[Lxc-users] Shorewall Firewall / DDOS-Deflate Configuration with LXC Containers

Patrick Kevin McCaffrey pkm at uwm.edu
Wed Jul 18 03:05:43 UTC 2012


I posted this on the Ubuntu forums, as I've had good luck there in the past, but I think this question goes beyond the scope of most of the members there. Anyway, I copy/pasted for the sake of time, but here goes: 

____________________________________________________________________________________________________________________________________________________

A friend of mine recently took me down using a DDOS. I know there isn't really a fool-proof way to safeguard against this, but it got me thinking about beefing up my security a bit. From what my logs show, the 'attack' came from 4 IPs for about three minutes. I did some research, and a script/program called "DDOS-Deflate" is about the best I can find for this sort of thing. It basically checks how many connections a given IP has, and if it's over a certain amount in a period of time, the IP gets blacklisted via iptables.

This all seems like it should work fine, but I ran some tests, and it's not catching things the way I'd like it to.

My system configuration is as follows:

-Ubuntu 12.04 running Shorewall, acting as firewall and router via 4-port ethernet card
--Apache server in Debian LXC container
--Postgre server in Debian LXC container
--Email server (Postfix/Dovecot) in Debian LXC container

Each of the containers runs through a common network bridge (br0) which Shorewall then turns into a subnet that holds just my containers. Each port of the 4-port NIC also runs its own subnet. For the sake of this example, let's say I have the following (eth0-3 are on the add-on NIC, eth4 is the motherboard):

br0: 192.168.9.255
eth4: external IP (modem)
eth3: 192.168.3.255
eth2: 192.168.2.255
eth1: 192.168.1.255
eth0: 192.168.0.255

The problem is that when I try to run a DOS attack against my Apache server (in the DMZ, all requests to 8080 forwarded to it), the DDOS-Deflate script doesn't seem to see the connections being created. I haven't tested it from the outside yet, but I'd expect similar results. I looked around a bit on Google, and had a peek at /usr/local/ddos.conf and /usr/local/ddos.sh. For those unfamiliar with DDOS-Deflate, it can be found at this address: http://deflate.medialayer.com

The line in the script that actually checks the connections looks like this (actually, this is a patched one I found online, as the one that comes with the script has a problem - https://mangesh7rhcss.wordpress.com/2011/03/02/dos-deflate-installation):

    netstat -ntu | grep ':' | awk '{print $5}' | sed 's/::ffff://' | cut -f1 -d ':' | sort | uniq -c | sort -nr > $BAD_IP_LIST

So, I ended up running a DOS attack a few times from my development box (192.168.30.255) to the server, and testing how many connections this script was seeing by manually running netstat on the server via SSH from the dev box. To my dismay, the only connections that it saw from my dev box to the server were the 3 SSH connections I had open in various terminals.

Apparently, my Shorewall rules are forwarding the requests immediately to the web server container before DDOS-deflate has a chance to analyze the traffic?

Any other ideas? I'm kinda shooting in the dark here. That's all I can think of though, as even if I simply open a web page (dev box to server's web server container), and then run netstat on the host OS of the server (via SSH), it still doesn't see my HTTP connection in the netstat list - only the open SSH connections.

My only idea is to move the DDOS-deflate script to inside the containers, and see if it catches rogue traffic there, after it's been forwarded to the container by Shorewall. I was hoping having it installed on the host OS would have worked...

Sorry for the lengthy post...let me know if I can clear anything up.

____________________________________________________________________________________________________________________________________________________

Long story short, I think the requests are being forwarded to my LXC containers before the DDOS script can even think about it. My thought is that since the connection is being made to the container's IP address, and not the host address, the netstat command is not detecting the connection?

Maybe I'm way off base, but whenever the Ubuntu community fails me, the LXC users usually have some valuable input....here's to hoping someone else has a similar config....

-Pat
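Why the host's netstat never shows the DNAT'd HTTP flows, and a per-source count that does see them, as an added example (editor's code, not Pat's and not part of DDoS-Deflate): it reads the kernel connection-tracking table instead of the host's socket table. Assumed: conntrack-tools or /proc/net/nf_conntrack is available on the Shorewall host; the sample lines, addresses and threshold are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from DDoS-Deflate.
# netstat only lists sockets terminated on the host's own stack. Flows that
# Shorewall DNATs to a container (e.g. :8080 -> Apache on br0) are forwarded,
# never terminated, so they are invisible to netstat. The kernel's connection
# tracking table does record every forwarded flow, so a per-source count read
# from there sees the same traffic the containers see.

# Live table: conntrack(8) from conntrack-tools if present, else /proc.
read_conntrack() {
    if command -v conntrack >/dev/null 2>&1; then
        conntrack -L 2>/dev/null
    else
        cat /proc/net/nf_conntrack
    fi
}

# stdin: conntrack-format lines. Takes the first src= field on each line (the
# original direction, i.e. the remote client even after DNAT rewrote dst=).
# Output: "count ip", highest first, the same shape as DDoS-Deflate's list.
count_sources() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^src=/) { sub(/^src=/, "", $i); print $i; break } }' |
        sort | uniq -c | sort -nr | awk '{ print $1, $2 }'
}

# stdin as above; $1 = connection threshold. Prints only the offending IPs.
over_threshold() {
    count_sources | awk -v n="$1" '$1 >= n { print $2 }'
}

# Constructed sample (RFC 5737 test addresses; 192.168.9.10 stands in for the
# Apache container on br0). Four flows from one client, one from another, and
# one SSH session to the host itself.
SAMPLE='ipv4 2 tcp 6 117 SYN_SENT src=198.51.100.7 dst=203.0.113.5 sport=40001 dport=8080 [UNREPLIED] src=192.168.9.10 dst=198.51.100.7 sport=8080 dport=40001 mark=0 use=1
ipv4 2 tcp 6 117 SYN_SENT src=198.51.100.7 dst=203.0.113.5 sport=40002 dport=8080 [UNREPLIED] src=192.168.9.10 dst=198.51.100.7 sport=8080 dport=40002 mark=0 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.5 sport=40003 dport=8080 src=192.168.9.10 dst=198.51.100.7 sport=8080 dport=40003 [ASSURED] mark=0 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.5 sport=40004 dport=8080 src=192.168.9.10 dst=198.51.100.7 sport=8080 dport=40004 [ASSURED] mark=0 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=198.51.100.20 dst=203.0.113.5 sport=51000 dport=8080 src=192.168.9.10 dst=198.51.100.20 sport=8080 dport=51000 [ASSURED] mark=0 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.30.2 dst=203.0.113.5 sport=52000 dport=22 src=203.0.113.5 dst=192.168.30.2 sport=22 dport=52000 [ASSURED] mark=0 use=1'

# Stand-alone run: "--live N" reads the real table, otherwise the sample is used.
if [ "${1:-}" = "--live" ]; then read_conntrack | over_threshold "${2:-150}"
else printf '%s\n' "$SAMPLE" | over_threshold 3; fi
```

The same count can be dropped into the `$BAD_IP_LIST` step of ddos.sh in place of the netstat pipeline; the rest of the script (threshold, iptables blacklist, expiry) is unchanged.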