5

I am fairly new to network security, and I just learned about the Fail2Ban framework you can use for automated exploit detection/prevention. It says that you can protect yourself from DOS attacks by setting up a rule that will automatically block their IP by adding it to IPTables after a configured number of attempts in a configured amount of time. My question is, if all you are doing is rejecting their requests, then they still have access to try to send information on that port. Can they not still overload your server with requests?

I've done some research on this, and the only potential reason I could find is that with a DOS attack, they are restricted by their upload bandwidth which is almost guaranteed to be smaller than your download bandwidth, so even if they are trying to hit you as hard as they can with requests, if you block their IP and aren't doing any processing on the information then they are really throwing pebbles at a brick wall there. Is this correct? What other reasons would this you be protected from DOS with this method?

ximaera
  • 3,395
  • 8
  • 23
Jon Ferguson
  • 53
  • 4
  • 2
    DoS attacks aren't all based on bandwidth, you could perform a DoS attack by making a request that requires a large amount of processing. Fail2Ban would mitigate this sort of DoS by preventing such repeated requests from reaching the application doing the processing. – AndrolGenhald Jan 30 '18 at 18:39
  • What's the reason of explicitly excluding DDoS from your question? With this, the question actually becomes purely theoretical, and Fail2Ban just isn't there to solve theoretical issues. See my answer below. – ximaera Jan 30 '18 at 22:50
  • @ximaera, just because you have trouble telling DoS and DDoS attacks apart doesn't mean they're the same thing. – Mark Jan 30 '18 at 22:54
  • @Mark when was the last time you've seen a _DoS attack in real life? – ximaera Jan 30 '18 at 22:59
  • Just because you block the traffic, doesn't mean it isn't there. An attacker can still flood you with traffic which blocks legit connections. The firewall just means nothing on the inside of the firewall will every see the traffic. – cybernard Jan 30 '18 at 23:14
  • @ximaera, yesterday. It probably wasn't intentional -- I think they were trying to clone the site instead of knock it offline -- but hitting a low-powered webserver with enough traffic certainly acts as a denial of service attack. – Mark Jan 30 '18 at 23:31
  • @Mark you must be kidding. Take, I don't know, [RFC 4732](https://tools.ietf.org/html/rfc4732): *a Denial-of-Service (DoS) attack is an attack in which one or more machines target a victim **and attempt to prevent** the victim from doing useful work*. Take [US-CERT](https://tinyurl.com/ST04-015), [CERT/CC](https://tinyurl.com/certcc-dos) or a [vendor's site](https://www.symantec.com/security_response/glossary/define.jsp?letter=d&word=dos-denial-of-service-attack): as broad as those definitions are, each of them implies an *intentional* attempt. Yours is just an occasional operations failure. – ximaera Jan 30 '18 at 23:47
  • @Mark RFC 4732 even explicitly points out the difference between *"a sufficiently subtle DoS attack and a flash crowd (where unexpected heavy but non-malicious traffic has the same effect as a DoS attack)"*. The latter is essentially your case. – ximaera Jan 30 '18 at 23:51

3 Answers3

3

My question is, if all you are doing is rejecting their requests, then they still have access to try to send information on that port. Can they not still overload your server with requests?

Yes, a subset of attackers can. If their bandwidth is greater than yours, or if they find a way to use your bandwidth faster than theirs to offset the difference, you are starved of bandwidth and legitimate traffic cannot get through.

This is actually true at any time attacker_effective_bandwidth + legitimate_bandwidth > server_bandwidth, so it isn't solely dependent on the attacker's resources, but also on the degree to which you over-provision.

Note also that fail2ban is focused on access attempts and exploits that you log or monitor. Some denial of service attacks rely on communications that may not be logged (ICMP echo requests, for example), and might not trigger fail2ban.

if you block their IP and aren't doing any processing on the information then they are really throwing pebbles at a brick wall there. Is this correct?

It is only correct if the resource you are preserving is CPU, and if fail2ban will observe /trigger based on all traffic that causes CPU usage. Dropping packets does take a measurable amount of CPU, but it is much smaller than trying to do anything else with them.

What other reasons would this you be protected from DOS with this method?

I don't understand this question, but I think that fail2ban is one tool you might use, and a reasonable one. However, you should consider adding other tools if the cost of your site going down is greater than the cost of acquiring and maintaining the tools required to prevent it.

Slartibartfast
  • 266
  • 1
  • 4
0

To answer your question, yes blocking the IP of an attacker DoS'ing your server is an effective mitigation. This is for two basic reasons:

Reason #1: Hypothetically, if the attacker is going with an basic flood based attack with the intention being to overwhelm the server with bandwidth (say uploading files?) blocking their IP will significantly reduce the bandwidth of their attack to the point it should not have any impact on your server (as long as your server isn't a hamster running on a wheel powering a Raspberry Pi).

It should be noted, #1 is a rare attack strategy for a DoS attack since realistically, a single attacking node will not have the bandwidth capabilities to crash a server by flooding it with requests. The more common case is

Reason #2: Application level DoS attacks are much more effective. For example, lets say your website has a login page that conducts server side cryptographic hashing of the supplied password. A smart attacker could attempt to crash the server by focusing their DoS attack on that login request, making the server compute hundreds or thousands of simultaneous logins when the typical load is much lighter. In this case, the Fail2Ban framework you described should work perfectly as it would filter away the attackers fake login requests.

The entire mitigation tactic can be circumvented by frequently rotating a spoofed IP address at the attacker's note but that becomes an odd DDoS/DoS hybrid and you specifically asked about old fashion DoS. Therefore, the answer stands. Simply blocking the attacking IP should be an adequate defense.

dFrancisco
  • 2,691
  • 1
  • 13
  • 26
  • Application-level _DoS is now completely hypothetical. It's too simple to mitigate one, why would anyone even try that? I don't think anyone had seen anything like that in the wild since circa 2011. – ximaera Jan 30 '18 at 22:46
  • Also, when (for some unclear reason) one wants to distinguish a single-sourced DoS attack from a distributed one, it's important to define "source". Is it a source *IP address* or a *machine*? If it's an IP address, then it's possible to spoof a single-IP-sourced traffic from *a number* of nodes (say, thousands), thus utilizing a bandwidth greatly exceeding capabilities of a lone handling server. (continued) – ximaera Jan 31 '18 at 02:05
  • ...If it's a machine, should it be a physical machine, or a virtual machine counts? Do `chroot` or LXC count then? What if there are two (three, ten, twenty, a hundred) virtual machines under a single supervisor, and what if they occasionally migrate to another physical server (which happens frequently in a cloud)? What if there are multiple IP addresses assigned to a node, from different IP prefixes, and how it's then different from a DDoS attack from a victim's point of view? An academic approach must take all of this in mind, while a practical one barely should. – ximaera Jan 31 '18 at 02:22
0

What's probably most important here is that in regard to the mitigation, it's almost useless to tell apart DoS and DDoS attacks these days. No real world denial-of-service attack happens from a single fixed IP source anymore.

The only obvious exception is when an attacker generates a specially crafted packet to exploit a vulnerability with DoS potential (e.g. a null pointer dereference somewhere in a packet handling code; here's an example of such vulnerability). But blocking a source IP address which runs an exploit isn't really a good way to mitigate that; patching a vulnerable system is.

In theory, it would be easier to handle a simple DoS attack than a distributed one. However, as those are too easy to mitigate, they are mostly extinct nowadays, and the tool you're asking about (Fail2Ban) isn't there to help against extinct attacks, it's written with real world application in mind.

Taking this into account, blocking an IP address (either with Fail2Ban or manually) only makes sense if two conditions are met at the same time:

  1. The DDoS attack which is ongoing affects only the performance of the server itself (or anything behind it, like a database server behind a Web application), but not the network transport in front of it;
  2. It can be verified somehow that all the source IP addresses involved in attack are not spoofed. E.g. a DDoS attack targets a handshake-based network service (where you can negotiate some secret towards a client and verify that the client has actually received the secret), and passes the basic handshake successfully. I can come up with another example, but the description above pretty much sums up the most frequent scenario.

Regarding a typical HTTPS server, you can use IP range blocking against, for example, TCP connection flood, SSL/TLS handshake flood, POST flood, Slowloris, and so on (it's rather hard to classify Layer 7 attacks beyond simple floods), which all in most cases satisfy both requirements.

Note that though, say, a sufficiently large POST flood could in fact affect the network transport in front of your server, IP blocking can still help you with that, because it prevents underlying TCP connections from being established, and a malicious bot won't be able to subsequently send a large POST body towards your server. This effectively limits the remaining malicious incoming traffic to a low rate SYN flood which is in most cases easy to handle.

Moreover, the main effect which an HTTP-based flood will cause on your network transport is due to outbound traffic generated by your server in response (which in today's HTTP may be about 11-12 times more than the inbound one), and blocking the IP sources of an HTTP flood eliminates this as well due to the reasons outlined above.

At the same time IP blocking is mostly useless against attacks like ICMP flood, SYN flood, UDP flood, and others which do not satisfy at least the requirement #2; and against amplification attacks which are, under most conditions, so powerful in terms of inbound traffic that they do not satisfy the requirement #1.

Note that the fact that a source IP address in a, say, SYN flood can't be verified doesn't necessarily mean it is spoofed. However, blocking a potentially spoofed IP address range may result in your service being unreachable for legitimate users. In fact, it may be an attacker's intent to trick you into starting to automatically (e.g. via the said Fail2Ban tool) block source IP addresses of a packet-based flood while there are only few sources present in the traffic, and then to spoof important IP address ranges, such as the IP ranges of largest ISPs in your country, or even the whole global IPv4 address range of ~4 billion addresses which, at an arbitrary flood rate of 100 Mbit per second, could all be enumerated in roughly an hour — I've actually seen that in my life a few times.

ximaera
  • 3,395
  • 8
  • 23