GFI User Forums » Kerio Control » DDoS Attacks

DDoS Attacks [message #146973] Mon, 04 November 2019 15:52
ian.bugeja
We have had several customers of Kerio Control report a DDoS affecting their networks. This is a widespread attack affecting all businesses and networks on the Internet, not just Kerio customers.

There is no source country where this DDoS is originating from, and there are lots of IP addresses that are being used. We know that this is a botnet and it has infected legitimate servers.

Customers can see the following message in the Kerio Control logs:
Connection limit for destination address 'xxx.xxx.xxx.xxx' from source address 'yyy.yyy.yyy.yyy' reached

What can you do to protect your business?
Currently the only solution we see is to block these IP addresses (shown above as yyy.yyy.yyy.yyy), ideally using MyKerio so that you can share the definitions between different Kerio Control devices (in MyKerio go to Shared Definitions - IP Addresses).
Unfortunately, the IP addresses keep on changing, and you could ultimately block a required 3rd-party website, as most of these systems are, as mentioned above, legitimate systems.

Also, ensure that your systems are up to date to avoid any vulnerabilities being targeted that could result in infiltration of your systems.


GFI is also looking at an easier way of automatically blocking such connections from taking place. If and once such a technique is available, it will be made available.


Ian Bugeja
GFI Software
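One way to turn the quoted log message into a candidate list for a shared MyKerio IP address group while keeping required third-party hosts out of it. This is an added example, not Kerio or GFI code; the log lines, timestamp prefix and addresses are constructed, and the never_block list stands in for an operator-maintained allowlist of hosts the business needs.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log excerpt: the message text matches the post, the
# timestamp prefix is made up, and the addresses are documentation ranges.
SAMPLE_LOG = """\
[04/Nov/2019 14:01:12] Connection limit for destination address '203.0.113.10' from source address '198.51.100.7' reached
[04/Nov/2019 14:01:13] Connection limit for destination address '203.0.113.10' from source address '198.51.100.7' reached
[04/Nov/2019 14:01:15] Connection limit for destination address '203.0.113.10' from source address '192.0.2.44' reached
[04/Nov/2019 14:01:20] Connection limit for destination address '203.0.113.10' from source address '198.51.100.7' reached
[04/Nov/2019 14:02:01] Connection limit for destination address '203.0.113.11' from source address '192.0.2.200' reached
[04/Nov/2019 14:02:05] Unrelated log line that must be ignored
"""

# Matches the message quoted in the post; searched, not anchored, so any
# log prefix in front of it does not matter.
LIMIT_RE = re.compile(
    r"Connection limit for destination address '(?P<dst>[^']+)' "
    r"from source address '(?P<src>[^']+)' reached"
)


def count_limited_sources(log_text):
    """Map each source address to how often it tripped the connection limit."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LIMIT_RE.search(line)
        if m:
            hits[m.group("src")] += 1
    return hits


def candidate_blocklist(hits, threshold=2, never_block=()):
    """Sources with at least `threshold` hits, excluding allowlisted networks.

    never_block holds CIDR strings for third parties the business must keep
    reachable, addressing the risk of blocking a legitimate but infected host.
    Ordered by hit count so the noisiest sources are reviewed first.
    """
    allow = [ip_network(n) for n in never_block]
    out = []
    for src, n in hits.most_common():
        if n < threshold:
            continue
        if any(ip_address(src) in net for net in allow):
            continue
        out.append(src)
    return out


if __name__ == "__main__":
    hits = count_limited_sources(SAMPLE_LOG)
    for src in candidate_blocklist(hits, threshold=2, never_block=["192.0.2.0/24"]):
        print(src)  # one address per line, ready to paste into a shared IP group
```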
Re: DDoS Attacks [message #146977 is a reply to message #146973] Mon, 04 November 2019 18:50
robinbateman

Hi Ian

I haven't used MyKerio to do this, but it sounds like an ideal solution in the short term.

I have read the instructions and don't see how to share definition groups across appliances in the way I have my Kerio set up. I suspect this is down to the way I use MyKerio.

I have an organisation for each of my clients, and in each organisation is their client Operator/Control/Connect.

Do I need to move all control boxes into one organisation? Is this possible?


Robin Bateman
One Red Mouse
Blog: http://bit.ly/OWjcGL
Re: DDoS Attacks [message #146980 is a reply to message #146977] Tue, 05 November 2019 09:23
ian.bugeja
Hi Robin

Yes, you would all have to be in the same organization.

However, please see below other suggestions that came from the feedback collected so far. All of these seem to alleviate the problem.

1) Reduce the default TCP timeout from 40 minutes to 10 minutes. The connections still come, but they are closed faster.
You can do so by logging in over SSH and running
./tinydbclient "update Firewall set DefaultTcpTimeout=10"

2) Block peer-to-peer traffic. This rule has also helped, but it will also affect legitimate peer-to-peer traffic.

3) Set connection limits to 50. This seems to make the bots simply skip the machine, so if true this would be the ideal setting so far.

Hope this helps you and the other guys out there.


Regards


Ian Bugeja
GFI Software
Re: DDoS Attacks [message #146983 is a reply to message #146980] Tue, 05 November 2019 11:09
robinbateman

Hi Ian

I just spoke to Marin about this. If I set the first line, "Limit Max Connections from 1 source IP address", I get huge problems with LAN users hitting the limit almost immediately. I have found better success with limiting new connections per minute at 650.

I will change the timeout as suggested.


Robin Bateman
One Red Mouse
Blog: http://bit.ly/OWjcGL
Re: DDoS Attacks [message #146985 is a reply to message #146983] Tue, 05 November 2019 11:42
robinbateman

Hi Ian

The SSH command above did not work for me when I SSH into the firewall using Telnet. Instead, I think this one worked:

/opt/kerio/winroute/tinydbclient "update Firewall set DefaultTcpTimeout=10"


Robin Bateman
One Red Mouse
Blog: http://bit.ly/OWjcGL
Re: DDoS Attacks [message #147002 is a reply to message #146985] Thu, 07 November 2019 15:29
robinbateman

Not sure how everyone else is getting on, but attacks on our Control boxes have abated in the last two days.

Robin Bateman
One Red Mouse
Blog: http://bit.ly/OWjcGL