다양한 유형의 DOS/DDOS 공격을 방지하기 위해 IP 테이블 규칙을 설치하려는 네트워크 스위치가 있습니다. 아래는 네트워크 레이아웃입니다.
Laptop-1 ------- router ---- Network switch ---- customer devices
|
Laptop-2 -----------
Laptop-1에서 스위치를 공격하려고 하는데 스위치가 정지 상태가 됩니다.
다음은 제가 예방하려고 시도한 DoS/DDoS 공격입니다.
IP spoofing
Attack command: hping3 -a 192.168.1.1 -S -p 80 --flood 192.168.22.140
Result: System hangs
SYN flood - half handshake
Attack command: hping3 -V -c 1000 -d 10 -S -p 80 --flood 192.168.22.140
Result: System hangs
ICMP flood
Attack command: hping3 -1 --flood -a 192.168.22.140 192.168.22.140
Attack command: hping3 -1 --flood -a 192.168.22.15 192.168.22.140
Result: System hangs
ICMP 플러딩의 경우 이미 규칙이 있지만 IP 스푸핑 및 SYN 플러딩 공격에 필요한 규칙을 찾는 데 도움이 필요합니다. 이 규칙은 모든 서브넷의 공격자를 차단하는 방식으로 설치되어야 합니다.
다음 iptables 버전을 사용하고 있습니다.iptables-1.8.5 (legacy build)
답변1
#!/bin/bash
# Variables
IPTABLES="/sbin/iptables"
RLIMIT="-m limit --limit 10/s --limit-burst 10"
#---------------------------------------------------------------------------
# Drop invalid packets
$IPTABLES -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
#----------------------------------------------------------------------------
# Drop TCP packets that are new and are not SYN
$IPTABLES -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
#---------------------------------------------------------------------------------------
# Drop SYN packets with suspicious MSS value
$IPTABLES -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
#-------------------------------------------------------------------------------------------------------
# Block packets with bogus TCP flags
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
#---------------------------------------------------------------------------------------
# Limit TCP connections per source IP
$IPTABLES -A INPUT -p tcp -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
#-----------------------------------------------------------------------------------------
# Protection against SYN FLOOD
$IPTABLES -N SYN_FLOOD
$IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
$IPTABLES -A SYN_FLOOD $RLIMIT -j RETURN
$IPTABLES -A SYN_FLOOD -j DROP
#-------------------------------------------------------------------------------------------
# Save the rules
/sbin/iptables-save