[pve-devel] DANGEROUS: SYN FLOOD - PVE FIREWALL AND HOST FREEZE

Detlef Bracker bracker at 1awww.com
Thu Jun 4 09:28:44 CEST 2015


Dear,

and in combination with 4 products with big names and a "Security Offering",
the host freezes, guaranteed!
Everybody can have this!

Yesterday, at the time of the attack, the PVE firewall again blocked ALL
traffic completely, so that nothing was
going on on the host! For 4 weeks we have had the situation that we must
restart the host because of this
problem! And yes, we had found the problems in MySQL before, but before
we saw only small attacks!

Because in a DoS attack the PVE firewall blocks ALL traffic from one
second to the next, 4 weeks ago we
wrote a shell script that monitors the PVE firewall to see whether it
blocks all the traffic, and when
it is so that no traffic goes out from the host, this script automatically
stops the PVE firewall and
sends us a warning mail every minute! But stopping the pve-firewall
during an attack is not a good workaround, though
better than the whole host with 500 clients hanging completely and having
to reboot, which brings further stress with a long
filesystem scan and possible problems with kernel bugs and so
on!

Everybody can have this situation from an attack by ONLY ONE
DoS attacker!

For a good combination, you also need many Plesk servers in 11.5 or 12.0
on your host, and in Plesk 12.x there
is a firewall that equally does not filter a DoS/DDoS attack. The next product
is MySQL, and because of security leaks, they
turned on in new versions the possibility that everybody from outside can
connect to MySQL! Before,
in older versions, it was bound only to the local IP! And in the same situation,
by default they log NOTHING
to syslog or other logs! So to find attacks you must activate the logs,
but you have no chance to stop an attack
with these 3 nice security products! So you need the next, 4th
product to stop this:

OK, a very good idea to stop traffic is fail2ban! But in older
versions with Debian Squeeze,
fail2ban can't handle the error log, because they had a bug in the Python
scripts concerning the
date in the MySQL error log! Only when you fix the Python scripts can you
handle this DDoS and
stop the DDoS for the server with your own scripts and with blacklists on
the host!

I can't find anything in the PVE firewall that limits DoS attacks with
SYN FLOOD! With fail2ban on many
other protocols, for example Apache, we stop the traffic automatically, but
with MySQL this all goes on somewhat
underground, which is why you never see it! Without a DoS, hackers can probe
for thousands of hours and an admin never sees
this, because by default nothing is logged!

That's absolutely dangerous, because every hoster who has many containers
running many servers with
MySQL can have, with default or standard settings, a FROZEN HOST!

I have found something that will prevent the DoS/DDoS attacks, but I am
not sure how to integrate it
into the ipFilters and whether that's enough or not:

# Chain that lets new SYNs pass at 1 per second (burst of 4) and drops the rest
sudo iptables -N no-syn-flood
sudo iptables -A no-syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
sudo iptables -A no-syn-flood -j DROP
# Send every new TCP SYN arriving on INPUT through that chain
sudo iptables -I INPUT -p tcp --syn -m state --state NEW -j no-syn-flood


Regards

Detlef

On 04.06.2015 at 01:54, Detlef Bracker wrote:
> Dear,
>
> Is it a good idea to prevent SYN FLOOD on a Proxmox host by uncommenting
>
> #net.ipv4.tcp_syncookies=1
>
> Or is there something else in the PVE firewall to prevent it?
>
> In 2 days we had 2 SYN FLOODs against MySQL servers in many containers with
> different destination
> IPs, and they came from only one IP! The OVH DDoS mitigation stopped much of
> this traffic but not all!
> Only with blacklisting of the IP have we stopped it. But how can we stop this
> in other ways?
>
> Regards
>
> Detlef
>

-- 

ATTENTION: Your inquiry text is below our sender details!
P.S. ePrivacy in Europe - read more
<http://blog.1awww.com/2012/05/30/achtung-internet-seiten-betreiber-eprivacy-richtlinien-umzusetzen/>


Kind regards
1awww.com - Internet-Service-Provider

Detlef Bracker
Velilla, Calle Club s/n, E 18690 Almunecar, Tel.: +34.6 343 232 61 *
EU-VAT-ID: ESX4516542D

This email and any files transmitted are confidential and intended only
for the person(s) directly addressed. If you are not the intended
recipient, any use, copying, transmission, distribution, or other form
of dissemination is strictly prohibited. If you have received this email
in error, please notify the sender immediately and permanently delete
this email with any files that may be attached.

This e-mail and, where applicable, any file attached to it contain
confidential information exclusively addressed to its recipient or
recipients. Its disclosure, copying or distribution to third parties
without the prior written authorisation of Detlef Bracker is prohibited.
If you are not the person to whom this message was addressed and you
nevertheless continue reading it, we inform you that you are committing
an unlawful act under the legislation currently in force, so you must
stop reading it immediately.

Detlef Bracker is not responsible for its integrity, accuracy, or for
what happens when the e-mail travels through public electronic
communications infrastructures. If you have received this e-mail in
error, please notify this immediately by forwarding it to the sender's
e-mail address.

E-mail via the Internet does not make it possible to ensure the
confidentiality of the messages transmitted, nor their integrity or
correct receipt, so Detlef Bracker assumes no responsibility that may
derive from this fact.

Do not print this e-mail unless necessary. Saving paper protects the
environment.
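As an added example, not from this mail, from Proxmox or from the pve-firewall project: a small POSIX shell script that wraps the SYN rate-limit chain from the message above so it can be re-run without duplicating rules, and a check that counts half-open (SYN-RECV) sockets per source from `ss -ant` output, which gives the admin the visibility the mail says the default MySQL logs do not. The chain name, rate, burst, threshold and the sample `ss` lines are assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not from the mail or from Proxmox: wraps the SYN rate-limit
# chain shown in the mail in an idempotent form and adds a check that counts
# half-open (SYN-RECV) sockets per source from `ss -ant` output.
# Chain name, rate, burst and threshold are assumptions; tune per host.
CHAIN=no-syn-flood
RATE=1/s
BURST=4

# Print the commands; "apply" pipes them to sh (needs root). Each -A/-I is
# guarded by -C so re-running the script never duplicates a rule.
syn_flood_rules() {
    cat <<EOF
sysctl -w net.ipv4.tcp_syncookies=1
iptables -N $CHAIN 2>/dev/null || true
iptables -C $CHAIN -m limit --limit $RATE --limit-burst $BURST -j RETURN 2>/dev/null || iptables -A $CHAIN -m limit --limit $RATE --limit-burst $BURST -j RETURN
iptables -C $CHAIN -j DROP 2>/dev/null || iptables -A $CHAIN -j DROP
iptables -C INPUT -p tcp --syn -m state --state NEW -j $CHAIN 2>/dev/null || iptables -I INPUT -p tcp --syn -m state --state NEW -j $CHAIN
EOF
}

# Read `ss -ant` lines on stdin and print "<count> <peer-ip>" for every
# source holding at least $1 (default 20) half-open connections, busiest
# first. The trailing ":port" is stripped so bracketed IPv6 peers work too.
half_open_per_source() {
    awk -v t="${1:-20}" '$1 == "SYN-RECV" {
        sub(/:[^:]*$/, "", $5); n[$5]++
    } END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# Constructed sample `ss -ant` output for a dry run (not captured traffic).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
SYN-RECV 0 0 10.0.0.5:3306 198.51.100.7:40001
SYN-RECV 0 0 10.0.0.5:3306 198.51.100.7:40002
ESTAB 0 0 10.0.0.5:22 203.0.113.9:5555
SYN-RECV 0 0 10.0.0.6:3306 198.51.100.7:40003
SYN-RECV 0 0 [2001:db8::1]:3306 203.0.113.9:6000'

case "${1:-}" in
    show)  syn_flood_rules ;;
    apply) syn_flood_rules | sh ;;
    check) ss -ant | half_open_per_source "${2:-20}" ;;
    demo)  printf '%s\n' "$SAMPLE_SS" | half_open_per_source 2 ;;
    *)     echo "usage: $0 show|apply|check [threshold]|demo" >&2 ;;
esac
```

Run `./synguard.sh demo` to see the check on the constructed sample, and `./synguard.sh check 50` (as root) against the live socket table.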
