topic behaviour with pbox and synatk in Firewall and Security Management

behaviour with pbox and synatk

796570686578 — Tue, 26 Jan 2021 11:07:06 GMT

Hey everyone,

I am currently trying to get a better understanding of SecureXL's PenaltyBox and SYN Attack feature. For that, I set up a Lab with R81 Mgmt & Gateway. On the external interface is the attacker machine and on the internal interface is a target running a webserver.
To simulate a SYN Attack I use hping3 on the attacker machine and flood the webserver with syns.

On the Gateway I have enabled Penalty Box and SYN Defender, with the only configuration change setting the Global Threshold for Syn Defender to 1000 connections via cli. If I understand correctly, once the gateway has more than 1000 half-opened connections, SYN Attack Defender will become active and is enforced before the penalty box?

I tried two different scenarios:

Flood the target with the original IP of Attacker PC
Flood the target with a spoofed IP on Attacker PC

Scenario 1 Flooding with original src IP:

sudo hping3 -c 15000 -d 0 -S -w 64 -p 80 --flood 192.168.1.142

Behavior on the GW:

the attacker is put into the penalty box after a few seconds, future packets getting dropped.
the peak of fw connections table entries right after the attack is ~100k and then drops rapidly (aggressive aging?)
SecureXL connection table doesnt contain any entries
tcpdump shows packets exiting the outgoing interface until put in pbox
SYN Defender shows active and "Under Attack" and sends cookies as expected, connection table doesn't fíll anymore.
Kernel debug shows that the pbox violation counter is updated until it hits the threshold.

Scenario 2 Flooding with spoofed src IP

sudo hping3 -c 15000 -d 0 -S -w 64 -p 80 --flood 192.168.1.142 -a 53.52.51.50

Behavior on the GW:

the attacker is not put into the penalty box
the peak of connection table entries right after the attack is ~150k and the connections dont seem to age out until the default 25 second timer is reached.
SecureXL connection table is beeing filled aswell
tcpdump captures incoming and outgoing packets w. spoofed ip
SYN Defender shows active and "Under Attack" and sends cookies as expected, connection table doesn't fíll anymore.
kernel debug shows that the pbox violation counter isn't updating

Now I have a few questions:

Why is the Attacker is the Attacker in Scenario 1 put into the penalty box but not in Scenario 2? They match the same rule in the rulebase but somehow in Scenario 2, the counter either doesn't get updated or doesn't exceed the threshold..?

A somewhat borad question: How would you defend against a real ddos attack where you have thousands of different source ips?

Re: behaviour with pbox and synatk

_Val_ — Tue, 26 Jan 2021 11:24:17 GMT

Penalty box is thoroughly described in sk112454.

Re: behaviour with pbox and synatk

796570686578 — Tue, 26 Jan 2021 11:53:16 GMT

Thanks I have read it, but I still don't understand why it is once added to the penalty box and the other time its not

Re: behaviour with pbox and synatk

_Val_ — Tue, 26 Jan 2021 12:02:08 GMT

Please share the exact steps you are doing to enable SynDefender and DOS policy. Also, do you have an actual server behind FW to hit?

From where I stand, Penalty box is not in play at all in both of your scenarios.

Re: behaviour with pbox and synatk

796570686578 — Tue, 26 Jan 2021 12:23:07 GMT

Hi, thanks for your help! If you prefere screenshots instead, please let me know, it was just quicker that way 😉

To enable SynDefender: fwaccel synakt -e (enable on external iface, monitor on internal - attacker comes from external(defined in topology)) I have not enabled the SYN Protection in SmartConsole, it is set to inactive.

fwaccel synatk config get:

enabled 1
enforce 1
global_high_threshold 1000
periodic_updates 1
cookie_resolution_shift 6
min_frag_sz 80
high_threshold 500
low_threshold 100
score_alpha 100
monitor_log_interval (msec) 60000
grace_timeout (msec) 30000
min_time_in_active (msec) 60000

To enable Penalty Box: fwaccel dos config set --enable-pbox

fwaccel dos config get:

rate limit: enabled (without policy)
rule cache: enabled
pbox: enabled
deny list: enabled (without policy)
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds

I have no rate limit rule configured

[Expert@FW_01_DDOS:0]# fwaccel dos rate get
No DOS/Rate Limiting policy rules found
(0 rules found)

Dos white & blacklist is not configured:

[Expert@FW_01_DDOS:0]# fwaccel dos allow -s
[Expert@FW_01_DDOS:0]# fwaccel dos deny -s
The deny list is empty

Penalty Box whitelist is not configured:

[Expert@FW_01_DDOS:0]# fwaccel dos pbox allow -s
[Expert@FW_01_DDOS:0]#

fwaccel dos stats get:

[Expert@FW_01_DDOS:0]# fwaccel dos stats get

Firewall Instances in Aggregate:
Memory Usage: 0
Total Active Connections: 0
Number of Elements in Tables:
Penalty Box Violating IPs: 3 (size: 8192)
Rate Limit Source Only Tracks: 0 (size: 0)
Rate Limit Source and Service Tracks: 0 (size: 0)

SecureXL:
Memory Usage: 0
New Connections/Second: 0
Packets/Second: 0
Bytes/Second: 0
Reasons Packets Dropped:
IP Fragment: 0
IP Option: 0
Penalty Box: 5736148
Deny list: 0
Rate Limit: 0
Number of Elements in Tables:
Penalty Box: 0 (size: 937432)
Non-Empty Deny lists: 0 (size: 0)
Deny List IPs: 0 (size: 0)
Rate Limit Matches: 0 (size: 0)
Rate Limit Source Only Tracks: 0 (size: 0)
Rate Limit Source and Service Tracks: 0 (size: 0)
Rate Limit Dest Only Tracks: 0 (size: 0)
Rate Limit Dest and Service Tracks: 0 (size: 0)

I also checked the penalty box table with "fwaccel tab -t dos_pbox -f" and it the original IP always lands in there.

Behind the firewall I have an Ubuntu VM which is running a webserver, which I can also browse without any issues.

Re: behaviour with pbox and synatk

Timothy_Hall — Tue, 26 Jan 2021 13:50:53 GMT

> internal: disabled

Which interfaces are you using for these tests? You probably need to run fwaccel dos config set --enable-internal. By default only traffic hitting an external interface will have these mechanisms applied, see:

sk111881: Rate Limiting rules for DoS Mitigation are not taking effect

Re: behaviour with pbox and synatk

796570686578 — Tue, 26 Jan 2021 14:01:35 GMT

The Interface the attacking machine is connected to is eth1 which is defined as an External Interface in Smartconsole. This is the only network adapter they share and a tcpdump on this interface also shows that packets are arriving via this interface in both scenarios.