154991, win 8192, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.307595 IP 200-203-209-176.ctame705.dsl.brasiltelecom.net.br.5844 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3199829057, win 65535, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.308217 IP dsl-189-251-231-184-dyn.prod-infinitum.com.mx.21624 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2816355137, win 16384, options [mss 1400,nop,nop,sackOK], length 0
01:42:23.308871 IP 190.43.137.111.11942 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2448068128, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
01:42:23.309209 IP 182.177.77.184.56354 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2284103536, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
01:42:23.309338 IP 190.43.137.111.11941 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1197008829, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
01:42:23.309643 IP dsl-189-155-152-132-dyn.prod-infinitum.com.mx.59082 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 279372752, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
01:42:23.309768 IP dsl-187-152-236-120-dyn.prod-infinitum.com.mx.29727 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 679194293, win 8192, options [mss 1400,nop,nop,sackOK], length 0
01:42:23.309984 IP 217.218.241.67.62970 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1910597702, win 8192, options [mss 1412,nop,nop,sackOK], length 0
01:42:23.310157 IP 95.8.137.217.dynamic.ttnet.com.tr.62041 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3509232409, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
01:42:23.310447 IP node-40-132-23-217.caravan.ru.http > 39.210.69.226.equationbuilder: Flags [.], seq 1317449455:1317450903, ack 548818641, win 520, options [nop,nop,TS val 710414071 ecr 2913008242], length 1448
01:42:23.310773 IP 201.143.209.199.dsl.dyn.telnor.net.62364 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3526138477, win 8192, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.311106 IP 200-203-209-176.ctame705.dsl.brasiltelecom.net.br.5845 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 307321936, win 65535, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.311231 IP host-41-196-105-192.static.link.com.eg.2955 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3537807988, win 65535, options [mss 1452,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
01:42:23.312292 IP 41.107.28.230.56299 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 4153356292, win 8192, options [mss 1440,nop,nop,sackOK], length 0
01:42:23.313135 IP 200-203-209-176.ctame705.dsl.brasiltelecom.net.br.5846 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1822216078, win 65535, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.313259 IP 182.177.77.184.56355 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2431453719, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
01:42:23.313393 IP 201.143.209.199.dsl.dyn.telnor.net.62411 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1706697497, win 8192, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.314176 IP 41.107.28.230.56300 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 566432412, win 8192, options [mss 1440,nop,nop,sackOK], length 0
01:42:23.315565 IP 200-203-209-176.ctame705.dsl.brasiltelecom.net.br.5847 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1008740820, win 65535, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.315855 IP 248-118-137-186.fibertel.com.ar.3534 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3293465691, win 65535, options [mss 1460,nop,nop,sackOK], length 0
01:42:23.316171 IP 41.107.28.230.56298 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 813532247, win 8192, options [mss 1440,nop,nop,sackOK], length 0
01:42:23.316296 IP dsl-189-251-231-184-dyn.prod-infinitum.com.mx.21625 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1593018543, win 16384, options [mss 1400,nop,nop,sackOK], length 0
01:42:23.316486 IP 190.43.137.111.11943 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3172385069, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
01:42:23.317147 IP 182.177.77.184.56356 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 1460014243, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
01:42:23.318861 IP dsl-189-152-62-237-dyn.prod-infinitum.com.mx.59514 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2758616240, win 8192, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.318984 IP 200-203-209-176.ctame705.dsl.brasiltelecom.net.br.5848 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3578721754, win 65535, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.318988 IP KD113150240091.ppp-bb.dion.ne.jp.dlswpn > node-40-132-23-217.caravan.ru.http: Flags [S], seq 729599320, win 65535, options [mss 1460,nop,nop,sackOK], length 0
01:42:23.319750 IP KD113150240091.ppp-bb.dion.ne.jp.2068 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2024552250, win 65535, options [mss 1460,nop,nop,sackOK], length 0
01:42:23.320006 IP rev-77-92-163-190.gccngn.com.33970 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3805317911, win 8192, options [mss 1460,sackOK,TS val 2333185 ecr 0], length 0
01:42:23.320530 IP rev-77-92-163-190.gccngn.com.33980 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 600817238, win 8192, options [mss 1460,sackOK,TS val 2333185 ecr 0], length 0
01:42:23.321238 IP 200-203-209-176.ctame705.dsl.brasiltelecom.net.br.5849 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2322769923, win 65535, options [mss 1452,nop,nop,sackOK], length 0
01:42:23.321658 IP 88.242.181.51.dynamic.ttnet.com.tr.20525 > node-40-132-23-217.caravan.ru.http: Flags [R], seq 3990947577, win 65535, length 0
01:42:23.322108 IP 182.177.77.184.56357 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3326999451, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
01:42:23.322358 IP host-41-196-105-192.static.link.com.eg.2957 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 311427313, win 65535, options [mss 1452,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
01:42:23.323296 IP 200-203-209-176.ctame705.dsl.brasiltelecom.net.br.5854 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 2959078386, win 65535, options [mss 1452,nop,nop,sackOK], length 0
^X^C01:42:23.324719 IP 216.110.118.203.54782 > node-40-132-23-217.caravan.ru.http: Flags [S], seq 3924983344, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0

84 packets captured
20075 packets received by filter
10301 packets dropped by kernel
Please advise: what could I add to PF? Or what other tools could be brought in?

P.S. I know about CISCO Guard and intend to buy one, but for now that device is beyond my budget.
Thanks.
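The capture above is a SYN flood: many different sources, one bare SYN (Flags [S], length 0) per source port, all aimed at port 80, while the few established flows are the legitimate traffic. Below is an added example, not code from this thread or from pf, that does the triage a practitioner would want before touching the firewall: it parses tcpdump text in the shape shown above, counts bare SYNs per source per one-second bucket (the same unit as pf's max-src-conn-rate N/1), emits pfctl commands that feed the worst offenders into the <ddos> table from the posted pf.conf, and reports the share of sources seen only once. That last number is the point of the poster's complaint: when it sits near 1.0 the source space is spoofed or simply too wide, and no per-source limit or table will catch up with it. Assumptions that are mine, not the post's: tcpdump was run with -n so sources are bare addresses, port 80 is the target, the threshold of 3 is illustrative, and the sample lines are constructed with RFC 5737 documentation addresses.

```python
"""Per-source SYN triage from tcpdump text output (added example, not from the thread).

Assumptions (not from the original post): tcpdump ran with -n, so sources
are bare IPv4 addresses; port 80 is the attacked service; the threshold is
illustrative; the sample capture below is constructed and uses RFC 5737
documentation addresses rather than the real hosts in the post.
"""
import re
from collections import Counter, defaultdict

# "HH:MM:SS.usec IP src.sport > dst.dport: Flags [F], ..." as tcpdump prints it.
# The greedy src/dst groups backtrack so the last dotted component is the port.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
)

HTTP_PORTS = {"80", "http"}  # tcpdump prints "http" without -n, "80" with it


def parse_line(line):
    """Return the parsed fields of one tcpdump line, or None if it is not a packet line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def syn_rates(lines, dports=HTTP_PORTS):
    """Map each source to the most bare SYNs it sent to dports in any one-second bucket.

    Bare SYN means Flags [S] exactly: "S." is the server's SYN-ACK, "R" a reset,
    "P." or "." data on an established flow; none of those count.
    """
    per_second = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in dports or rec["flags"] != "S":
            continue
        per_second[rec["ts"]][rec["src"]] += 1
    peak = Counter()
    for bucket in per_second.values():
        for src, n in bucket.items():
            peak[src] = max(peak[src], n)
    return peak


def offenders(peak, threshold):
    """Sources whose peak per-second SYN count reached the threshold, worst first."""
    return sorted((s for s, n in peak.items() if n >= threshold),
                  key=lambda s: (-peak[s], s))


def pfctl_commands(sources, table="ddos"):
    """Commands that add sources to the pf table the posted config blocks from."""
    return [f"pfctl -t {table} -T add {src}" for src in sources]


def singleton_fraction(peak):
    """Share of sources that never sent more than one SYN per second.

    Near 1.0 means a spoofed or very wide source space: per-source limits and
    overload tables cannot keep up, which is exactly the poster's observation.
    """
    if not peak:
        return 0.0
    return sum(1 for n in peak.values() if n == 1) / len(peak)


# Constructed sample in the format of the capture above, documentation addresses only.
SAMPLE_CAPTURE = """\
01:42:23.288737 IP 198.51.100.10.13159 > 203.0.113.50.55197: Flags [P.], seq 609283201:609283393, ack 971065072, win 1035, length 192
01:42:23.289191 IP 203.0.113.1.56295 > 198.51.100.10.80: Flags [S], seq 2336436301, win 8192, options [mss 1440,nop,nop,sackOK], length 0
01:42:23.290152 IP 203.0.113.2.24187 > 198.51.100.10.80: Flags [S], seq 3276945759, win 65535, length 0
01:42:23.291218 IP 203.0.113.2.24190 > 198.51.100.10.80: Flags [S], seq 3663822118, win 65535, length 0
01:42:23.291348 IP 203.0.113.3.60762 > 198.51.100.10.80: Flags [S], seq 139443439, win 64380, length 0
01:42:23.295058 IP 203.0.113.4.5840 > 198.51.100.10.80: Flags [S], seq 1684787239, win 65535, length 0
01:42:23.297208 IP 203.0.113.4.5841 > 198.51.100.10.80: Flags [S], seq 2070376878, win 65535, length 0
01:42:23.297386 IP 203.0.113.2.26915 > 198.51.100.10.80: Flags [R], seq 4160710189, win 65535, length 0
01:42:23.299754 IP 203.0.113.4.5842 > 198.51.100.10.80: Flags [S], seq 2752992540, win 65535, length 0
01:42:23.301680 IP 203.0.113.5.57988 > 198.51.100.10.80: Flags [S], seq 542274714, win 8192, length 0
01:42:23.301805 IP 203.0.113.5.57987 > 198.51.100.10.80: Flags [S], seq 1980304260, win 8192, length 0
01:42:23.302445 IP 198.51.100.10.80 > 203.0.113.60.5207: Flags [S.], seq 3336883525, ack 1872832260, win 32768, length 0
01:42:23.302627 IP 203.0.113.5.57986 > 198.51.100.10.80: Flags [S], seq 1525307662, win 8192, length 0
01:42:23.303182 IP 203.0.113.4.5839 > 198.51.100.10.80: Flags [S], seq 1226126410, win 65535, length 0
01:42:23.305315 IP 203.0.113.4.5843 > 198.51.100.10.80: Flags [S], seq 2891852522, win 65535, length 0
01:42:23.306000 IP 203.0.113.6.40000 > 198.51.100.10.53: Flags [S], seq 1, win 8192, length 0
01:42:24.001000 IP 203.0.113.1.56299 > 198.51.100.10.80: Flags [S], seq 4153356292, win 8192, length 0
"""

if __name__ == "__main__":
    peak = syn_rates(SAMPLE_CAPTURE.splitlines())
    print(f"{len(peak)} SYN sources, singleton fraction {singleton_fraction(peak):.2f}")
    for cmd in pfctl_commands(offenders(peak, threshold=3)):
        print(cmd)
```

Run it against a real capture with `tcpdump -n -i em0 'tcp[tcpflags] == tcp-syn and dst port 80' | python3 syn_triage.py` style piping (reading stdin instead of SAMPLE_CAPTURE). The emitted `pfctl -t ddos -T add` lines do the same thing the posted `overload <ddos>` rule does, only from an offline view of the traffic, so they are useful for the handful of hosts that really do send dozens of SYNs per second; when the singleton fraction is high, the table approach stops paying off and the remaining options are SYN-cookie style handshake handling on the host or upstream, or filtering before the packets reach this machine.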

Re: DDoS with IP spoofing

Posted: 2012-04-14 0:49:35
Guest
P.S. The attack is ONLY against port 80.
Sorry for the flood.