apteixeira
Trainer
Topic Author
Posts: 50
Joined: Fri Oct 05, 2012 5:54 pm

dst-limit possible problem

Mon Jul 18, 2016 8:10 pm

Hello,

I have been developing an advanced firewall for an ISP in order to mitigate DoS and DDoS attacks as much as possible. The problem started when I was testing the property dst-limit with the value src-and-dst-addresses in firewall filter.

Example: to simulate the attack and the firewall rule behavior, I use KALI to generate the attacks and some firewall rules with action=passthrough, just to check the amount of data being processed by the dst-limit rule.

Here are the firewall filter rules:
/ip firewall filter
add action=passthrough chain=forward comment=test in-interface=ether1-wan log-prefix=""
add action=passthrough chain=forward comment=test in-interface=ether1-wan log-prefix=""
add action=passthrough chain=forward comment=test dst-limit=10,10,src-and-dst-addresses/10s in-interface=ether1-wan log-prefix=""
add action=passthrough chain=forward comment=test in-interface=ether1-wan log-prefix=""
add action=accept chain=forward comment=test in-interface=ether1-wan log-prefix=""
As you can see, the first 4 rules have action=passthrough and rules 0, 1 and 3 are identical. That means those three rules must match all the incoming packets.

The issue is that they are NOT matching all packets when:
1) dst-limit uses src-and-dst-addresses value
2) The number of packets per second is high (more than 30.000 packets per second)
3) Multiple source addresses attacking one host


KALI command: hping3 -p 81 -2 190.107.176.253 -w 64 -i u10 --rand-source

Otherwise, if you do the same attack but from only one source, this behavior does not occur.

KALI command: hping3 -p 81 -2 190.107.176.253 -w 64 -i u10 -a 3.3.3.3

Here is a video with the demonstration: https://dl.dropboxusercontent.com/u/381 ... _error.zip

I tested with CHR and x86 with 6.35.4 and 6.36rc40.

Here is the supout.rif: https://dl.dropboxusercontent.com/u/381 ... supout.rif

Best regards.
macgaiver
Forum Guru
Posts: 1721
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: dst-limit possible problem

Tue Jul 19, 2016 10:43 am

First of all, showing your real IP in public forums will be the first thing that gets you a DoS/DDoS attack :)

What is your CPU load on that test?
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
apteixeira
Trainer
Topic Author
Posts: 50
Joined: Fri Oct 05, 2012 5:54 pm

Re: dst-limit possible problem

Tue Jul 19, 2016 3:51 pm

Hello macgaiver,

Those IPs are not real. They are just for LAB tests and routed internally.

Regards.
alisb
just joined
Posts: 1
Joined: Tue Aug 27, 2019 9:54 am

Re: dst-limit possible problem

Fri Sep 06, 2019 5:36 pm

How do I detect and protect my router from hping?
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: dst-limit possible problem

Fri Sep 06, 2019 8:24 pm

Only allow them at a specified rate, drop the rest.
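One way to write the "accept at a rate, drop the rest" rule set the reply above describes, as an added example that is not part of this thread: it reuses the dst-limit matcher from the first post (rate,burst,mode/expire) but follows it with an address-list rule for visibility and a drop. The protected host 192.0.2.10, the interface ether1-wan and the 50 pkt/s rate are assumptions chosen for illustration, not values from the thread.

```routeros
# Added example, not from the thread. Assumed values: 192.0.2.10 is the host to
# protect, ether1-wan the upstream interface, 50 pkt/s (burst 50) per
# source/destination pair is an acceptable rate for the service on that host.
/ip firewall filter
# 1) Traffic that stays within the per-pair rate is accepted. Each distinct
#    source/destination pair gets its own dst-limit entry that lives for the
#    expire time (10s here); with spoofed, random sources that table grows
#    fast, so keep the expire time short.
add chain=forward in-interface=ether1-wan dst-address=192.0.2.10 dst-limit=50,50,src-and-dst-addresses/10s action=accept comment="within per-pair rate"
# 2) Whatever reaches this rule exceeded the rate. add-src-to-address-list does
#    not terminate processing, so the source is recorded (1h) for later review
#    and the packet continues to the next rule.
add chain=forward in-interface=ether1-wan dst-address=192.0.2.10 action=add-src-to-address-list address-list=flood-src address-list-timeout=1h comment="record over-rate source"
# 3) ... and the excess is dropped.
add chain=forward in-interface=ether1-wan dst-address=192.0.2.10 action=drop comment="drop over-rate traffic"
```

The flood-src list can then be inspected under /ip firewall address-list to see which sources tripped the limit, which answers the "how to detect" question above without logging every packet.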
