ConnectionTracking CT improvement ?! urgent issue

Posted: 15 Dec 2010, 18:21
by Gaucho
Hi,
so I have csf+lfd on a cPanel server (CentOS).
So, when someone DoS-attacks the server everything works fine, BUT
the attacker stays connected for several seconds to minutes, and because I have a high frequency of visits on the server, some users always suffer because of the DoS attack.
And sometimes, because my CT_LIMIT is high (500, because of advanced clients, so they usually have a lot of connections to the server), httpd restarts itself or has some other issues.

So my suggestion is to add "tcpkill" from the dsniff package.

So in this lfd.pl section:

Code:

###############################################################################
# start connectiontracking


NOT SURE WHERE EXACTLY, BUT PRETTY SURE,
e.g.:

Code:

#...............................
		flock (IN, LOCK_SH);
		my @csftmpdeny = <IN>;
		close (IN);
		chomp @csftmpdeny;

		foreach my $ip (keys %ipcnt) {
			if (($ipcnt{$ip} > $config{CT_LIMIT}) and !&ignoreip($ip)) {

##############################
# PROBABLY HERE!, so that tcpkill kills the
# connection before anything else continues
##############################

				if ((grep {$_ =~ /^$ip\b/} @csfdeny) or (grep {$_ =~ /\|$ip\|\|/} @csftmpdeny)) {
					if ($config{DEBUG} >= 1) {&logfile("debug: (CT) IP $ip found to have $ipcnt{$ip} connections - IP already blocked")}
				} else {
					my $tip = &iplookup($ip);
					&ipblock($config{CT_PERMANENT},"(CT) IP $tip found to have $ipcnt{$ip} connections",$ip,"","inout",$config{CT_BLOCK_TIME},0,$iptext{$ip},"CT_LIMIT");

					if ($config{CT_EMAIL_ALERT}) {


#......................
To add:

Code:

my $timetokill = 20;  # seconds to let tcpkill run before it is killed
my $attackforce = 9;  # 1-9; higher number = heavier kill type (tcpkill -1 .. -9)
#######################################
# DO NOT TOUCH BELOW
# '$!' is single-quoted on purpose: bash, not Perl, expands it to the PID of the
# backgrounded tcpkill so that "kill" stops it after $timetokill seconds.
my $abc = '$!';
system("bash", "-c", "tcpkill -$attackforce host $ip & sleep $timetokill; kill $abc");

http://en.wikipedia.org/wiki/Tcpkill

What do you think about positioning this kind of code here? I'm definitely going to add it, because I frequently have loads of attacks...

Also, with this kind of protection you could secure your Messenger port (because of the recent attacks on the Messenger port I started to investigate the problem more deeply...)

Thanks for your time,
Frane Marinković
Support dep. - Get-Host.net

Re: ConnectionTracking CT improvement ?! urgent issue

Posted: 18 Dec 2010, 17:03
by Gaucho
I'm still waiting for an answer from any admin.
So this is what I came up with in the end:

Code:

apt-get install dsniff
or
yum install dsniff

* add sudo in front if you're not root

So in lfd.pl, after line 2166:

Code:

		my @csftmpdeny = <IN>;
		close (IN);
		chomp @csftmpdeny;

		foreach my $ip (keys %ipcnt) {
			if (($ipcnt{$ip} > $config{CT_LIMIT}) and !&ignoreip($ip)) {
#BELOW THIS LINE
you need to add this:

Code:

#####################################################
my $timetokillx = 5;  # seconds to let tcpkill run before it is killed
my $attackforcex = 9; # 1-9; higher number = heavier kill type (tcpkill -1 .. -9)
################# DO NOT TOUCH BELOW #######################
# '$!' is single-quoted on purpose: bash, not Perl, expands it to the PID of the
# backgrounded tcpkill so that "kill" stops it after $timetokillx seconds.
my $abcx = '$!';
system("bash", "-c", "tcpkill -$attackforcex host $ip & sleep $timetokillx; kill $abcx");
#####################################################
So it looks like this:

Code:

......................................
		foreach my $ip (keys %ipcnt) {
			if (($ipcnt{$ip} > $config{CT_LIMIT}) and !&ignoreip($ip)) {

#####################################################
my $timetokillx = 5;  # seconds to let tcpkill run before it is killed
my $attackforcex = 9; # 1-9; higher number = heavier kill type (tcpkill -1 .. -9)
################# DO NOT TOUCH BELOW #######################
# '$!' is single-quoted on purpose: bash, not Perl, expands it to the PID of the
# backgrounded tcpkill so that "kill" stops it after $timetokillx seconds.
my $abcx = '$!';
system("bash", "-c", "tcpkill -$attackforcex host $ip & sleep $timetokillx; kill $abcx");
#####################################################

				if ((grep {$_ =~ /^$ip\b/} @csfdeny) or (grep {$_ =~ /\|$ip\|\|/} @csftmpdeny)) {
					if ($config{DEBUG} >= 1) {&logfile("debug: (CT) IP $ip found to have $ipcnt{$ip} connections - IP already blocked")}
				} else {
......................................
Restart lfd.

Also, $timetokillx is set to 5 seconds so as not to delay any other job lfd needs to do.
It would be better if $timetokillx were higher, but then tcpkill would need to run outside of this script so as not to cause any delay in execution...

Is this even possible, or should I just forget about it and risk httpd crashes after every larger attack?

Re: ConnectionTracking CT improvement ?! urgent issue

Posted: 29 Dec 2010, 16:23
by chirpy
If you want to run external commands such as tcpkill then you should use the BLOCK_REPORT feature which will pass information to an external script when a block occurs and you can then do what you want to the reported IP address. See the readme.txt for information about that feature.
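The second post above worries that running tcpkill inline holds lfd up for $timetokillx seconds, and the reply points at BLOCK_REPORT instead. The script below is an added example of such a BLOCK_REPORT handler; it is not csf/lfd code and not the poster's patch. It assumes that lfd invokes the script with the positional arguments IP, ports, permanent, inout, timeout, message, logs and trigger (the order as I read it in readme.txt; confirm against your csf version), that the connection-tracking block arrives with the trigger string CT_LIMIT (the value the ipblock() call in the quoted lfd.pl code passes as its last argument), and that dsniff's tcpkill is at /usr/sbin/tcpkill. It refuses anything but a plain IPv4 address before the value reaches a command line, acts only on connection-flood triggers rather than every login-failure block, and detaches the timed tcpkill run so lfd never waits on it.

```shell
#!/bin/sh
# Added example, not part of csf/lfd: an lfd BLOCK_REPORT handler that runs
# tcpkill (dsniff) against an address lfd has just blocked for too many
# connections. Argument order, the CT_LIMIT trigger name and the tcpkill path
# are assumptions, see the comments on handle_block().

TCPKILL_BIN=${TCPKILL_BIN:-/usr/sbin/tcpkill}       # assumed install path
KILL_SECONDS=${KILL_SECONDS:-20}                    # how long tcpkill may run
KILL_FORCE=${KILL_FORCE:-9}                         # tcpkill -1 .. -9 (RST burst size)
TRIGGERS=${BLOCK_REPORT_TRIGGERS:-CT_LIMIT}         # lfd triggers we act on (assumed name)
LOGFILE=${BLOCK_REPORT_LOG:-/var/log/lfd_blockreport.log}
DRY_RUN=${DRY_RUN:-0}                               # 1 = print the plan, touch nothing

# Append a timestamped line to LOGFILE; fall back to stderr if it is not writable.
logmsg() {
    { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOGFILE"; } 2>/dev/null \
        || printf '%s\n' "$*" >&2
}

# Accept only a dotted-quad IPv4 address: the value is placed on a command
# line, so hostnames, IPv6, shell metacharacters and the like are refused.
valid_ipv4() {
    local ip octet
    ip=$1
    case $ip in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    local IFS=.
    set -- $ip
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Run tcpkill against the address for KILL_SECONDS, then stop it. The whole
# job is detached into the background so lfd gets control back at once
# instead of waiting out the sniffing window.
kill_connections() {
    local ip pid
    ip=$1
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: tcpkill -%s host %s (stop after %ss)\n' "$KILL_FORCE" "$ip" "$KILL_SECONDS"
        return 0
    fi
    if [ ! -x "$TCPKILL_BIN" ]; then
        logmsg "tcpkill not found at $TCPKILL_BIN; no connections reset for $ip"
        return 1
    fi
    (
        "$TCPKILL_BIN" -"$KILL_FORCE" host "$ip" &
        pid=$!
        sleep "$KILL_SECONDS"
        kill "$pid" 2>/dev/null
    ) </dev/null >/dev/null 2>&1 &
    logmsg "tcpkill -$KILL_FORCE host $ip started for ${KILL_SECONDS}s"
}

# Entry point for lfd. Assumed argument order (readme.txt, BLOCK_REPORT):
#   1 IP  2 ports  3 permanent(1/0)  4 inout  5 timeout  6 message  7 logs  8 trigger
handle_block() {
    local ip trigger t
    ip=$1
    trigger=$8
    if ! valid_ipv4 "$ip"; then
        logmsg "refusing malformed address '$ip' (trigger '$trigger')"
        return 2
    fi
    for t in $TRIGGERS; do
        if [ "$t" = "$trigger" ]; then
            kill_connections "$ip"
            return
        fi
    done
    logmsg "block of $ip by $trigger: not a connection-flood trigger, nothing to do"
    return 1
}

# lfd always passes arguments; with none, the functions are only defined.
if [ "$#" -gt 0 ]; then
    handle_block "$@"
fi
```

Install it somewhere lfd can execute it (for instance /usr/local/csf/bin/blockreport.sh, a path of my choosing), make it mode 700 owned by root, point BLOCK_REPORT in csf.conf at that path and restart lfd. DRY_RUN=1 prints what would be run without starting tcpkill, which is also how the address check and trigger filter can be exercised by hand before the script is wired in. tcpkill only resets connections it can sniff on the interface and that still carry traffic, so this shortens the tail of an attack after the iptables block lands; it is not a substitute for the block itself.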