Attempt to Detect and Block Bad Hosts
Network administrators are in a constant battle to fend off attacks from virus-infected computers, computers that have been taken over by malicious people, and the malicious people themselves. It is a never-ending barrage of attempts to exploit any flaw in your network. I keep a list of hosts/networks that I consider to be "bad hosts". This is a manually built list and it works great, but I don't always have time to sit and watch for candidates for this list, so I created a set of rules to do it for me.
Description
When a packet reaches the bottom of the forward chain it will be rejected, so before that happens we run it through this set of rules:
- The source IP address is added to an address list with a life span of 30 seconds.
- If the IP address is then seen 20 more times within that 30-second span, it is added to another list with a life span of 24 hours.
- If the IP address is in the 24-hour list, the packet is rejected.
Here are the names I will be using.
- Address Lists
- our-networks (IPs/networks in this list are not included in this process; we don't want to block our own traffic)
- 30-second-list (this list holds IPs for 30 seconds)
- 24-hour-list (the IPs in this list have a life span of 24 hours; packets from IPs in this list are rejected)
- bogons (bogons are non-routable IP ranges such as 192.168.0.0/16)
- Filter Chains
- bad-host-detection (this is the main chain for this process)
- open-customers (this chain checks for customers/businesses that don't want my help firewalling)
- bad-hosts (this chain checks a manually created list that contains hosts/networks that appear to be bad)
Process
Step 1
Rule to add to the forward chain:

add action=reject chain=forward comment="Reject if in the 24-hour-list" disabled=no reject-with=icmp-network-unreachable src-address-list=24-hour-list

Make sure this rule is at the top of your forward chain. These are my top three forward chain rules:

add action=jump chain=forward comment="Check if dest is an open customer" disabled=no dst-address-list=open-customers jump-target=open-customers
add action=jump chain=forward comment="Check Known Bad Hosts" disabled=no jump-target=bad-hosts
add action=reject chain=forward comment="Reject if in the 24-hour-list" disabled=no reject-with=icmp-network-unreachable src-address-list=24-hour-list

- If the destination is on the exclusion list, permit it (some customers/businesses do not want me to firewall anything for them).
- I also check a manually maintained list of hosts I block.
- Now reject anyone on the one-day list.
Step 2
The bad-host-detection chain:

add action=return chain=bad-host-detection comment="Take no action on bogons" disabled=no src-address-list=bogons
add action=add-src-to-address-list address-list=30-second-list address-list-timeout=30s chain=bad-host-detection comment="Add to the 30 second list" disabled=no
add action=add-src-to-address-list address-list=24-hour-list address-list-timeout="1d 00:00:00" chain=bad-host-detection comment="If seen 20 times in 30 seconds add to the one day block list" disabled=no nth=20,0 src-address-list=30-second-list
add action=return chain=bad-host-detection comment="" disabled=no

- Take no action (return) if the host is in the bogons address list.
- Add the IP to the 30-second list.
- If the IP has been seen 20 times in 30 seconds, add it to the 24-hour-list.
- Return to the calling filter chain.
- This is a small rule set and could be put directly in the forward chain, but over time exclusions and other detection rules could be put here as well.
Step 3
More rules for the forward chain:

add action=jump chain=forward comment="jump to the bad-host-detection chain" disabled=no jump-target=bad-host-detection src-address-list=!our-networks

This rule needs to be at the bottom, just before the packet is rejected. Once again, here is how I have mine (my last three forward rules):

add action=jump chain=forward comment="jump to the bad-host-detection chain" disabled=no jump-target=bad-host-detection src-address-list=!our-networks
add action=log chain=forward comment="log and reject the rest" disabled=no log-prefix=""
add action=reject chain=forward comment="" disabled=no reject-with=icmp-network-unreachable

- Check for a bad attempt if the source address is not in the our-networks address list.
- Log the packet.
- Reject the packet.
- The lists in this process can get very large and your router must be capable of handling them. If you have a problem with list sizes, reducing the timeouts will reduce the size of the lists.
- 20 rejected attempts in 30 seconds is what I believe is sufficient evidence of an attack; you may adjust these values to your liking.
- This rule set could also be used in the input chain.
- Other Ideas
- Using the API to keep an eye on the lists' counts would be a good idea, maybe even condensing them into subnets.
- Another idea is to use the API to create a chart showing where the "bad hosts" are coming from.
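To make the two-stage list behaviour concrete, here is a small model of the process in Python, added as an example here and not part of the original page or of RouterOS. It tracks hits per source host exactly as the description states (the real rule set's nth matcher keeps a single counter per rule, so it only approximates this), assumes the 30-second window opens at the first sighting and is not extended by later hits, and uses constructed sample prefixes for our-networks and bogons; the blocked() helper also condenses the 24-hour list by /24 as suggested under "Other Ideas".

```python
from ipaddress import ip_address, ip_network

# Constructed sample values standing in for the page's address lists.
OUR_NETWORKS = [ip_network("203.0.113.0/24")]
BOGONS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
THRESHOLD, SHORT_TTL, LONG_TTL = 20, 30, 24 * 3600   # hits, seconds, seconds


class BadHostDetector:
    """Models the 30-second-list / 24-hour-list behaviour for packets that
    reached the bottom of the forward chain (i.e. would be rejected)."""

    def __init__(self):
        self.short = {}   # src -> [expires_at, hits]   (30-second-list)
        self.long = {}    # src -> expires_at           (24-hour-list)

    def _expire(self, now):
        self.short = {k: v for k, v in self.short.items() if v[0] > now}
        self.long = {k: v for k, v in self.long.items() if v > now}

    def forward(self, src, now):
        """Verdict for one rejected packet: 'reject-24h' when the rule at the
        top of the chain catches it, otherwise 'reject' from the end of it."""
        self._expire(now)
        if src in self.long:
            return "reject-24h"
        ip = ip_address(src)
        if not any(ip in n for n in OUR_NETWORKS):      # jump only if not ours
            self._detect(src, ip, now)
        return "reject"

    def _detect(self, src, ip, now):
        if any(ip in n for n in BOGONS):                 # "take no action on bogons"
            return
        entry = self.short.get(src)
        if entry is None:                                # first sighting opens the window
            self.short[src] = [now + SHORT_TTL, 1]
            return
        entry[1] += 1
        if entry[1] >= THRESHOLD:                        # 20th hit inside the window
            self.long[src] = now + LONG_TTL
            del self.short[src]

    def blocked(self, now):
        """Current 24-hour-list condensed by /24: {network: number of hosts}."""
        self._expire(now)
        counts = {}
        for src in self.long:
            net = ip_network(f"{src}/24", strict=False)
            counts[net] = counts.get(net, 0) + 1
        return counts
```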