Page 1 of 2 (results 1 to 10 of 11)
  1. #1 greavette (Untangler; joined Mar 2008; Waterloo, Canada; 98 posts)

    Assistance with stopping Denial of Service attack on a locally hosted website

    Hi Team,

    Our small office runs a website for a few clients to log in and retrieve data. I have an event alert threshold set up so that if more than 20 sessions connect to my site over 60 seconds I receive an email. Over the past few days I have received many, many emails each minute letting me know of someone accessing our site.

    I've spoken to Untangle support in hopes of setting up a firewall rule to block access from outside our network, similar to the alert these emails are sending me. Turns out that I can set up a trigger for an outside event like this to link to my firewall. Has anyone else had similar issues with an outside intruder continuously accessing an internal resource, and if so, how did you configure Untangle to alert you and block the intruder for a period of time?

    The solution I've been told to use is Shield, which will scan for events against the IP address I put in as my Destination Address. But I have no idea when Shield will kick in and block, and for how long. Can anyone provide any information on how Shield will protect my local web server?

    Thanks in advance for any assistance you can provide me.

  2. #2 Jim.Alles (Untangle Ninja; joined Jul 2008; Central PA; 2,606 posts)

    Shield rate-limits new session connections. There is no time-out on either side.
    http://wiki.untangle.com/index.php/Shield

    Note that it does not scan bypassed sessions.
    Last edited by Jim.Alles; 07-24-2020 at 05:22 PM.

  3. #3 greavette (Untangler; joined Mar 2008; Waterloo, Canada; 98 posts)

    Thank you @Jim.Alles for your reply.

    What do you mean by saying there is no time-out on either side? Is Shield the right tool for me to use to limit outside connections to my internally hosted VM running my website?

    Are there other tools I can employ through Untangle to assist with blocking or temporarily stopping this attack from an outside IP?
    I have a port-forward rule on Untangle to allow access to my local website. Does this mean I'm bypassing, and therefore Shield will not work?

    Thank you

  4. #4 Jim.Alles (Untangle Ninja; joined Jul 2008; Central PA; 2,606 posts)

    Quote Originally Posted by greavette:
    What do you mean by saying there is no time-out on either side?
    ...if more than 20 sessions connect to my site over 60 seconds

    ...block the intruder for a period of time.

    ...when Shield will kick in and block and for how long
    There is precious little documentation for Shield, and I haven't looked at the source code. But it doesn't work in the way you have described. Rate limiting means that if there are a whole bunch of sessions being created all at once, Shield will limit the number of new sessions.

    Code:
    The shield monitors the session creation rate of the clients creating sessions. Each time a session is processed by Untangle the shield calculates the current session creation rate of the client initiating the session. If the session creation rate of the client reaches a level that the shield considers too aggressive, the session creation rate of that client is limited to that level.
    Viewing #reports?cat=shield&rep=blocked-session-events can give you some insight as to how it works. The existing sessions continue to work, so some traffic gets through.

    I would evaluate exactly what kind of traffic is causing this issue in real time, by filtering the sessions viewer, or even with a tool like Wireshark.

    Is it one IP address? Someone's domain? Where are the entities that are supposed to be accessing the web server, and how many are there?

    I could see blocking by country code, or limiting to clients from an access list.
    Last edited by Jim.Alles; 07-25-2020 at 06:55 AM.
    If you think I got Grumpy

  5. #5 Jim.Alles (Untangle Ninja; joined Jul 2008; Central PA; 2,606 posts)

    Quote Originally Posted by greavette:
    I have a port-forward rule on Untangle to allow access to my local website. Does this mean I'm bypassing and therefore Shield will not work?
    No, but sometimes the separate step of bypassing the web server traffic is recommended, just not in your case.

  6. #6 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 25,263 posts)

    I do not recommend bypassing incoming web traffic... I do recommend using a policy rule to shove incoming TCP 80 and 443 traffic into a dedicated policy. This way you can limit the number of apps in play on ingress web traffic. Never forget that all traffic transiting Untangle is subject to all racks! This can create not only unnecessary load on Untangle, but also hard-to-troubleshoot issues.

    Now, back to the original question. If you have an Alert rule that does what you want, you now need to largely duplicate that alert rule as a trigger rule. Now you have a trigger rule that fires under the same conditions, except you want your action type to be Tag Host, Target: cClientAddr, Tag Name: DOSer, and set your tag lifetime to whatever duration in seconds you want the tag to last.

    Once that's done, in the firewall module that's processing your ingress web traffic, make a new firewall rule. This is the easy part! Condition Tagged is DOSer, action type BLOCK.

    Now whenever an IP address comes to your web server and the alert fires, the host that did the alerting is also tagged, and once tagged the firewall module starts saying... HEH... nope.

    You've already made a working alert, which honestly is the hard part! You just need a matching trigger to tag hosts, and then tell the firewall to tell those hosts to take a hike!
    Last edited by sky-knight; 07-25-2020 at 07:32 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7 greavette (Untangler; joined Mar 2008; Waterloo, Canada; 98 posts)

    Hello sky-knight,

    Thanks very much for your input on my post.

    Could you confirm please the bit about creating a trigger rule that fires under the same condition as my alert rule, and then in the firewall rule module adding a rule with the tag condition from my trigger rule. I spoke to Untangle support as we were going down this road, but I was told "If traffic doesn't have an entry in the Hosts or Devices table, it won't be able to be tagged" for the firewall rule to see the tag and block the cClientAddr. Seems the Hosts or Devices table will only report on a tag that is for an IP on my network already and not a remote address.

    Just curious if you have set up what you've described, and if so, could you share a bit more detail on how you got it to work?

    The only other options I was given by Untangle Support were to use:

    -GeoIP Blocking (This isn't possible because the addresses are from your country)
    -Shield

    GeoIP doesn't work in my case because the IP(s) that are hitting us are in Canada, where we are, so I can't block by country. So Shield, it seems, was my only option.

    Any advice you may have would be greatly appreciated.

    Thank you.

  8. #8 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 25,263 posts)

    Hmm...

    Yeah, I could have sworn external devices appear in the host list, but I just tried on my Untangle and you're right, the only things in my host list come from a non-WAN interface.

    Well, scratch that: Support is correct, it won't work. So you're left hardening your web app so that it can do this itself. I don't know what you're using for a web server, but if it's Linux, fail2ban is pretty easy to use.

    If you're using IIS: https://www.iis.net/downloads/micros...p-restrictions
    Last edited by sky-knight; 07-25-2020 at 12:39 PM.

  9. #9 greavette (Untangler; joined Mar 2008; Waterloo, Canada; 98 posts)

    Thanks for the confirmation! I'm very surprised that Untangle doesn't allow for tagging on an external host/client. Support suggested I make a feature request. Perhaps in time Untangle will be able to support these types of actions.

    Yes, unfortunately our vendor requires us to use IIS for this web page. It's IIS version 10, which I believe affords me some ability to restrict IPs that don't behave. Thanks for the link. I'll check this out!

    Cheers!

  10. #10 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 25,263 posts)

    Oh, derp, yeah, I should have looked closer. This stuff is built into IIS 10: https://docs.microsoft.com/en-us/iis...micipsecurity/
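    The per-client rate check that posts #8 and #10 hand off to the web server (fail2ban on Linux, Dynamic IP Restrictions on IIS 10) can be seen in miniature in the following added example. It is not code from the thread, from Untangle, or from IIS; it parses constructed IIS W3C log lines and flags any client that exceeds the original poster's 20-requests-in-60-seconds threshold, assuming each client's lines appear in chronological order.

```python
"""Sliding-window rate check over IIS W3C log lines.

Added example for this thread, not code from Untangle, IIS or the posters:
flags any client that exceeds MAX_HITS requests within WINDOW_SECONDS,
the 20-in-60-seconds threshold the original poster used for the alert.
Assumes each client's lines are in chronological order; SAMPLE_LOG is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime

MAX_HITS = 20        # threshold from the thread: more than 20 sessions ...
WINDOW_SECONDS = 60  # ... within 60 seconds

# Constructed W3C lines (date time c-ip cs-method cs-uri-stem sc-status):
# one client hits /login 25 times in 25 s, a legitimate client hits it twice.
SAMPLE_LOG = "\n".join(
    ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    + [f"2020-07-25 09:00:{i:02d} 203.0.113.5 GET /login 200" for i in range(25)]
    + ["2020-07-25 09:00:10 198.51.100.7 GET /login 200",
       "2020-07-25 09:00:40 198.51.100.7 POST /login 302"]
)


def parse_w3c(text):
    """Yield (timestamp, client_ip) per request; '#' directive lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, c_ip, *_ = line.split()
        yield datetime.fromisoformat(f"{date} {time}"), c_ip


def offenders(text, max_hits=MAX_HITS, window=WINDOW_SECONDS):
    """Return {client_ip: time the threshold was first exceeded}."""
    recent = defaultdict(deque)  # client_ip -> request times still inside the window
    flagged = {}
    for ts, ip in parse_w3c(text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:  # drop requests older than the window
            q.popleft()
        if len(q) > max_hits and ip not in flagged:
            flagged[ip] = ts  # a fail2ban jail or an IIS deny would start here
    return flagged


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip} exceeded {MAX_HITS} requests/{WINDOW_SECONDS}s at {when:%H:%M:%S}")
```

The same loop, fed from the live log file instead of SAMPLE_LOG, is what a fail2ban filter or IIS's denyByRequestRate setting does for you on the server itself.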
