prevent Internet attacks

Q: We experience extremely high bandwidth usage on the WAN interface of mbox, which is causing congestion on my Internet link. However, the LAN interface usage is actually not that high, with minimal users connected. What could be the cause of this? Is mbox generating traffic to send out?

Below are some show outputs. vlan10 is the LAN, and eth0 is the WAN.

HSG-DEMO# show security hotspot

Authentication service: running

---------------------------------

HotSpot service: running

---------------------------------

LAN TUN Server IP Client-Net Client-DHCP DHCP Issued Clients

-------------------------------------------------------------------------------------------------------------

vlan10 tun0 172.16.20.1 172.16.20.0/255.255.255.0 172.16.20.5/255.255.255.0 0 0

HSG-DEMO# show interface stats

Interface Inbound(bps) Outbound(bps) In_Drops(#) Out_Drops(#) Colli(#)

------------------------------------------------------------------------------

eth0 70283528 89524024 0 0 0

eth1 179496 1756752 0 0 0

eth2 0 0 0 0 0

eth4 0 0 0 0 0

eth5 0 0 0 0 0

lo 13472 13472 0 0 0

tun0 35900 17300 0 0 0

vlan10 35920 17360 0 0 0

A: mbox doesn't originate such massive amounts of data by itself. The only data mbox originates is the monitoring data generated by the mfusion agent within mbox. The mfusion agent monitors the box utilization and communicates with mfusion, and it consumes no more than 2 kbps of bandwidth.

Usually, WAN Inbound usage should be consistent with LAN Outbound usage (and vice versa). When there is such a huge discrepancy between LAN and WAN, it implies an external attack against mbox itself, typically a DDoS attack or a DNS-based attack.

In the case of a DoS/DDoS attack, the attacker floods the box with traffic across your Internet link in order to cause link congestion. In this case, you will see huge Inbound utilization on WAN/eth0, but little Outbound usage. There's really nothing you can do here, except make sure there are no unneeded firewall-input or firewall-access rules on mbox that could allow the attacks to pass through the box.

In the case of DNS attacks, which are very common when mbox faces the Internet directly, hackers use mbox as a DNS relay to launch DNS attacks against third-party DNS servers. Because mbox functions as a DNS server itself, the hackers use the mbox WAN/public IP as their DNS server and send excessive DNS queries to mbox; mbox then relays the queries to the real DNS servers, flooding those third-party DNS servers. At the same time, this consumes a lot of local Internet bandwidth, causes local Internet congestion, and leaves mbox unable to answer DNS queries for internal clients. In this case, you will see high usage on both Inbound and Outbound of the WAN/eth0 interface.

Another form of attack could be HTTP/HTTPS-based. Because mbox also runs a web server to deliver the login portal to end users, HTTP/HTTPS services are enabled. Hackers can send excessive HTTP/HTTPS requests to mbox in order to cause resource starvation (please see this link to restrict HSG admin access).

To determine the exact attack type, the easiest method is to use tcpdump to inspect the packets arriving on the WAN/eth0 interface.

E.g., to check whether it is an HTTP attack:

HSG-DEMO# tcpdump interface eth0 port 80

Or, to check whether it is a DNS attack:

HSG-DEMO# tcpdump interface eth0 port 53

Prevention

The only way to prevent those attacks is to make sure your firewall rules are locked down to permit legitimate access only.

Below is a set of sample rules for when mbox is running as an HSG. Make sure there are no other extra rules, or if there are any, make them as specific as possible so that they permit access from specific hosts only.

DO NOT permit firewall-input access from any host; always make sure the sources are the allowed source hosts. (Change the LAN source networks to match your actual configuration.)

!

firewall-dnat 10 redirect all udp dport 53 rdport 53 src 10.0.0.0/8 remark "rewrite DNS from LAN only"

firewall-dnat 12 redirect all udp dport 53 rdport 53 src 192.168.0.0/16 remark "rewrite DNS from LAN only"

!

firewall-input 10 permit all tcp dport 80 src 10.0.0.0/8 remark "portal access from LAN"

firewall-input 11 permit all tcp dport 80 src 192.168.0.0/16 remark "portal access from LAN"

firewall-input 21 permit all udp dport 53 src 10.0.0.0/8 remark "allow DNS from LAN only"

firewall-input 22 permit all udp dport 53 src 192.168.0.0/16 remark "allow DNS from LAN only"

firewall-input 31 permit all tcp dport 22 src 10.0.0.0/8 remark "allow SSH from LAN only"

firewall-input 32 permit all tcp dport 22 src 192.168.0.0/16 remark "allow SSH from LAN only"

!

firewall-access 10 permit outbound eth0 remark "permit outbound access only"

!

firewall-snat 10 overload outbound eth0 remark "hide private address for outbound access"

!
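
One way to check a saved configuration against the rule above, that every firewall-input permit is limited to your LAN sources. This is an added example in Python, not code from mbox or its vendor; the function name, the allowed-range list and sample rules 40 and 41 are constructed for illustration, and the parser assumes "src" directly follows "dport" as in the sample rules.

```python
import ipaddress
import re

# Assumption: the LAN ranges used in the sample rules above; change to match your site.
ALLOWED_LAN = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.0.0/16")]

# Matches the rule shape shown on this page: "src" (if present) follows "dport".
RULE_RE = re.compile(
    r'^firewall-input\s+(?P<seq>\d+)\s+permit\s+\S+\s+(?P<proto>\S+)'
    r'\s+dport\s+(?P<dport>\d+)(?:\s+src\s+(?P<src>\S+))?')

def audit_firewall_input(config_text, allowed=ALLOWED_LAN):
    """Return (seq, proto, dport, reason) for each permit rule open beyond the LAN."""
    findings = []
    for line in config_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # "!" separators, other rule types, blank lines
        seq, proto, dport = int(m["seq"]), m["proto"], int(m["dport"])
        src = m["src"]
        if src is None:
            findings.append((seq, proto, dport, "no src restriction"))
            continue
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            findings.append((seq, proto, dport, f"unparseable src {src}"))
            continue
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append((seq, proto, dport, f"src {net} is outside the LAN ranges"))
    return findings

# Constructed sample: rules 10 and 21 are copied from the sample set above; rules
# 40 and 41 are made up here (41 assumes a rule can be written without "src").
SAMPLE_CONFIG = '''
!
firewall-input 10 permit all tcp dport 80 src 10.0.0.0/8 remark "portal access from LAN"
firewall-input 21 permit all udp dport 53 src 10.0.0.0/8 remark "allow DNS from LAN only"
firewall-input 40 permit all udp dport 53 src 203.0.113.0/24 remark "constructed: public range"
firewall-input 41 permit all tcp dport 22 remark "constructed: no source"
!
'''

if __name__ == "__main__":
    for seq, proto, dport, reason in audit_firewall_input(SAMPLE_CONFIG):
        print(f"firewall-input {seq} ({proto}/{dport}): {reason}")
```

Any rule it reports should be narrowed to specific source hosts or removed, as described above.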