DDoS Attacks [message #146973] Mon, 04 November 2019 15:52
ian.bugeja
Messages: 566
Registered: March 2017
Location: Malta
We have had several customers of Kerio Control report a DDoS affecting their networks. This is a widespread attack affecting all businesses and networks on the Internet, not just Kerio customers.

There is no one source country this DDoS originates from, and a large number of IP addresses are being used. We know that this is a botnet and that it has infected legitimate servers.

Customers can see the following message in the Kerio Control logs:
Connection limit for destination address 'xxx.xxx.xxx.xxx' from source address 'yyy.yyy.yyy.yyy' reached
Kerio Control.

What can you do to protect your business?
Currently the only solution we see is to block these IP addresses (shown above as yyy.yyy.yyy.yyy), ideally using MyKerio so that you can share the definitions between different Kerio Control devices. (In MyKerio, go to Shared Definitions - IP Addresses.)
Unfortunately, the IP addresses keep changing, and you could ultimately block a required third-party website, as most of these systems are, as mentioned above, legitimate systems.

Also, ensure that your systems are up to date to avoid any vulnerabilities being targeted that could result in infiltration of your systems.


GFI is also looking at an easier way of automatically blocking such connections. If and when such a technique is available, it will be made available.


Ian Bugeja
GFI Software
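The post above quotes the Kerio Control log line that customers see and suggests collecting the source addresses into a shared MyKerio definition, while warning that blocking every address risks cutting off a legitimate third-party server. The following is an added example, not code from GFI or Kerio: it parses that exact message out of constructed log lines, counts how often each source trips the limit, and only proposes sources that exceed a threshold. The bracketed timestamp prefix on each line is an assumption about the log layout.

```python
"""Aggregate Kerio Control 'Connection limit ... reached' log lines by source IP."""
import re
from collections import Counter, defaultdict

# Pattern for the message quoted in the post. The bracketed timestamp prefix
# used in SAMPLE_LOG is an assumption about the log layout; the message body
# is taken from the thread.
LIMIT_RE = re.compile(
    r"Connection limit for destination address '(?P<dst>[0-9.]+)' "
    r"from source address '(?P<src>[0-9.]+)' reached"
)

def parse_limit_events(lines):
    """Yield (src, dst) pairs for every matching log line; other lines are ignored."""
    for line in lines:
        m = LIMIT_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst")

def candidate_block_list(lines, min_hits=3):
    """Return sources that hit the limit at least min_hits times, most active first.
    A single hit is not enough: a legitimate third-party server that briefly
    bursts would otherwise land on the shared block list."""
    hits = Counter()
    targets = defaultdict(set)
    for src, dst in parse_limit_events(lines):
        hits[src] += 1
        targets[src].add(dst)
    return [
        {"src": src, "hits": n, "destinations": sorted(targets[src])}
        for src, n in hits.most_common()
        if n >= min_hits
    ]

# Constructed sample log lines using documentation address ranges.
SAMPLE_LOG = """\
[04/Nov/2019 15:40:01] Connection limit for destination address '203.0.113.10' from source address '198.51.100.7' reached
[04/Nov/2019 15:40:02] Connection limit for destination address '203.0.113.10' from source address '198.51.100.9' reached
[04/Nov/2019 15:40:03] Connection limit for destination address '203.0.113.10' from source address '198.51.100.7' reached
[04/Nov/2019 15:40:05] User admin logged in from 192.0.2.5
[04/Nov/2019 15:40:07] Connection limit for destination address '203.0.113.11' from source address '198.51.100.7' reached
[04/Nov/2019 15:40:08] Connection limit for destination address '203.0.113.10' from source address '198.51.100.9' reached
[04/Nov/2019 15:40:09] Connection limit for destination address '203.0.113.10' from source address '198.51.100.20' reached
""".splitlines()

if __name__ == "__main__":
    for entry in candidate_block_list(SAMPLE_LOG):
        print(f"{entry['src']}\t{entry['hits']} hits\t-> {', '.join(entry['destinations'])}")
```

The resulting source list can be reviewed against known partner addresses before it is pasted into the shared IP address definition.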
Re: DDoS Attacks [message #146977 is a reply to message #146973] Mon, 04 November 2019 18:50
robinbateman
Messages: 192
Registered: April 2012
Location: Oxford(ish) UK

Hi Ian

I haven't used MyKerio to do this, but it sounds like an ideal solution in the short term.

I have read the instructions and don't see how to share definition groups across appliances in the way I have my Kerio set up. I suspect this is down to the way I use MyKerio.

I have an organisation for each of my clients, and in each organisation is their client Operator/Control/Connect.

Do I need to move all control boxes into one organisation? Is this possible?


Robin Bateman
One Red Mouse
Blog: http://bit.ly/OWjcGL
Re: DDoS Attacks [message #146980 is a reply to message #146977] Tue, 05 November 2019 09:23
ian.bugeja
Messages: 566
Registered: March 2017
Location: Malta
Hi Robin,
Yes, you would all have to be in the same organization.

However, please see below other suggestions that came from the feedback collected so far. All of these seem to alleviate the problem.

1) Reduce the Default TCP Timeout from 40 minutes to 10 minutes. The connections still come, but they are closed faster.
You can do so by logging in over SSH and running
./tinydbclient "update Firewall set DefaultTcpTimeout=10"

2) Block Peer-to-Peer Traffic. This rule has also helped, but it will also affect legitimate peer-to-peer traffic.

3) Set connection limits to 50. This seems to make the bots simply skip the machine, so if true this would be the ideal setting so far.

Hope this helps you and other guys out there.


Regards


Ian Bugeja
GFI Software
Re: DDoS Attacks [message #146983 is a reply to message #146980] Tue, 05 November 2019 11:09
robinbateman
Messages: 192
Registered: April 2012
Location: Oxford(ish) UK

Hi Ian

I just spoke to Marin about this. If I set the first line, "Limit Max Connections from 1 source IP address", I get huge problems with LAN users hitting the limit almost immediately. I have found better success with limiting new connections per minute at 650.

I will change the timeout as suggested.


Robin Bateman
One Red Mouse
Blog: http://bit.ly/OWjcGL
Re: DDoS Attacks [message #146985 is a reply to message #146983] Tue, 05 November 2019 11:42
robinbateman
Messages: 192
Registered: April 2012
Location: Oxford(ish) UK

Hi Ian

The SSH command above did not work for me when I SSH into the firewall using Telnet. Instead, I think this one worked:

/opt/kerio/winroute/tinydbclient "update Firewall set DefaultTcpTimeout=10"


Robin Bateman
One Red Mouse
Blog: http://bit.ly/OWjcGL
Re: DDoS Attacks [message #147002 is a reply to message #146985] Thu, 07 November 2019 15:29
robinbateman
Messages: 192
Registered: April 2012
Location: Oxford(ish) UK

Not sure how everyone else is getting on, but attacks on our Control boxes have abated in the last two days.

Robin Bateman
One Red Mouse
Blog: http://bit.ly/OWjcGL
Re: DDoS Attacks [message #148085 is a reply to message #147002] Fri, 08 May 2020 09:28
weidl
Messages: 25
Registered: December 2016
Hi,
I have big problems with attacks in some installations.

What I tried with no success:
- limited the inbound connections to 50
- reduced DefaultTcpTimeout to 10
- activated the 3-way-handshake check
- activated syncookies
- blocked a lot of IPs in a block rule
- blocked a lot of countries
- limited the TCP keepidle timeout and retries on (Mac) servers (FTP, HTTP, SMTP)

I opened a case with GFI support, but got no answer within 2 weeks!!!
I posted a question in this forum about syncookies, with no answer.

There are still hundreds of connections from very different IPs.
There are still connections from addresses which are blocked by the block rule.
Blocking by domain name does not seem to work.

If I dump traffic from single connections in debug, there is no traffic.
Why are these connections still open and not closed by the firewall or the client?

Guenter
Re: DDoS Attacks [message #148137 is a reply to message #146973] Tue, 19 May 2020 09:44
weidl
Messages: 25
Registered: December 2016
Thanks a lot for nothing.
Within 2 weeks, no answer from support to my support call and also no answer here.

But you helped me with a decision: my next firewall to sell is from another vendor with existing support.
Thanks for that.
Re: DDoS Attacks [message #148167 is a reply to message #148137] Tue, 26 May 2020 10:01
ian.bugeja
Messages: 566
Registered: March 2017
Location: Malta
Hi Weidl,

Can you let me know your case number so that I can follow up on why it was not answered?

Kerio Control might, in some situations, still report some connections as active although they have been terminated, depending on the type of connection. Do you see any degradation in performance, or is it just the list of connections?


Regards


Ian Bugeja
GFI Software
Re: DDoS Attacks [message #148284 is a reply to message #146973] Mon, 15 June 2020 16:52
juankax
Messages: 7
Registered: June 2020
Activate Cloudflare for DDoS attacks.