Ongoing DDoS attack on masternode network

Discussion in 'Official Announcements' started by UdjinM6, Mar 7, 2017.

  1. Figlmüller

    Figlmüller Member

    Joined:
    Sep 2, 2014
    Messages:
    85
    Likes Received:
    45
    Trophy Points:
    58
    Dashninja is also affected by the attack and may not display your MN status at all. Currently, all their nodes are "not responding".
     
  2. tibolt

    tibolt New Member

    Joined:
    Dec 8, 2014
    Messages:
    5
    Likes Received:
    3
    Trophy Points:
    3
    Yes, it's possible. I found this link, which seems useful for hardening: https://javapipe.com/iptables-ddos-protection
     
  3. tungfa

    tungfa Administrator
    Dash Core Team Foundation Member Masternode Owner/Operator Moderator

    Joined:
    Apr 9, 2014
    Messages:
    8,964
    Likes Received:
    6,737
    Trophy Points:
    1,283
    Wallet says:
     
  4. Sapereaude

    Sapereaude Well-known Member
    Foundation Member

    Joined:
    Apr 30, 2014
    Messages:
    191
    Likes Received:
    235
    Trophy Points:
    203
    For those less technologically savvy, there are step-by-step instructions below for Ubuntu 16.04. If you followed TAO's setup guide, this will work for you.

    **************
    Enter root and enter the following commands

    ******* First Remove ufw
    sudo ufw disable
    sudo apt-get -y remove ufw
    sudo apt-get -y purge ufw

    ****** Now install persistent iptables and say yes when the purple screen appears
    apt-get install -y iptables-persistent
    invoke-rc.d netfilter-persistent save
    service netfilter-persistent stop
    service netfilter-persistent start

    ***** Now remove the old iptables file and paste in the new rules
    rm /etc/iptables/rules.v4
    joe /etc/iptables/rules.v4

    ************** Now paste in these rules and save. Note: change port 22 if you moved ssh to another port.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :LOGNDROP - [0:0]
    :OUTPUT ACCEPT [0:0]
    #
    # keep existing sessions (including the ssh session you are typing in) and loopback working
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    # some tcp ddos: fragments and bogus flag combinations
    -A INPUT -i eth0 -p tcp -f -m tcp -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --dport 0 -j DROP
    #
    # rpc port 9998 is never exposed to the internet
    -A INPUT -i eth0 -p tcp -m tcp --dport 9998 -j REJECT --reject-with tcp-reset
    # p2p port 9999: at most 8 concurrent connections per /24 and 2 per ip ...
    -A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 8 --connlimit-mask 24 --connlimit-saddr -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j DROP
    # ... and at most 3 new connections per ip within 30 seconds (the "DEFAULT" list is shared with ssh below, so attempts to both ports count together)
    -A INPUT -i eth0 -p tcp -m tcp --dport 9999 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
    -A INPUT -i eth0 -p tcp -m tcp --dport 9999 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
    #
    # ssh: same limit (change 22 here and on the ssh ACCEPT line further down if you moved ssh)
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
    #
    # only now, after the limits, accept p2p and ssh. Without the ssh line new ssh logins would end up in LOGNDROP and you would be locked out.
    -A INPUT -i eth0 -p tcp -m tcp --dport 9999 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
    #
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    #
    # everything else (udp, icmp, tcp to any other port) is logged at a limited rate, then dropped
    -A INPUT -j LOGNDROP
    -A LOGNDROP -p tcp -m limit --limit 32/min -j LOG --log-prefix "Denied TCP: " --log-level 7
    -A LOGNDROP -p udp -m limit --limit 32/min -j LOG --log-prefix "Denied UDP: " --log-level 7
    -A LOGNDROP -p icmp -m limit --limit 32/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
    -A LOGNDROP -j DROP
    COMMIT
    # Remember to leave an empty line at the bottom (iptables-restore needs a trailing newline after COMMIT)

    ******* and save, then to check it is working
    iptables-restore < /etc/iptables/rules.v4   # load the edited file now; a syntax error is reported here instead of at the next reboot
    iptables -L -n -v

    Voila :D

    Edit- Credit to chaeplin for the far superior rules
     
    #34 Sapereaude, Mar 8, 2017
    Last edited: Mar 9, 2017
    • Like Like x 4
    • Winner Winner x 3
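The LOGNDROP chain in the rules above writes one kernel log line per packet it drops (prefixed "Denied TCP: ", "Denied UDP: " or "Denied ICMP: ", at most 32 per minute per protocol). What lands there is whatever nothing above it accepted or dropped silently: UDP, ICMP, and TCP to ports the rules do not open. SYNs to 9999 that exceed the connlimit/recent limits are dropped by those rules without a log line, so they never show up here. The following is an added example, not nightowl's script or any other poster's code: a Python parser that aggregates those log lines (from `journalctl -k` or /var/log/kern.log) per source and per /24 and prints `iptables -I` commands for sources that keep coming back. The sample log lines are constructed for this example in netfilter's standard LOG field layout with documentation-range addresses, and the 3-hit threshold is an arbitrary choice.

```python
"""Aggregate what the LOGNDROP chain writes to the kernel log (journalctl -k or /var/log/kern.log),
so sources that keep coming back can be dropped outright instead of being rate-limited forever."""
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample lines in the layout the posted LOG rules produce: the prefix comes from
# --log-prefix, the fields are netfilter's standard LOG output. Addresses are from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24; the last line is ordinary kernel noise.
SAMPLE_LOG = """\
Mar  9 03:12:01 mn1 kernel: [ 1201.001] Denied UDP: IN=eth0 OUT= MAC=52:54:00:12:34:56:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=36 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=40001 DPT=9999 LEN=16
Mar  9 03:12:01 mn1 kernel: [ 1201.002] Denied UDP: IN=eth0 OUT= MAC=52:54:00:12:34:56:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=36 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=40002 DPT=9999 LEN=16
Mar  9 03:12:02 mn1 kernel: [ 1202.118] Denied TCP: IN=eth0 OUT= MAC=52:54:00:12:34:56:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  9 03:12:02 mn1 kernel: [ 1202.350] Denied TCP: IN=eth0 OUT= MAC=52:54:00:12:34:56:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  9 03:12:05 mn1 kernel: [ 1205.774] Denied UDP: IN=eth0 OUT= MAC=52:54:00:12:34:56:00:11:22:33:44:55:08:00 SRC=203.0.113.21 DST=198.51.100.2 LEN=36 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=40003 DPT=9999 LEN=16
Mar  9 03:12:09 mn1 kernel: [ 1209.004] Denied TCP: IN=eth0 OUT= MAC=52:54:00:12:34:56:00:11:22:33:44:55:08:00 SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=44000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  9 03:12:11 mn1 kernel: [ 1211.410] Denied ICMP: IN=eth0 OUT= MAC=52:54:00:12:34:56:00:11:22:33:44:55:08:00 SRC=198.51.100.77 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  9 03:12:15 mn1 kernel: [ 1215.000] eth0: link is up
"""

LINE_RE = re.compile(r"Denied (?P<proto>TCP|UDP|ICMP): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")                # SRC=1.2.3.4 DPT=9999 ...; OUT= is legitimately empty
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """One kernel log line -> dict, or None when it is not a LOGNDROP entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m["rest"]))
    return {"proto": m["proto"], "src": fields["SRC"], "dpt": int(fields.get("DPT", 0)),
            "flags": TCP_FLAGS & set(m["rest"].split())}    # bare tokens such as SYN are the TCP flags

def tally(log_text):
    """Hit counts per source and per /24, plus the (proto, port) pairs each source touched."""
    per_ip, per_net, ports = Counter(), Counter(), {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        per_ip[rec["src"]] += 1
        per_net[str(ip_network(rec["src"] + "/24", strict=False))] += 1
        ports.setdefault(rec["src"], set()).add((rec["proto"], rec["dpt"]))
    return per_ip, per_net, ports

def offenders(log_text, min_hits=3):
    """Sources logged at least min_hits times: one probe is noise, persistence is not (threshold is arbitrary)."""
    return sorted(ip for ip, n in tally(log_text)[0].items() if n >= min_hits)

def block_commands(ips, iface="eth0"):
    """iptables commands inserting a drop per source at the top of INPUT, ahead of the
    ESTABLISHED accept, so an already open connection from that source dies as well."""
    return [f"iptables -I INPUT 1 -i {iface} -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    per_ip, per_net, ports = tally(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip:16} {n:3} hits  {sorted(ports[ip])}")
    print("per /24:", dict(per_net))
    print("\n".join(block_commands(offenders(SAMPLE_LOG))))
```

Because the LOG rules are rate-limited, the counts are a lower bound; if you want the dropped 9999 SYNs counted too, put a matching `-j LOG` rule with its own prefix in front of the connlimit and recent DROP lines. The per-/24 total is there because a botnet rarely reuses one address; a whole prefix that keeps showing up is a better block candidate than any single host in it.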
  5. nightowl

    nightowl Member

    Joined:
    Dec 30, 2015
    Messages:
    67
    Likes Received:
    105
    Trophy Points:
    73
    Hi guys,

    Attached is a very nice firewall script that will help you out. It already blocks a few badly behaving IP addresses (I got those badly behaving IPs from Dash's debug log). It limits connections to your SSH and Dash ports (allows only 2 per second). It looks out for bad SYN packets (only some of them, not all).

    Copy the file to your server and save it in /root as "dashfirewall.sh" (remove the .txt at the end; I was forced to add the .txt because the forum won't allow me to upload files without an extension).

    Then execute

    chmod a+x dashfirewall.sh

    Then run it with

    ./dashfirewall.sh

    If you're on Ubuntu/Debian, you can also add "/root/dashfirewall.sh" to /etc/rc.local before "exit 0" to ensure the firewall runs when your server starts.

    Hope this helps!
     


    • Like Like x 3
    • Winner Winner x 1
  6. Sapereaude

    Sapereaude Well-known Member
    Foundation Member

    Joined:
    Apr 30, 2014
    Messages:
    191
    Likes Received:
    235
    Trophy Points:
    203
    nightowl beat you to it by a few minutes :p
     
  7. chaeplin

    chaeplin Active Member
    Core Developer

    Joined:
    Mar 29, 2014
    Messages:
    749
    Likes Received:
    356
    Trophy Points:
    133
    Here are the new rules:
    - limit concurrent connections to 2 per IP, 8 per C class
    - limit to 3 SYNs per IP within 30 sec
    - limit some tcp ddos
    - limit ssh conn

    Code:
    # /etc/default/iptables
    ## Firewall configuration written by system-config-firewall
    ## Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    #
    #-A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    # allow established
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # allow some ip always
    #-A INPUT -m state --state NEW -m tcp -p tcp -s white_ip_or_my_ip -j ACCEPT
    # some tcp ddos
    -A INPUT -i eth0 -p tcp -f -m tcp -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --dport 0 -j DROP
    # deny connection to rpc port
    -A INPUT -i eth0 -p tcp -m tcp --dport 9998 -j DROP
    # drop udp to p2p 9999
    -A INPUT -i eth0 -p udp -m udp --dport 9999 -j DROP
    # limit concurrent connection 2 per ip, 8 per c class
    -A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 8 --connlimit-mask 24 --connlimit-saddr -j DROP
    -A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j DROP
    # limit syn to 3 / 30 sec / p2p 9999
    -A INPUT -i eth0 -p tcp -m tcp --dport 9999 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
    -A INPUT -i eth0 -p tcp -m tcp --dport 9999 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
    # limit syn to 3 / 30 sec / ssh 22
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
    # allow
    -A INPUT -i eth0 -p tcp -m tcp --dport 9999 -j ACCEPT
    #
    -A INPUT -i eth0 -p tcp -j ACCEPT
    # output allow
    -A OUTPUT -o eth0 -j ACCEPT
    # deny forward
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    #
    COMMIT
    #
    

    If you get a --mask error, you are using an old kernel.
    Change
    Code:
    -A INPUT -i eth0 -p tcp -m tcp --dport 9999 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
    #
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
    
    to
    Code:
    -A INPUT -i eth0 -p tcp -m tcp --dport 9999 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --rsource -j DROP
    #
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --rsource -j DROP
    
     
    #37 chaeplin, Mar 8, 2017
    Last edited: Mar 9, 2017
    • Winner Winner x 3
    • Like Like x 2
    • Useful Useful x 1
  8. nightowl

    nightowl Member

    Joined:
    Dec 30, 2015
    Messages:
    67
    Likes Received:
    105
    Trophy Points:
    73
    @Sapereaude yeah, I saw that. You actually posted as I was writing the reply.

    For those of you who are not technically inclined, take note that my firewall script also filters out a few IP addresses that take part in the DDoS, which should help keep your masternode ports open for real Dash connections. The attacker will probably change IPs during the course of the day. I will update the list of blocked IPs later tonight and post an updated version.
     
    • Like Like x 2
  9. Dash4Ever

    Dash4Ever Active Member

    Joined:
    Sep 24, 2015
    Messages:
    106
    Likes Received:
    105
    Trophy Points:
    93
    Dash Address:
    XybaxnhtFBih2g4M2F71rWKBt5USzo8R
    Was affected by the attack, woke up this morning with an email from my VPS provider that my VPS was temporarily suspended.
    So I bought another one, so far so good!

    Specs:

    2048MB Memory
    70GB SSD Space
    4 Core Processor
    Unmetered Network
    3 IPv4 Addresses
    3 IPv6 Addresses *

    Pretty fair price 13.99 USD paid with dash debit ofc :)
     
    • Like Like x 3
    • Winner Winner x 1
  10. tibolt

    tibolt New Member

    Joined:
    Dec 8, 2014
    Messages:
    5
    Likes Received:
    3
    Trophy Points:
    3
    Dash4Ever, which VPS provider is this? The pricing is better than Vultr.
     
  11. Dash4Ever

    Dash4Ever Active Member

    Joined:
    Sep 24, 2015
    Messages:
    106
    Likes Received:
    105
    Trophy Points:
    93
    Dash Address:
    XybaxnhtFBih2g4M2F71rWKBt5USzo8R
    It was https://www.vpscheap.net/
    Never had any issue with them in my 3 years of masternoding, and quick and fast support.
     
  12. Dash4Ever

    Dash4Ever Active Member

    Joined:
    Sep 24, 2015
    Messages:
    106
    Likes Received:
    105
    Trophy Points:
    93
    Dash Address:
    XybaxnhtFBih2g4M2F71rWKBt5USzo8R
    I'm a little curious, did they handpick some IP addresses to attack, or all 4176 IPs?
    Some serious amount of computing power there.

    In any case this demonstrates the strength of the Dash network :) they failed hard. ;)
     
    • Like Like x 2
  13. emmo

    emmo New Member

    Joined:
    May 23, 2014
    Messages:
    37
    Likes Received:
    11
    Trophy Points:
    8
    invoke-rc.d: unknown initscript, /etc/init.d/netfilter-persistent not found.
     
  14. David

    David Well-known Member
    Dash Support Group

    Joined:
    Jun 21, 2014
    Messages:
    618
    Likes Received:
    628
    Trophy Points:
    163
    Does Vultr's DDOS protection ($10 extra per month) help with these kind of DDOS attacks?
     
  15. AndyDark

    AndyDark Well-known Member

    Joined:
    Sep 10, 2014
    Messages:
    353
    Likes Received:
    705
    Trophy Points:
    163
    I would guess yes
     
  16. AndyDark

    AndyDark Well-known Member

    Joined:
    Sep 10, 2014
    Messages:
    353
    Likes Received:
    705
    Trophy Points:
    163
    The attack was against all MNs as far as we know, from 2,000 individual IPs mostly in Asia, i.e. a botnet
     
    • Informative Informative x 2
    • Like Like x 1
  17. RichardAO

    RichardAO New Member

    Joined:
    Jan 17, 2017
    Messages:
    34
    Likes Received:
    8
    Trophy Points:
    8
    Dash Address:
    XmTSEYFTG5dF7N68mEZwtpVUQPAPQ
    Would it be helpful to report the IP hosts regarding their customers being used as ddos bots?
     
  18. demo

    demo Well-known Member

    Joined:
    Apr 23, 2016
    Messages:
    3,114
    Likes Received:
    263
    Trophy Points:
    153
    Dash Address:
    XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX
  19. edificio

    edificio New Member

    Joined:
    Jan 30, 2017
    Messages:
    28
    Likes Received:
    8
    Trophy Points:
    3
    What exactly happens when a server is DDoS'ed? Does it just crash and restart? If that's the case, if i have my VPS set up with auto restart of dashd upon crash with dashcentral will the problem automatically solve itself if i get DDoS'ed?
     
  20. crowning

    crowning Well-known Member

    Joined:
    May 29, 2014
    Messages:
    1,428
    Likes Received:
    2,005
    Trophy Points:
    183
    It won't be able to answer any request from other peers/masternodes, so after a while it'll disappear from the masternode list due to inactivity.

    A possible crash is just the extra bonus you might get.
     
    • Funny Funny x 1
  21. fuzzyduck

    fuzzyduck Active Member

    Joined:
    Feb 19, 2015
    Messages:
    134
    Likes Received:
    113
    Trophy Points:
    93
    Be careful when copy-pasting iptables scripts. You might end up locking yourself out if you have ssh on another port like I do. So look through the script, look for port 22 and change it to your own.
     
    • Informative Informative x 1
  22. qwizzie

    qwizzie Well-known Member

    Joined:
    Aug 6, 2014
    Messages:
    1,546
    Likes Received:
    726
    Trophy Points:
    183
    This DDoS attack seems to focus on just port 9999. Maybe if we all chose different ports instead of the default port, this type of attack could be mitigated in the future?
     
  23. edificio

    edificio New Member

    Joined:
    Jan 30, 2017
    Messages:
    28
    Likes Received:
    8
    Trophy Points:
    3
    Ah, I see. Is there a way to make it reboot automatically if all system resources are suddenly being used up?

    Is it likely that the attacker would immediately start DDoS'ing the server again after that reboot? Of course ufw or iptables is the better option - But it would be nice to know the server would just reboot and start dashd again, should an attack slip through
     
  24. halso

    halso Active Member

    Joined:
    Apr 27, 2016
    Messages:
    440
    Likes Received:
    236
    Trophy Points:
    113
    I just watched a YouTube video published on 6 March where Fluffypony from Monero talks to Tone Vays about a DDoS attack on DASH.
     
    • Like Like x 1
  25. qwizzie

    qwizzie Well-known Member

    Joined:
    Aug 6, 2014
    Messages:
    1,546
    Likes Received:
    726
    Trophy Points:
    183
    i hope this does not mean we end up having to thank fluffypony for accelerating our hardware upgrade process ;)
     
    • Like Like x 3
    • Funny Funny x 2
  26. halso

    halso Active Member

    Joined:
    Apr 27, 2016
    Messages:
    440
    Likes Received:
    236
    Trophy Points:
    113
    I think its great. The fluffster has in a way joined the dash development team by helping us test the network.

    Good work fluffy.
     
    • Like Like x 1
    • Funny Funny x 1
  27. lynx

    lynx Active Member

    Joined:
    Dec 11, 2015
    Messages:
    364
    Likes Received:
    250
    Trophy Points:
    133
    This wouldn't help in the slightest, since every node (and hence everyone) would still have a list of all masternodes and ports.
     
    • Agree Agree x 2
  28. ichigo13

    ichigo13 Member
    Masternode Owner/Operator

    Joined:
    Jul 6, 2014
    Messages:
    42
    Likes Received:
    30
    Trophy Points:
    58
    What should I see when I execute the iptables command below? I saved the rules you posted above.
    iptables -L
     
  29. Figlmüller

    Figlmüller Member

    Joined:
    Sep 2, 2014
    Messages:
    85
    Likes Received:
    45
    Trophy Points:
    58
    No, rebooting will make it even worse because you will lose all existing, valid masternode connections. When rebooting, you will get, as before, immediately spammed with invalid connection attempts or garbage data up to the connection limit of the dashd, thus preventing connections from legitimate nodes.
    The attack will usually not stop if the server turns out to be unreachable.

    So limit the rate of connection attempts using a firewall and also limit the amount of new connections per IP and subnet as mentioned in the thread. One may also think about proper kernel configuration, such as usage of syn cookies, enabling of some checks, etc. This will squash a lot of invalid TCP connections, allowing the masternode to "breathe". A way larger attack (this current one only caused peak traffic at around 0.15 Mb/s at our nodes) will still either fill up your connection queue in the daemon or exhaust the server resources, even if packets get dropped at the local firewall. Thus, a DDoS mitigation service, as offered by many server providers, may help by blocking attacks before those packets reach your host (in addition to security measures on your server).
     
    • Informative Informative x 3
    • Like Like x 1
  30. Figlmüller

    Figlmüller Member

    Joined:
    Sep 2, 2014
    Messages:
    85
    Likes Received:
    45
    Trophy Points:
    58
    The default behaviour for the INPUT chain is ACCEPT, which, at the end, is redundantly repeated by the rule -A INPUT -i eth0 -p tcp -j ACCEPT

    Basic invalid TCP packets are blocked, but you can still reach any other socket listening on the interface eth0 on any port. You can also flood any port other than 9999, which may cause a ton of half-open connections on the host.

    Also, I think this part, causing a jump to LOGNDROP, will never be reached:
    -A INPUT -j LOGNDROP
    Why? Because -A INPUT -i eth0 -p tcp -j ACCEPT at the end accepts any TCP packet on eth0 not matched by any rules above, thus leaving the chain (if matched) and proceeding to the other tables (nat, etc.).

    I would like to suggest that you test your configuration before you simply trust a copy&paste solution.
     
    • Like Like x 4
    • Informative Informative x 1
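Figlmüller's point above, like fuzzyduck's warning about port 22 earlier in the thread and chaeplin's rule set itself, comes down to rule order: netfilter walks a chain top to bottom and the first terminating match decides, so a blanket ACCEPT makes everything below it dead for the traffic it covers, and a rule that opens 9999 ahead of the connection limits silently switches those limits off. The following is an added example, not code from any poster: a small Python evaluator for the iptables-restore syntax used in this thread. It feeds constructed packets through two constructed rule sets written in the style of the posted ones (BROKEN puts an accept for 9999 in front of the limits and a blanket TCP accept in front of LOGNDROP; FIXED accepts only 9999 and 22, after the limits) and reports which rule decided each packet and which rules can never be reached. Assumptions: only the options that appear on this page are parsed; connlimit and recent are modelled as matching only for a source the test packet flags as over the limit; conntrack state is supplied with the packet rather than tracked.

```python
# Offline check of an iptables INPUT chain: which rule decides a given packet, and which rules are
# dead because an earlier terminating rule in the same chain already matches everything they could.
from collections import namedtuple
import shlex

Rule = namedtuple("Rule", "chain cons hist target text")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
HISTORY = {"connlimit", "recent"}                 # matches whose outcome depends on earlier traffic
ARITY = {"--reject-with": 2, "--log-prefix": 2, "--log-level": 2, "--connlimit-above": 2,
         "--connlimit-mask": 2, "--seconds": 2, "--hitcount": 2, "--name": 2, "--mask": 2,
         "--limit": 2, "--rsource": 1, "--set": 1, "--update": 1, "--connlimit-saddr": 1}
KEYS = {"-i": "in", "-p": "proto", "--dport": "dport"}
ALL_FLAGS = frozenset(("FIN", "SYN", "RST", "PSH", "ACK", "URG"))
def flagset(s): return frozenset() if s == "NONE" else ALL_FLAGS if s == "ALL" else frozenset(s.split(","))

def parse_rules(text):
    """iptables-restore syntax (the subset used in this thread) -> ({chain: policy}, [Rule])."""
    chains, rules = {}, []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line[0] == ":":                        # ":CHAIN POLICY [pkts:bytes]"; policy "-" = user chain
            name, policy = line[1:].split()[:2]
            chains[name] = None if policy == "-" else policy
        if line[0] in ":#" or line in ("*filter", "COMMIT"):
            continue
        toks, cons, hist, target, i = shlex.split(line), set(), set(), None, 2
        while i < len(toks):
            t = toks[i]
            if t in KEYS:
                cons.add((KEYS[t], int(toks[i + 1]) if t == "--dport" else toks[i + 1])); i += 2
            elif t in ("--ctstate", "--state"):
                cons.add(("state", frozenset(toks[i + 1].split(",")))); i += 2
            elif t == "--tcp-flags":              # (mask, compare), as in the iptables man page
                cons.add(("flags", (flagset(toks[i + 1]), flagset(toks[i + 2])))); i += 3
            elif t == "-m":
                hist |= {toks[i + 1]} & HISTORY; i += 2
            elif t == "-j":
                target = toks[i + 1]; i += 2
            elif t in ARITY:                      # options that do not affect what the rule matches
                i += ARITY[t]
            else:
                raise ValueError(f"unsupported option {t!r} in: {line}")
        rules.append(Rule(toks[1], frozenset(cons), frozenset(hist), target, line))
    return chains, rules

def matches(rule, pkt):
    # connlimit/recent depend on history: modelled as matching only when the caller flags the source as
    # over the limit. The LOG rules' -m limit is modelled as under its rate, i.e. always matching.
    def fails(key, val):
        if key == "state": return pkt["state"] not in val
        if key == "flags": return pkt["proto"] != "tcp" or (pkt["flags"] & val[0]) != val[1]
        return pkt[key] != val
    return not any(fails(k, v) for k, v in rule.cons) and (not rule.hist or pkt["over_limit"])

def evaluate(chains, rules, pkt, chain="INPUT"):
    """Walk a chain as netfilter does; return (verdict, deciding rule text or chain policy)."""
    for r in rules:
        if r.chain != chain or r.target in (None, "LOG") or not matches(r, pkt):
            continue                              # other chain, non-terminating target, or no match
        if r.target in TERMINAL:
            return r.target, r.text
        result = evaluate(chains, rules, pkt, r.target)        # jump into a user chain
        if result is not None:
            return result
    policy = chains[chain]                        # user chains (policy None) fall back to the caller
    return None if policy is None else (policy, f"policy of {chain}")

def shadowed_rules(text):
    """Rules no packet can reach: an earlier terminating, history-free rule in the same chain has a
    subset of their constraints, so whatever they would match has already been decided."""
    _, rules = parse_rules(text)
    dead = []
    for i, r in enumerate(rules):
        if r.target in TERMINAL and not r.hist:
            dead += [s.text for s in rules[i + 1:] if s.chain == r.chain and r.cons <= s.cons and s.text not in dead]
    return dead

def verdicts(text, packets):
    chains, rules = parse_rules(text)
    return {name: evaluate(chains, rules, p) for name, p in packets.items()}

# Constructed rule sets in the style of those posted in this thread (not the posted text itself). BROKEN
# repeats two ordering mistakes discussed above: an accept for 9999 ahead of the connection limits, and a
# blanket TCP accept ahead of the LOGNDROP catch-all. FIXED accepts 9999 and 22 only after the limits.
HEAD = ["*filter", ":INPUT ACCEPT [0:0]", ":LOGNDROP - [0:0]", "-A INPUT -m conntrack --ctstate INVALID -j DROP",
        "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"]
LIMITS = ["-A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP",
          "-A INPUT -i eth0 -p tcp -m tcp --dport 9999 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 3 --name DEFAULT --rsource -j DROP"]
TAIL = ["-A INPUT -j LOGNDROP", '-A LOGNDROP -p tcp -m limit --limit 32/min -j LOG --log-prefix "Denied TCP: " --log-level 7',
        "-A LOGNDROP -j DROP", "COMMIT"]
BROKEN_RULES = "\n".join(HEAD + ["-A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT"] + LIMITS + ["-A INPUT -i eth0 -p tcp -j ACCEPT"] + TAIL)
FIXED_RULES = "\n".join(HEAD + LIMITS + ["-A INPUT -i eth0 -p tcp -m tcp --dport 9999 -j ACCEPT",
                                         "-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT"] + TAIL)

def packet(proto, dport, flags=(), over_limit=False):      # constructed test traffic: a new connection on eth0
    return {"in": "eth0", "proto": proto, "dport": dport, "flags": frozenset(flags), "state": "NEW", "over_limit": over_limit}

PACKETS = {"ssh_new": packet("tcp", 22, {"SYN"}), "ssh_moved": packet("tcp", 2222, {"SYN"}),  # sshd moved, rules still say 22
           "p2p_new": packet("tcp", 9999, {"SYN"}), "p2p_flood": packet("tcp", 9999, {"SYN"}, over_limit=True),
           "other_tcp": packet("tcp", 8080, {"SYN"}), "udp_9999": packet("udp", 9999)}

if __name__ == "__main__":                        # example run over both constructed rule sets
    for text in (BROKEN_RULES, FIXED_RULES): print(verdicts(text, PACKETS), shadowed_rules(text), sep="\n")
```

Run it against your own rules.v4 before loading it: if `ssh_moved` (sshd on 2222 while the rules still say 22) comes back DROP you would lock yourself out, and if `p2p_flood` comes back ACCEPT the connection limits are being bypassed. The check is deliberately static and knows nothing about the kernel's own validation, so still load the file with `iptables-restore` on a box you can reach out of band.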