ip_conntrack table full dropping packet

Issues related to configuring your network
n3r0x
Posts: 13
Joined: 2007/08/09 01:17:20
Location: Sweden

ip_conntrack table full dropping packet

Post by n3r0x » 2008/05/12 13:09:27

I got:

[code]
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
220000
[/code]

This fills in approx 1 hour due to heavy DoS attacks.
My iptables filters the attack but ip_conntrack gets full too fast.
And therefore they manage to put my website down..
Been googling for hours and all I see is "higher ip_conntrack_max".
Usually they recommend 160 000 but I got 220 000 and it's full.

Is there a way to clear ip_conntrack.. or make it remove old entries faster..
To wait 5 days, which is the clean time, is not possible for me.

A bit more info:

[code]
# /sbin/iptables -V
iptables v1.3.5
[/code]

ip_conntrack 2.4

I'm thankful for any help
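Before raising ip_conntrack_max or flushing the table, it is worth seeing what is actually filling it. The script below is an added example (not from anyone in this thread): it parses the text format of /proc/net/ip_conntrack (the same fields appear in /proc/net/nf_conntrack on newer kernels and in `conntrack -L` from conntrack-tools) and reports occupancy against ip_conntrack_max, entries per protocol and TCP state, how many are [UNREPLIED] half-open flows, and the busiest original-direction sources and destination ports. The table lines and the 220000 limit used in the demo are constructed sample data; run it as root on a live box and it reads the real files instead.

```python
"""Summarise a conntrack table dump to see what is filling it (added example)."""
import os
import re
from collections import Counter

CONNTRACK_TABLE = "/proc/net/ip_conntrack"
CONNTRACK_MAX = "/proc/sys/net/ipv4/netfilter/ip_conntrack_max"

# Constructed sample in /proc/net/ip_conntrack format (not captured traffic).
# SYN_SENT + [UNREPLIED] is what a half-open flow towards port 80 looks like
# when the SYN was seen but no reply has been; ESTABLISHED entries keep the
# 5-day (432000 s) default timeout, which is the "clean time" the poster hit.
SAMPLE_TABLE = """\
tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=198.51.100.5 sport=51234 dport=80 packets=12 bytes=1840 src=198.51.100.5 dst=203.0.113.10 sport=80 dport=51234 packets=9 bytes=6120 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=203.0.113.77 dst=198.51.100.5 sport=40001 dport=80 packets=1 bytes=60 [UNREPLIED] src=198.51.100.5 dst=203.0.113.77 sport=80 dport=40001 packets=0 bytes=0 mark=0 use=1
tcp      6 118 SYN_SENT src=203.0.113.77 dst=198.51.100.5 sport=40002 dport=80 packets=1 bytes=60 [UNREPLIED] src=198.51.100.5 dst=203.0.113.77 sport=80 dport=40002 packets=0 bytes=0 mark=0 use=1
tcp      6 119 SYN_SENT src=203.0.113.77 dst=198.51.100.5 sport=40003 dport=80 packets=1 bytes=60 [UNREPLIED] src=198.51.100.5 dst=203.0.113.77 sport=80 dport=40003 packets=0 bytes=0 mark=0 use=1
tcp      6 119 SYN_SENT src=203.0.113.78 dst=198.51.100.5 sport=40004 dport=80 packets=1 bytes=60 [UNREPLIED] src=198.51.100.5 dst=203.0.113.78 sport=80 dport=40004 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=203.0.113.20 dst=198.51.100.5 sport=5353 dport=53 packets=1 bytes=72 src=198.51.100.5 dst=203.0.113.20 sport=53 dport=5353 packets=1 bytes=120 [ASSURED] mark=0 use=1
"""

# proto  protonum  timeout-seconds  rest-of-line
LINE_RE = re.compile(r"^(?P<proto>\w+)\s+(?P<protonum>\d+)\s+(?P<timeout>\d+)\s+(?P<rest>.*)$")


def parse_entry(line):
    """Return a dict for one table line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("rest").split()
    # TCP lines carry a state word before the first src=; UDP/ICMP lines do not.
    state = "-"
    if tokens and "=" not in tokens[0] and not tokens[0].startswith("["):
        state = tokens[0]
    kv = [t for t in tokens if "=" in t]
    # The first src=/dport= pair describes the original direction of the flow.
    orig_src = next(t.split("=", 1)[1] for t in kv if t.startswith("src="))
    dports = [t.split("=", 1)[1] for t in kv if t.startswith("dport=")]
    return {
        "proto": m.group("proto"),
        "timeout": int(m.group("timeout")),
        "state": state,
        "src": orig_src,
        "dport": int(dports[0]) if dports else None,
        "unreplied": "[UNREPLIED]" in tokens,
        "assured": "[ASSURED]" in tokens,
    }


def summarise(table_text, conntrack_max, top=3):
    """Aggregate a table dump into the figures you want when the table is full."""
    entries = [e for e in (parse_entry(l) for l in table_text.splitlines()) if e]
    total = len(entries)
    return {
        "total": total,
        "max": conntrack_max,
        "percent_full": round(100.0 * total / conntrack_max, 2),
        "by_state": dict(Counter(f"{e['proto']}/{e['state']}" for e in entries)),
        "unreplied": sum(1 for e in entries if e["unreplied"]),
        "top_sources": Counter(e["src"] for e in entries).most_common(top),
        "top_dports": Counter(e["dport"] for e in entries).most_common(top),
    }


def load_live():
    """Read the real table and limit if this kernel exposes them, else the sample."""
    if os.path.exists(CONNTRACK_TABLE) and os.path.exists(CONNTRACK_MAX):
        with open(CONNTRACK_TABLE) as f, open(CONNTRACK_MAX) as g:
            return f.read(), int(g.read().strip())
    return SAMPLE_TABLE, 220000  # limit value quoted in the thread, used for the demo


if __name__ == "__main__":
    table, limit = load_live()
    for key, value in summarise(table, limit).items():
        print(f"{key:14} {value}")
```

A table dominated by short-timeout [UNREPLIED] entries all aimed at one port is a flood, not real clients, and that is the traffic to keep out of conntrack (or rate-limit) rather than a reason to raise the limit; a table full of long-lived ESTABLISHED entries points at the timeouts instead.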

michaelnel
Posts: 1478
Joined: 2006/05/29 16:50:11
Location: San Francisco, CA

Re: ip_conntrack table full dropping packet

Post by michaelnel » 2008/05/13 17:28:05

Rather than trying to clear the table, how about doing something to help keep it from getting full? I have these rules in my iptables firewall:

[code]
-A RH-Firewall-1-INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 22 --syn -j DROP
[/code]

That limits ssh connections from a particular IP to 3 per minute. If they connect more quickly than that (say in an ssh brute force attack) it simply drops their packets. (note that I actually have sshd on a port other than 22, but I used 22 in the example).
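The `limit` match is a token bucket, and the exact shape matters when you tune it: `--limit-burst 3` is the bucket size, `--limit 1/m` is the refill rate, so the rule passes three SYNs at once and then one more per minute, not three in every minute. One caveat worth knowing: `-m limit` keeps a single bucket per rule, shared by every source address, so the rule above throttles SSH SYNs from everyone together; per-source buckets need `-m hashlimit --hashlimit-mode srcip`. The script below is an added example (not the poster's code) that models the bucket with exact fractions and gives an ACCEPT/DROP verdict for a constructed list of SYN arrival times.

```python
"""Token-bucket model of the iptables `limit` match (added example)."""
from fractions import Fraction

# Rate units accepted by `--limit`; a bare number means per second (iptables' default).
_UNIT_SECONDS = {
    "s": 1, "sec": 1, "second": 1,
    "m": 60, "min": 60, "minute": 60,
    "h": 3600, "hour": 3600,
    "d": 86400, "day": 86400,
}


def parse_rate(spec):
    """Turn an iptables rate such as '1/m' into tokens per second (exact Fraction)."""
    count, _, unit = spec.partition("/")
    unit = unit or "s"
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unknown rate unit: {unit!r}")
    return Fraction(int(count), _UNIT_SECONDS[unit])


def simulate_limit(arrivals, rate, burst):
    """Verdict per packet for `-m limit --limit <rate> --limit-burst <burst> -j ACCEPT`
    followed by an unconditional DROP, as in the rules above.

    arrivals: packet arrival times in seconds, non-decreasing.
    A packet that finds a whole token consumes it and matches (ACCEPT); one that
    does not match falls through to the next rule (DROP). The bucket starts full.
    """
    capacity = Fraction(burst)
    tokens = capacity
    last = Fraction(arrivals[0]) if arrivals else Fraction(0)
    verdicts = []
    for t in arrivals:
        t = Fraction(t)
        if t < last:
            raise ValueError("arrival times must be non-decreasing")
        tokens = min(capacity, tokens + (t - last) * rate)  # refill since last packet
        last = t
        if tokens >= 1:
            tokens -= 1
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP")
    return verdicts


def ssh_rule_verdicts(arrivals):
    """The thread's rule pair: --limit 1/m --limit-burst 3, then DROP."""
    return simulate_limit(arrivals, parse_rate("1/m"), 3)


if __name__ == "__main__":
    # Constructed arrivals: a burst of four SYNs, then stragglers over two minutes.
    times = [0, 0, 0, 1, 30, 60, 61, 120]
    for t, v in zip(times, ssh_rule_verdicts(times)):
        print(f"t={t:4}s  {v}")
```

Running it shows the fourth SYN at t=1 dropped, the one at t=30 still dropped (only half a token has refilled), and the ones at t=60 and t=120 accepted, which is the "3 then 1/minute" behaviour in practice.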

NedSlider
Forum Moderator
Posts: 2897
Joined: 2005/10/28 13:11:50
Location: UK

ip_conntrack table full dropping packet

Post by NedSlider » 2008/05/13 19:11:53

[quote]
michaelnel wrote:
Rather than trying to clear the table, how about doing something to help keep it from getting full? I have these rules in my iptables firewall:

[code]
-A RH-Firewall-1-INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 22 --syn -j DROP
[/code]

That limits ssh connections from a particular IP to 3 per minute. If they connect more quickly than that (say in an ssh brute force attack) it simply drops their packets. (note that I actually have sshd on a port other than 22, but I used 22 in the example).[/quote]

Michael,

Would you mind if I added your example above to the SSH page on the Wiki?

http://wiki.centos.org/HowTos/Network/SecuringSSH#head-a296ec93e31637aa349538be07b37f67d836688a

michaelnel
Posts: 1478
Joined: 2006/05/29 16:50:11
Location: San Francisco, CA

Re: ip_conntrack table full dropping packet

Post by michaelnel » 2008/05/13 19:16:58

[quote]NedSlider wrote:
Would you mind if I added your example above to the SSH page on the Wiki?

http://wiki.centos.org/HowTos/Network/SecuringSSH#head-a296ec93e31637aa349538be07b37f67d836688a[/quote]

Not at all. I didn't invent it, I found it somewhere on the net. Works great though, I have it installed on all of our servers. That and moving sshd off of port 22 has virtually stopped brute force ssh attacks on our servers.

NedSlider
Forum Moderator
Posts: 2897
Joined: 2005/10/28 13:11:50
Location: UK

Re: ip_conntrack table full dropping packet

Post by NedSlider » 2008/05/13 19:40:57

[quote]
michaelnel wrote:

Not at all. I didn't invent it, I found it somewhere on the net. Works great though, I have it installed on all of our servers. That and moving sshd off of port 22 has virtually stopped brute force ssh attacks on our servers.[/quote]

Thanks - I'll get it added as soon as I get a chance.

The fact that you've thoroughly tested it in a live environment is also useful to know :-)

I'm surprised you see any brute-force attacks running on a high random port, but hey :-D

At present I'm lucky enough to be able to directly limit access to trusted IPs so I don't get to experience the problem. If you haven't seen it already, this may be of interest from today's diary at the SANS Internet Storm Center:

http://isc.sans.org/diary.html?storyid=4408

Thanks,

Ned

michaelnel
Posts: 1478
Joined: 2006/05/29 16:50:11
Location: San Francisco, CA

Re: ip_conntrack table full dropping packet

Post by michaelnel » 2008/05/13 20:01:03

[quote]
NedSlider wrote:
I'm surprised you see any brute-force attacks running on a high random port, but hey :-D [/quote]

I don't see much. But occasionally I see a brute force attack starting but it only gets three connects and then it gets dumped. I think the drastic reduction in brute force attacks is due far more to having moved sshd off of 22, but still, it's security by obscurity and I am not comfortable with that.

We run denyhosts, too. I like to have lots of layers ;-)

n3r0x
Posts: 13
Joined: 2007/08/09 01:17:20
Location: Sweden

Re: ip_conntrack table full dropping packet

Post by n3r0x » 2008/05/22 02:59:40

[quote]
n3r0x wrote:
I got:

[code]
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
220000
[/code]

This fills in approx 1 hour due to heavy DoS attacks.
My iptables filters the attack but ip_conntrack gets full too fast.
And therefore they manage to put my website down..
Been googling for hours and all I see is "higher ip_conntrack_max".
Usually they recommend 160 000 but I got 220 000 and it's full.

Is there a way to clear ip_conntrack.. or make it remove old entries faster..
To wait 5 days, which is the clean time, is not possible for me.

A bit more info:

[code]
# /sbin/iptables -V
iptables v1.3.5
[/code]

ip_conntrack 2.4

I'm thankful for any help[/quote]


Hehe, not that easy to keep it from getting full.. had approx 500 Mbit (60 MB/s) of DDoS packets sent to port 80.. from approx 20000 different IPs..

But the only way that I found worked really well was to restart iptables every 30 min using cron jobs..
This stopped the buffer from overflowing and the attacks.

NedSlider
Forum Moderator
Posts: 2897
Joined: 2005/10/28 13:11:50
Location: UK

Re: ip_conntrack table full dropping packet

Post by NedSlider » 2008/05/22 11:42:59

Thanks for posting back with your solution.

Thinking out loud, I wonder if one could disable ip_conntrack and stateful packet inspection, and just use stateless inspection accepting every packet for a given port.

n3r0x
Posts: 13
Joined: 2007/08/09 01:17:20
Location: Sweden

Re: ip_conntrack table full dropping packet

Post by n3r0x » 2008/05/26 19:18:42

[quote]
NedSlider wrote:
Thanks for posting back with your solution.

Thinking out loud, I wonder if one could disable ip_conntrack and stateful packet inspection, and just use stateless inspection accepting every packet for a given port.[/quote]

If you disabled it the server would be vulnerable to port overloading attacks like SYN flood, Portfucks, and it would also be vulnerable to brute-force attacks.

By disabling those types of attacks your server will be more secure against script kiddies, since those are the most common attacks used by script kiddies besides SQL injections, but that's another problem..

:-)

Another good thing you can use is Snort.. at least that's what I've heard.. haven't had the time to check it out yet.. will do that when my 4 new servers arrive.
