
The last couple of days I've been having some weird small DDoS attacks on different VPS's I have online.

The first one I detected using netstat, and I noticed a bunch of IPs from a different region (they resolved to Singapore), so I used ufw deny from x.y.0.0/16 to block the entire subnet, as it was varying in the last two numbers. That worked.

Now today I am having the same issue on a completely different VPS, except that this time, besides the IP, there are also some addresses that say, for example, miami-1.octovpn.net (that's a real value in this case). I blocked the IP range in that case, but I am not sure how to block a wildcard domain from accessing the site using ufw.

I thought of something like:

ufw deny from *.octovpn.net

But the command returned ERROR: Bad source address.

Any ideas?

2 Answers


You have not been under attack from us; however, if you look at the packets you received, they were SYN_RECV. These packets can easily be spoofed.

You are being used as the reflector to attack us, not the other way around.

There is no true way to stop this once you are being used as a reflector, due to how TCP works. What you can do is block our ranges; however, the attackers will still use you as a reflector to attack other services.

You can read more about it here: https://octovpn.com/tcpamp

We had to make this page as we saw a huge increase in attacks originating from "TCP-AMP", where remote TCP services are being used as reflectors. Server administrators thought we were attacking them, but it's the opposite.

OctoVPN
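The check the asker did by eye with netstat (many half-open connections from one region), as an added shell example that is not part of the thread or of OctoVPN's page. It reads `ss -tan`-style output and counts SYN-RECV entries per remote /16, which is the view an administrator has before deciding whether to block a range. The sample output and all addresses in it are constructed; in live use pipe `ss -tan` into the function. Keep the answer above in mind when reading the result: a SYN-RECV entry records the source address as written in the packet, so a high count from one range is consistent with that range being a spoofed victim, not necessarily the origin.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise half-open (SYN-RECV)
# TCP connections per remote /16 from `ss -tan` output read on stdin.
# Assumes IPv4 peers in the 5th column ("Peer Address:Port"), as `ss -tan` prints.

# Constructed sample of `ss -tan` output; local and peer addresses are made up.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
SYN-RECV   0      0      10.0.0.5:443         198.51.100.17:51234
SYN-RECV   0      0      10.0.0.5:443         198.51.100.88:40001
SYN-RECV   0      0      10.0.0.5:443         198.51.100.201:1025
ESTAB      0      0      10.0.0.5:443         203.0.113.9:55220
SYN-RECV   0      0      10.0.0.5:443         203.0.113.77:33333
SYN-RECV   0      0      10.0.0.5:80          198.51.100.3:2048'

# syn_recv_by_slash16: print "count a.b.0.0/16" for SYN-RECV peers, highest count first.
syn_recv_by_slash16() {
    awk '$1 == "SYN-RECV" {
            split($5, p, ":");                 # peer "addr:port" -> addr
            split(p[1], o, ".");               # dotted quad -> octets
            net = o[1] "." o[2] ".0.0/16";
            c[net]++
         }
         END { for (n in c) print c[n], n }' | sort -rn
}

# top_syn_recv_net: the /16 contributing the most half-open connections.
top_syn_recv_net() {
    syn_recv_by_slash16 | head -n 1 | awk '{print $2}'
}

# syn_recv_count: total number of half-open connections in the input.
syn_recv_count() {
    awk '$1 == "SYN-RECV" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_SS" | syn_recv_by_slash16
```

On the constructed sample this prints `4 198.51.0.0/16` followed by `1 203.0.0.0/16`. A live run (`ss -tan | syn_recv_by_slash16`) gives the same shape of output; the total from `syn_recv_count` is the number worth watching over time, since the per-range breakdown only tells you which addresses are being written into the packets.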

Maybe

nslookup miami-1.octovpn.net

giving

Name: miami-1.octovpn.net
Address: 45.77.95.134

With this address, do a

whois 45.77.95.134

which results in

NetRange: 45.76.0.0 - 45.77.255.255
CIDR: 45.76.0.0/15

Now you can use the familiar

ufw deny from 45.76.0.0/15

The risk you run is blocking more than necessary, because the owner of this IP range is not octovpn.net.


Update: I missed the second part of the whois answer, which shows a subset of the IP range

NetRange: 45.77.94.0 - 45.77.95.255
CIDR: 45.77.94.0/23

This allows you to narrow the blocked range to

ufw deny from 45.77.94.0/23
Olaf Dietsche
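The hostname-to-CIDR procedure from the answer above, as an added shell example that is not the answerer's code. It resolves a name with `getent`, reads whois output, and picks the CIDR with the longest prefix, which is exactly the mistake the update corrects: ARIN-style whois prints the covering allocation first and the customer reassignment second, and taking the first `CIDR:` line over-blocks. The whois text embedded below is a constructed sample that reuses the two ranges quoted in the answer; `resolve_host` needs DNS and is not exercised by the sample.

```shell
#!/bin/sh
# Added example (not from the original thread): resolve a hostname, parse whois
# output for every "CIDR:" line, and print the ufw rule for the narrowest block.
# Live pipeline:  resolve_host miami-1.octovpn.net | xargs -n1 whois | most_specific_cidr

# resolve_host: IPv4 addresses a name resolves to (glibc getent; needs DNS).
resolve_host() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# most_specific_cidr: read whois output on stdin and print the CIDR with the
# longest prefix. A single "CIDR:" line may list several blocks separated by commas.
# Assumes ARIN-style "CIDR:" fields; RIPE/APNIC output uses "route:" instead.
most_specific_cidr() {
    awk -F': *' '$1 == "CIDR" {
            n = split($2, cs, ", *")
            for (i = 1; i <= n; i++) {
                split(cs[i], parts, "/")
                if (parts[2] + 0 > best_len) { best_len = parts[2] + 0; best = cs[i] }
            }
         }
         END { if (best != "") print best }'
}

# ufw_deny_rule: print (do not run) the ufw command so it can be reviewed first.
ufw_deny_rule() {
    printf 'ufw deny from %s\n' "$1"
}

# Constructed whois sample with the allocation and the reassignment from the answer.
SAMPLE_WHOIS='NetRange:       45.76.0.0 - 45.77.255.255
CIDR:           45.76.0.0/15
NetName:        EXAMPLE-ALLOCATION
OrgName:        Example Hosting (constructed)

NetRange:       45.77.94.0 - 45.77.95.255
CIDR:           45.77.94.0/23
NetName:        EXAMPLE-CUSTOMER'

cidr=$(printf '%s\n' "$SAMPLE_WHOIS" | most_specific_cidr)
ufw_deny_rule "$cidr"
```

On the sample this prints `ufw deny from 45.77.94.0/23`, the narrowed rule from the update rather than the /15. A hostname can resolve to several addresses in different allocations, which is why the live pipeline runs whois once per address; review the generated rules before applying them, since even the narrowest reassignment belongs to the hosting provider and may cover customers other than the one you want to block.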