SYNPROXY does not seem to be running

I was trying to create iptables rules to prevent the server's connection limit from being filled up by incomplete SYN packets for which the client never returns the ACK packet (a SYN flood attack).

I read [RFC 4987 TCP SYN Flooding Attacks and Common Mitigations][1] and [Mitigate TCP SYN Flood Attacks with Red Hat Enterprise Linux 7 Beta][2], and finally tried to follow the instructions [here][3] (https://javapipe.com/blog/iptables-ddos-protection/).

However, my site is still easily taken down by a DoS attack using the following command:

hping -S --flood -V -p 443 www.mydomain.com

At the end of the Javapipe.com tutorial linked above, a command is mentioned that tells you whether SYNPROXY is active:

To verify that SYNPROXY is working, you can run watch -n1 cat /proc/net/stat/synproxy. If the values change when you establish a new TCP connection to a port that uses SYNPROXY, it is working.

The command is:

watch -n1 cat /proc/net/stat/synproxy

When I run that command on my server and try to load a page, the data does not change; it is all zeros.

Every 1.0s: cat /proc/net/stat/synproxy                                                                                                      Thu Jul 25 19:57:00 2019

entries         syn_received    cookie_invalid  cookie_valid    cookie_retrans  conn_reopened
00000000        00000000        00000000        00000000        00000000        00000000

Here is the output of iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
REJECT     tcp  --  anywhere             anywhere             #conn src/32 > 80 reject-with tcp-reset
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW limit: avg 20/sec burst 20
DROP       tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:RST/RST limit: avg 2/sec burst 2
DROP       tcp  --  anywhere             anywhere             tcp flags:RST/RST
DROP       all  --  anywhere             anywhere             ctstate INVALID
SYNPROXY   tcp  --  anywhere             anywhere             tcp ctstate INVALID,UNTRACKED SYNPROXY sack-perm timestamp wscale 7 mss 1460 
DROP       all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             state INVALID

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
OUTPUT_direct  all  --  anywhere             anywhere            

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_public  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_public  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_public (1 references)
target     prot opt source               destination         
FWDI_public_log  all  --  anywhere             anywhere            
FWDI_public_deny  all  --  anywhere             anywhere            
FWDI_public_allow  all  --  anywhere             anywhere            
REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FWDI_public_allow (1 references)
target     prot opt source               destination         

Chain FWDI_public_deny (1 references)
target     prot opt source               destination         

Chain FWDI_public_log (1 references)
target     prot opt source               destination         

Chain FWDO_public (1 references)
target     prot opt source               destination         
FWDO_public_log  all  --  anywhere             anywhere            
FWDO_public_deny  all  --  anywhere             anywhere            
FWDO_public_allow  all  --  anywhere             anywhere            

Chain FWDO_public_allow (1 references)
target     prot opt source               destination         

Chain FWDO_public_deny (1 references)
target     prot opt source               destination         

Chain FWDO_public_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_public  all  --  anywhere             anywhere            [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         

Chain IN_public (1 references)
target     prot opt source               destination         
IN_public_log  all  --  anywhere             anywhere            
IN_public_deny  all  --  anywhere             anywhere            
IN_public_allow  all  --  anywhere             anywhere            
REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain IN_public_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination         

Chain IN_public_log (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination  

The server is a VPS at Digital Ocean running CentOS 7.6, kernel 3.10.0-862.2.3.el7.x86_64.

Can anyone help explain why SYNPROXY is not running, or why/how to protect my server from SYN flooding?
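An added diagnostic (not the question's own script) for the two setup faults that keep /proc/net/stat/synproxy at zero in the INPUT chain above: the SYNPROXY rule was appended after firewalld's unconditional REJECT, so it is never evaluated, and SYN packets must be exempted from conntrack in the raw table (as in the Red Hat article the question cites) so they reach SYNPROXY as UNTRACKED. The function names, the rule lists and the `-i lo` match are assumptions; `iptables -L` without `-v` hides interface matches.

```python
# Added example (not from the question): check why a SYNPROXY rule never fires.
# Parses `iptables -S` lines and reports the faults that leave /proc/net/stat/synproxy
# at zero: SYNPROXY behind an unconditional terminating rule, no raw-table NOTRACK rule
# for SYNs (so they never reach it as UNTRACKED), nf_conntrack_tcp_loose still enabled.
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rule(line):
    """Split `-A CHAIN <matches> -j TARGET <target opts>` into its parts."""
    toks = shlex.split(line)
    if len(toks) < 4 or toks[0] != "-A" or "-j" not in toks:
        return None
    j = toks.index("-j")
    return {"chain": toks[1], "matches": toks[2:j], "target": toks[j + 1], "topts": toks[j + 2:]}

def synproxy_findings(filter_rules, raw_rules, tcp_loose):
    """Return fault strings; an empty list means the setup looks right."""
    findings = []
    inp = [r for r in map(parse_rule, filter_rules) if r and r["chain"] == "INPUT"]
    idx = next((i for i, r in enumerate(inp) if r["target"] == "SYNPROXY"), None)
    if idx is None:
        findings.append("missing: no SYNPROXY rule in INPUT")
    else:
        # A preceding ACCEPT/DROP/REJECT with no match swallows every packet first.
        for r in inp[:idx]:
            if r["target"] in TERMINAL and not r["matches"]:
                findings.append(f"unreachable: SYNPROXY sits behind an unconditional {r['target']}")
                break
        if "UNTRACKED" not in " ".join(inp[idx]["matches"]):
            findings.append("state: SYNPROXY rule must match --ctstate INVALID,UNTRACKED")
    raw = [r for r in map(parse_rule, raw_rules) if r and r["chain"] == "PREROUTING"]
    if not any(r["target"] == "CT" and "--notrack" in r["topts"] and "--syn" in r["matches"] for r in raw):
        findings.append("notrack: raw PREROUTING lacks '-p tcp -m tcp --syn -j CT --notrack'")
    if tcp_loose != 0:
        findings.append("sysctl: net.netfilter.nf_conntrack_tcp_loose must be 0")
    return findings

# Constructed `iptables -S INPUT` lines modelled on the chain in the question; "-i lo"
# on the second rule is an assumption (iptables -L without -v hides interface matches).
BROKEN_INPUT = [
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -j INPUT_ZONES",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
    "-A INPUT -p tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460",
]
# Same chain with SYNPROXY and the INVALID drop inserted at the top, plus the raw rule.
FIXED_INPUT = [BROKEN_INPUT[-1], "-A INPUT -m conntrack --ctstate INVALID -j DROP"] + BROKEN_INPUT[:-1]
RAW_OK = ["-A PREROUTING -p tcp -m tcp --syn -j CT --notrack"]
```

Feed it the real output of `iptables -S INPUT`, `iptables -t raw -S PREROUTING` and `sysctl -n net.netfilter.nf_conntrack_tcp_loose` to check a live host.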
