Tuesday 24 January 2023

DoS Detection for NTP server with Iptables

NTP service is one of the most popular target services. Almost Linux servers install an Iptables firewall by default that we can config Iptables to detect or block NTP flooding packets. This topic shows you an example use case of Iptables for handling DoS traffic. 

Example 1.  Logging flood by source IP address (without limit logging rate).

In this example, we create a new firewall chain named NTP in the 1st line, append the rate limit rule to allow normal usage in the 2nd line, and log abnormal packets in the 3rd line.

iptables -N NTP

iptables -A NTP --match hashlimit --hashlimit-mode srcip  --hashlimit-upto  10/sec  --hashlimit-burst 20  --hashlimit-name conn_rate_limit  -j ACCEPT

iptables -A NTP -j LOG --log-prefix "NTP-DoS: " 

iptables -A NTP -j ACCEPT

iptables -A INPUT -p udp --dport 123  -j NTP

Example 2. Logging flood by source IP address with limit log output.

In 3rd line, we set the rate limit for logging at a rate of 1 event per second.

iptables -N NTP

iptables -A NTP --match hashlimit --hashlimit-mode srcip  --hashlimit-upto 10/sec  --hashlimit-burst 20  --hashlimit-name conn_rate_limit  -j ACCEPT

iptables -A NTP --match hashlimit --hashlimit-mode srcip  --hashlimit-upto 1/sec --hashlimit-burst 1  --hashlimit-name log_limit  -j LOG --log-prefix "NTP-DoS: "

iptables -A NTP -j ACCEPT

iptables -A INPUT -p udp --dport 123  -j NTP

Example 3. Logging and Dropping flood packet.

In the 4th line, Iptables will drop a packet that incoming packet more than a threshold in the 2nd line.

iptables -N NTP

iptables -A NTP --match match hashlimit --hashlimit-mode srcip  --hashlimit-upto 10/sec  --hashlimit-burst 20  --hashlimit-name conn_rate_limit  -j ACCEPT

iptables -A NTP --match hashlimit --hashlimit-mode srcip  --hashlimit-upto 1/sec --hashlimit-burst 1  --hashlimit-name log_limit  -j LOG --log-prefix "NTP-DoS: "

iptables -A NTP -j DROP

iptables -A INPUT -p udp --dport 123  -j NTP


Example 4. Block flood source IP address for 5 minutes with ipset

Create a blacklist source IP address set with an Ipset name NTP-BLOCK. every item added in this set will countdown from 300 seconds, and will remove when the counter is over. 

ipset create NTP-BLOCK hash:ip family inet hashsize 8182 maxelem 65536 timeout 300


2nd line: Apply blocking rules with an option  "-m set --match-set" with a set named "NTP-BLOCK"  for the source IP address of the incoming packet.
6th line: Update item in "NTP-BLOCK" set with option "-j SET --add-set" to push source IP of a packet that matches this rule.

iptables -N NTP

iptables -A NTP  -m set --match-set NTP-BLOCK src -j DROP

iptables -A NTP --match match hashlimit --hashlimit-mode srcip  --hashlimit-upto 10/sec  --hashlimit-burst 20  --hashlimit-name conn_rate_limit  -j ACCEPT

iptables -A NTP --match hashlimit --hashlimit-mode srcip  --hashlimit-upto 1/sec --hashlimit-burst 1  --hashlimit-name log_limit  -j LOG --log-prefix "NTP-DoS: "

iptables -A NTP -j SET --add-set NTP-BLOCK src

iptables -A INPUT -p udp --dport 123  -j NTP




at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Import SSH Private Key to Yubikey (PIV) for SSH Authentication

Introduction: This guide will walk you through the process of importing your SSH private key to a Yubikey (PIV) for SSH authentication on y...