Ongoing DDoS attack on masternode network
- Thread starter UdjinM6
- Start date
I would guess your are on ubuntu 14.04 and not 16.04
You should see the rules you pasted in, it will be easier to see if you make the putty window bigger.
Crap yeah that's on me, I was modifying my original script by adding chaeplins better ddos rules and missed that. Removed the line.
Cofresí
Member
Hey Figl, do you recommend setting a low maxconnections setting in dash.conf or high? I have it on maxconnections=64 and some of my nodes went down even with good specs. Maybe better to set a lower value? Thanks for spreading the knowledge
Figlmüller
Member
Sorry to bother you again, but I checked your rules once again and stumbled upon the first rules:
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
It's already late here in central Europe, I'm dead tired and I might be wrong. But aren't those lines instantaneously rejecting any kind of UDP packets, followed by TCP packets, and finally rejecting ALL packets with a protocol unreachable icmp packet - thus effectively preventing all kinds of connections?!
AndyDark
Well-known member
despite i had the requested hardware Dual Core CPU and 2 GB Ram i was kicked from the masternode list and lost 2 dash that i needed to get now !
Moving to Vultr $20 Quad CPU and 4GB RAM
Hey - please make sure to set the recommended IP tables too, that might be the cause and not the HW if you're on the recommended spec already: https://gist.github.com/chaeplin/5dabcef736f599f3bc64bdce7b62b817
Figlmüller
Member
Hey Figl, do you recommend setting a low maxconnections setting in dash.conf or high? I have it on maxconnections=64 and some of my nodes went down even with good specs. Maybe better to set a lower value? Thanks for spreading the knowledge
I'm running all nodes at a limit of 256 connections. Depending on the kind of attack and measures taken to stop packets reaching the listening application, it still may be not enough. I don't really know the impact of allowing 256 connections on a dash node regarding memory allocation/usage and CPU load caused by the operating system or the daemon. Neither I know the effects on the networking stack in that case.
What I know, is that during the current attacks, I had 30-40 connections or connection attempts at a time on the affected machines using rate limiting and other measures. Temporarily disabling those measures (for science
) ended up in hitting the limit of 256 within seconds. I did not analyze the attacks and packets sent in detail, but I noticed a significant growth of used memory on the host. I did not check whether this was caused by the networking stack (Kernel) or the daemon (processing bogus data?! memory allocation for clients?!...), as I switched the firewall(s) back on after that.I could not find any information whether the daemon itself is hardened against bogus input, and if so, how. Digging into the code isn't something I would like to do right now
Last edited:
The next line down over-ruled that for connections on 9999 and then the next chain is chaeplin's new rules that handle the ddos, which seemed confirmed since my nodes are active and getting payed. Unless mine are an example of lazy masternodes, I am changing the rules on one of my nodes and will monitor the cpu usage.
Edited
Last edited:
Figlmüller
Member
Correct me if 'm wrong, but already established connections should not be affected because of -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT before the mentioned lines, which may include existing masternode connections. At least as I understand it, you should not be able to establish any kind of (new) connection to a server using that iptables configuration. Did you try to SSH (new connection) into a server using that iptables config?
Maybe I'm failing to see something obvious and maybe I'm totally wrong. Will check back later, after some sleep
Correct me if 'm wrong, but already established connections should not be affected because of -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT before the mentioned lines, which may include existing masternode connections. At least as I understand it, you should not be able to establish any kind of (new) connection to a server using that iptables configuration. Did you try to SSH (new connection) into a server using that iptables config?
Maybe I'm failing to see something obvious and maybe I'm totally wrong. Will check back later, after some sleep
Yes that's true, but those are the rules I used as I was setting up my masternodes, so there were no connections to continue then and I can still ssh into them. As I understand it all connections run through all the rules in Iptables only those not changed by the following rules would remain rejected.
Sleep well mate, I'll recheck everything just to be sure
Last edited:
AndyDark
Well-known member
Incident report and how to harden your Masternode: https://www.dash.org/2017/03/08/DDoSReport.html
Last edited:
hi,
i try to set the iptables following tease intructions:
but
invoke-rc.d netfilter-persistent save
returns error
invoke-rc.d: unknown initscript, /etc/init.d/netfilter-persistent not found.
Did I miss something?
i try to set the iptables following tease intructions:
but
invoke-rc.d netfilter-persistent save
returns error
invoke-rc.d: unknown initscript, /etc/init.d/netfilter-persistent not found.
Did I miss something?
Are you on Ubuntu 16.04 or 14.04?
on 16.04.2 # invoke-rc.d netfilter-persistent save fails for me:
# invoke-rc.d netfilter-persistent save
* Saving netfilter rules...
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables exited with return code 1
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables exited with return code 1
[fail]
solved forgot sudo
iptables -L gives me
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Is that ok?
# invoke-rc.d netfilter-persistent save
* Saving netfilter rules...
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables exited with return code 1
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables exited with return code 1
[fail]
solved forgot sudo
iptables -L gives me
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Is that ok?
Last edited:
I'm on Ubuntu 14.04
Figlmüller
Member
Some toughts I would like to add to the suggested ruleset by chaeplin:
The default policy on the INPUT chain there is ACCEPT. Going through the firewall will, as expected, reduce the impact of the current attacks. So far so good. But the firewall will still allow connections to any listening socket on the host, because the approach is to accept all packets, but drop/reject unwanted ones (blacklist). Although this approach will less likely disrupt other services or lock out operators from their machines and is more suitable for less tech-savvy admins just deploying the rules, I am more a supporter of a whitelisting approach. In my opinion it would be better to DROP by default, and only ACCEPT if the right conditions are met. You will then have to explicitly allow traffic to the services (without locking yourself out of course). This also includes UDP traffic used for DNS (answers to DNS requests), for example. More checks and rules will be needed, but the overall security will improve in my opinion, as the suggested configuration by chaeplin will not protect against attacks related to DNS, ICMP and other ones, or will not hide/restrict other listening services. Still, the rules by chaeplin are very useful regarding the current attack situation.
The default policy on the INPUT chain there is ACCEPT. Going through the firewall will, as expected, reduce the impact of the current attacks. So far so good. But the firewall will still allow connections to any listening socket on the host, because the approach is to accept all packets, but drop/reject unwanted ones (blacklist). Although this approach will less likely disrupt other services or lock out operators from their machines and is more suitable for less tech-savvy admins just deploying the rules, I am more a supporter of a whitelisting approach. In my opinion it would be better to DROP by default, and only ACCEPT if the right conditions are met. You will then have to explicitly allow traffic to the services (without locking yourself out of course). This also includes UDP traffic used for DNS (answers to DNS requests), for example. More checks and rules will be needed, but the overall security will improve in my opinion, as the suggested configuration by chaeplin will not protect against attacks related to DNS, ICMP and other ones, or will not hide/restrict other listening services. Still, the rules by chaeplin are very useful regarding the current attack situation.
demo
Well-known member
Buy it. Its a bargain!
https://github.com/ewust/DDoSCoin
A ddoscoin is the reverse of the proof of bandwidth coins.
Ddoscoin is the virus, and PoW coins (like Torcoin) is the antivirus.
https://github.com/ewust/DDoSCoin
A ddoscoin is the reverse of the proof of bandwidth coins.
Ddoscoin is the virus, and PoW coins (like Torcoin) is the antivirus.
Last edited:
demo
Well-known member
And what is the moral of this DDos attack?
You are 4000 representatives of the generation 2014-2016 and you hold most the dash for yourself.
In case the future generations will be pissed off from your richness , you have no hope.
People who do not own dash (due to its designed time-space assymetry) are more than 4000, they are almost 7000000000 (the earth population).
Imagine a DDos from 700000000 IPs and calculate your chance to survive.
Unless of course you ask the help of the state to protect you.
But if you are asking the protection of the state, then you belong to the state, and you cannot avoid the state's rules (to respect the state's money, to respect the holders of that money, and to pay the taxes of course!)
Because with those taxes, the state is capable to protect the 4000 dash masternode owners from the DDOs attack of the rest 7 billion people (who do not own a single dash-duff). Are you listening @camosoul?
"War is the father and king of all: some he has made gods, and some men; some slaves and some free."
You are 4000 representatives of the generation 2014-2016 and you hold most the dash for yourself.
In case the future generations will be pissed off from your richness , you have no hope.
People who do not own dash (due to its designed time-space assymetry) are more than 4000, they are almost 7000000000 (the earth population).
Imagine a DDos from 700000000 IPs and calculate your chance to survive.
Unless of course you ask the help of the state to protect you.
But if you are asking the protection of the state, then you belong to the state, and you cannot avoid the state's rules (to respect the state's money, to respect the holders of that money, and to pay the taxes of course!)
Because with those taxes, the state is capable to protect the 4000 dash masternode owners from the DDOs attack of the rest 7 billion people (who do not own a single dash-duff). Are you listening @camosoul?
"War is the father and king of all: some he has made gods, and some men; some slaves and some free."
Last edited:
camosoul
Well-known member
This. MNs should be Fort Knox, not Best Buy.
How about a more "hardcore" ruleset script?
There shouldn't be anything but dashd, sentinel, and immediate supporting services. Dashd is no longer a side service on a machine doing 100 other things.It pays enough to grow up and take it seriously with dedicated resources. Only ports 9999 and a non-standard SSH port should even be awake. Everything else should blackhole. Not even ICMP response. Masternodes have much better and more useful means of event failure notification. As a dedicated dashd node, it doesn't need to ping.
You can get even better by running tor, and routing ssh to a hidden service that only listens after a port knock. You can't DDoS a port you can't find. 9999 is still exposed, but iptables can do a hell of a job focusing for dashd specific traffic with a ban-all-then-add-whitelist mentality.
The only way to improve upon that would be to dump ubuntu for gentoo and run hardened.
MNs need to become a much more serious matter, and an iptables plan that permits only whitelist is it.
Last edited: