[JDEV] Jabber DevZone News - @jabber.org server

Thomas Muldowney temas at box5.net
Wed Jun 6 13:40:29 CDT 2001


Again it's not necessarily a matter that simple.  The pipe gets filled, rate
limiting takes effect and things seem to slow down.  Some of it is also acting
as legitimate traffic and that causes some of the development things to spazz.
So we're trying to separate production level from development level pieces as
the first step, and then we'll also be putting in an actual box to act as the
router for the jabber.org (jabelin.org as well) domain.  It will be using
either a recent kernel and iptables or possibly OpenBSD + ipf power.

--temas

On Wed, May 23, 2001 at 10:39:06AM -0700, Ron Wills wrote:
>   I don't know if this is an option, but have you thought of upgrading your kernel to 2.4 (I find 2.4.2
> to be the stablest) and using iptables (netfilter) as a firewall against DDoS and various other
> attacks. I know compiling a new kernel and having to restart a server is a huge inconvenience for
> everyone, but with iptables the security has increased tenfold (in my opinion). Even with ipchains,
> nmap (port scanner) will show several holes still in the firewall. Here's a configuration that seems
> to work well:
> 
> # Block NULL, FIN, Xmas style attacks
> iptables -N attacks
> iptables -A attacks -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A attacks -p tcp --tcp-flags ALL FIN -j DROP
> iptables -A attacks -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
> iptables -A INPUT -j attacks
> iptables -A FORWARD -j attacks
> 
> # Prevent DoS attacks: accept new connections at 1/s and drop the excess.
> # Without the DROP after each limit rule, packets over the limit fall
> # through to the rules below and are still accepted there.
> iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
> iptables -A FORWARD -p tcp --syn -j DROP
> # Furtive port scanner
> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
> # Prevent flood pings
> iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
> iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP
> 
> # Filter out anyone trying to connect to us
> iptables -N block
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> # NEW connections from any interface other than eth0 (the inside) are fine
> iptables -A block -m state --state NEW ! -i eth0 -j ACCEPT
> 
> # Connections to accept from the outside
> iptables -A block -m state --state NEW -i eth0 -p tcp --dport 5222 -j ACCEPT
> iptables -A block -m state --state NEW -i eth0 -p icmp --icmp-type echo-request -j ACCEPT
> 
> iptables -A block -j DROP
> iptables -A INPUT -j block
> iptables -A FORWARD -j block
> 
> Jabber DevZone wrote:
> 
> > @jabber.org server
> >
> > The following was posted by jer at jabber.org via the Jabber DevZone web site (http://dev.jabber.org/):
> >
> > For the past few weeks the server hosting jabber.org has been under frequent DDoS (Distributed
> > Denial of Service) attacks.  The type of attack has been a SYN flood to port 5222, originating from
> > various networks and most likely compromised hosts.  We're not sure who or why, and don't yet have any
> > information about the abuse, but it's not uncommon for popular open chat systems to be targeted in
> > such a way (IRC for instance).
> >
> > There are two results of the attacks: one is congesting the server on port 5222 so that nobody can
> > connect.  To combat this, as soon as an attack is recognized we immediately apply ipchains filters to
> > block network access to the box and drop all packets from the offending hosts.  The larger problem is
> > that on a few occasions the size of the attack is greater than and overwhelms the amount of bandwidth
> > allotted to our server (a few T1s).  It takes a bit longer, but the local ISP hosting the server calls
> > the upstream provider and has the offending networks blocked, returning the bandwidth capacity to
> > normal.
> >
> > There have been a couple of other service outages recently, due to the development nature of the
> > server and that often a transport will run away and consume system resources, bringing the server to
> > a halt. As part of the foundation two new server boxes will be arriving soon, one for the
> > production-only jabber.org server, and one available to the community for server and
> > transport/services development and testing.  With the server developers getting their own domain
> > (jabelin.org) to [ab]use and the added focus on the quality of services available from the
> > foundation, server uptime and administration should improve :-)
> >
> > One last note is that the service was just updated to the latest release last night.  The flash5
> > and HTTP-tunneling socket support is now available directly on jabber.org.  WCS (the Web Client
> > Service) is now configured as well, and will be activated shortly for testing and experimentation.
> >
> > http://jabber.org/?oid=1502
> 
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev