
Most references I've read about mitigating DDOS involve edge routers.

However, is there anything you can do to keep your LAN clients from unknowingly participating in a DDOS?

Like blocking broadcast packets? This is presuming you don't have client applications that legitimately use broadcast packets.

Or using a DNS server that can block host resolution for outgoing traffic using public block lists?

Castaglia
  • Some of the mitigations depend on how your network is configured and what kind of attack you want to protect against. Are you using NAT? Does the attack use IP spoofing? Is it a direct attack or a reflection attack? – kasperd Apr 03 '17 at 12:46
  • kasperd - Thanks for the questions. Yes, NAT is being used. The router in this example doesn't provide any open services to the Internet. As such, the firewall includes such rules as "iptables -I INPUT -i wanface -m state --state NEW -j DROP and iptables -I FORWARD -i wanface -m state --state NEW -j DROP". As for the type of DDOS, that would depend on the malware involved. I presume both direct and reflection are possible. –  Apr 03 '17 at 12:51

5 Answers


This isn't exactly an answer to your question, but I'll point out the errors in the solutions proposed in your question.

DDoS doesn't involve broadcast packets, since there is only one target for the attack.

DNS server host resolution blocking is useless too, since DDoS attacks can also use IP addresses.

Furthermore, DDoS attacks are made against well-known services, so you would have to block that service's domain from being resolved at the DNS server, which would block using that service at all.

Also, you cannot know beforehand which domain is going to be a DDoS target. Therefore you would need to block resolution of all domains.

Tero Kilkanen
  • Tero, thanks for the detailed response. I should have elaborated on the use of broadcast packets to refer to clients affected/infected by malware to create a steady stream of undesired traffic to a specific destination. So other than anti-malware protection on the client, there's nothing else to be done to prevent a LAN client being involved? –  Apr 03 '17 at 12:35

Edge routers are usually (AFAIK) used as a solution for protecting against incoming DDOS attacks.

To prevent internal clients "unknowingly participating" in an outbound attack, I'd consider what ways a DDOS might "involve" your clients.

For example, holes in WordPress are often used; so if your clients are webservers running WordPress, keep them patched (and/or put a WAF in front of them). Make sure your security policies are sensible, maintained and enforced - I've seen way too many boxes compromised and silently used as parts of DDOS attacks. File integrity monitoring is sensible, as is regular (even better, automated!) monitoring of system user accounts etc.

If your clients are desktops/laptops, then antivirus and sane (local) firewall rules are an obvious start, plus blocking anything insane at your core switching layer will help (broadcast is often necessary for a wide variety of things and likely even part of a DDOS - they're usually targeted ["uni"cast], but does your network really need to pass UDP traffic > port 1000? Or ICMP packets with a large payload or at a rate > 10 a second per port?).

User training and restriction is sensible too - who's got access to these devices? Are they allowed to install whatever they want from wherever they want?

Finally, just a little sane monitoring of network throughput. We use Zabbix, but there's a ton of choices out there. I've caught more than one outbound DDOS attempt due to a sudden unexplained spike in the network I/O... A little care in setting up alerts when things go way outside what you deem "normal" for a prolonged period of time is seldom a bad idea.

wally
  • Wally - Thanks for your input. In this example, the clients are desktops and IoT devices. While client-side anti-malware, firewall protection and HIPS is configured, I wasn't sure if something couldn't be done to improve mitigation at the router. Is it reasonable for a LAN client to pass UDP traffic above port 1000? What is a reasonable amount for rate limiting ICMP? For example, "iptables -t mangle -A PREROUTING -p icmp -m limit --limit X/second --limit-burst X -j ACCEPT; iptables -t mangle -A PREROUTING -p icmp -j DROP". Would using SNORT on the router be overkill? –  Apr 03 '17 at 13:04
  • @uihdff What's your network stack look like? Linux based router? I've worked with iptables (and ipchains before that) a fair amount in the past, and Cisco for the past 5 years. – wally Apr 03 '17 at 16:11
  • Using an Asus RT-AC88U with Asuswrt-Merlin 380.65 firmware using kernel 2.6.36 and iptables 1.4.14. IPv4 traffic is allowed, but IPv6 traffic is temporarily blocked to prevent IPv6 leaks. –  Apr 03 '17 at 23:26

Make sure your computers are up to date and are using an antivirus.

Most botnet attacks come from a virus/malware that was installed and that a remote user controls to start an attack, so the end user almost never knows he's participating in an attack.

yagmoth555
  • Thanks yagmoth555. Not knowing is the problem. Perhaps an IDS like SNORT is the answer for monitoring network behavior ? –  Apr 03 '17 at 13:10
  • @uihdff In a big network you just can't. Some I know use a network tool like Orion to monitor the bandwidth usage versus the destination and the source. You can detect and cut what you don't want, but it's a full-time job. http://www.solarwinds.com/orion – yagmoth555 Apr 03 '17 at 13:23
  • Yagmoth555 - Thanks for the link. I'll check it out. –  Apr 03 '17 at 13:28
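The "sudden unexplained spike" wally mentions and the per-source/per-destination monitoring yagmoth555 describes can be checked on a home router without a commercial tool. This is an added example, not code from the thread: it reads the kernel-log lines an iptables LOG rule on new outbound connections would write (the lines here are constructed, and the interface names, addresses and the "NEW-OUT:" prefix are assumptions) and flags any LAN host that opens more than a set number of new flows to one destination.

```shell
#!/bin/sh
# Added example, not from the thread: flag LAN hosts that open an unusual number
# of new outbound flows to a single destination. Input is kernel-log output of
# an iptables LOG rule on new outbound connections; these lines are constructed.
sample_log() {
    i=0
    # Host .20 opens six flows to one address: the pattern of a flooding client.
    while [ "$i" -lt 6 ]; do
        echo "Apr  3 12:50:0$i router kernel: NEW-OUT: IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 PROTO=UDP SPT=$((40000 + i)) DPT=53"
        i=$((i + 1))
    done
    # Host .31 behaves normally: two flows to two different destinations.
    echo "Apr  3 12:50:07 router kernel: NEW-OUT: IN=br0 OUT=eth0 SRC=192.168.1.31 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=443"
    echo "Apr  3 12:50:08 router kernel: NEW-OUT: IN=br0 OUT=eth0 SRC=192.168.1.31 DST=198.51.100.8 PROTO=TCP SPT=51001 DPT=80"
}

# flag_flooders LIMIT: read log lines on stdin, count new flows per
# (source, destination) pair and print the pairs whose count exceeds LIMIT.
flag_flooders() {
    awk -v limit="$1" '
        {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (src != "" && dst != "") flows[src " -> " dst]++
        }
        END { for (k in flows) if (flows[k] > limit + 0) print k, flows[k] }'
}

# Run the detector over the constructed sample with a limit of 5 flows.
sample_flooders() {
    sample_log | flag_flooders 5
}

sample_flooders
```

On a real router you would pipe `dmesg` or the syslog file into `flag_flooders` from cron and alert on any output; the limit needs tuning to what is "normal" for your LAN.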

First and foremost make sure you don't let packets with spoofed source addresses leave your network. If the attacker can send spoofed packets they can cover their tracks better and can perform "reflected" attacks.

Peter Green
  • Peter Green - Thanks for your input. I've set up iptables connection tracking with inbound traffic accepted if it's RELATED or ESTABLISHED. Only internal clients (FORWARD chain) and the router (OUTPUT chain) can generate NEW outbound traffic. –  Apr 03 '17 at 13:07

The usual method to prevent your LAN clients from misbehaving is to deny them direct unrestricted internet access.

You provide local substitutes for commonly required access to online services (i.e. provide DNS with your own caching name server, a local NTP time source, a mail relay etc.) which you can easily monitor and configure with reasonable (per user) usage policies. Provide access to the greater internet only through an HTTP proxy server and require authentication for that.

If direct internet access is still needed, whitelist only specific connections.

HBruijn
  • Thanks for the suggestions. Unbound is set up as the clients' DNS server. The router doesn't have a realtime clock so clients have to connect to NTP pool servers. However, bidirectional port 123 access is restricted with iptables, ipset and the local country NTP pool. I tried locking down outbound port access to 80, 123 and 443, but some legitimate applications like Steam use port ranges above 1,000. –  Apr 03 '17 at 13:25
  • Like many organisations, [Steam publishes the port numbers and IP ranges that they operate from](https://support.steampowered.com/kb_article.php?ref=8571-GLVN-8711), so if your users have a valid business reason to play games you can open up the specific port ranges to Steam's IP address ranges only, and after that you still need to ensure that the P2P port numbers are open to the internet at large. – HBruijn Apr 04 '17 at 07:23
  • This isn't for a business, but for home use. –  Apr 04 '17 at 11:56
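The three router-side measures raised in this thread (Peter Green's egress anti-spoofing, wally's per-client ICMP rate limit, and HBruijn's whitelist of directly reachable services) fit into one iptables chain. The script below is an added example, not code from the thread or from Asuswrt-Merlin; the interface names br0/eth0, the LAN subnet and the port list are assumptions, and it prints the rules instead of loading them unless you set IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the thread: an outbound (egress) policy for a Linux
# NAT router so LAN clients cannot spoof, flood, or reach arbitrary services.
# Hypothetical values: LAN interface br0 with 192.168.1.0/24, WAN interface eth0.
# IPT defaults to "echo iptables" (prints the rules); run as IPT=iptables to load.
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-echo iptables}"

egress_rules() {
    # Dedicated chain, so the policy can be rebuilt without touching other rules.
    $IPT -N LAN_EGRESS 2>/dev/null
    $IPT -F LAN_EGRESS
    # 1. Anti-spoofing (Peter Green): a client may only forward packets whose
    #    source address is inside the LAN subnet; log the rest, then drop.
    $IPT -A LAN_EGRESS ! -s "$LAN_NET" -j LOG --log-prefix "EGRESS-SPOOF: "
    $IPT -A LAN_EGRESS ! -s "$LAN_NET" -j DROP
    # Packets of connections that were already allowed pass whatever the port.
    $IPT -A LAN_EGRESS -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. Per-client ICMP rate limit (wally): hashlimit keys the token bucket on
    #    the source address, so one flooding host is throttled, not the whole LAN.
    $IPT -A LAN_EGRESS -p icmp -m hashlimit --hashlimit-name lan_icmp \
        --hashlimit-mode srcip --hashlimit-above 10/second \
        --hashlimit-burst 20 -j DROP
    # 3. Whitelist (HBruijn): only listed services may be reached directly;
    #    everything else goes through the local resolver, NTP source or proxy.
    while read -r proto port; do
        $IPT -A LAN_EGRESS -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done <<EOF
tcp 80
tcp 443
udp 53
udp 123
EOF
    # Log what is denied, so an infected client shows up in the router log.
    $IPT -A LAN_EGRESS -m state --state NEW -j LOG --log-prefix "EGRESS-DENY: "
    $IPT -A LAN_EGRESS -j DROP
    # Hook the chain into FORWARD for LAN-to-WAN traffic only.
    $IPT -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -j LAN_EGRESS
}

# Number of rules appended to LAN_EGRESS, for sanity-checking the policy.
egress_rule_count() {
    egress_rules | grep -c -- "-A LAN_EGRESS"
}

egress_rules
```

Applications such as Steam that need ports above 1,000 get their own ACCEPT lines in the whitelist, scoped with `-d` to the published address ranges rather than opened for every destination.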