Banda Ancha EU

User community for fibre, mobile and ADSL

RDoS attack problem with Asus RT-AC66 B1

BocaDePez

Hi all. It turns out I had the Compal CG7486E and was testing it with RDoS attacks; it more or less held up, the network got very slow but did not go down. I decided to put it in bridge mode with an Asus RT-AC66 B1, and to my surprise the Asus router (Merlin firmware) gets saturated and my whole network goes down within a few seconds.

target prot opt source destination
RETURN all -- anywhere 192.168.1.200
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
logdrop icmp -- anywhere anywhere icmp echo-request
RETURN all -- anywhere anywhere

Any ideas? Because what a bargain this turned out to be...

vukits

What does the router's iptables look like?

No firewall accepts a Christmas tree...

It looks to me like you don't have any firewall up.

PS: by the way, a better firewall is Snort.

BocaDePez
Miguelito@(none):/tmp/home/root# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
logaccept  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
logdrop    all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
logaccept  udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
logaccept  tcp  --  anywhere             router.asus.com      ctstate DNAT tcp dpt:www
logaccept  icmp --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
logaccept  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
logdrop    all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere             state INVALID
logaccept  all  --  anywhere             anywhere
SECURITY   all  --  anywhere             anywhere
logaccept  all  --  anywhere             anywhere             ctstate DNAT

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FUPNP (0 references)
target     prot opt source               destination

Chain PControls (0 references)
target     prot opt source               destination
logaccept  all  --  anywhere             anywhere

Chain SECURITY (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             192.168.1.200
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
logdrop    icmp --  anywhere             anywhere             icmp echo-request
RETURN     all  --  anywhere             anywhere

Chain logaccept (8 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (7 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP       all  --  anywhere             anywhere
vukits

The log rotates, right? (i.e. it has a maximum size)...

Wouldn't want you to run out of memory because of the log.

ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW

I don't like this one... (incoming connections with state NEW is a bit of a joke (except for very specific ports)).

Look, for example, this is a very basic firewall, taken from the Debian wiki:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
BocaDePez
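An added example, not the poster's configuration and not anything shipped by the Asus/Merlin firmware: a small default-deny ruleset for a Linux router that addresses the three points raised in the replies above. The listing posted earlier accepts state NEW on INPUT from anywhere, its logdrop chain writes one LOG line per dropped NEW packet with no rate limit, and its SECURITY chain uses the `limit` match, which is a single global token bucket: once one flooding source has drained it, every other source's SYNs are dropped (and logged) as well. The interface names, the LAN subnet and every rate figure below are assumptions to adjust; `gen_rules` prints the commands for review and `apply` loads them.

```shell
#!/bin/sh
# Added example (not the Asus/Merlin firmware's own rules): a default-deny
# ruleset for a Linux home router. WAN/LAN names, the LAN subnet and the
# rate figures are assumptions; adjust them before running with "apply".
set -eu

IPT="${IPT:-iptables}"            # set IPT=echo to print rather than load
WAN="${WAN:-eth0}"                # assumed WAN interface
LAN="${LAN:-br0}"                 # assumed LAN bridge
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# gen_rules prints one iptables command per line so the ruleset can be
# reviewed (or checked by a test) before anything touches the kernel.
gen_rules() {
cat <<EOF
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# 1. Logging is rate-limited: a logdrop chain that logs every dropped NEW
#    packet turns a SYN flood into one syslog line per packet.
$IPT -N LOGDROP
$IPT -A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "DROP " --log-level warning
$IPT -A LOGDROP -j DROP

# 2. SYN rate limit is per source (hashlimit), not one global bucket (limit):
#    with a global bucket one flooding host empties it and every other
#    host's SYNs are dropped too. Legitimate rates pass with RETURN.
$IPT -N SYNLIMIT
$IPT -A SYNLIMIT -m hashlimit --hashlimit-name syn --hashlimit-mode srcip --hashlimit-upto 20/sec --hashlimit-burst 40 -j RETURN
$IPT -A SYNLIMIT -j LOGDROP

# 3. INPUT accepts NEW only from the LAN side, never from "anywhere".
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -i $WAN -p tcp --syn -j SYNLIMIT
$IPT -A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
$IPT -A INPUT -i $LAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT
$IPT -A INPUT -i $WAN -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name ping --hashlimit-mode srcip --hashlimit-upto 2/sec --hashlimit-burst 5 -j ACCEPT
$IPT -A INPUT -j LOGDROP

# FORWARD: LAN -> WAN, replies, and DNAT port forwards only.
$IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
$IPT -A FORWARD -i $WAN -p tcp --syn -j SYNLIMIT
$IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
$IPT -A FORWARD -i $WAN -o $LAN -m conntrack --ctstate DNAT -j ACCEPT
$IPT -A FORWARD -j LOGDROP
EOF
}

# apply_rules feeds the generated commands to a shell that stops on the
# first error, so a typo cannot leave a half-loaded ruleset unnoticed.
apply_rules() {
    gen_rules | sh -e
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it without arguments to preview the commands and with `apply` (as root) to load them. Two checks worth doing on a listing like the one pasted above: plain `iptables -L` hides interface matches and counters, so `iptables -L -v -n` is what shows which rules a flood actually hits; and dropping a packet still costs CPU, so a ruleset like this protects the log, the memory and the connection table but cannot make a small router SoC survive a packet rate it cannot process. The `--hashlimit-upto` spelling assumes a reasonably current iptables; older builds know the same option only as `--hashlimit`. The DHCP rules (ports 67 and 68) are there because a client's DHCP discover comes from 0.0.0.0 and would otherwise be dropped by the `-s $LAN_NET` match.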

It's the iptables this router comes with by default, I'll have to tinker with it a bit. Thanks.