Other HTTP TCP Amplification

Hi guys!

I'm using FreeBSD 10.0 for a web host because in my opinion it has the best security options. For a few months I didn't have problems with it, but for the last three days someone has been blocking the network with an attack type called "TCP Amplifier".

My current security setup is based on:
Code:
IPF="ipfw -q add"
ipfw -q -f flush
ipfw add 1 allow tcp from any to any dst-port 53 in via xn0 setup limit src-addr 2
ipfw add 2 allow tcp from any to any dst-port 80 in via xn0 setup limit src-addr 2
#################################################
# Allow Loopback and Deny Loopback Spoofing
#################################################
$IPF allow all from any to any via lo0
$IPF deny all from any to 127.0.0.0/8
$IPF deny all from 127.0.0.0/8 to any
$IPF deny tcp from any to any frag

$IPF check-state
$IPF deny tcp from any to any established
$IPF allow all from any to any out keep-state
$IPF deny icmp from any to any
Code:
ext_if="xn0"
service_ports="{ 53, 80 }"
table <trusted_hosts> persist
table <abusive_hosts> persist
# options
set block-policy drop
set loginterface $ext_if
set skip on lo
scrub on $ext_if reassemble tcp no-df random-id
antispoof quick for { lo0 $ext_if }
block in
pass out all keep state
pass out on $ext_if all modulate state
pass in quick from <trusted_hosts>
block in quick from <abusive_hosts>
pass in inet proto icmp all icmp-type echoreq
# New TCP connections to the services on this host; a source opening more than
# 15 connections per second is added to <abusive_hosts> and its states are flushed
pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state \
(max-src-conn-rate 15/1, overload <abusive_hosts> flush)
Code:
net.inet.tcp.syncookies=1
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
net.inet.tcp.nolocaltimewait=1
net.inet.tcp.syncache.rexmtlimit=1
net.inet.ip.check_interface=1
net.inet.ip.portrange.randomized=1
net.inet.ip.process_options=0
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskfake=0
net.inet.icmp.maskrepl=0
net.inet.icmp.log_redirect=0
net.inet.icmp.drop_redirect=1
net.inet.tcp.drop_synfin=1
net.inet.tcp.ecn.enable=1
net.inet.tcp.fast_finwait2_recycle=1
net.inet.tcp.icmp_may_rst=0
net.inet.tcp.maxtcptw=15000
net.inet.tcp.msl=5000
net.inet.tcp.path_mtu_discovery=0
net.inet.tcp.rfc3042=0
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
net.inet.ip.rtexpire=60
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=1024
kern.ipc.shmmax=134217728

When my system is under attack I have over 25,000 state entries (checked with pfctl -si).

Help me please.
 
As far as I know there's no such thing as a "TCP Amplification" attack. There are, however, several other amplification attacks. The most common at this time are abusing NTP and DNS, both use UDP for this (as it's easily spoofed).

If you are on the receiving end of a DoS or DDoS, there really isn't anything you can do about it. Contact your hosting provider or ISP and see if they can help out.
 
According to them it's DNS amplification, though my pflog reports NTPv2 attacks on my port 80. I can't say I'm impressed. Install a proper firewall (or a firewall properly).

Code:
Dec 10 15:05:11 box pf: 15:05:00.075785 rule 0..16777216/0(match): block in on em1: 78.24.185.34.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.075904 rule 0..16777216/0(match): block in on em1: 78.24.185.34.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076029 rule 0..16777216/0(match): block in on em1: 78.24.185.34.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076046 rule 0..16777216/0(match): block in on em1: 109.24.221.165.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076148 rule 0..16777216/0(match): block in on em1: 211.186.111.58.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076275 rule 0..16777216/0(match): block in on em1: 40.134.193.250.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076286 rule 0..16777216/0(match): block in on em1: 211.186.111.58.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076405 rule 0..16777216/0(match): block in on em1: 74.40.5.209.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076416 rule 0..16777216/0(match): block in on em1: 74.40.5.209.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076522 rule 0..16777216/0(match): block in on em1: 74.40.5.209.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076647 rule 0..16777216/0(match): block in on em1: 74.40.5.209.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076653 rule 0..16777216/0(match): block in on em1: 74.40.5.209.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076664 rule 0..16777216/0(match): block in on em1: 78.24.185.34.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076781 rule 0..16777216/0(match): block in on em1: 61.91.190.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076898 rule 0..16777216/0(match): block in on em1: 61.91.190.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076911 rule 0..16777216/0(match): block in on em1: 109.24.221.165.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.077029 rule 0..16777216/0(match): block in on em1: 109.24.221.165.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.077148 rule 0..16777216/0(match): block in on em1: 109.24.221.165.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.077158 rule 0..16777216/0(match): block in on em1: 109.24.221.165.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.077281 rule 0..16777216/0(match): block in on em1: 109.24.221.165.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.077398 rule 0..16777216/0(match): block in on em1: 211.186.111.58.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.077403 rule 0..16777216/0(match): block in on em1: 61.91.190.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.077523 rule 0..16777216/0(match): block in on em1: 78.24.185.34.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.077534 rule 0..16777216/0(match): block in on em1: 78.24.185.34.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.077654 rule 0..16777216/0(match): block in on em1: 62.0.0.156.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.077778 rule 0..16777216/0(match): block in on em1: 89.249.251.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.077789 rule 0..16777216/0(match): block in on em1: 59.126.87.240.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.077904 rule 0..16777216/0(match): block in on em1: 210.214.205.234.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.078023 rule 0..16777216/0(match): block in on em1: 62.0.0.156.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.078035 rule 0..16777216/0(match): block in on em1: 109.24.221.165.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.078154 rule 0..16777216/0(match): block in on em1: 109.24.221.165.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.078273 rule 0..16777216/0(match): block in on em1: 211.186.111.58.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.078285 rule 0..16777216/0(match): block in on em1: 109.24.221.165.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.078403 rule 0..16777216/0(match): block in on em1: 61.91.190.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.078416 rule 0..16777216/0(match): block in on em1: 37.59.150.199.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.078528 rule 0..16777216/0(match): block in on em1: 37.59.150.199.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.078647 rule 0..16777216/0(match): block in on em1: 37.59.150.199.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.078657 rule 0..16777216/0(match): block in on em1: 37.59.150.199.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.078772 rule 0..16777216/0(match): block in on em1: 37.59.150.199.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.078783 rule 0..16777216/0(match): block in on em1: 37.59.150.199.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.078903 rule 0..16777216/0(match): block in on em1: 62.0.0.156.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.079022 rule 0..16777216/0(match): block in on em1: 61.91.190.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.079033 rule 0..16777216/0(match): block in on em1: 61.91.190.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.079152 rule 0..16777216/0(match): block in on em1: 61.91.190.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.079272 rule 0..16777216/0(match): block in on em1: 109.24.221.165.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.079282 rule 0..16777216/0(match): block in on em1: 109.24.221.165.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.079404 rule 0..16777216/0(match): block in on em1: 211.153.8.169.123 > myip.80: NTPv2, Reserved, length 484
Dec 10 15:05:11 box pf: 15:05:00.079521 rule 0..16777216/0(match): block in on em1: 211.153.8.169.123 > myip.80: NTPv2, Reserved, length 484
Dec 10 15:05:11 box pf: 15:05:00.079646 rule 0..16777216/0(match): block in on em1: 211.153.8.169.123 > myip.80: NTPv2, Reserved, length 484
Dec 10 15:05:11 box pf: 15:05:00.079655 rule 0..16777216/0(match): block in on em1: 211.153.8.169.123 > myip.80: NTPv2, Reserved, length 484
Dec 10 15:05:11 box pf: 15:05:00.079779 rule 0..16777216/0(match): block in on em1: 114.32.36.148.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.079784 rule 0..16777216/0(match): block in on em1: 211.153.8.169.123 > myip.80: NTPv2, Reserved, length 484
Dec 10 15:05:11 box pf: 15:05:00.079901 rule 0..16777216/0(match): block in on em1: 61.91.190.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.080020 rule 0..16777216/0(match): block in on em1: 61.91.190.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.080030 rule 0..16777216/0(match): block in on em1: 61.91.190.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.080150 rule 0..16777216/0(match): block in on em1: 211.153.8.169.123 > myip.80: NTPv2, Reserved, length 484
Dec 10 15:05:11 box pf: 15:05:00.080271 rule 0..16777216/0(match): block in on em1: 61.91.190.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.080281 rule 0..16777216/0(match): block in on em1: 61.91.190.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.080404 rule 0..16777216/0(match): block in on em1: 62.0.0.156.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.080520 rule 0..16777216/0(match): block in on em1: 61.91.190.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.080531 rule 0..16777216/0(match): block in on em1: 61.91.190.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.080651 rule 0..16777216/0(match): block in on em1: 61.91.190.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.080661 rule 0..16777216/0(match): block in on em1: 61.91.190.30.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.080775 rule 0..16777216/0(match): block in on em1: 211.153.8.169.123 > myip.80: NTPv2, Reserved, length 348
Dec 10 15:05:11 box pf: 15:05:00.080780 rule 0..16777216/0(match): block in on em1: 62.0.0.156.123 > myip.80: NTPv2, Reserved, length 440
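Added example, not code from the thread: a small Python script that summarizes pflog lines like the ones above so you can see what a flood actually is (which reflector service, which source addresses, which target port) before deciding what to table. It assumes the syslog'd pflog format shown above; eight of the sample lines are copied from the log excerpt, and the DNS reply and the passed SYN are constructed lines using RFC 5737 addresses. The function names, the `REFLECTOR_PORTS` list and the packet threshold are my own choices. The `pfctl` commands it produces are returned for review, not executed.

```python
"""Summarize syslog'd pflog lines to see which reflector service and which
sources make up a flood. Added example, not code from the thread; it only
reads text and never talks to pf."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Source ports of services commonly abused as UDP reflectors. A packet that
# arrives *from* one of these ports in reply to nothing we sent is reflection.
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 19: "chargen", 161: "SNMP"}

# "pf: TS rule N..M/0(match): block in on IF: SRC.SPORT > DST.DPORT: DECODE"
LOG_RE = re.compile(
    r"pf: (?P<ts>\S+) rule (?P<rule>\S+)\(match\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>.+)\.(?P<sport>\d+) > (?P<dst>.+)\.(?P<dport>\d+): (?P<info>.*)$"
)
# tcpdump prints UDP/TCP payload size as ", length N" and DNS answers as "(N)".
LEN_RE = re.compile(r"length (\d+)|\((\d+)\)\s*$")


def parse_line(line):
    """Return a dict for one pflog line, or None if it is not a pf match line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    lm = LEN_RE.search(rec["info"])
    rec["length"] = int(lm.group(1) or lm.group(2)) if lm else 0
    return rec


def classify(rec):
    """Name the reflection vector from the source port; fall back to the
    decode tcpdump printed (e.g. 'NTPv2') when a reflector uses an odd port."""
    name = REFLECTOR_PORTS.get(rec["sport"])
    if name is None and rec["info"].startswith("NTPv"):
        name = "NTP"
    return name or "other"


@dataclass
class Summary:
    packets: int = 0
    bytes: int = 0
    by_source: Counter = field(default_factory=Counter)
    by_vector: Counter = field(default_factory=Counter)
    by_dport: Counter = field(default_factory=Counter)


def summarize(lines):
    """Aggregate blocked inbound packets by source, vector and target port."""
    s = Summary()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "block" or rec["dir"] != "in":
            continue
        s.packets += 1
        s.bytes += rec["length"]
        s.by_source[rec["src"]] += 1
        s.by_vector[classify(rec)] += 1
        s.by_dport[rec["dport"]] += 1
    return s


def pfctl_block_commands(summary, table="abusive_hosts", min_packets=3):
    """pfctl(8) invocations that would add the noisiest sources to a pf table.
    Returned as strings, not executed. Remember the reflectors are victims
    too: their addresses are real, the spoofed source in the requests is you."""
    return [f"pfctl -t {table} -T add {ip}"
            for ip, n in summary.by_source.most_common() if n >= min_packets]


# Eight lines copied from the pflog excerpt above, plus two constructed lines
# (RFC 5737 addresses): a DNS reflection reply and a normal passed SYN.
SAMPLE_LOG = """\
Dec 10 15:05:11 box pf: 15:05:00.075785 rule 0..16777216/0(match): block in on em1: 78.24.185.34.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.075904 rule 0..16777216/0(match): block in on em1: 78.24.185.34.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076046 rule 0..16777216/0(match): block in on em1: 109.24.221.165.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076405 rule 0..16777216/0(match): block in on em1: 74.40.5.209.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076416 rule 0..16777216/0(match): block in on em1: 74.40.5.209.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.076522 rule 0..16777216/0(match): block in on em1: 74.40.5.209.123 > myip.80: NTPv2, Reserved, length 440
Dec 10 15:05:11 box pf: 15:05:00.079404 rule 0..16777216/0(match): block in on em1: 211.153.8.169.123 > myip.80: NTPv2, Reserved, length 484
Dec 10 15:05:11 box pf: 15:05:00.080775 rule 0..16777216/0(match): block in on em1: 211.153.8.169.123 > myip.80: NTPv2, Reserved, length 348
Dec 10 15:05:12 box pf: 15:05:01.000001 rule 0..16777216/0(match): block in on em1: 192.0.2.10.53 > myip.80: 12345 10/0/0 TXT (1400)
Dec 10 15:05:12 box pf: 15:05:01.000002 rule 2/0(match): pass in on em1: 203.0.113.5.40001 > myip.80: Flags [S], seq 1000, win 65535, length 0
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"{s.packets} blocked packets, {s.bytes} bytes")
    print("by vector:", dict(s.by_vector))
    print("top sources:", s.by_source.most_common(3))
    for cmd in pfctl_block_commands(s):
        print(cmd)
```

To run it on a live box, replace `SAMPLE_LOG.splitlines()` with `sys.stdin` and pipe in `grep ' pf: ' /var/log/messages` (or `tcpdump -n -e -ttt -r /var/log/pflog`, whose lines carry the same `rule ... block in on ...` text). The by-vector and by-port counts are what answer the question argued in the thread: source port 123 on every line means NTP reflection, regardless of what the booter calls it.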
 
Mr. Teacher, is it OK now?
Code:
# State options are comma-separated; a missing comma before "overload" is a syntax error.
# max-src-states 1 allows one state per source, so max-src-conn 2 can never be reached,
# and max-src-conn-rate 1/5 admits one new connection per source every 5 seconds.
pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state \
    (max 2048, source-track rule, max-src-nodes 1000, max-src-states 1, max-src-conn 2, \
     max-src-conn-rate 1/5, overload <abusive_hosts> flush global)
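As an added example (not the poster's configuration and not from anyone in the thread), here is a complete pf.conf for a FreeBSD 10 web host that addresses both halves of what the log shows: the reflected UDP from port 123/53 is dropped early without being logged or stated, and the TCP rate limits are set so a normal browser behind NAT is not tabled. The interface name, ports, table names and every limit value are assumptions to be tuned for your link and client mix.

```conf
# Added example: pf.conf for a FreeBSD 10 web host under a UDP reflection
# flood. Interface, ports, table names and all limit values are assumptions.
ext_if = "xn0"
service_ports = "{ 53, 80 }"
# Source ports of services abused as reflectors (NTP, DNS, SSDP).
reflector_ports = "{ 123, 53, 1900 }"

table <trusted_hosts> persist
table <abusive_hosts> persist

# Raise the state table before a flood fills the default of 10000.
set limit { states 100000, src-nodes 50000 }
set block-policy drop
set loginterface $ext_if
set skip on lo0

scrub in on $ext_if all fragment reassemble
antispoof quick for { lo0 $ext_if }

# Reflected UDP arrives unsolicited with a reflector source port. Replies to
# our own DNS/NTP queries never reach this rule: they match the state created
# by the outbound pass rule, and state lookup happens before rule evaluation.
# No "log" keyword here: a pflog entry per packet at flood rate costs more
# than dropping the packet does.
block drop in quick on $ext_if proto udp from any port $reflector_ports to any

block in log on $ext_if
pass out on $ext_if all modulate state

pass in quick on $ext_if from <trusted_hosts>
block in quick on $ext_if from <abusive_hosts>

pass in on $ext_if inet proto icmp all icmp-type echoreq

# TCP services. synproxy state completes the handshake on pf's side, so
# spoofed SYNs never reach the daemon. Limits are per source and roomy enough
# for a browser behind NAT: 50 concurrent connections and 30 new ones per
# 10 seconds; a source exceeding them is tabled and its states flushed.
# max-src-states is left unset so it cannot undercut max-src-conn.
pass in on $ext_if proto tcp to ($ext_if) port $service_ports \
    flags S/SA synproxy state \
    (max 20000, source-track rule, max-src-nodes 10000, \
     max-src-conn 50, max-src-conn-rate 30/10, \
     overload <abusive_hosts> flush global)
```

Check it with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and expire old table entries from cron with `pfctl -t abusive_hosts -T expire 3600` so a NAT gateway that tripped the limit once is not blocked forever. None of this changes the point made in the replies: the reflected packets still arrive on the link and consume its bandwidth; the ruleset only keeps the host itself from spending CPU, state entries and log I/O on them.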
 
The attacker is using www.inboot.me with the TCP Amplification method.
Perhaps you should contact them? Apparently somebody is abusing their services to attack networks that do not belong to them.

Even if you filter out the bad traffic on your firewall, nothing you can do will stop the traffic from arriving in the first place.
 