Network Threat Manager

ESF provides a set of features to detect and prevent network attacks. The Security section in the Gateway Administration Console shows the Network Threat Manager tab, where it is possible to activate and configure these functions.

🚧

The Network Threat Manager tab is not available for the No Network version of ESF.

The following functions are supported:

  • Flooding protection (for both IPv4 and IPv6)
  • Fail2Ban

Flooding protection

The flooding protection function is used to prevent DDoS (Distributed Denial-of-Service) attacks using a set of firewall rules. The rules affect the filter and mangle firewall tables.

Flooding protection for IPv4

The following rules are added to the mangle table to block invalid or malicious network packets:

iptables -A prerouting-kura -m conntrack --ctstate INVALID -j DROP
iptables -A prerouting-kura -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -A prerouting-kura -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
iptables -A prerouting-kura -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A prerouting-kura -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A prerouting-kura -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A prerouting-kura -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A prerouting-kura -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A prerouting-kura -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A prerouting-kura -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A prerouting-kura -p tcp --tcp-flags ALL ALL -j DROP
iptables -A prerouting-kura -p tcp --tcp-flags ALL NONE -j DROP
iptables -A prerouting-kura -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A prerouting-kura -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
iptables -A prerouting-kura -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A prerouting-kura -p icmp -j DROP
iptables -A prerouting-kura -f -j DROP
iptables -A input-kura -p tcp --tcp-flags RST RST -m limit --limit KURA_RST_LIMIT/s --limit-burst KURA_RST_BURST_LIMIT -j ACCEPT
iptables -A input-kura -p tcp --tcp-flags RST RST -j DROP
iptables -A input-kura -p tcp -m conntrack --ctstate NEW -m limit --limit KURA_LIMIT/s --limit-burst KURA_BURST_LIMIT -j ACCEPT
iptables -A input-kura -p tcp -m conntrack --ctstate NEW -j DROP
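The `--tcp-flags MASK COMP` rules above can be checked against a packet's flag combination with a small model. This is an added example, not ESF code: the function names and the sample packets are constructed for illustration, and it covers only the flag rules, not the conntrack, ICMP, fragment or rate-limit rules.

```python
# Added example (not ESF code): models iptables "--tcp-flags MASK COMP".
# A rule matches when, of the flags named in MASK, exactly those in COMP are set.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# (MASK, COMP) pairs in the order of the prerouting-kura rules on this page.
RULES = [
    ("FIN,SYN", "FIN,SYN"), ("SYN,RST", "SYN,RST"), ("FIN,RST", "FIN,RST"),
    ("FIN,ACK", "FIN"), ("ACK,URG", "URG"), ("ACK,FIN", "FIN"),
    ("ACK,PSH", "PSH"), ("ALL", "ALL"), ("ALL", "NONE"),
    ("ALL", "FIN,PSH,URG"), ("ALL", "SYN,FIN,PSH,URG"),
    ("ALL", "SYN,RST,ACK,FIN,URG"),
]

def bits(spec):
    """Convert a flag list such as 'FIN,ACK', 'ALL' or 'NONE' to a bit mask."""
    if spec == "ALL":
        return 0x3F  # the six flags listed in FLAGS
    if spec == "NONE":
        return 0
    value = 0
    for name in spec.split(","):
        value |= FLAGS[name]
    return value

def first_drop_rule(packet_flags):
    """Return 'MASK COMP' of the first rule that drops the packet, else None."""
    flags = bits(packet_flags)
    for mask, comp in RULES:
        if (flags & bits(mask)) == bits(comp):
            return f"{mask} {comp}"
    return None

# Constructed sample packets: label -> flags set in the TCP header.
SAMPLES = {
    "handshake": "SYN", "handshake reply": "SYN,ACK", "data": "PSH,ACK",
    "graceful close": "FIN,ACK", "reset": "RST", "null packet": "NONE",
    "FIN+PSH+URG": "FIN,PSH,URG", "SYN+FIN": "FIN,SYN", "bare FIN": "FIN",
}

if __name__ == "__main__":
    for label, flags in SAMPLES.items():
        verdict = first_drop_rule(flags) or "passes the flag rules"
        print(f"{label:16} {flags:12} -> {verdict}")
```

In this model a FIN,PSH,URG packet is already dropped by the earlier `FIN,ACK FIN` rule, so it never reaches `ALL FIN,PSH,URG`; keep that ordering in mind when reading per-rule packet counters.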

The following rules, instead, are added to the filter table and they are intended to limit the number of incoming TCP connections:

iptables -A input-kura -p tcp -m connlimit --connlimit-above KURA_CONN_LIMIT -j REJECT --reject-with tcp-reset

The KURA_CONN_LIMIT, KURA_RST_LIMIT, KURA_RST_BURST_LIMIT, KURA_LIMIT and KURA_BURST_LIMIT are parameters that the user can configure through the Administration Console.

In particular, the following parameters are available:

  • flooding.protection.enabled : enables the application of the firewall rules for flooding protection.
  • flooding.protection.conn.limit : sets the maximum number of parallel connections per IP address; it corresponds to the KURA_CONN_LIMIT parameter.
  • flooding.protection.limit : sets the maximum average number of new TCP connections allowed per second; it corresponds to the KURA_LIMIT parameter.
  • flooding.protection.limit.burst : sets the maximum burst of new TCP connection attempts before the limit is enabled; it corresponds to the KURA_BURST_LIMIT parameter.
  • flooding.protection.rst.limit : sets the maximum average number of TCP RST packets allowed per second; it corresponds to the KURA_RST_LIMIT parameter.
  • flooding.protection.rst.limit.burst : sets the maximum burst of TCP RST packets before the RST limit is enabled; it corresponds to the KURA_RST_BURST_LIMIT parameter.
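To see how the limit and burst parameters interact, the following added example (not ESF code) models the `-m limit ... -j ACCEPT` / `-j DROP` rule pair as a token bucket. The parameter values and traffic patterns are constructed for illustration and are not ESF defaults.

```python
# Added example (not ESF code): token-bucket model of the rule pair
#   -m limit --limit KURA_LIMIT/s --limit-burst KURA_BURST_LIMIT -j ACCEPT
#   ... -j DROP
# Integer arithmetic (milliseconds, milli-tokens) keeps the results exact.

def simulate_limit(arrivals_ms, rate_per_s, burst):
    """Return (accepted, dropped) for sorted packet arrival times in ms."""
    capacity = burst * 1000          # bucket size in milli-tokens
    tokens = capacity                # the bucket starts full
    last = arrivals_ms[0] if arrivals_ms else 0
    accepted = dropped = 0
    for t in arrivals_ms:
        # rate_per_s tokens per second equals rate_per_s milli-tokens per ms
        tokens = min(capacity, tokens + (t - last) * rate_per_s)
        last = t
        if tokens >= 1000:           # a whole token is available: ACCEPT
            tokens -= 1000
            accepted += 1
        else:                        # bucket empty: falls through to DROP
            dropped += 1
    return accepted, dropped

# Constructed values, not ESF defaults.
KURA_LIMIT = 10
KURA_BURST_LIMIT = 20

# Constructed traffic patterns (new TCP connections).
STEADY = [i * 200 for i in range(50)]    # 5 per second for 10 s
SPIKE = [0] * 30                         # 30 at the same instant
FLOOD = [i * 10 for i in range(100)]     # 100 per second for 1 s

if __name__ == "__main__":
    for name, arrivals in (("steady", STEADY), ("spike", SPIKE), ("flood", FLOOD)):
        print(name, simulate_limit(arrivals, KURA_LIMIT, KURA_BURST_LIMIT))
```

The `limit` match keeps a single bucket per rule rather than one per source address, so once a flood empties it, new connections from any client are dropped until tokens refill.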

To further filter the incoming TCP fragmented packets, specific system files are configured.

Flooding Protection for IPv6

The same rules applied to IPv4 are used to prevent attacks over IPv6. In addition, some rules limit the rate of incoming ICMPv6 packets and drop packets carrying specific IPv6 headers. The flooding.protection.enabled.ipv6 property enables the protection feature for IPv6 on devices that support it. If a device does not support IPv6, the property has no effect.

The following rules are applied to the mangle table:

ip6tables -A prerouting-kura -m conntrack --ctstate INVALID -j DROP
ip6tables -A prerouting-kura -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
ip6tables -A prerouting-kura -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
ip6tables -A prerouting-kura -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
ip6tables -A prerouting-kura -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
ip6tables -A prerouting-kura -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
ip6tables -A prerouting-kura -p tcp --tcp-flags FIN,ACK FIN -j DROP
ip6tables -A prerouting-kura -p tcp --tcp-flags ACK,URG URG -j DROP
ip6tables -A prerouting-kura -p tcp --tcp-flags ACK,FIN FIN -j DROP
ip6tables -A prerouting-kura -p tcp --tcp-flags ACK,PSH PSH -j DROP
ip6tables -A prerouting-kura -p tcp --tcp-flags ALL ALL -j DROP
ip6tables -A prerouting-kura -p tcp --tcp-flags ALL NONE -j DROP
ip6tables -A prerouting-kura -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
ip6tables -A prerouting-kura -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
ip6tables -A prerouting-kura -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
ip6tables -A prerouting-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 128 -j DROP
ip6tables -A prerouting-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 129 -j DROP
ip6tables -A prerouting-kura -m ipv6header --header dst --soft -j DROP
ip6tables -A prerouting-kura -m ipv6header --header hop --soft -j DROP
ip6tables -A prerouting-kura -m ipv6header --header route --soft -j DROP
ip6tables -A prerouting-kura -m ipv6header --header frag --soft -j DROP
ip6tables -A prerouting-kura -m ipv6header --header auth --soft -j DROP
ip6tables -A prerouting-kura -m ipv6header --header esp --soft -j DROP
ip6tables -A prerouting-kura -m ipv6header --header none --soft -j DROP
ip6tables -A prerouting-kura -m rt --rt-type 0 -j DROP
ip6tables -A output-kura -m rt --rt-type 0 -j DROP
ip6tables -A prerouting-kura -p tcp --tcp-flags RST RST -m limit --limit KURA_RST_LIMIT/s --limit-burst KURA_RST_BURST_LIMIT -j ACCEPT
ip6tables -A prerouting-kura -p tcp --tcp-flags RST RST -j DROP
ip6tables -A prerouting-kura -p tcp -m conntrack --ctstate NEW -m limit --limit KURA_LIMIT/s --limit-burst KURA_BURST_LIMIT -j ACCEPT
ip6tables -A prerouting-kura -p tcp -m conntrack --ctstate NEW -j DROP
ip6tables -A prerouting-kura -p icmpv6 -m limit --limit KURA_ICMPV6_LIMIT/s --limit-burst KURA_ICMPV6_BURST_LIMIT -j ACCEPT
ip6tables -A prerouting-kura -p icmpv6 -j DROP

The KURA_ICMPV6_LIMIT and the KURA_ICMPV6_BURST_LIMIT are parameters used to configure the rate limit for incoming ICMPv6 packets.

  • flooding.protection.icmpv6.limit : sets the maximum average number of ICMPv6 packets allowed per second; it corresponds to the KURA_ICMPV6_LIMIT parameter.
  • flooding.protection.icmpv6.limit.burst : sets the maximum burst of ICMPv6 packets before the ICMPv6 limit is enabled; it corresponds to the KURA_ICMPV6_BURST_LIMIT parameter.

The rules applied to the filter table are the same as in the IPv4 case, and the configured parameters are applied to both cases.

🚧

To recover the device state when the IPv6 flooding protection feature is disabled, a reboot is required. So, to disable the feature, set the flooding.protection.enabled.ipv6 property to false and reboot the device.

Fail2Ban

Fail2Ban is a tool used for intrusion detection and prevention. It scans system and ESF log files and bans the IP addresses that show malicious signs (e.g. too many password failures). Fail2Ban updates the firewall rules to reject those IP addresses for a specified amount of time.

The Fail2Ban feature can be enabled for both ESF and ssh accesses. The fail2ban.kura.enabled parameter enables the monitoring of ESF accesses, while the fail2ban.sshd.enabled parameter activates the monitoring of accesses via ssh.