Tom Eastep | 1 Feb 03:07 2009

DNS DDoS Reflector Filter

I've placed my DNSDDOS action files at
http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/. See the
aaREADME.txt file.

Shorewall-perl users should be able to use it as-is.

-Tom
--

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
Rayudu Madhava | 1 Feb 04:01 2009

Squid 3.1 Marking HIT packets


Sir,

    Squid 3.1 has a built-in feature to differentiate local cache hits.

From Squid-cache.org:

qos_flows local-hit=0xff Responses found as a HIT in the local cache

I want to use Linux tc with MARK 4 on the high-speed LAN so that cache content is not penalized.

Where should I change this in Shorewall? tc is outside Shorewall. I am using WEBHTB -- a web-enabled HTB frontend using Ajax, MySQL, Htbtools and generating tc rules. I need Shorewall to MARK Squid cache HITs as 0x04.

I think if I have to do it with raw iptables I have to write

iptables -t mangle -A FORWARD -m tcp -p tcp --sport 80 -d 192.168.0.0/24 -j MARK --set-mark 4

iptables -t mangle -A FORWARD -m mark --mark 4 -j TOS --set-tos 4


Regards
Rayudu.




Tom Eastep | 1 Feb 04:24 2009

Re: Squid 3.1 Marking HIT packets

Rayudu Madhava wrote:

> Where should I change this in  Shorewall.. 

In the tcrules file -- 'man shorewall-tcrules'.

And don't hijack a thread on this list again if you want to continue to
post here.

-Tom
--

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep | 1 Feb 05:10 2009

Re: DNS DDoS Reflector Filter

Tom Eastep wrote:
> I've placed my DNSDDOS action files at
> http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/. See the
> aaREADME.txt file.
> 
> Shorewall-perl users should be able to use it as-is.

It seems like 90+% of DNS queries against my name server are DDoS:

Counters reset Sat Jan 31 19:02:01 PST 2009

Chain DNSDDOS (1 references)
 pkts bytes target     prot opt in     out     source
destination
 4675  210K DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0           STRING match "|010000010000000000000000020001|" ALGO
name bm FROM 29 TO 30
  330 23531 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0
gateway:/etc/shorewall #

--

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Brian J. Murrell | 1 Feb 09:00 2009

Re: DNS DDoS Reflector Filter

On Sat, 2009-01-31 at 20:10 -0800, Tom Eastep wrote:
> 
> It seems like 90+% of DNS queries against my name server are DDoS:
> 
> Counters reset Sat Jan 31 19:02:01 PST 2009
> 
> Chain DNSDDOS (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>  4675  210K DROP       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           STRING match "|010000010000000000000000020001|" ALGO
> name bm FROM 29 TO 30
>   330 23531 ACCEPT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
> gateway:/etc/shorewall #

Damn.  I have an iptables installation with the older, 1.3.3 string
match which doesn't support the --algo, --from and --to modifiers.

What are the --to and --from arguments?  I would guess bytes offset from
somewhere, probably the packet start.

But 29-30 is only two bytes.  How does that compute with "hex-string" of
"|010000010000000000000000020001|"?

Thanx for any clarification you can provide.

b.

Tom Eastep | 1 Feb 17:26 2009

Re: DNS DDoS Reflector Filter

Brian J. Murrell wrote:
> On Sat, 2009-01-31 at 20:10 -0800, Tom Eastep wrote:
>> It seems like 90+% of DNS queries against my name server are DDoS:
>>
>> Counters reset Sat Jan 31 19:02:01 PST 2009
>>
>> Chain DNSDDOS (1 references)
>>  pkts bytes target     prot opt in     out     source
>> destination
>>  4675  210K DROP       all  --  *      *       0.0.0.0/0
>> 0.0.0.0/0           STRING match "|010000010000000000000000020001|" ALGO
>> name bm FROM 29 TO 30
>>   330 23531 ACCEPT     all  --  *      *       0.0.0.0/0
>> 0.0.0.0/0
>> gateway:/etc/shorewall #
> 
> Damn.  I have an iptables installation with the older, 1.3.3 string
> match which doesn't support the --algo, --from and --to modifiers.
> 
> What are the --to and --from arguments?  I would guess bytes offset from
> somewhere, probably the packet start.
> 
> But 29-30 is only two bytes.  How does that compute with "hex-string" of
> "|010000010000000000000000020001|"?
> 
> Thanx for any clarification you can provide.

As is normally the case with iptables/Netfilter, documentation is
practically non-existent; you get to learn how it works by a combination
of code reading and experimentation.

From what I've gleaned, --from and --to specify a byte offset range from
the beginning of the IP header that is to be searched for *the first
byte of the pattern*. The signature pattern begins at byte offset 30. I
have changed the DNSDDOS file to specify "--from 30 --to 31" rather than
"--from 29 --to 30"; while either way works, there is no point in
looking at offset 29.

The implementation is somewhat broken in my view. When the rule is being
loaded into the kernel, an error is raised if from_offset > to_offset.
But if the two are equal, no searching occurs because the search itself
starts with "if from_offset + consumed >= to_offset then we're done"
where 'consumed' is the number of bytes already examined (initially zero).

So in practice, --from must be strictly less than --to.

Another thing to note: Just because you specify --hex-string rather than
--string doesn't cause the following string to be interpreted as a hex
string! To be considered a hex string, it must begin and end with '|'.
I wasted a good hour yesterday before I did enough code reading to grok
that undocumented 'feature'.

As a side note, the rate of attack seems to be down this morning, I'm
only seeing 40-50% bogus queries.

-Tom
--

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
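The following is an added worked example, not code from the thread or from the Shorewall project. It models three points Tom makes above: that `--hex-string` text is only read as hex when it is enclosed in '|' bars, that the `--from`/`--to` window bounds where the *first* byte of the pattern may sit (and that `--from` must be strictly less than `--to`), and why the DNSDDOS signature starts at byte offset 30 of an IPv4/UDP DNS query (20-byte IP header + 8-byte UDP header + 2-byte transaction ID). The window model follows Tom's description of the kernel code and is an assumption; boundary handling differs between kernel versions, so confirm it against packet counters on your own kernel. The packet is constructed with RFC 5737 documentation addresses and zeroed checksums, purely for offset arithmetic; all function names are this example's own.

```python
# Added example for the Shorewall list thread above; not Shorewall's own code.
import struct

# The signature from the thread, in iptables --hex-string notation.
DNSDDOS_PATTERN = "|010000010000000000000000020001|"


def parse_hex_string(spec: str) -> bytes:
    """Turn iptables --hex-string notation into bytes.

    Only text between '|' bars is read as hex; text outside the bars is kept
    literally even under --hex-string, which is the pitfall the thread notes.
    """
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in hex-string: %r" % spec)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:                      # odd index: inside a pair of bars
            out += bytes.fromhex(part.replace(" ", ""))
        else:                          # even index: literal text
            out += part.encode("latin-1")
    return bytes(out)


def string_match(packet: bytes, pattern: bytes, from_off: int, to_off: int) -> bool:
    """Model of the xt_string match as described in the thread (assumption):
    the rule fails to load if from > to, matches nothing if from == to, and
    otherwise requires the *first* byte of the pattern to lie within
    from..to.  Offsets count from the start of the IP header.
    """
    if from_off > to_off:
        raise ValueError("--from must not exceed --to (kernel rejects the rule)")
    if from_off == to_off:
        return False                   # no search happens at all
    for start in range(from_off, to_off + 1):
        if packet[start:start + len(pattern)] == pattern:
            return True
    return False


def build_dns_query(txid: int, qname: str, qtype: int) -> bytes:
    """Constructed IPv4 + UDP + DNS query with zeroed checksums, built only
    for offset arithmetic (RFC 5737 documentation addresses, not real hosts)."""
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.strip(".").split(".") if label)
    question += b"\x00" + struct.pack("!HH", qtype, 1)   # root label, QTYPE, QCLASS=IN
    # DNS header: ID, flags 0x0100 (standard query, RD), QD=1, AN/NS/AR=0
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0,
                     64, 17, 0, bytes([198, 51, 100, 7]), bytes([192, 0, 2, 53]))
    return ip + udp


def dns_flags_offset(packet: bytes) -> int:
    """Offset of the DNS flags word: IP header length (from IHL) + 8-byte UDP
    header + 2-byte transaction ID.  For a plain 20-byte IP header this is 30,
    the --from value Tom settled on."""
    ihl = (packet[0] & 0x0F) * 4
    return ihl + 8 + 2


def describe_query(packet: bytes) -> tuple:
    """Decode the first question of a DNS query as (qname, qtype, qclass)."""
    pos = dns_flags_offset(packet) + 10   # skip flags and the four count fields
    labels = []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return (".".join(labels) or ".", qtype, qclass)


if __name__ == "__main__":
    pat = parse_hex_string(DNSDDOS_PATTERN)
    pkt = build_dns_query(0xBEEF, ".", 2)   # qtype 2 = NS, for the root zone
    print(describe_query(pkt))               # ('.', 2, 1)
    print(dns_flags_offset(pkt))             # 30
    print(string_match(pkt, pat, 30, 31))    # True
    print(string_match(pkt, pat, 30, 30))    # False
```

Decoding the signature shows what the rule is keyed on: flags 0x0100 with QDCOUNT 1 and no other records, followed by a single empty label, QTYPE 2 (NS) and QCLASS 1 (IN), i.e. a query for the root zone's NS records. Passing the same thirty hex digits without the bars produces a 30-byte literal ASCII pattern that can never match a real query, which is the silent failure Tom spent an hour tracking down.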

Tom Eastep | 1 Feb 18:11 2009

Re: DNS DDoS Reflector Filter

Tom Eastep wrote:
> I've placed my DNSDDOS action files at
> http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/. See the
> aaREADME.txt file.
> 
> Shorewall-perl users should be able to use it as-is.

As with Perl, with Shorewall "there is more than one way to do it".

You can also accomplish the same thing using /etc/shorewall/compile:
--------------
use strict;
use Shorewall::Chains;

my $chainref = ensure_manual_chain qw/DNSDDOS/;

add_rule $chainref, q(-m string --algo bm --from 30 --to 31 --hex-string "|010000010000000000000000020001|" -j DROP);
add_rule $chainref, q(-j ACCEPT);

1;
---------------
As with the action technique, the first add_rule call should be on a
single line. The rules file change is the same as when using the files
at the URL above; see the aaREADME.txt file.

-Tom
--

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

alex | 2 Feb 15:52 2009

ESFQ vs NET_CLS_FLOW

   Hello!
   Some time ago I wrote to the list about a new queueing discipline, ESFQ
(http://fatooh.org/esfq-2.6/), that allows allocating bandwidth fairly per
source IP rather than per connection when we use traffic shaping. But we
do not have this feature in the current kernel by default.
   It seems that we can use the 'cls_flow'
(http://cateee.net/lkddb/web-lkddb/NET_CLS_FLOW.html) kernel module to
reach this goal.
   This is very good news if I am correct.
   What do you think about this?

Tom Eastep | 2 Feb 16:51 2009

Re: ESFQ vs NET_CLS_FLOW

alex wrote:
>    Hello!
>    Some time ago I wrote to the list about a new queueing discipline, ESFQ
> (http://fatooh.org/esfq-2.6/), that allows allocating bandwidth fairly per
> source IP rather than per connection when we use traffic shaping. But we
> do not have this feature in the current kernel by default.
>    It seems that we can use the 'cls_flow'
> (http://cateee.net/lkddb/web-lkddb/NET_CLS_FLOW.html) kernel module to
> reach this goal.
>    This is very good news if I am correct.
>    What do you think about this?

Where is the documentation for configuring this qdisc? Also, when was tc
support added for it? My version (2.6.25-xxx) doesn't seem to include
such support.

-Tom
--

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

alex | 2 Feb 17:16 2009

Re: ESFQ vs NET_CLS_FLOW

>>    Hello!
>>    Some time ago I wrote to the list about a new queueing discipline, ESFQ
>> (http://fatooh.org/esfq-2.6/), that allows allocating bandwidth fairly per
>> source IP rather than per connection when we use traffic shaping. But we
>> do not have this feature in the current kernel by default.
>>    It seems that we can use the 'cls_flow'
>> (http://cateee.net/lkddb/web-lkddb/NET_CLS_FLOW.html) kernel module to
>> reach this goal.
>>    This is very good news if I am correct.
>>    What do you think about this?
> 
> Where is the documentation for configuring this qdisc? Also, when was tc
> support added for it? My version (2.6.25-xxx) doesn't seem to include
> such support.

   I agree, this feature is not very clear yet.
   Several links about this module (cls_flow):

http://lwn.net/Articles/236200/
http://kerneltrap.org/mailarchive/linux-netdev/2008/1/31/667679
http://kerneltrap.org/mailarchive/linux-netdev/2008/2/5/727434
http://lkml.org/lkml/2008/7/22/2
