Linux Iptables To Block Different Attacks

May 10, 2011 | By
| 1 Reply More

Iptables is a Linux kernel based packet filter firewall. The iptables modules are present in the kernel itself, there is no separate daemon for it. This makes the firewall very fast and effective. The Iptables rules control the incoming and outgoing traffic on a network device. In this article, we will discuss about some of the common network attacks, and how we can block them using iptables. Some of the common network attacks are SYN flood attack, smurf attack, land attack, attacks by malfunctioning ICMP packet, and some other forms of DOS attack. Before going into the details of these attacks, let’s have an overview of iptables, and how to use this command.

Iptables

iptables have 3 filtering points for the default table: INPUT, OUTPUT and FORWARD. These are called 'chains' in iptables. As their name suggests, they specify whether a packet is destined for the system (INPUT), originating from it (OUTPUT) or is routed to another node in the network (FORWARD).
The rules in iptables are stored in the form of records in a table. To list the rules, run “iptables -L” as follows:

root@raghu-Inspiron-1440:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Here, no rules are present for any chain.These rules are read from top to bottom, and if a match occurs, no further rules are checked. So, if one rule overwrites any previous rule, then it must have come below that rule. So, we will append the existing rules that occur later. But, if your requirement is to insert explicitly, then you can insert them as well.

To insert a rule (above all other rules or at a specified number), -i, and to append, -A option is used. We need to specify the chain, for which we wish to write the rule. The -j option specifies the target, i.e. what we want to do with the packet if a rule is matched. Some of the values are ACCEPT, DROP (or REJECT), RETURN etc. The target can be some other existing or user defined chain. But, for the purpose of this article, we will confine ourselves to existing chains only, and will not go into further details.

The general syntax of iptables is:

iptables CHAIN RULE_SPECIFICATION

Now, let's create a simple rule using the options explained above.

root@raghu-Inspiron-1440:~# iptables -A INPUT -j ACCEPT

This will accept all the incoming packets and the rule can be checked now using "iptables -L":

root@raghu-Inspiron-1440:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Iptables provide many options as modules, so that we can use these options when we include the corresponding module. One such module that we will use in our discussion is the limit module. The details of this module will be given later, but for now, I just want you to know that in order to include a module, -m option is used. So to include the 'limit module', we will use '-m limit' in the rule. Now that we know about iptables, let’s talk about the common attacks and how we can block them using IPtables.

Types of attacks and their protection

LAND Attack

LAND stands for Local Area Network Denial. In this attack, a packet is spoofed with source address as the address of the target itself, i.e., the source and destination addresses are the same. The target machine ends up replying to itself continuously. Although Linux and some other modern systems are not vulnerable to this attack, still you might want to be sure.

To block all packets from your own IP (assuming 47.156.66.17 as IP of the machine), do the following:

root@raghu-Inspiron-1440:~# iptables -A INPUT -s 47.156.66.17/32 -j DROP

With the -s option in the above command, source IP address is specified. Further, to block any packet from local network (self IP):

root@raghu-Inspiron-1440:~# iptables -A INPUT -s 127.0.0.0/8 -j DROP

XMAS Packet

A christmas tree packet is a packet in which all the flags in any protocol are set. The FIN, URG and PSH bits in the TCP header of this kind of packet are set. This packet is called Christmas Tree packet because all the fields of header are "lightened up" like a Christmas tree. This type of packet requires much more processing than the usual packets, so the server allocates a large number of resources for this packet. Hence, this can be used to perform a DOS attack on the server. These type of packets can be blocked with:

root@raghu-Inspiron-1440:~# iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

Here, -p option specifies the protocol for which the rule is applicable. The --tcp-flags is used to specify the flags of TCP header. It requires two options, the 1st option is 'mask', in which we specify what flags should be examined (ALL), and the 2nd option is 'comp' i.e. the flags that must be set. So here we want to examine ALL flags of which FIN, PSH and URG must be set.

Smurf Attack

The attacker in this attack sends a large number of ICMP echo broadcast packet, with source IP address spoofed to that of target's IP address. All the machines in the network recieve this broadcast message and reply to the target with echo reply packet. One way to block this attack is to block all the ICMP packets, but if that can't be done, a limit may be applied to the icmp packets allowed.

For limiting the number of icmp packets:

root@raghu-Inspiron-1440:~# iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT

To block all the ICMP packets:

root@raghu-Inspiron-1440:~# iptables -A INPUT -p icmp -j DROP

Before proceeding any further, let’s talk about the limit module. The limit module can be used to put a limit on the incoming connections. It uses a token bucket filter. This module can be included with '-m limit'. The options available with this module are --limit and --limit-burst.

According to the manual page of iptables:

--limit rate[/second|/minute|/hour|/day]

Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour.

--limit-burst

Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

Don't worry if it sounds confusing. Let me provide an analogy to understand these two options. Suppose there is a token bucket that has some tokens in it. The --limit gives the rate at which tokens arrive at the bucket. The default value is 3/hour, so in every 20 minutes, a token arrives in the bucket but the bucket has a maximum capacity. That capacity is given with --limit-burst option. The default value is 5. A packet can only pass through this bucket if it has a token. So, initially the bucket is full. So, if we take the default values, at first, 5 packets will pass through this rule. No further packets will pass, because no tokens are available. Now according to the burst rate, next token will arrive after 20 minutes. So, 6th packet will be passed only after 20 minutes have passed. If no packets arrive in the 20 minute interval, then tokens will start accumulating. And after 100 minutes (20*5), bucket will be full. No further tokens will accumulate in the coming 20 minutes.

(Note that the limit in the above command is for the purpose of example only. Actual limit will depend upon the resources available on the server.)
Blocking the icmp packets will prevent the system from ping of death attack as well (although current systems are not vulnerable to it)

SYN Flood

SYN flood is a type of DOS (Denial Of Service) attack. To understand SYN flooding, let’s have a look at three way TCP handshake.

TCP is a reliable connection oriented protocol. Before any information is exchanged between a client and the server using TCP protocol, a connection is formed by the TCP handshake. This handshake is a three step process:

1. The client requests the server that they want to establish a connection, by sending a SYN request.
2. The server receives client's request, and replies with 'SYN/ACK', acknowledging that it has received the request from the client. The server allocates the resources and waits for the client to acknowledge.
3. The client acknowledges by sending ACK back to server.

The attacker can create a large number of forged SYN requests that have their source IP addresses spoofed, and send it to the target. The target replies with SYN/ACK, and allocates its resources for the connection, but never gets back ACK reply. The target machine’s resources are exhausted and it stops serving any further requests from any legitimate machine.

This attack and some other form of DOS/DDOS attacks can be blocked by limiting the incoming TCP connection request packets. A point to be noted here is that, we should not put a limit to requests from established connections. For avoiding this type of attack, only new connection requests need to be controlled. Moreover, the number of requests a server can handle depends on the server's available resources. So in the example below, the limit on the TCP connection must be changed according to the capacity of the server:

root@raghu-Inspiron-1440:~# iptables -A INPUT -p tcp -m state --state NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT

In this command, a new module 'state' is included for specifying the state of the packet. Don’t forget to drop all other packets that do not match above rule, otherwise they will be allowed by default. So, after you have given the above command, issue the following command as well:

root@raghu-Inspiron-1440:~# iptables -A INPUT –p tcp –m state --state NEW –j DROP

Filed Under : FIREWALL, LINUX HOWTO, LINUX IPTABLES

Tagged With :

Free Linux Ebook to Download

Comments (1)

Trackback URL | Comments RSS Feed

  1. John says:

    The problem of land attacks, that is packets directed to a particular IP from that same IP, seems further compounded by them not necessarily being from and to 127/8 or my host IP range. With source routing disabled I'm at a loss as to how the packets arrive but they do and they chew up quite a bit of throughput (bandwidth).

    We need a way to say if the source IP equals the destination IP then jump to DROP. Bear in mind the packets may arrive from a Google or Akamai, etc., IP addressed to the same IP. This is even with every protocol dropped save for TCPv4, UDPv4 and ICMPv4 (obviously except pure Ethernet packets) and with most ports of those protocols dropped especially those relating to tunneling.

Leave a Reply

Commenting Policy:
Promotion of your products ? Comment gets deleted.
All comments are subject to moderation.