Preventing outgoing Portscan/SYN/UDP Floods in the datacenter

Question

We are a VPS hosting company that have servers housed in a datacenter in Germany. Currently we are receiving multiple take-down requests because customers are ports scanning or attacking servers outside our network and we are looking for a way to prevent this, our old DC just blocked the IPs automatically on their end so we could take action but the new DC doesn't do this.

We took a look at the following options:

• Nodewatch, unfortunately that only works with OpenVZ and we use KVM.
• UTM Firewalls might do the job but I can't find what we are looking for in the manuals (and I'm not sure what it's called)
• A Linux firewall distribution, same thing as a hardware firewall. Can't find the right naming.

What is the right way to prevent outgoing attacks since most firewalls only offer protection for incoming attacks?

Answer 1

What is the right way to prevent outgoing attacks since most firewalls only offer protection for incoming attacks?

To throttle or drop traffic burst I've tried different modules in iptables. The best of which was hashlimit module. I use it in FORWARD chain.

For example, to prevent outgoing TCP SYN traffic burst and limit it to 60 request a minutes use:

iptables -I FORWARD -p tcp --syn -s 192.168.1.1/24 -j DROP
iptables -I FORWARD -p tcp --syn -s 192.168.1.1/24 -m state --state NEW -m hashlimit --hashlimit 60/minute --hashlimit-mode srcip --hashlimit-burst 10 --hashlimit-name portscan -j ACCEPT

The order of commands is important. This will slow down the connections outgoing TCP SYN packets. To see how hashlimit operates in action, run:

while sleep 1 ; do cat /proc/net/ipt_hashlimit/tablename; done

The other way is to use tc.

Disclamer: I haven't tested the exact above command and it is just for a sample.