Viable protections against Layer7 attacks on servers
Running a layer 7 attack via a public stresser, using a method called "HTTP-SOCKET", which spams GET requests to [Hidden Content] with 30 requests per IP, using around 2k IPs with random geolocation. Here's my pf conf:

# This is a minimalistic configuration with basic rate limiting
# Change the value to reflect your public interface. You can see this with ifconfig.
ext_if="vtnet0"

# Ports used for services (ssh, mysql)
service_ports="{ 22, 3306 }"
# Ports
game_ports="{ 20076, 20083, 20081, 20079, 20077 }"
auth_ports="{ 20085 }"
icmp_types="{ echoreq, unreach }"

# table for abusive_hosts = Block IPs.
table <abusive_hosts> persist file "/usr/home/game/Firewall/abusive_hosts"
# IP addresses that should override the firewall rules, such as your web server.
table <whitelist> const { 127.0.0.1 }

martians="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
    10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
    0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32, \
    ::/128, ::1/128, ::ffff:0:0/96, ::/96, 100::/64, \
    2001:10::/28, 2001:db8::/32, fc00::/7, fe80::/10, \
    fec0::/10, ff00::/8 }"

set block-policy drop
set limit { states 100000, frags 20000, src-nodes 100000, table-entries 200000 }
set loginterface $ext_if
set skip on lo

scrub on $ext_if reassemble tcp no-df random-id
antispoof quick for { lo0 $ext_if }

block in
block in quick from <abusive_hosts>

# Drop all Non-Routable Addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

pass out all keep state
pass out on $ext_if all modulate state

# Allow ping
pass inet proto icmp all icmp-type $icmp_types keep state

# Rate limits
pass in on $ext_if proto tcp to any port $service_ports flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 15/5, overload <abusive_hosts> flush global)
pass in on $ext_if proto tcp to any port $game_ports flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 15/5, overload <abusive_hosts> flush global)
pass in on $ext_if proto tcp to any port $auth_ports flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 15/3, overload <abusive_hosts> flush global)

pass in quick from <whitelist>
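The pf rules above only ever count new connections per source address, so a stresser that spreads a few dozen requests across each of 2k IPs can stay under `max-src-conn-rate 15/5` on every single source while the aggregate still floods the auth port. The script below is an added example, not code from any post in this thread: it parses a `tcpdump -n` capture (the one-line TCP format, with the two-line -vvv layout also accepted), works out the peak per-source connection rate in the same window pf uses, lists which sources the overload rule would actually catch, and contrasts that with the aggregate rate the application sees. The sample packets, the target address 198.51.100.10 and the source ranges 203.0.113.0/24 and 192.0.2.0/24 are constructed test data, not a real capture.

```python
import re
from collections import defaultdict

# Regexes for the one-line `tcpdump -n` format; with -vvv the timestamp sits on the
# IP-header line and the flow on the following line, which the parser also accepts.
TS_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6})")
FLOW_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)


def parse_syns(text):
    """Return (seconds_since_midnight, src_ip, dst_port) for each pure-SYN packet."""
    events, t = [], None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            h, mi, s, us = (int(x) for x in m.groups())
            t = h * 3600 + mi * 60 + s + us / 1e6
        f = FLOW_RE.search(line)
        if f and t is not None and f.group(5) == "S":  # "S." would be a SYN-ACK
            events.append((t, f.group(1), int(f.group(4))))
    return events


def peak_rate_per_source(events, seconds):
    """Most new connections any one source opened inside a sliding window of `seconds`."""
    by_src = defaultdict(list)
    for t, src, _ in events:
        by_src[src].append(t)
    peaks = {}
    for src, times in by_src.items():
        times.sort()
        best = lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[src] = best
    return peaks


def overloaded_sources(events, limit=15, seconds=5):
    """Sources a pf `max-src-conn-rate limit/seconds` rule would move into <abusive_hosts>.
    pf tracks this as a moving average, so the sliding window here is an approximation."""
    return sorted(s for s, p in peak_rate_per_source(events, seconds).items() if p > limit)


def aggregate_rate(events):
    """New connections per second across all sources, which is what the daemon feels."""
    if not events:
        return 0.0
    ts = [t for t, _, _ in events]
    span = max(ts) - min(ts)
    return len(events) / span if span > 0 else float(len(events))


def pfctl_add_commands(ips, table="abusive_hosts"):
    """pfctl commands that would add the given sources to the table by hand."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


def build_sample():
    """Constructed capture (not real data): one noisy source plus a spread-out flood."""
    rows = []

    def pkt(t, src, sport):
        h, rem = divmod(t, 3600)
        m, s = divmod(rem, 60)
        rows.append((t, f"{int(h):02d}:{int(m):02d}:{s:09.6f} IP {src}.{sport} > "
                        f"198.51.100.10.20085: Flags [S], seq 0, win 64240, "
                        f"options [mss 1460], length 0"))

    # 203.0.113.5 opens 20 connections in 2 s: this alone trips 15/5.
    for k in range(20):
        pkt(43200 + 0.1 * k, "203.0.113.5", 40000 + k)
    # 50 sources in 192.0.2.0/24 each open 3 connections 4 s apart, the shape of a
    # stresser that sends only a handful of requests per IP.
    for i in range(1, 51):
        for k in range(3):
            pkt(43200 + 0.2 * i + 4 * k, f"192.0.2.{i}", 50000 + k)
    rows.sort()
    return "\n".join(line for _, line in rows)


if __name__ == "__main__":
    evs = parse_syns(build_sample())
    bad = overloaded_sources(evs)
    print(f"{len(evs)} SYNs from {len({s for _, s, _ in evs})} sources, "
          f"{aggregate_rate(evs):.1f} new connections/s in total")
    print("sources pf would overload:", bad or "none")
    print("\n".join(pfctl_add_commands(bad)))
```

Run against a real dump (`tcpdump -i vtnet0 -n port 20085 > dump.txt`, then feed the file to `parse_syns`) the useful number is the gap between the per-source peaks and the aggregate rate: when every source stays below the `max-src-conn-rate` threshold but the total is still in the hundreds per second, the per-IP overload rule is the wrong tool and the decision has to be made on something the flood shares (a prefix, a request pattern at the application layer) rather than on one address at a time. Because the rules use `synproxy state`, pf completes the handshake itself, so the only thing it can see of an HTTP GET flood is the connection attempt, never the request.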
What sort of attack are you running and what is your pf.conf?
Sorry, here's the tcpdump using your arguments and the port of the attacked channel (tcpdump -i vtnet0 -n -vvv port 20085 in my case): [Hidden Content] And here is the tcpdump for every port besides my SSH port (in my case 22, since it's a test server): [Hidden Content]
Please use the -n option and exclude the SSH port. Otherwise the dump isn't useful: tcpdump -i vtnet0 -n -vvv port not <your ssh port number>
I have direct access to the stresser and can always test it. I tried to block it myself but unfortunately failed. I even tried to install nginx and deny all connections, but that didn't work LOL. The attack is simply sending requests to [Hidden Content], where the IP is of course the server's IP and the port is either a channel or the auth; it won't matter, as it will completely break the whole auth. Here's a tcpdump (using tcpdump -i vtnet0 tcp) log while attacking for 5 minutes: [Hidden Content] (pastebin alternative, because the text is way longer than 500 KB)
Every server out there has an attack vector of some sort. Then it's all up to the patience and skill of the attacker. The real question here is: are you able to figure out what is hitting you and how? If the answer is yes, then you can establish some sort of countermeasure, even if it involves some discomfort for your users. There have always been layer 7 attacks, so you need to be more specific or provide tcpdump logs.