Don't try to use my system to attack another / 2015-03-30

A growing part of the 'Internet background noise' my server receives seems to be tcp syn packets with faked source addresses. I mentioned this before in Am I part of an interesting attack?. Looking at the traffic with p0f shows that the source address (and port!) stays constant while the guessed operating system and the time to live change, so these probably come from multiple hijacked systems:
174.128.225.126:57282 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC]
  Signature: [8192:93:1:52:M1460,N,W8,N,N,S:.:Windows:?]
  -> xx.xx.xx.xx:80 (distance 35, link: ethernet/modem)
174.128.225.126:57282 - UNKNOWN [8192:87:1:52:M1460,N,W8,N,N,S:.:?:?]
  -> xx.xx.xx.xx:80 (link: ethernet/modem)
174.128.225.126:57282 - UNKNOWN [8192:85:1:52:M1460,N,W8,N,N,S:.:?:?]
  -> xx.xx.xx.xx:80 (link: ethernet/modem)
174.128.225.126:57282 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC]
  Signature: [8192:98:1:52:M1460,N,W8,N,N,S:.:Windows:?]
  -> xx.xx.xx.xx:80 (distance 30, link: ethernet/modem)
174.128.225.126:57282 - UNKNOWN [8192:81:1:52:M1460,N,W8,N,N,S:.:?:?]
  -> xx.xx.xx.xx:80 (link: ethernet/modem)
174.128.225.126:57282 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC]
  Signature: [8192:116:1:52:M1460,N,W8,N,N,S:.:Windows:?]
  -> xx.xx.xx.xx:80 (distance 12, link: ethernet/modem)
174.128.225.126:57282 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC]
  Signature: [8192:102:1:52:M1460,N,W8,N,N,S:.:Windows:?]
  -> xx.xx.xx.xx:80 (distance 26, link: ethernet/modem)
I'd like to do some filtering on these because I don't want to be part of an attack flood. Basically, sending tcp syns without ever establishing a connection is a pattern I don't like. Especially since the use of a constant source port means the attackers don't want the intermediate (that would be 'me') to notice a strange number of open sockets: for the packets above my system would acknowledge each of them, but there would be only one socket in state SYN_RECV from 174.128.225.126:57282.
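The check behind the observation above, as an added example (not the post's own code or part of p0f): parse p0f v2 output, take the observed TTL from the signature field (the second number in the [wss:ttl:df:size:...] block), derive the hop distance the way p0f does, and count how many distinct distances one source address/port pair shows up from. The sample text is the p0f output from the post; the record format, the set of common initial TTLs and the threshold of three distinct distances are assumptions made for this example.

```python
import re
from collections import defaultdict

# p0f v2 output copied from the post above: one spoofed source, constant port,
# but a different observed TTL on every SYN.
SAMPLE = """\
174.128.225.126:57282 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC]
  Signature: [8192:93:1:52:M1460,N,W8,N,N,S:.:Windows:?]
  -> xx.xx.xx.xx:80 (distance 35, link: ethernet/modem)
174.128.225.126:57282 - UNKNOWN [8192:87:1:52:M1460,N,W8,N,N,S:.:?:?]
  -> xx.xx.xx.xx:80 (link: ethernet/modem)
174.128.225.126:57282 - UNKNOWN [8192:85:1:52:M1460,N,W8,N,N,S:.:?:?]
  -> xx.xx.xx.xx:80 (link: ethernet/modem)
174.128.225.126:57282 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC]
  Signature: [8192:98:1:52:M1460,N,W8,N,N,S:.:Windows:?]
  -> xx.xx.xx.xx:80 (distance 30, link: ethernet/modem)
174.128.225.126:57282 - UNKNOWN [8192:81:1:52:M1460,N,W8,N,N,S:.:?:?]
  -> xx.xx.xx.xx:80 (link: ethernet/modem)
174.128.225.126:57282 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC]
  Signature: [8192:116:1:52:M1460,N,W8,N,N,S:.:Windows:?]
  -> xx.xx.xx.xx:80 (distance 12, link: ethernet/modem)
174.128.225.126:57282 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC]
  Signature: [8192:102:1:52:M1460,N,W8,N,N,S:.:Windows:?]
  -> xx.xx.xx.xx:80 (distance 26, link: ethernet/modem)
"""

# First line of a p0f v2 record: "src:port - <label> ..."
REC_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) - (.+)$")
# A p0f v2 signature [wss:ttl:df:size:options:quirks:os:details]; only the ttl is used here.
SIG_RE = re.compile(r"\[(\d+):(\d+):(\d+):(\d+):[^\]]*\]")
DIST_RE = re.compile(r"distance (\d+)")

INITIAL_TTLS = (32, 64, 128, 255)   # assumed set of common OS default TTLs


def hop_distance(ttl):
    """Hops travelled, assuming the sender started at the nearest common initial TTL
    (the same idea as p0f's 'distance': observed 93 -> 128 - 93 = 35)."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL %d out of range" % ttl)


def parse_p0f(text):
    """Parse p0f v2 text into records with src, sport, label, ttl and reported distance."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REC_RE.match(line)
        if m:
            current = {"src": m.group(1), "sport": int(m.group(2)),
                       "label": m.group(3).split(" [")[0],
                       "ttl": None, "reported_distance": None}
            records.append(current)
        if current is None:
            continue
        s = SIG_RE.search(line)      # inline for UNKNOWN, on a 'Signature:' line otherwise
        if s:
            current["ttl"] = int(s.group(2))
        d = DIST_RE.search(line)
        if d:
            current["reported_distance"] = int(d.group(1))
    return records


def distances_per_source(records):
    """Map (src, sport) -> sorted distinct hop distances seen for that pair."""
    seen = defaultdict(set)
    for r in records:
        if r["ttl"] is not None:
            seen[(r["src"], r["sport"])].add(hop_distance(r["ttl"]))
    return {k: sorted(v) for k, v in seen.items()}


def suspicious_sources(records, min_distinct=3):
    """One real host sits at one distance (give or take a hop of route change); a
    (src, sport) pair seen from many distances is being spoofed by several senders."""
    return sorted(k for k, d in distances_per_source(records).items() if len(d) >= min_distinct)


if __name__ == "__main__":
    recs = parse_p0f(SAMPLE)
    for key, dists in distances_per_source(recs).items():
        print("%s:%d seen at %d distinct hop distances: %s" % (key[0], key[1], len(dists), dists))
    print("spoofed:", suspicious_sources(recs))
```

On the post's sample the single pair 174.128.225.126:57282 shows up from seven different hop distances, and the computed distances agree with the ones p0f printed for the records it could fingerprint.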

The basic iptables rules look simple (LOGDROP is not a built-in target, so it has to be a user-defined chain, presumably one that logs and then drops):
iptables -t filter -A INPUT -p tcp --syn -m recent --name tcpsyn --update --seconds 120 --hitcount 10 -j LOGDROP
iptables -t filter -A INPUT -p tcp --syn -m recent --name tcpsyn --set
iptables -t filter -A INPUT -p tcp \! --syn -m recent --name tcpsyn --remove
This took a bit of searching because the rules for stateful filtering interfered: packets of an established connection never reached the --remove rule, which is needed to stop monitoring IP addresses that do establish a working connection. So I moved the --remove rule above this rule:
iptables -t filter -A INPUT -j ACCEPT --protocol all -m state --state ESTABLISHED,RELATED
I'm not perfectly happy with this at the moment, but it helps reduce my part in the Internet background noise.
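To see why the position of the --remove rule matters, here is a small simulation of the chain, added as an example (not the post's own code and not xt_recent itself). It models the recent list with the xt_recent semantics for --set, --update --seconds/--hitcount and --remove, uses a minimal stand-in for conntrack's ESTABLISHED state, and assumes a trailing rule that accepts new SYNs to the web server, which the post does not show. The rule names, the busy client at 192.0.2.10 and the packet timings are constructed for this example.

```python
from collections import defaultdict

WINDOW = 120     # --seconds 120
HITCOUNT = 10    # --hitcount 10


class RecentTable:
    """Model of one iptables 'recent' list, following xt_recent: --set always matches and
    records a hit; --update matches only if the address already has >= hitcount hits
    inside the window (and then records this packet too); --remove matches if the
    address is listed and forgets it."""

    def __init__(self):
        self.stamps = defaultdict(list)      # src -> timestamps of recorded hits

    def set(self, src, now):
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False

    def remove(self, src):
        return self.stamps.pop(src, None) is not None


# Chain as the post first had it: the stateful accept sits above --remove, so packets of a
# working connection never reach it and the address stays listed.
BROKEN_ORDER = ["accept_established", "syn_update_drop", "syn_set", "nonsyn_remove", "accept_new"]
# Chain after the fix: --remove above the stateful accept.
FIXED_ORDER = ["nonsyn_remove", "accept_established", "syn_update_drop", "syn_set", "accept_new"]


def run_chain(order, packets):
    """Walk each packet through the INPUT chain; return src -> number of SYNs that hit LOGDROP.
    A packet is a dict with t (seconds), src, sport and syn (True for a bare SYN)."""
    table = RecentTable()
    established = set()        # (src, sport) whose SYN we answered; stand-in for conntrack
    dropped = defaultdict(int)
    for p in packets:
        key = (p["src"], p["sport"])
        if not p["syn"] and key not in established:
            continue           # the client never got a SYN-ACK, so it never sends this ACK
        for rule in order:
            if rule == "accept_established" and not p["syn"] and key in established:
                break                                  # -m state --state ESTABLISHED -j ACCEPT
            if (rule == "syn_update_drop" and p["syn"]
                    and table.update(p["src"], p["t"], WINDOW, HITCOUNT)):
                dropped[p["src"]] += 1                 # -j LOGDROP
                break
            if rule == "syn_set" and p["syn"]:
                table.set(p["src"], p["t"])            # no target: record and fall through
            if rule == "nonsyn_remove" and not p["syn"]:
                table.remove(p["src"])                 # no target: forget and fall through
            if rule == "accept_new" and p["syn"]:
                established.add(key)                   # assumed: SYN to the web server accepted
                break
    return dict(dropped)


def compare(packets):
    return {"broken": run_chain(BROKEN_ORDER, packets), "fixed": run_chain(FIXED_ORDER, packets)}


def spoofed_flood(src, sport, count, interval):
    """Constructed: SYNs from a spoofed address and constant port, never followed by an ACK."""
    return [{"t": i * interval, "src": src, "sport": sport, "syn": True} for i in range(count)]


def busy_client(src, first_port, conns, interval):
    """Constructed: a real client opening conns connections, each SYN followed by its ACK."""
    pkts = []
    for i in range(conns):
        pkts.append({"t": i * interval, "src": src, "sport": first_port + i, "syn": True})
        pkts.append({"t": i * interval + 0.1, "src": src, "sport": first_port + i, "syn": False})
    return pkts


if __name__ == "__main__":
    print("spoofed flood:", compare(spoofed_flood("174.128.225.126", 57282, 30, 5)))
    print("busy client:  ", compare(busy_client("192.0.2.10", 50000, 12, 5)))
```

The spoofed flood of 30 SYNs loses every SYN after the tenth in both orders. The real client opening twelve connections in a minute gets its eleventh and twelfth SYNs dropped in the broken order, because its entry is never cleared, and nothing dropped once --remove sits above the stateful accept, since the first ACK of every handshake forgets the address again. Two limits worth knowing: --remove fires on any non-SYN tcp segment, so a sender that interleaves an ACK or RST from the same spoofed address resets its own counter, and xt_recent only remembers ip_pkt_list_tot timestamps per address (20 by default), so a --hitcount above that needs the module parameter raised.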

This is all possible because some networks still allow traffic with spoofed source addresses. Filtering helps a bit in reducing 'my' replies, but the amount of traffic seems to increase.

Update:
In the evening the rates of traffic were going up. Maybe a result of the US waking up?

Update 2015-03-31:
And the next day the rates stay high. So not the US waking up; different causes are at work.

And another interesting datapoint: I have access to other webservers where I can check for this behaviour, but those are in a datacenter. The traffic type isn't visible there.

Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4.