DDOS/tech

From kJams Wiki

Work performed by Jesse
-help with determining why the website isn't loading properly. Specifically HTTPS appears to be failing in the TLS handshake; the website will simply hang when trying to load
-Mac mini server's CPU is spiking from the SQL daemon; the Mac mini is hosted at Cruzio
-hosts a couple of customized WordPress sites: https://karaoke.kjams.com davecotter.com

-Had Adam log into the web server and extract the Apache logs
-there are thousands/millions of requests to the server, particularly to the forum
-they appear to be Chinese, but could be a mix

-worked on blocking the connections in the Ubiquiti EdgeMax router

EdgeMax EdgeRouter 4 v2.0.8; web access/control to the firewall via edge.davecotter.com (63.249.65.78)

Main server is libre.davecotter.com 192.50.23.104, NATed from 63.249.66.43; the block has .41, .42 root of the Mac mini server, .43 web server, .44, .45 nothing?, .46 needs a login

-examined the settings and current config, and did a lot of research on firewall rules for this specific model of firewall
-spent a lot of time reading through the geo-blocking and Emerging Threats rules threads in the Ubiquiti forums

-Found someone in the forum who had some scripts and files prepared that others had recommended and that worked well; I followed his procedure, with modifications to actually make it work properly (a handful of tweaks were needed to his steps and scripts): https://github.com/WaterByWind/edgeos-bl-mgmt
-On the page, you need to download the updBlackList.sh, fw-BlackList-URLs.txt and loadBlackList.sh files
-I then used WinSCP to log into the router to secure-copy the blacklist .txt and .sh files to the router, then was able to enter the commands to run them
-SFTP works too, which is what Adam used

-in the router's web UI you can choose the CLI option (top-right corner), or SSH into the device. Once in the CLI, you need to get into configuration mode; type "configure" to do so

-to make the .sh file executable: chmod +x /config/scripts/updBlackList.sh (chmod 777 /config/scripts/updBlackList.sh also works, but additionally makes the script world-writable, which the root-run task does not need). With WinSCP you can instead edit the file properties, which I did for the .sh files and the .txt file; set to R/W for all when the script wasn't running properly
-to add the iprange feature, the MIPS package option needs to be used (see below)
-to save changes: commit, then save. To reboot the router: reboot now

As per the WaterByWind page, perform these steps on your EdgeRouter from a CLI configure prompt. This creates the network groups (can also be done in the GUI):

   For IPv4: set firewall group network-group Nets4-BlackList description 'Blacklisted IPv4 Sources'

   For IPv6: set firewall group ipv6-network-group Nets6-BlackList description 'Blacklisted IPv6 Sources'

Done with WinSCP > cp updBlackList.sh /config/scripts/updBlackList.sh
Done with WinSCP > cp fw-BlackList-URLs.txt /config/user-data/fw-BlackList-URLs.txt
Done with WinSCP > cp loadBlackList.sh /config/scripts/post-config.d/loadBlackList.sh
Done from CLI (configure mode; commit and save afterwards) > set system task-scheduler task Update-Blacklists executable path /config/scripts/updBlackList.sh
Done from CLI (configure mode; commit and save afterwards) > set system task-scheduler task Update-Blacklists interval 12h
Done from CLI, runs the script to fetch the current blacklists > sudo /config/scripts/updBlackList.sh

The blacklists will download to /config/user-data/ and be called fw-IPSET-4.txt and fw-IPSET-6.txt; but they don't immediately update. There's some delay and I'm not sure why; maybe it's parsing the data.

You will also need to create a firewall rule that drops inbound traffic whose source address matches the network-group. The group MUST be named Nets4-BlackList because that name is hard-coded in the script. An example applied to a WAN_IN ruleset might look like:

   set firewall name WAN_IN rule 1 source group network-group Nets4-BlackList
   set firewall name WAN_IN rule 1 action drop
   set firewall name WAN_IN rule 1 protocol all

EdgeOS evaluates rules in numeric order, so give the drop rule a lower number than any accept rule in the ruleset (rule 1 here puts it first), then commit and save. The ruleset must be bound to the WAN interface's inbound direction for it to take effect.

(I tried with the defaults the WaterByWind page had, with the name wan-lan-4, but because Dave already had a WAN_IN ruleset, I deleted the wan-lan-4 related rules after testing and just used his ruleset to keep things cleaner and shorter.)

-Set it up to use the optional iprange package for optimization and reduction of the lists. Packages placed in /config/data/firstboot/install-packages are re-installed automatically by EdgeOS after a firmware upgrade, so put the .deb there:

   mkdir -p /config/data/firstboot/install-packages
   cd /config/data/firstboot/install-packages

For Cavium-based platforms (MIPS), which includes this EdgeRouter 4:

   curl -O http://http.us.debian.org/debian/pool/main/i/iprange/iprange_1.0.3+ds-1_mips.deb
   sudo dpkg --install iprange_1.0.3+ds-1_mips.deb

Note that this download is over plain HTTP and dpkg installs whatever it is given as root; compare the package's SHA-256 with the value published in the Debian archive before installing it.

-Strangely, even after getting all the scripts set up and running, part way through the processing of the script and the download of the blacklists, it would fail with a seemingly random error and then never complete.
-After a lot of trial and error, parsing through the script code and researching alternative posts, I figured out the error that kept getting thrown when trying to run sudo /config/scripts/updBlackList.sh (which runs the blacklist fetch/update script).
-A few of the blacklists that were being fetched had invalid entries in them. One example was https://lists.blocklist.de/lists/all.txt, which had an IPv6 address in the IPv4 list, so it just failed and wouldn't move forward. One error I finally got that I recognized as an IPv6 address was 240e:f7:4f01:c::3; then, manually downloading the lists, I saw that same address.
-Commented out all the lists in the fetch script, then commented them back in one by one to determine which lists were funky, and kept those commented out. Also interesting is that the IPv6 script pulls/lists don't seem to work, nor does any list with an IPv6 address; the script just gets stuck. So I left them all disabled.

Other resources/info used in putting this together:
https://dl.ubnt.com/guides/edgemax/EdgeOS_UG.pdf
https://help.ubnt.com/hc/en-us/articles/204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule
http://community.ubnt.com/edgemax
https://www.ipdeny.com/ipblocks/ for specific country lists
https://github.com/amarcu5/EdgeOS-Blacklist
https://github.com/WaterByWind/edgeos-bl-mgmt

To view the iptables rules: sudo /sbin/iptables -v -L (add -n to skip reverse DNS lookups, which are slow with a large blacklist). To check what is actually loaded in the blacklist group, since EdgeOS backs each network-group with an ipset of the same name: sudo ipset list Nets4-BlackList | head

-Dave asked about opening up SMB and AFP access to the libre server. I HIGHLY recommended AGAINST opening file sharing to the world, especially considering it's already under attack.
-Through a secure VPN connection would be fine though, which can be set up.
-Dave was testing and says AFP works but SMB doesn't; port 548 does report as open on 63.249.66.43, but 139 and 445 don't.

Recommendations: keep an eye on the web traffic/attacks. Verify the blacklists are actually working and updating (that the scheduled task runs and the Nets4-BlackList group is populated). You can add or remove blacklists as desired by editing the scripts (the URL list lives in fw-BlackList-URLs.txt), and you can change the frequency of the blacklist updates by editing the task-scheduler interval. It may be a good idea to get a higher-end firewall with geo-blocking built into the GUI (easier in any case). You could use Cloudflare (or a similar vendor) to filter the attacks in the cloud. It may be easier to hand this all off to the web-hosting vendor so you're not responsible for this type of thing.


Work performed by Adam:

  • Running MAMP server on Mac Mini at Cruzio. Also managing their own router for web traffic proxy. Hosting 10+ websites. Services running very slow.
  • Initial access attempts to server and router via SSH, SFTP, web and VNC with client-provided credentials -- success, can access both devices.
  • Reviewed overall setup -- highly customized hobbyist setup and certain key technologies are out of date. Could be a minefield of issues, high probability of breaking something.
  • Reviewed Apache server logs and native Apple network logs / utilities -- hundreds of current connections to machine, many queued or stalled. Large variety of IP addresses. Looked up a random sample of IP addresses, all are coming out of China -- web server is under a DDoS attack.
  • Had client restart MAMP and machine -- this temporarily alleviated the connection load, but after a few hours the DDoS attack ramped back up.
  • Installed Malwarebytes on machine, ran scan -- clean. See no signs or behaviors of machine being hijacked.
  • Client is blocked from accessing WordPress admin panel and requested assistance with this. I was able to get in. WP security plugin has blacklisted his IP. Whitelisted IP -- client can successfully log in.
  • Client's web forum is having issues. Reviewing logs and tracing HTTP connections, forum is getting targeted in attack as well.
  • Reviewed router settings and firewall. Multiple connection interfaces with some custom routing. Recommend add firewall rules to block IP range or region for China -- client approves.
  • There does not appear to be a method outside scripting to populate firewall blacklist rules.
  • Does not appear to be a way to directly block geographical regions -- reading in router manufacturer forums confirms this.
  • At this point a simpler and more effective solution would be to sign-up for a free DNS proxy service like Cloudflare and route traffic through there. This should mitigate the DDoS attack.
  • Client does not want to add another service into the mix.
  • Another solution is to use an Apache geo-locating library to identify and block traffic. It is designed to address tasks such as this.
  • Client does not want web server to filter traffic, wants it done at the router.
  • From here on hours spent in router forums looking for a trustworthy solution to configure the firewall with hundreds of IPs to block China. Claimed up-to-date China IP lists found. Multiple shell or Perl scripts found that 'auto populate' the firewall with up-to-date China IPs.
  • Chose one that has wide-spread support and is hosted through GitHub. Set up script on router -- consistently fails trying to parse external IP lists. Turns out one of the 3rd-party IP list resources has changed, thus causing the script to error out. Author warns about this in his Gist forum -- Question -- where is the error catching in the script to prevent failure if one out of many IP list resources is down?

At this point pause work. Am not comfortable pulling random Perl scripts off web forums that are to be used in production environments. This is not a stable professional solution and could be a recipe for disaster. Solution needs to move away from self-management, not further entrench it. Will let client and Jesse work out specifics beyond this point.

  • Recommendation is to use Cloudflare for security and/or a professional web hosting company that will do this as part of their package.