
Bypassing the OVH Network Firewall


raffo
11.09.2014, 05.00
Today I finally had the chance to fully test the OVH Network Firewall!
I must say it works very well if the attacker's IP is just one: I tried generating 200 Mbps from another datacenter and received (on the server behind the OVH firewall) only 2 Mbps!

My rules:
http://zbyte.it/logs/OVH-Network-Firewall_Webserver.png

I received a rather odd attack that generated 600 Mbps and 1.4 Mpps, first in UDP (generating half of the bandwidth) and then in TCP. In both cases the server went offline shortly after the attack started.

http://zbyte.it/logs/ddos_11-09-14_.png
http://zbyte.it/logs/ddos_11-09-14.png



I analyzed the packets with tcpdump and they appear to come from an entire /16 range originating from Turkey!!
Code:
http://zbyte.it/logs/tcpdump.log.gz (Extracted, it is more than 2 GB)
I analyze it with: tshark -r tcpdump.log -V
I extracted the list of IPs from the tcpdump log file with "tshark -r tcpdump.log -V | grep Src: | awk '{ print $6 }' | sort -u > iplist.txt"
And I get this result:
There are more than 50 thousand IPs, all belonging to the 78.179.0.0 netblock.

TCP packet it sends:
Code:
Linux cooked capture    Packet type: Unicast to us (0)
    Link-layer address type: 65535
    Link-layer address length: 0
    Protocol: IP (0x0800)
Internet Protocol Version 4, Src: 78.179.40.229 (78.179.40.229), Dst: 178.33.180.196 (178.33.180.196)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 52
    Identification: 0x5281 (21121)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 88
    Protocol: TCP (6)
    Header checksum: 0xf1c4 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 78.179.40.229 (78.179.40.229)
    Destination: 178.33.180.196 (178.33.180.196)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 57383 (57383), Dst Port: http (80), Seq: 1, Ack: 1, Len: 0
    Source port: 57383 (57383)
    Destination port: http (80)
    [Stream index: 1]
    Sequence number: 1    (relative sequence number)
    Acknowledgment number: 1    (relative ack number)
    Header length: 32 bytes
    Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 256
    [Calculated window size: 256]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x04d4 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 125819436, TSecr 3679778033
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 125819436
            Timestamp echo reply: 3679778033
    [SEQ/ACK analysis]
        [TCP Analysis Flags]
            [This is a TCP duplicate ack]
        [Duplicate ACK #: 1]
        [Duplicate to the ACK in frame: 4]
            [Expert Info (Note/Sequence): Duplicate ACK (#1)]
                [Message: Duplicate ACK (#1)]
                [Severity level: Note]
                [Group: Sequence]


Frame 6: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
    Encapsulation type: Linux cooked-mode capture (25)
    Arrival Time: Sep 11, 2014 03:43:04.131424000 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1410399784.131424000 seconds
    [Time delta from previous captured frame: 0.001008000 seconds]
    [Time delta from previous displayed frame: 0.001008000 seconds]
    [Time since reference or first frame: 0.112403000 seconds]
    Frame Number: 6
    Frame Length: 68 bytes (544 bits)
    Capture Length: 68 bytes (544 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: sll:ip:tcp]


My questions are:
1- Is this spoofing!? (I don't think so.. but how is it possible?!)
2- How should one handle these cases? Is it possible to block an entire IP range in the firewall? Otherwise it is totally ineffective.

Suggestions?
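The post extracts a flat list of unique source addresses from the tshark -V output with grep/awk/sort. The following script, added here as an example and not part of the original post or of any OVH tooling, goes one step further: it parses the same tshark -V text, groups the sources by /16 prefix (so the "entire /16" observation becomes a count per netblock), and records the spread of IP TTL values seen inside each block. Real hosts inside one /16 normally sit a similar number of hops away, so a very wide TTL spread within a single block is one weak hint that the source field is forged, which is the spoofing question the post raises. The sample input is constructed: the 78.179.x.x addresses are made up inside the netblock the post names, 198.51.100.x is the RFC 5737 documentation range, and the destination is the server address from the post. The TTL threshold of 16 is an assumption, not a standard value.

```python
"""Aggregate tshark -V output by source netblock and check TTL consistency.

Added example (not from the original post): reads the verbose text that
`tshark -r capture.pcap -V` prints, groups source addresses by /16 prefix and
reports, per prefix, how many distinct sources appeared and how far their IP
TTLs spread.  A wide TTL spread inside one block is a (weak) spoofing hint.
"""
import ipaddress
import re
from collections import defaultdict

SRC_RE = re.compile(r"^Internet Protocol Version 4, Src: (\d+\.\d+\.\d+\.\d+)")
TTL_RE = re.compile(r"^\s+Time to live: (\d+)")

# Constructed sample of tshark -V lines.  Addresses in 78.179.0.0/16 are made
# up inside the netblock named in the post; 198.51.100.0/24 is the RFC 5737
# documentation range.  Only the two fields the parser uses are included.
SAMPLE_TSHARK_V = """\
Internet Protocol Version 4, Src: 78.179.40.229 (78.179.40.229), Dst: 178.33.180.196 (178.33.180.196)
    Time to live: 88
    Protocol: TCP (6)
Internet Protocol Version 4, Src: 78.179.12.7 (78.179.12.7), Dst: 178.33.180.196 (178.33.180.196)
    Time to live: 52
Internet Protocol Version 4, Src: 78.179.200.3 (78.179.200.3), Dst: 178.33.180.196 (178.33.180.196)
    Time to live: 120
Internet Protocol Version 4, Src: 78.179.40.229 (78.179.40.229), Dst: 178.33.180.196 (178.33.180.196)
    Time to live: 88
Internet Protocol Version 4, Src: 78.179.99.150 (78.179.99.150), Dst: 178.33.180.196 (178.33.180.196)
    Time to live: 37
Internet Protocol Version 4, Src: 198.51.100.10 (198.51.100.10), Dst: 178.33.180.196 (178.33.180.196)
    Time to live: 57
Internet Protocol Version 4, Src: 198.51.100.11 (198.51.100.11), Dst: 178.33.180.196 (178.33.180.196)
    Time to live: 58
"""


def parse_tshark_v(text):
    """Return a list of (src_ip, ttl) pairs, one per IPv4 header in the text."""
    records = []
    current_src = None
    for line in text.splitlines():
        m = SRC_RE.match(line)
        if m:
            current_src = m.group(1)   # a new packet's IPv4 header starts here
            continue
        m = TTL_RE.match(line)
        if m and current_src is not None:
            records.append((current_src, int(m.group(1))))
            current_src = None         # exactly one TTL per IPv4 header
    return records


def aggregate_by_prefix(records, prefixlen=16):
    """Group records into {network: {"ips": set of sources, "ttls": list}}."""
    groups = defaultdict(lambda: {"ips": set(), "ttls": []})
    for src, ttl in records:
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        groups[net]["ips"].add(src)
        groups[net]["ttls"].append(ttl)
    return groups


def summarize(text, prefixlen=16, ttl_spread_threshold=16):
    """One dict per netblock, largest number of distinct sources first.

    ttl_spread_threshold is an assumed cut-off for flagging a block whose
    sources report inconsistent hop distances.
    """
    groups = aggregate_by_prefix(parse_tshark_v(text), prefixlen)
    rows = []
    for net, g in groups.items():
        spread = max(g["ttls"]) - min(g["ttls"])
        rows.append({
            "network": str(net),
            "packets": len(g["ttls"]),
            "distinct_sources": len(g["ips"]),
            "ttl_spread": spread,
            "ttl_inconsistent": spread > ttl_spread_threshold,
        })
    rows.sort(key=lambda r: r["distinct_sources"], reverse=True)
    return rows


if __name__ == "__main__":
    # On a real capture: summarize(open("tcpdump.log").read()) where the
    # file holds the output of `tshark -r capture.pcap -V`.
    for row in summarize(SAMPLE_TSHARK_V):
        print(row)
```

On the constructed sample the 78.179.0.0/16 block shows four distinct sources across five packets with a TTL spread of 83 and is flagged, while the documentation block shows a spread of 1 and is not. A TTL spread alone does not prove spoofing (large access networks do have uneven paths), but a netblock-level summary like this is what a provider's abuse desk or firewall operator needs when deciding whether a prefix-wide block, rather than per-IP rules, is the right mitigation.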