2012. 4. 13. 18:58

Is my Web Application Firewall Blocking WebsiteDefender?

Previously we explained why some web hosting servers block the WebsiteDefender Agent, which could cause your WebsiteDefender service to malfunction.

In this article, we will show you exactly how a web application firewall can block communications between the WebsiteDefender Agent and the WebsiteDefender Server.

Many hosting providers and server administrators use web application firewalls, such as ModSecurity, to filter and monitor a website for hacker attacks. The web application firewalls in use today ship with different rule sets for filtering HTTP requests made by software, and those rules can therefore interfere with the WebsiteDefender Agent. Below are some examples that show how and why the WebsiteDefender Agent might be blocked by a web application firewall.

The web application firewall might block the communication completely with the WebsiteDefender Agent.



In this example, the WebsiteDefender Agent request to the web server has been blocked by the firewall, based on the predefined rule sets. Any requests sent from the WebsiteDefender Server will not reach the WebsiteDefender Agent. Depending on the firewall configuration, when you run the WebsiteDefender Agent test, you might receive a “404 Not Found” error or “Unreachable” error code.



The web application firewall might alter, modify or strip important and essential components from the WebsiteDefender Agent request.



In this case, the request sent by the WebsiteDefender Scanning Server to the WebsiteDefender Agent will manage to pass through the firewall but the information returned will be invalid.

Therefore, the WebsiteDefender Agent will send an invalid response back to the WebsiteDefender Scanning Server, stating that a previously received communication request was corrupted or not recognized.



The request received by the WebsiteDefender Agent passes the Web Application Firewall check. In this case, the communication request sent by the WebsiteDefender Server to the WebsiteDefender Agent successfully passes through the web application firewall. The WebsiteDefender Agent response successfully reaches the WebsiteDefender Server, meaning that the WebsiteDefender Agent is up and running successfully.



Source: www.websitedefender.com


2009. 6. 4. 14:44

[STP] Spanning-tree Protocol (PVST, RSTP, MSTP)

STP

The Spanning Tree Protocol was originally developed by Digital Equipment Corporation (DEC).
The DEC STP algorithm was revised by the IEEE 802 committee and published as IEEE 802.1d.
The DEC and IEEE 802.1d algorithms are not the same and are not compatible with each other.
Cisco Catalyst 1900 and 2950 switches use IEEE 802.1d STP.

- The purpose of STP is to maintain a loop-free network in a Layer 2 environment.
- A loop-free topology is achieved because switches or bridges must detect loops and, once a loop is detected, automatically block one or more redundant ports at the logical level.
- Switches or bridges running STP automatically detect changes in the network topology, such as the addition or failure of a switch or bridge.

Spanning Tree Protocol procedure

- Elect one Root Bridge per network
- Elect one Root Port on each bridge that is not the Root Bridge
- Elect one Designated Port on each segment

After these three steps, every port that is neither a Root Port nor a Designated Port is put into Blocking.

Root Port selection criteria

1. The port with the lowest path cost to the Root Bridge.
2. If equal, the port whose connected (sending) bridge has the lower Bridge ID.
3. If still equal, the port with the lower Port ID is selected.

Designated Port selection criteria

1. The port with the lowest path cost to the Root Bridge.
2. If equal, the port on the bridge with the lower Bridge ID.
3. If still equal, the port with the lower Port ID is selected.

PVST

A type of Spanning Tree Protocol

The spanning tree protocol builds a tree structure, the spanning tree, to prevent bridging loops. The traditional spanning tree, however, is based on the physical topology (switches connected by trunk links) regardless of VLANs, so it builds only a single tree.

In that case a VLAN that occupies only part of this physical tree is forced to operate on the basis of the single overall tree, which can sometimes produce an inappropriate structure. This form is called the Common Spanning Tree.

To compensate, a tree is built for each VLAN and the spanning tree algorithm is run independently per VLAN. This is called PVST (Per VLAN Spanning Tree).

PVST, however, cannot coexist with CST: the two cannot understand each other's STP BPDUs.

PVST+ was created to solve this. PVST+ takes the information received from CST and either repeats it for every VLAN when passing it on to PVST, or tunnels it so that separated PVST regions are connected.

1. Common Spanning Tree (CST) is the Spanning Tree Protocol of IEEE 802.1Q; it defines a single spanning tree for all VLANs. BPDU information is sent and received on VLAN 1.
- All switches elect a single root bridge and decide Forwarding and Blocking states relative to that root bridge.
- CST advantages
  - Fewer BPDUs are generated, which saves bandwidth.
  - Less processing overhead on the switch.
- CST disadvantages
  - Because everything is based on a single root bridge, inappropriate forwarding paths may be set up.
  - The spanning-tree topology is formed across all switches and becomes large, so convergence time can be long and topology changes can trigger frequent spanning tree recalculations.
  - VLANs can become partitioned.

Per-VLAN Spanning Tree (PVST) is a Cisco-proprietary implementation; for PVST to operate, trunks must use Inter-Switch Link (ISL) encapsulation. PVST runs a separate spanning tree for each VLAN.

- Flexible traffic management.
- Forwarding paths can be controlled on a per-VLAN (subnet) basis (load balancing is possible).
- Provides simple Layer 2 redundancy.

PVST+ is a Cisco-proprietary implementation that lets CST information be passed into PVST.

- Cisco PVST+ encapsulates PVST frames as multicast frames to carry them across the CST network.



=====STP (spanning-tree protocol) (802.1d) PVST=====

 (IEEE)
   ==> 1. time (convergence): RSTP 802.1W
   ==> 2. CPU load: MST 802.1S

(CISCO)
   ==> 1. time (convergence): portfast, uplinkfast, backbonefast



=====STP calculation (listening) 15sec=====

1. Elect the Root bridge (per VLAN)
    (priority (32768) ==> MAC) lowest value wins

2. Elect the Root port (per non-root bridge)
    (cost ==> port-id (sender-id)) lowest value wins  (100M = 19, 10M = 100)

3. Elect the Designated port (per segment)
    (cost ==> priority ===> MAC)
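The three election steps above, and the tie-break order in the Root Port and Designated Port selection criteria earlier in the post, can be worked through on a small topology. The following is an added example, not the blog's own code and not a Cisco implementation: a toy 802.1d election over a constructed three-switch triangle (SW1, SW2, SW3 and the segment names and port costs are assumptions). Bridge IDs are (priority, MAC) tuples, port IDs are plain port numbers, and the lower value always wins.

```python
"""Toy 802.1d election over a constructed three-switch topology.

Added example for the election order in the notes: root bridge, then a root
port per non-root bridge, then a designated port per segment; every other
port is left blocking. Not the blog's code and not a Cisco implementation.
"""
import heapq
from collections import defaultdict

# Constructed topology (assumption). Each link is one segment with two
# (bridge, port, cost) ends; costs follow the note's table (100M = 19, 10M = 100).
BRIDGES = {
    "SW1": (32768, "00:00:00:00:00:01"),
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (32768, "00:00:00:00:00:03"),
}
LINKS = [
    ("seg-A", ("SW1", 1, 19), ("SW2", 1, 19)),
    ("seg-B", ("SW1", 2, 19), ("SW3", 1, 19)),
    ("seg-C", ("SW2", 2, 100), ("SW3", 2, 100)),
]


def root_path_costs(links, root):
    """Lowest root path cost per bridge; entering bridge v costs v's own port cost."""
    adj = defaultdict(list)
    for _seg, (b1, _p1, c1), (b2, _p2, c2) in links:
        adj[b1].append((b2, c2))
        adj[b2].append((b1, c1))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in adj[u]:
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                heapq.heappush(heap, (dist[v], v))
    return dist


def elect(bridges, links):
    """Return (root bridge, {(bridge, port): role}) for the given topology."""
    # Step 1: root bridge = lowest (priority, MAC).
    root = min(bridges, key=lambda b: bridges[b])
    cost = root_path_costs(links, root)

    # Every port starts out blocking; steps 2 and 3 promote some of them.
    roles = {}
    for _seg, (b1, p1, _c1), (b2, p2, _c2) in links:
        roles[(b1, p1)] = "blocking"
        roles[(b2, p2)] = "blocking"

    # Step 2: root port per non-root bridge. Tie-break order from the notes:
    # path cost, then sender bridge ID, then sender port ID, then own port ID.
    candidates = defaultdict(list)
    for _seg, (b1, p1, c1), (b2, p2, c2) in links:
        candidates[b1].append((cost[b2] + c1, bridges[b2], p2, p1))
        candidates[b2].append((cost[b1] + c2, bridges[b1], p1, p2))
    for b in bridges:
        if b != root:
            _, _, _, own_port = min(candidates[b])
            roles[(b, own_port)] = "root"

    # Step 3: designated port per segment: the end whose bridge has the lowest
    # root path cost, then the lowest bridge ID, then the lowest port ID.
    for _seg, (b1, p1, _c1), (b2, p2, _c2) in links:
        ends = [(cost[b1], bridges[b1], p1, b1), (cost[b2], bridges[b2], p2, b2)]
        _, _, port, bridge = min(ends)
        roles[(bridge, port)] = "designated"
    return root, roles


if __name__ == "__main__":
    root, roles = elect(BRIDGES, LINKS)
    print("root bridge:", root)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} port {port}: {role}")
    # Lowering SW3's priority (what 'spanning-tree vlan 1 priority 4096' does)
    # moves the root and re-runs the whole election.
    tuned = dict(BRIDGES, SW3=(4096, BRIDGES["SW3"][1]))
    print("root after priority change:", elect(tuned, LINKS)[0])
```

With all priorities at the default, SW1 wins on MAC, the SW2 side of seg-C wins the designated election on bridge ID, and SW3 port 2 is the one blocking port. Lowering SW3's priority to 4096 makes SW3 the root and moves the blocking port to SW2 port 2, which is exactly the effect the `spanning-tree vlan 1 priority` command below has on the computed topology.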

 

===== Port status =====

1. Blocking (Max-age) 20sec
2. Listening (STP calculation) 15sec
3. Learning (MAC learning) 15sec
4. Forwarding

 

===== Port role =====

1. designated port (sends BPDUs)
2. root port             (receives BPDUs)
3. blocking port  traffic blocked (receives BPDUs)



===== Root bridge adjustment =====

 config)#spanning-tree vlan 1 priority 4096 (default 32768) (adjusted in steps of 4096, 0 ~ 61440)

 config)#spanning-tree vlan 1 root primary
               spanning-tree vlan 1 root secondary

Verify

config)# show spanning-tree vlan x brief

 

===== Root port adjustment ===== (cost, port-priority (sender))

SW1
 config-if)#spanning-tree vlan 1 cost 19
SW2
 config-if)#spanning-tree vlan 1 port-priority 128


Verify

config)# show spanning-tree vlan x brief
config)# show spanning-tree root brief

 

===== RSTP (802.1W) =====

root port
designated port
alternate port (backup for the root port), backup port (backup for the designated port)
edge port (skips listening and learning)
proposal, agreement
TC (topology change) set directly

config)#spanning-tree mode rapid-pvst

 

===== MSTP (802.1S) =====

MST (name, revision, group)
mst config
config)# spanning-tree mode mst  ==> (RSTP enabled automatically)
config)# spanning-tree mst configuration
config)# name BCMSN
config)# revision 1
config)# instance 1 vlan 1-500
config)# instance 2 vlan 501-1000

ROOT bridge adjustment
config)# spanning-tree mst 1 root primary
config)# spanning-tree mst 2 root secondary

ROOT port adjustment
config)# spanning-tree mst 2 cost 20000

Verify
config)# show spanning-tree mst 1
config)# show spanning-tree mst configuration



sw0

>en
#conf t
config#vtp mode server
config#vtp domain switch
config#exit
>sh vtp status
>en
#conf t
config#vlan 10
config-vlan#exit
config#vlan 20
config-vlan#exit
config#vlan 30
config-vlan#exit
#sh vtp status
#conf t
config#int fa0/1
config-if#switchport mode trunk
config-if#exit
config#int fa0/2
config-if#switchport mode trunk
config-if#exit
config#int fa 0/5
config-if#switchport access vlan 10
config-if#switch mode access
config-if#spanning-tree portfast
config-if#exit
config#int fa0/6
config-if#switch access vlan 20
config-if#switch mode access
config-if#spanning-tree portfast
config-if#exit
config#int fa0/7
config-if#switchport access vlan 30
config-if#spanning-tree portfast
config-if#exit
config#exit
#sh spanning-tree
#sh vtp status
#sh vlan
#conf t
config#spanning-tree vlan 10 priority 4096
config#exit
#sh spanning-tree

sw1

>en
#conf t
config#vtp mode client
config#vtp domain switch
config#exit
#sh vtp status
#conf t
config#int fa0/1
config-if#switchport mode trunk
config-if#exit
config#int fa0/2
config-if#switchport mode trunk
config-if#exit
config#exit
#sh vtp status
#sh spanning-tree
#sh vlan
#conf t
config#int fa0/5
config-if#switchport access vlan 10
config-if#switch mode access
config-if#spanning-tree portfast
config-if#exit
config#int fa0/6
config-if#switch access vlan 20
config-if#switch mode access
config-if#spanning-tree portfast
config-if#exit
config#int fa0/7
config-if#switch access vlan 30
config-if#switch mode access
config-if#spanning-tree portfast
config-if#exit
config#exit
#sh vlan
#conf t
config#spanning-tree vlan 20 priority 4096
config#exit
#sh spanning-tree

sw2

>en
#conf t
config#vtp mode client
config#vtp domain switch
config#exit
#sh vtp status
#conf t
config#int fa0/1
config-if#switchport mode trunk
config-if#exit
config#int fa0/2
config-if#switchport mode trunk
config-if#exit
config#exit
#sh vtp status
#conf t
config#int fa0/5
config-if#switchport access vlan 10
config-if#switch mode access
config-if#spanning-tree portfast
config-if#exit
config#int fa0/6
config-if#switch access vlan 20
config-if#switch mode access
config-if#spanning-tree portfast
config-if#exit
config#int fa0/7
config-if#switch access vlan 30
config-if#switch mode access
config-if#spanning-tree portfast
config-if#exit
config#exit
#sh vlan
#conf t
config#spanning-tree vlan 30 priority 4096
config#exit
#sh spanning-tree


2009. 6. 1. 17:29

Blocking a DNS DDOS using the fail2ban package

Are you tired of getting multi-thousand line emails from the logcheck package that contain multiple reports of denied queries from named? If so this article will show how you can reject these DDOS attempts via the fail2ban package.

These events look something like this:

System Events
=-=-=-=-=-=-=
Jan 21 06:02:13 www named[32410]: client 66.230.128.15#15333: query (cache)
+'./NS/IN' denied

You can get the whole story about this DOS attack at http://isc.sans.org/diary.html?storyid=5713

However, in summary, the source IP address is falsified by a large bot army. Each soldier of the bot army sends one DNS packet per second to your DNS server. Your DNS server replies with a fail message to the falsified source address, causing a DOS attack on that source address.

Tired of your DNS server being used as someone's DOS amplifier weapon? Try Debian's fail2ban package. The homepage for fail2ban is www.fail2ban.org

First install the Debian fail2ban package. By default it only watches and bans ssh. That is probably a good idea, further discussion of which is somewhat beyond the scope of this article.

apt-get install fail2ban

Then inspect the contents of /etc/fail2ban/jail.conf
As per the notes at the end of that file, you'll need to modify your bind logging so fail2ban can understand it.

First make the directory for the bind log file.

mkdir /var/log/named
chmod a+w /var/log/named

I'm sure a reader will complain about making a log file a+w, but it is the simplest way to make this demo work. In your spare time, once everything works, find a better way.

Next, edit /etc/bind/named.conf.local and add the following lines

logging {
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 30m;
        severity dynamic;
        print-time yes;
    };
    category security {
        security_file;
    };
};

Restart Bind using /etc/init.d/bind9 restart
Test bind to make sure it's still working and also verify the log file /var/log/named/security.log is filling up with lines like this:

21-Jan-2009 07:19:54.835 client 66.230.160.1#28310: query (cache) './NS/IN' denied

OK, now to set up fail2ban. Edit the /etc/fail2ban/jail.conf file and change from:

[named-refused-udp]

enabled  = false

to:

[named-refused-udp]

enabled  = true

and from:

[named-refused-tcp]

enabled  = false

to:

[named-refused-tcp]

enabled  = true

Then restart fail2ban in the usual manner,

/etc/init.d/fail2ban restart

Now verify that fail2ban is doing something by checking the log file at /var/log/fail2ban.log; it should contain something like

2009-01-21 07:34:32,800 fail2ban.actions: WARNING [named-refused-udp] Ban 76.9.16.171
2009-01-21 07:34:32,902 fail2ban.actions: WARNING [named-refused-tcp] Ban 76.9.16.171

Verify that fail2ban is modifying the iptables rules

iptables -L

Now verify that fail2ban's iptables rules are actually stopping access

tail -f /var/log/named/security.log

DNS error messages should be several minutes apart rather than multiple per second.
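What the named-refused jails do with the security log is easy to see in miniature. The following is an added example, not the article's code and not fail2ban's own source: it matches the BIND security-log line format shown above, counts denied queries per client address inside a sliding findtime window, and returns the sources that exceed maxretry. The log lines are constructed (documentation address ranges), and the maxretry, findtime and ignoreip parameters mirror the jail.conf settings discussed in the article.

```python
"""Minimal re-implementation of the named-refused jail decision.

Added example, not the article's code and not fail2ban's source. Parses the
BIND security-log format quoted in the article, keeps a per-client sliding
window of denied queries, and reports clients exceeding maxretry in findtime.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# "21-Jan-2009 07:19:54.835 client 66.230.160.1#28310: query (cache) './NS/IN' denied"
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query \(cache\) '[^']*' denied$"
)


def parse_denied(line):
    """Return (timestamp, client IP) for a denied-query line, else None."""
    m = DENIED_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip")


def bans(lines, maxretry=5, findtime=600, ignoreip=()):
    """IPs to ban, in order: maxretry denied queries within findtime seconds."""
    hits = defaultdict(deque)   # ip -> timestamps inside the current window
    banned, already = [], set()
    for line in lines:          # lines are assumed to be in chronological order
        parsed = parse_denied(line)
        if parsed is None:      # other security-category messages are ignored
            continue
        ts, ip = parsed
        if ip in ignoreip or ip in already:
            continue
        window = hits[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()    # drop hits older than findtime
        if len(window) >= maxretry:
            banned.append(ip)
            already.add(ip)
    return banned


def _denied(ts, ip, port):
    """Build one constructed log line in the format shown above."""
    return f"{ts} client {ip}#{port}: query (cache) './NS/IN' denied"


# Constructed sample log: one flood source, one occasional client, one LAN
# host that belongs on ignoreip, a non-matching line, and a slow source.
SAMPLE_LOG = (
    [_denied(f"21-Jan-2009 07:19:5{i}.000", "192.0.2.10", 28310 + i) for i in range(6)]
    + [_denied(f"21-Jan-2009 07:20:0{i}.000", "198.51.100.7", 4000 + i) for i in range(2)]
    + [_denied(f"21-Jan-2009 07:20:1{i}.000", "10.0.0.5", 5000 + i) for i in range(6)]
    + ["21-Jan-2009 07:20:20.000 lame server resolving 'example.com' "
       "(in 'example.com'?): 192.0.2.53#53"]
    + [_denied(f"21-Jan-2009 {(450 + 20 * i) // 60:02d}:{(450 + 20 * i) % 60:02d}:00.000",
               "203.0.113.9", 6000 + i) for i in range(5)]
)

if __name__ == "__main__":
    print("ban:", bans(SAMPLE_LOG, ignoreip={"10.0.0.5"}))
```

Run as written it bans only 192.0.2.10: the two-query client never reaches maxretry, the LAN host is protected by ignoreip, and 203.0.113.9's queries are twenty minutes apart, so its window never holds more than one hit at the default findtime. Raising findtime to a couple of hours (the same lever as the bantime discussion below, but on the detection side) is what catches that slow source.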

Now for some fine tuning.

First we have to modify logcheck to look at the new location of named error messages. Edit /etc/logcheck/logcheck.logfiles and add this to the end of the file:

/var/log/named/security.log

Next, modify logcheck to report what fail2ban is doing. Edit the same file, /etc/logcheck/logcheck.logfiles, and add this line to the end of the file:

/var/log/fail2ban.log

Now verify you are getting both named and fail2ban messages in your hourly logcheck emails.

It would be a good idea to research, change, and test the [DEFAULT] ignoreip stanza in the /etc/fail2ban/jail.conf file. Maybe the package default should change to ignore all RFC1918 addresses. Probably you should ignore your LAN, just in case. At least ignore the source IP address of the machine that you usually use to SSH into your DNS server.

It would also be a good idea to think about the bantime = 600 setting in the /etc/fail2ban/jail.conf file. Maybe more than ten minutes would be appropriate. Since the DDOS attacks last "days", perhaps "hours" would be most appropriate.

As per above, think of a better way to assign permissions to the logfile directory /var/log/named. Maybe modify /etc/bind/named.conf.local and /etc/logcheck/logcheck.logfiles and /etc/fail2ban/jail.conf to not use that directory... maybe just use a file named /var/log/named.log

Last, but certainly not least, please compliment the maintainer of the Debian package, Yaroslav Halchenko, and also the author of fail2ban, Cyril Jaquier.

Thanks, and have a pleasant day.

Vince Mulhollon vince@mulhollon.com aka vlm@debian.org

