Как блокировать пакет с определенным mss, wscale, win?

Question

[louvremaster]

Задалбывают флудом, вот такими пакетами:

03:30:52.656972 IP XXX.XXXX.XXX.XXX.33392 > YYY.YYY.YYY.YYY.80: Flags [S], seq 3759734784, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0

Постоянно одинаковый mss, win, wscale, вообще весь options одинаковый.
Через iptables в таблице mangle могу указать блокировать mss 1460, но могут под блок попадать нужные вещи. Вопрос в том, как указать для блокировки все нужные параметры TCP? По идее можно по u32, но как этот хеш правильно сгенерировать?

Спасибо.

Answer 1

[theg4sh]

Вы уверены, что это действительно SYN flood и после не приходят пакеты ACK c тех же IP-адресов?
Выглядит, как обычное начало соединения. Могли бы вы дать более развернутый пример лога tcpdump, для примера, по одному IP?

Немного по теме:
https://en.wikipedia.org/wiki/SYN_flood
https://www.cyberciti.biz/tips/howto-limit-linux-s...

Comments

[louvremaster]

Более чем уверен, таких пакетов прилетает 600k штук и все однотипные:
03:30:52.656959 IP 162.176.96.136.17311 > YYY.YYY.YYY.YYY.80: Flags [S], seq 58851328, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
03:30:52.656961 IP 77.146.89.138.52683 > YYY.YYY.YYY.YYY.80: Flags [S], seq 3833004032, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
03:30:52.656964 IP 177.221.35.118.47313 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2711224320, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
03:30:52.656968 IP 202.234.66.174.33631 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2203844608, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
03:30:52.656970 IP 72.90.155.77.34937 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1616707584, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
03:30:52.656972 IP 218.116.160.31.33392 > YYY.YYY.YYY.YYY.80: Flags [S], seq 3759734784, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0

18:02:38.965950 IP 108.210.33.125.26699 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2761687040, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.965955 IP 124.16.171.15.34109 > YYY.YYY.YYY.YYY.80: Flags [S], seq 332988416, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.965956 IP 128.12.173.172.45689 > YYY.YYY.YYY.YYY.80: Flags [S], seq 68878336, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.965959 IP 188.253.128.31.21370 > YYY.YYY.YYY.YYY.80: Flags [S], seq 3407347712, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.965964 IP 188.230.122.171.23040 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1638137856, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.965967 IP 75.42.83.180.12597 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1146159104, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.965971 IP 75.42.83.180.12597 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1146159104, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.965974 IP 93.109.242.249.1851 > YYY.YYY.YYY.YYY.80: Flags [S], seq 455802880, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.965978 IP 78.98.87.245.1166 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1240989696, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.965981 IP 106.242.20.0.12150 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1202388992, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.965985 IP 2.62.123.117.29657 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1860698112, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.965986 IP 53.92.218.34.39700 > YYY.YYY.YYY.YYY.80: Flags [S], seq 526712832, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.965990 IP 80.94.72.161.46658 > YYY.YYY.YYY.YYY.80: Flags [S], seq 397934592, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.965993 IP 121.135.109.133.43475 > YYY.YYY.YYY.YYY.80: Flags [S], seq 768409600, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.965995 IP 192.49.191.107.62303 > YYY.YYY.YYY.YYY.80: Flags [S], seq 3052666880, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.965999 IP 136.248.180.129.25398 > YYY.YYY.YYY.YYY.80: Flags [S], seq 3912171520, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966002 IP 136.248.180.129.25398 > YYY.YYY.YYY.YYY.80: Flags [S], seq 3912171520, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966008 IP 18.206.103.118.5359 > YYY.YYY.YYY.YYY.80: Flags [S], seq 57868288, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966010 IP 175.215.200.137.56425 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1922498560, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966013 IP 58.137.28.35.23278 > YYY.YYY.YYY.YYY.80: Flags [S], seq 208404480, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966015 IP 63.67.58.29.40986 > YYY.YYY.YYY.YYY.80: Flags [S], seq 3230531584, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966018 IP 5.222.146.162.3512 > YYY.YYY.YYY.YYY.80: Flags [S], seq 3812491264, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966022 IP 187.63.153.89.21437 > YYY.YYY.YYY.YYY.80: Flags [S], seq 21168128, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966025 IP 27.169.190.54.55774 > YYY.YYY.YYY.YYY.80: Flags [S], seq 955383808, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966029 IP 27.169.190.54.55774 > YYY.YYY.YYY.YYY.80: Flags [S], seq 955383808, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966032 IP 1.121.219.188.32003 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1052704768, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966035 IP 113.249.253.22.28942 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1221394432, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966037 IP 68.90.137.158.62145 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1772355584, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966041 IP 4.153.76.79.26465 > YYY.YYY.YYY.YYY.80: Flags [S], seq 3003056128, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966044 IP 150.250.28.199.50676 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2446393344, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966045 IP 152.12.15.220.15249 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2412052480, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966051 IP 93.27.140.140.20248 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1675034624, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966055 IP 190.247.59.124.32746 > YYY.YYY.YYY.YYY.80: Flags [S], seq 3343450112, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966058 IP 90.255.98.205.31565 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1004273664, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966061 IP 76.175.134.241.6771 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2388262912, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966063 IP 76.175.134.241.6771 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2388262912, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966066 IP 67.188.204.76.17999 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2706571264, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966068 IP 53.15.72.147.32114 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2726494208, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966072 IP 167.230.216.44.16729 > YYY.YYY.YYY.YYY.80: Flags [S], seq 4293591040, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966074 IP 67.183.58.75.21141 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2542993408, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966078 IP 167.165.205.61.32508 > YYY.YYY.YYY.YYY.80: Flags [S], seq 4183752704, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966081 IP 167.165.205.61.32508 > YYY.YYY.YYY.YYY.80: Flags [S], seq 4183752704, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966084 IP 198.93.201.168.4357 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1981743104, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966087 IP 32.119.161.171.61895 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2037448704, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:02:38.966091 IP 32.119.161.171.61895 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2037448704, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0

# tcpdump -A dst port 80 -c 100 -nn
18:58:47.808308 IP 72.103.119.107.29152 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2638675968, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4.Y@.....Hgwk..(cq..P.G........ .)K..............
18:58:47.808311 IP 130.125.34.4.45645 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2608005120, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@...N..}"...(c.M.P.s........ .................
18:58:47.808312 IP 182.200.235.0.24418 > YYY.YYY.YYY.YYY.80: Flags [S], seq 3596812288, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4.6@...=.......(c_b.P.c........ . ...............
18:58:47.808313 IP 210.185.58.179.255 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1862205440, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@.`. ...:...(c...Pn......... .z...............
18:58:47.808314 IP 79.41.31.73.59228 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1171521536, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@.`...O).I..(c.\.PE......... .\...............
18:58:47.808315 IP 194.201.179.86.32544 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1855455232, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@.`..=...V..(c. .Pn......... ..l..............
18:58:47.808316 IP 32.151.91.166.25615 > YYY.YYY.YYY.YYY.80: Flags [S], seq 4219404288, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@..... .[...(cd..P.......... ..y..............
18:58:47.808317 IP 79.41.31.73.59228 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1171521536, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@.`...O).I..(c.\.PE......... .\...............
18:58:47.808319 IP 47.247.198.45.63790 > YYY.YYY.YYY.YYY.80: Flags [S], seq 3323461632, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@...../..-..(c...P.......... .B...............
18:58:47.808320 IP 60.53.233.106.25143 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2949906432, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4.U@.`...<5.j..(cb7.P.......... .................
18:58:47.808320 IP 154.116.172.240.61606 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2461859840, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@...x..t....(c...P.......... .-|..............
18:58:47.808320 IP 2.16.24.164.31779 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1278935040, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@.s..l......(c|#.PL;........ ..3..............
18:58:47.808323 IP 60.53.233.106.25143 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2949906432, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4.U@.`...<5.j..(cb7.P.......... .................
18:58:47.808324 IP 154.116.172.240.61606 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2461859840, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@...x..t....(c...P.......... .-|..............
18:58:47.808325 IP 148.150.107.3.44665 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2855010304, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@...N...k...(c.y.P.,........ .................
18:58:47.808325 IP 112.160.17.201.5952 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2354774016, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@.`.C.p.....(c.@.P.[........ ..@..............
18:58:47.808326 IP 182.191.103.203.54289 > YYY.YYY.YYY.YYY.80: Flags [S], seq 479264768, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.46.@.`.n...g...(c...P.......... .................
18:58:47.808327 IP 46.126.145.90.59402 > YYY.YYY.YYY.YYY.80: Flags [S], seq 3692494848, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@....S.~.Z..(c.
.P.......... .tJ..............
18:58:47.808330 IP 46.126.145.90.59402 > YYY.YYY.YYY.YYY.80: Flags [S], seq 3692494848, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@....S.~.Z..(c.
.P.......... .tJ..............
18:58:47.808330 IP 210.185.58.179.255 > YYY.YYY.YYY.YYY.80: Flags [S], seq 1862205440, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@.`. ...:...(c...Pn......... .z...............
18:58:47.808335 IP 112.160.17.201.5952 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2354774016, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@.`.C.p.....(c.@.P.[........ ..@..............
18:58:47.808339 IP 186.208.135.178.16248 > YYY.YYY.YYY.YYY.80: Flags [S], seq 759824384, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4.7@...gH......(c?x.P-J........ .I...............
18:58:47.808340 IP 53.245.179.173.36587 > YYY.YYY.YYY.YYY.80: Flags [S], seq 202375168, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4.A@.....5.....(c...P.......... .s...............
18:58:47.808341 IP 157.75.11.242.51228 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2067660800, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4Y&@.`....K....(c...P{>........ .................
18:58:47.808343 IP 76.236.52.244.22027 > YYY.YYY.YYY.YYY.80: Flags [S], seq 3064922112, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4..@...c\L.4...(cV..P.......... .i...............
18:58:47.808344 IP 157.75.11.242.51228 > YYY.YYY.YYY.YYY.80: Flags [S], seq 2067660800, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E@.4Y&@.`....K....(c...P{>........ .................

Все эти настройки iptables, и вообще тюннинг sysctl все не поможет, нужно именно в mangle или raw блокировать. Собственно вопрос в том, как правильно составить правило для определенной атаки.

[theg4sh]

Можно тогда попросить штук десять пакетов с аргументом -X ?

[louvremaster]

theg4sh: К сожалению или к счастью, атака прошла, как только прийдет обязательно прикреплю.

[theg4sh]

Ок. Для меня показались странными вот эти два:
182.200.235.0.2441
210.185.58.179.255
Первый потому, что адрес заканчивается на 0, а второй потому что порт отправителя <1024. Интересненько...

[louvremaster]

theg4sh: Спуфинг, увы и ах.

[theg4sh]

louvremaster cсылочки по теме, во второй как раз выковыривание данных напрямую из заголовка tcp в iptables:
https://forum.ivorde.com/tcpdump-how-to-capture-fi...
https://www.lowendtalk.com/discussion/47469/bpf-a-...