[JDEV] Jabber DevZone News - @jabber.org server

Ron Wills ron.wills at home.com
Wed May 23 12:39:06 CDT 2001


  I don't know if this is an option, but have you thought of upgrading your kernel to 2.4 (I find
2.4.2 to be the most stable) and using iptables (netfilter) as a firewall against DDoS and various
other attacks. I know compiling a new kernel and having to restart a server is a huge inconvenience
for everyone, but with iptables the security has increased tenfold (in my opinion). Even with
ipchains, nmap (a port scanner) will show several holes still in the firewall. Here's a
configuration that seems to work well:

# Block NULL, FIN and Xmas-style probes (illegal TCP flag combinations)
iptables -N attacks
iptables -A attacks -p tcp --tcp-flags ALL NONE -j DROP
iptables -A attacks -p tcp --tcp-flags ALL FIN -j DROP
iptables -A attacks -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -j attacks
iptables -A FORWARD -j attacks

# Rate-limit SYN floods, furtive (bare RST) port scans and flood pings.
# The limited rules RETURN to the calling chain instead of ACCEPTing, so a
# packet under the limit still has to pass the port policy in "block"
# below, and everything over the limit is dropped right here. The chain is
# hooked into INPUT as well as FORWARD so it protects the host itself.
# Note that the limit is global, not per source host.
iptables -N ratelimit
iptables -A ratelimit -p tcp --syn -m limit --limit 1/s -j RETURN
iptables -A ratelimit -p tcp --syn -j DROP
iptables -A ratelimit -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A ratelimit -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
iptables -A ratelimit -p icmp --icmp-type echo-request -m limit --limit 1/s -j RETURN
iptables -A ratelimit -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -j ratelimit
iptables -A FORWARD -j ratelimit

# Default policy: allow replies to connections we opened and anything
# that does not arrive on the external interface (eth0), drop the rest
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW ! -i eth0 -j ACCEPT

# Connections to accept from outside: the Jabber client port, and ping
iptables -A block -m state --state NEW -i eth0 -p tcp --dport 5222 -j ACCEPT
iptables -A block -m state --state NEW -i eth0 -p icmp --icmp-type echo-request -j ACCEPT

iptables -A block -j DROP
iptables -A INPUT -j block
iptables -A FORWARD -j block

Jabber DevZone wrote:

> @jabber.org server
>
> The following was posted by jer at jabber.org via the Jabber DevZone web site (http://dev.jabber.org/):
>
> For the past few weeks the server hosting jabber.org has been under
> frequent DDoS (Distributed Denial of Service) attacks. The type of
> attack has been a SYN flood to port 5222, originating from various
> networks and most likely compromised hosts. We're not sure who or why,
> and don't yet have any information about the abuse, but it's not
> uncommon for popular open chat systems to be targeted in such a way
> (IRC for instance).
>
> There are two results of the attacks, one is congesting the server on
> port 5222 so that nobody can connect. To combat this, as soon as an
> attack is recognized we immediately apply ipchains filters to block
> network access to the box and drop all packets from the offending
> hosts. The larger problem is that on a few occasions the size of the
> attack is greater than and overwhelms the amount of bandwidth allotted
> to our server (a few T1s). It takes a bit longer, but the local ISP
> hosting the server calls the upstream provider and has the offending
> networks blocked, returning the bandwidth capacity to normal.
>
> There have been a couple of other service outages recently, due to the
> development nature of the server and that often a transport will run
> away and consume system resources, bringing the server to a halt. As
> part of the foundation two new server boxes will be arriving soon, one
> for the production-only jabber.org server, and one available to the
> community for server and transport/services development and testing.
> With the server developers getting their own domain (jabelin.org) to
> [ab]use and the added focus on the quality of services available from
> the foundation, server uptime and administration should improve :-)
>
> One last note is that the service was just updated to the latest
> release last night. The flash5 and HTTP-tunneling socket support is now
> available directly on jabber.org. WCS (the Web Client Service) is now
> configured as well, and will be activated shortly for testing and
> experimentation.
>
> http://jabber.org/?oid=1502
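The quoted announcement describes recognising a SYN flood on port 5222 and then hand-applying filters that drop the offending hosts. Below is an added example (not from the original thread or the jabber.org admins) that automates that first step: it counts half-open connections per remote address in `netstat -ant`-style output and prints the iptables commands that would drop the flooding sources into a dedicated chain. The sample netstat lines, the addresses (RFC 5737 documentation ranges), the chain name `synflood` and the helper names are all constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (one ESTABLISHED session and
# several half-open SYN_RECV entries). Real input comes from `netstat -ant`
# or `ss -tan` on the server being flooded.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:5222           198.51.100.7:40001      SYN_RECV
tcp        0      0 10.0.0.5:5222           198.51.100.7:40002      SYN_RECV
tcp        0      0 10.0.0.5:5222           198.51.100.7:40003      SYN_RECV
tcp        0      0 10.0.0.5:5222           203.0.113.9:51000       SYN_RECV
tcp        0      0 10.0.0.5:5222           192.0.2.44:33010        ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.7:40004      SYN_RECV'

# syn_flood_sources PORT THRESHOLD  (netstat output on stdin)
# Prints "count address" for every remote address holding at least
# THRESHOLD half-open (SYN_RECV) connections to local PORT, busiest first.
# Other local ports and fully established sessions are ignored.
syn_flood_sources() {
    awk -v port="$1" -v thr="$2" '
        $6 == "SYN_RECV" && $4 ~ (":" port "$") {
            sub(/:[0-9]+$/, "", $5)      # strip the remote port
            n[$5]++
        }
        END { for (a in n) if (n[a] >= thr) print n[a], a }
    ' | sort -rn
}

# block_rules PORT THRESHOLD  (netstat output on stdin)
# Emits the iptables commands for a dedicated "synflood" chain that drops
# the offending sources. They are printed rather than executed so an
# operator can review them first; pipe the output to sh to apply.
block_rules() {
    echo 'iptables -N synflood 2>/dev/null || true'
    echo 'iptables -C INPUT -j synflood 2>/dev/null || iptables -I INPUT -j synflood'
    syn_flood_sources "$1" "$2" | while read -r count addr; do
        echo "iptables -A synflood -s $addr -p tcp --dport $1 -j DROP   # $count half-open"
    done
}

printf '%s\n' "$SAMPLE" | block_rules 5222 3
```

With the sample above and a threshold of 3, only 198.51.100.7 is reported; the single half-open entry from 203.0.113.9 and the probe to port 22 are left alone.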
