Monitoring SYNPROXY

Costa Tsaousis edited this page May 17, 2016 · 47 revisions

General


Running Netdata


Alarms

Backends


Netdata Registry


Monitoring Info


Netdata Badges


Data Collection

Binary Modules

Python Modules

Node.js Modules

BASH Modules


API Documentation


Web Dashboards


Running behind another web server

Advanced configurations


Donations


Blog


Other monitoring tools

Clone this wiki locally

image6


Linux Anti-DDoS

SYNPROXY is a TCP SYN packets proxy. It can be used to protect any TCP server (like a web server) from SYN floods and similar DDos attacks.

SYNPROXY is a netfilter module, in the Linux kernel (since version 3.12). It is optimized to handle millions of packets per second utilizing all CPUs available without any concurrency locking between the connections.

The net effect of this, is that the real servers will not notice any change during the attack. The valid TCP connections will pass through and served, while the attack will be stopped at the firewall.

To use SYNPROXY on your firewall, please follow our setup guides:

Real-time monitoring of Linux Anti-DDoS

netdata is able to monitor in real-time (per second updates) the operation of the Linux Anti-DDoS protection.

It visualizes 4 charts:

  1. TCP SYN Packets received on ports operated by SYNPROXY
  2. TCP Cookies (valid, invalid, retransmits)
  3. Connections Reopened
  4. Entries used

Example image:

ddos

See Linux Anti-DDoS in action at: netdata demo site (with SYNPROXY enabled) (but read the note below).


A note for DDoS testers

Since I posted this, a few folks tried to run DDoS against http://netdata.firehol.org.

Well, guys this site is not a test bed for DDoS. Don't do this. You are just wasting bandwidth!

Also, please try to understand what you are doing. SYNPROXY is about spoofed packets. Making a large set of POSTs or instructing exploited wordpress installations to attack the demo site, is not a DDoS that SYNPROXY can detect.

Next, http://netdata.firehol.org is behind cloudflare.com, so even if you manage to make a spoofed IPs attack, you will actually attack cloudflare.com. Do not expect to see the traffic cloudflare detected as spoofed on the netdata demo site (you are reaching the demo site, through cloudflare proxies). You can see a real attack on the demo site, only if you attack its real IP (but, you guessed it - it only accepts requests from cloudflare.com). The demo site is just a demo for netdata, not a demo for DDoS.

And finally, thank you for exposing the IPs and hostnames of the exploited wordpress installations and the IPs of the hosts you manage to instruct them make so many POST requests to us.

Evidence of the attacks:

  1. Attack from wordpress installations

  2. Attack using a large set of POST requests

You actually stressed netdata a bit. What saved the server from your attack was QoS. I had the bandwidth limited to 50Mbps, so your attacks could not bring the server to its limits. Now, I lowered it even more.

This is what happened with the POSTs:

image

And this is what happened with the wordpress attack:

image

Now our nginx configuration includes these:

    if ($http_user_agent ~* "WordPress") {
        return 403;
    }

    if ($request_method !~ ^(GET|HEAD|OPTIONS)$ ) {
        return 403;
    }

    include firehol_webserver.conf;
    include netdata-attacks.conf;

firehol_webserver is this IP Blacklist and netdata-attacks are the IPs given in the evidence above.

So, you are just blacklisted.


Other IP lists, matching the attackers IPs:

IP Blacklist Attacker IPs Matched
firehol_abusers_30d 330
cleantalk_updated_30d 311
cleantalk_30d 303
stopforumspam_365d 297
cleantalk_updated_7d 293
stopforumspam_180d 292
cleantalk_7d 287
firehol_anonymous 280
stopforumspam_90d 277
stopforumspam 275
firehol_proxies 263
stopforumspam_30d 242
proxyrss_30d 237
proxylists_30d 235
proxyrss_7d 226
proxylists_7d 225
firehol_abusers_1d 220
cleantalk_1d 200
cleantalk_updated_1d 199
proxylists_1d 172
proxyrss_1d 170
proxyspy_30d 153
stopforumspam_7d 144
sblam 143
firehol_webserver 133
dronebl_anonymizers 129
pushing_inertia_blocklist 124
ri_web_proxies_30d 121
firehol_level4 120
proxyspy_7d 115
proxz_30d 110
dronebl_auto_botnets 110
iblocklist_level3 97
ib_bluetack_level3 97
proxyrss 95
proxylists 94
botscout_30d 90
jigsaw_malware 68
ri_web_proxies_7d 62
ri_connect_proxies_30d 58
stopforumspam_1d 56
proxyspy_1d 55
proxz_7d 50
sp_anti_infringement 47
botscout_7d 47
sslproxies_30d 42
iblocklist_level1 41
ib_bluetack_level1 41
blocklist_net_ua 36
iblocklist_level2 35
ib_bluetack_level2 35
sorbs_anonymizers 31
ri_connect_proxies_7d 31
sorbs_dul 30
firehol_level3 30
cleantalk_new_30d 30
xroxy_7d 22
xroxy_30d 22
bds_atif 22
tor_exits_7d 21
tor_exits_30d 21
tor_exits_1d 21
tor_exits 21
talosintel_ipfilter 21
snort_ipfilter 21
iblocklist_bogons 21
ib_bluetack_bogons 21
dm_tor 21
bm_tor 21
iblocklist_edu 20
ib_bluetack_edu 20
ib_onion_router 18
iblocklist_onion_router 18
et_tor 18
proxyspy 17
iblocklist_rangetest 17
ib_bluetack_rangetest 17
proxz_1d 16
lashback_ubl 16
botscout_1d 15
ri_connect_proxies_1d 13
cleantalk 13
xroxy_1d 12
cleantalk_updated 12
php_commenters_30d 11
sslproxies_7d 10
sorbs_web 10
sorbs_recent_spam 9
ri_web_proxies_1d 9
dronebl_worms_bots 9
dronebl_irc_drones 9
dshield_30d 8
ri_connect_proxies 7
gofferje_sip 7
sslproxies_1d 6
nixspam 6
xroxy 5
sorbs_new_spam 5
packetmail_ramnode 5
maxmind_proxy_fraud 5
firehol_level2 5
blueliv_crimeserver_online 5
myip 4
cleantalk_new_7d 4
openbl_all 3
jigsaw_attacks 3
iblocklist_spyware 3
ib_bluetack_spyware 3
dshield_7d 3
sorbs_noserver 2
php_commenters_7d 2
iblocklist_isp_comcast 2
iblocklist_isp_charter 2
iblocklist_isp_att 2
iblocklist_badpeers 2
iblocklist_badpeers 2
iblocklist_ads 2
ib_isp_comcast 2
ib_isp_charter 2
ib_isp_att 2
ib_bluetack_badpeers 2
ib_bluetack_ads 2
greensnow 2
gpf_comics 2
dragon_http 2
cybercrime 2
cleantalk_new_1d 2
blocklist_de_mail 2
blocklist_de 2
stopforumspam_toxic 1
sslproxies 1
sorbs_smtp 1
socks_proxy_30d 1
proxz 1
php_harvesters_30d 1
nullsecure 1
ib_org_joost 1
ib_org_blizzard 1
iblocklist_proxies 1
iblocklist_org_microsoft 1
iblocklist_org_joost 1
iblocklist_org_blizzard 1
iblocklist_isp_verizon 1
ib_isp_verizon 1
ib_bluetack_proxies 1
ib_bluetack_ms 1
hphosts_fsa 1
hphosts_emd 1
graphiclineweb 1
dshield_1d 1
dronebl_ddos_drones 1
darklist_de 1
cta_cryptowall 1
cleantalk_new 1
blueliv_crimeserver_last_7d 1
blueliv_crimeserver_last_30d 1