DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 6th November 2015
pawkolor pawkolor is offline
Fdisk Soldier
 
Join Date: May 2015
Posts: 53
Default Server mail attack DDoS

Hi I would ask advanced user.how to defend mail server for attack DDoS .I have a mail account in Protonmail.com .This is mail server in Switzerland doesn't touch by "NSA".But how using OpenBSD you can defend your mail server.

https://twitter.com/protonmail?lang=pl
https://www.facebook.com/protonmail/

Strange question but important to me .!!
Reply With Quote
  #2   (View Single Post)  
Old 6th November 2015
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 200
Default how to defend mail server

Have you read the "Book of PF" by Peter N.M. Hansteen

-OR-

Absolute OpenBSD by Michael W. Lucas


-BOTH-

have good practical examples


goodluck
Reply With Quote
  #3   (View Single Post)  
Old 6th November 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,193
Default

The wordpress page states that this began as an attack against a single server, but continued against the upstream infrastructure.

Without knowing anything more than this, it's impossible to provide any useful advice. So I'll reply in the same vague terms.

There are three steps:
  1. Determine the nature of an attack, and how it differs from valid, desired traffic.
  2. Block the bad traffic, and the bad traffic only.
  3. Go to Step 1, for the next attack.
Can tools like PF help? Sure. Stateful Tracking Options are an easy fix for certain types of DOS attacks. But not for all.

And any sort of PF rule won't help until you reach Step 2. Getting there requires completing Step 1. And that's the hard part.
Reply With Quote
  #4   (View Single Post)  
Old 7th November 2015
pawkolor pawkolor is offline
Fdisk Soldier
 
Join Date: May 2015
Posts: 53
Default

Hi I think malware was use as Linux/Xor.DDOS
http://blog.malwaremustdie.org/

But back for OpenBSD pf is able to filter 100Gbps.If I have mail server open 25 port and filter this port .The Pf is able protect that strong DDoS .

But ProtonMail 3 guy from CERN know how to filter bad package .And doesn't handle with it.

Ok for example I have OpenSMTPD open port 25 and 500 thousand user .
What rule ""PF"" should to use protect me against DDoS .
Reply With Quote
  #5   (View Single Post)  
Old 7th November 2015
Nomega Nomega is offline
New User
 
Join Date: Aug 2014
Posts: 3
Default

You wrong. Biggest botnets are Microsoft related. Tell Microsoft to stop making vulnerabilities in Windows - voilà, no mass hacking, no big botnets.

I wonder why ( you ) Windows User want to use OpenSMTPD and pf?
Reply With Quote
  #6   (View Single Post)  
Old 7th November 2015
pawkolor pawkolor is offline
Fdisk Soldier
 
Join Date: May 2015
Posts: 53
Default

Where I wrote .I want to use Server mail .
Quote:
for example I have OpenSMTPD open port 25 and 500 thousand user .
What rule ""PF"" should to use protect me against DDoS .
I want to understanding How ProtonMail should to protect his mail server .

And guy you not joking with me.You only use Linux and OpenBSD.
if you do not know answer.Please do not waist my time .
Reply With Quote
  #7   (View Single Post)  
Old 7th November 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,193
Default

Quote:
Originally Posted by pawkolor View Post
Hi I think malware was use as Linux/Xor.DDOS
http://blog.malwaremustdie.org/
I do not have access, and without details on the type of ongoing attacks, I cannot point you to any PF rules that would be of value. I must continue to be vague and useless.
I'll repeat: How do you know a "good" packet from a "bad" packet?
Quote:
If I have mail server open 25 port and filter this port .The Pf is able protect that strong DDoS .
I'll try again. Until you can tell your packet filtering "firewall" tool which packets are good and which packets are bad, it doesn't matter which tool you use. As for PF, it can only make decisions based on information available to it in Layer 3, such as IP addresses, IP protocols, and IP / TCP / UDP packet headers.

I mentioned Stateful Tracking Options above. As an example, it can help by blocking an IP address when that IP address violates guidelines which the admin defines as "good" traffic.

Let us pretend that I have a mail server and I wish to block any single client that tries to have more than one connection to my server, or connect more than once every 30 seconds. If an IP address tries to have two connections, or tries to connect more than once every half-minute, it is considered either a Denial Of Service (DOS) attack, or a misuse of services, and the address is blocked.

This example ruleset is likely to block real, legitimate traffic, but I'm only using this to make a point regarding DDOS vs. DOS attacks.
Code:
table <abusive_hosts> persist
block in quick from <abusive_hosts>

pass in on $ext_if proto tcp to $mail_server port 25 keep state \
    (max-src-conn 1, max-src-conn-rate 30/1, overload <abusive_hosts> flush)
What's different about DDOS? It's a Distributed Denial Of Service attack. If there is a bot-army of 100,000 random IP addresses, each connecting twice every minute, that's 200,000 connections per minute that this very restrictuve ruleset would pass to the mail server.

Stateful tracking options can also limit the number of states that are allowed to be established in total from all IP addresses. Here's an example that only permits 1,000 simultaneous connections.
Code:
pass in on $ext_if proto tcp to $mail_server port 25 keep state (max 1000)
That may keep the mail server functional, since it limits the number of connections from all IP addresses, but it does not stop the denial of service, since legitimate traffic is blocked.

If the admin cannot determine which packets are good and which are bad, the admin cannot filter out only the bad traffic. It's that simple. As far as I know, very few evil doers are using the Evil Bit.
Quote:
But back for OpenBSD pf is able to filter 100Gbps.
That blanket statement is not meaningful. PF throughput performance is currently constrained by multiple factors, such as the speed of a single CPU, the specific NICs deployed, and the number of packets per second to be processed.

Last edited by jggimi; 7th November 2015 at 03:46 PM. Reason: typos, clarity, then restructuring for more clarity and more corrections
Reply With Quote
  #8   (View Single Post)  
Old 7th November 2015
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 200
Default ddos dos attacks

The above mentioned books do give some nice examples of grey listing which may or
may not help you as well as how to set-up pf for handling (abusive hosts) which gives
you many pf related knobs to turn when determining connection rate, source etc.
The example mentioned above by jggimi concerning (abusive hosts) works well for us.
We use tables for other filtering reasons which pf handles at amazing speed.
Example: we filter out all traffic that is not from a usip (cidr) block.
The search by pf is almost instantaneous for such a large number of ip's.

Once again if you can answer jggimi's question concerning what is a bad packet
pf may be able to help you defend against it.

Reply With Quote
  #9   (View Single Post)  
Old 7th November 2015
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 587
Default

Quote:
Originally Posted by pawkolor View Post
But ProtonMail 3 guy from CERN know how to filter bad package .And doesn't handle with it.
Probably they don't have enough hardware (processing power) to deal with such a big DDOS attack.
Reply With Quote
Old 7th November 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,193
Default

I know very little about XOR DDOS attacks themselves, only that they are SYN and DNS attacks with spoofed IP addresses and spoofed TTL values from zombied Linux bot-armies. Commercial firms such as Akamai are selling mitigation solutions with specifics. Since I don't have any specifics, I can only postulate that that the SYN flood attacks, if they are deployed, might be mitigated by PF's synproxy state option. I don't know for certain, and this doesn't address the other possible forms of attack.

Last edited by jggimi; 7th November 2015 at 05:44 PM. Reason: clarity
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
HTTPS-crippling attack threatens tens of thousands of Web and mail servers J65nko News 8 22nd May 2015 06:50 AM
Security Attackers trick 162,000 WordPress sites into launching DDoS attack J65nko News 0 12th March 2014 06:00 PM
Europe shrugs off largest DDoS attack yet, traffic tops 400Gbps J65nko News 0 12th February 2014 01:26 AM
Large-scale DNS DDoS attack on Spamhaus J65nko News 1 28th March 2013 10:54 PM
supress UDP ddos attack chris FreeBSD Security 4 9th July 2008 02:46 PM


All times are GMT. The time now is 07:07 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick