IPFW Under SSDP DDOS, ipfw_install_state: add parent failed

Hi all,

I'm using FreeBSD 10.1 and nginx to provide web services.

Since yesterday afternoon, my website has been down, and my server no longer responds to ping requests. When I checked the server at that time, all services seemed fine, except that I got endless alerts in /var/log/messages as below:

Code:
Apr 21 16:01:51 www kernel: ipfw: add_dyn_rule: Cannot allocate rule
Apr 21 16:01:51 www kernel: ipfw: ipfw_install_state: add parent failed
Apr 21 16:01:51 www last message repeated 285 times
Apr 21 16:01:54 www kernel: tate: add parent failed
Apr 21 16:01:54 www kernel: ipfw: ipfw_install_state: add parent failed
Apr 21 16:01:54 www last message repeated 594 times
Apr 21 16:01:54 www kernel: ipfw: add_dyn_rule: Cannot allocate rule
Apr 21 16:01:54 www kernel: ipfw: ipfw_install_state: add parent failed

As soon as I disabled IPFW, my website came back to normal. When I tried to enable IPFW again, my server went down again.

Below is my ipfw.conf; can anyone help? I have been using these rules and IPFW for more than 5 years without any problem.

Code:
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 15 allow all from 127.0.0.1 to any
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
$IPF 41 deny all from 69.85.93.235 to any
# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any


# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 100 allow tcp from any to any 21 in
$IPF 110 allow tcp from any to any 21 out
$IPF 120 allow tcp from any to any 25 in
$IPF 130 allow tcp from any to any 25 out
$IPF 140 allow udp from any to any 53 in
$IPF 150 allow tcp from any to any 53 in
$IPF 160 allow udp from any to any 53 out
$IPF 175 allow tcp from any to any 53 out
#$IPF 600 allow tcp from any to any 80 in
$IPF 600 allow tcp from any to me 80 in limit src-addr 100
$IPF 600 allow tcp from any to me 81 in
$IPF 610 allow tcp from any to any 81 out
$IPF 610 allow tcp from any to any 80 out

# deny and log everything
$IPF 1000 deny log all from any to any

and

Code:
# sysctl net.inet.ip.fw.dyn_max
net.inet.ip.fw.dyn_max: 65535
 
This afternoon I got attacked again... in 1 hour /var/log/messages grew to about 15G.
All requests are as follows:
Code:
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 140.249.63.114:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 175.149.53.73:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 162.40.147.241:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 162.40.147.141:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 171.109.81.231:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 94.178.22.37:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 175.150.243.102:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 175.10.101.245:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 175.1.165.247:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 87..97.144.211:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 87.126.176.109:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 190.48.220.229:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 175.10.223.46:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 175.166.98.51:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 175.150.214.29:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 190.50.113.185:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 175.149.147.109:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 140.249.57.8:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 175.30.27.112:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 175.166.159.33:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 171.112.40.199:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 175.139.198.1:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 175.151.169.190:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 175.150.213.67:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 140.249.9.24:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 140.249.57.160:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 175.152.55.182:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 175.4.102.199:1900
Can anyone help?
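The two kinds of /var/log/messages lines in this post (the ipfw state-table failures with syslog's "last message repeated N times", and the UDP "Connection attempt" lines from reflectors on source port 1900) can be summarised with a small script. This is an added example, not code from the original post; the sample log lines are constructed with RFC 5737 documentation addresses, and the "distinct hosts" threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the two /var/log/messages excerpts in the
# thread (RFC 5737 documentation addresses, "myip" kept as in the post).
SAMPLE = """\
Apr 21 16:01:51 www kernel: ipfw: add_dyn_rule: Cannot allocate rule
Apr 21 16:01:51 www kernel: ipfw: ipfw_install_state: add parent failed
Apr 21 16:01:51 www last message repeated 285 times
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 198.51.100.7:1900
Apr 22 16:00:00 www kernel: Connection attempt to UDP myip:80 from 198.51.100.8:1900
Apr 22 16:00:01 www kernel: Connection attempt to UDP myip:80 from 203.0.113.5:53
"""

REPEAT = re.compile(r"last message repeated (\d+) times")
UDP_VAIN = re.compile(r"Connection attempt to UDP (\S+):(\d+) from (\S+):(\d+)")
DYN_FAIL = "add_dyn_rule: Cannot allocate rule"
PARENT_FAIL = "ipfw_install_state: add parent failed"


def summarize(text):
    """Count ipfw state-table failures and unsolicited UDP hits, folding
    syslog's 'last message repeated N times' into the preceding event.
    Returns (event counts, hits per UDP source port, hosts per source port)."""
    counts, hits_by_src_port = Counter(), Counter()
    hosts_by_src_port = defaultdict(set)
    last = None
    for line in text.splitlines():
        rep = REPEAT.search(line)
        if rep:
            if last is not None:
                counts[last] += int(rep.group(1))
            continue
        if DYN_FAIL in line:
            last = "dyn_alloc_failed"
        elif PARENT_FAIL in line:
            last = "install_state_failed"
        elif (m := UDP_VAIN.search(line)):
            last = "udp_in_vain"
            src_port = int(m.group(4))
            hits_by_src_port[src_port] += 1
            hosts_by_src_port[src_port].add(m.group(3))
        else:
            last = None  # unrelated line; a later "repeated" belongs to it
            continue
        counts[last] += 1
    return counts, hits_by_src_port, hosts_by_src_port


def ssdp_reflection_suspected(hits_by_src_port, hosts_by_src_port, min_hosts=2):
    """The pattern in the post: unsolicited UDP from many distinct hosts that
    all use source port 1900 (SSDP). min_hosts is an assumed threshold."""
    return hits_by_src_port[1900] > 0 and len(hosts_by_src_port[1900]) >= min_hosts
```

Running summarize() over a real /var/log/messages gives the repeated-message-expanded count of dynamic-rule allocation failures next to the UDP hit breakdown, which is what you want to compare against net.inet.ip.fw.dyn_max.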
 
Thanks very much for your reply.

I know it's an SSDP DDoS; I have now blocked all packets from port 1900 on our router.

But I still get the error:
Code:
add_dyn_rule: Cannot allocate rule

Can you advise how I can fix this issue?
Or do I have to use PF instead of IPF?
 
We blocked all packets from port 1900 on our core switch. Now the SSDP DDoS is gone.
But I still haven't found a solution for "add_dyn_rule: Cannot allocate rule".
 
I updated my ipfw rules to the following:
Code:
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any keep-state

# open port

$IPF 100 allow tcp from any to me 21 in setup keep-state
$IPF 110 allow tcp from any to me 80 in setup limit src-addr 100
$IPF 120 allow tcp from any to any 53 setup keep-state
$IPF 130 allow udp from any to any 53


The problem I have now is that as soon as I enable IPFW, my web server returns 502 errors.
I'm using a unix socket to connect php-fpm and nginx.

I don't know why these ipfw rules would cause the web server to return 502.
In /var/log/messages I can find the following errors:
Code:
Sep 23 18:49:23 www kernel: sonewconn: pcb 0xfffff80d401a84b0: Listen queue overflow: 193 already in queue awaiting acceptance (598 occurrences

Does anyone have any idea?
 