How do I log SYN flood attacks, and other bad actors, exclusively?

Hi,
New to this forum, but not exactly a newbie. I have browsed/searched our forum topics here for an answer, but with little luck.

Some months ago I purchased a Protectli x86 device to be used with OpenWrt. I have spent many hours trying different things, but I have had no luck with logging such that I am not logging everything all the time.

By design, OpenWrt has a feature to handle SYN floods. But how can I log those SYN floods, even though OpenWrt mitigates them?

I have entered specific instructions in "firewall.user" to log everything. That was easy to do, but the system/kernel logs get too wordy and busy way too quickly with all kinds of other things. The older Cisco router that I have logs the SYN flood attacks from specific addresses but not all the other "good" traffic.

I tried using "hping3" from a different IP to test OpenWrt to see if it would log the SYN flood attempt, but nothing shows up in the system/kernel logs unless I log everything!

I am reluctant to use the Protectli as my main router until I am 100% sure that I have blocked most, if not all, of the basic/advanced bad things that hackers attempt on a daily basis. To that end, things like WAN access to ssh/LuCI/ping are of course blocked, but I have no way of knowing whether I just got lucky or OpenWrt is doing its job, as I seem to lack the knowledge of how to log these specific events and others that I can synthetically create and test.

Thank you for taking the time to read this and if this is an old topic with an answer on this forum please leave a link for me here. Very much appreciated.

Assuming you're running a recent 22.03 (or SNAPSHOT), with fw4, then there's probably not a lot of history on this.

Would counters on the rules be a sufficient diagnostic? If so, you could hack /usr/share/firewall4/templates/ruleset.uc and change the syn_flood chain's rules to contain counters.

I edited the file down at about line 206 in my version, searched for 'syn_flood' and added the 'counter' values you see in the two locations below:

204     chain syn_flood {
205         limit rate {{ r.rate }}/{{ r.unit }}
206         {%- if (b): %} burst {{ b }} packets{% endif %} counter return comment "!fw4: Accept SYN packets below rate-limit"
207         counter drop comment "!fw4: Drop excess packets"
208     }

Next up, verify that you didn't break anything:

fw4 check

Assuming that went well,

fw4 reload

then check the values of the counters

nft list chain inet fw4 syn_flood

Run your hping on the other machine, then show the chain again. Should show you the number of packets and bytes that got passed through those rules.

$ nft list chain inet fw4 syn_flood
table inet fw4 {
        chain syn_flood {
                limit rate 25/second burst 50 packets counter packets 0 bytes 0 return comment "!fw4: Accept SYN packets below rate-limit"
                counter packets 0 bytes 0 drop comment "!fw4: Drop excess packets"
        }
}

Note that if/when you do sysupgrade, this will all be reverted (i.e., it truly is a hacky hack).


Cool, seems to work. :smiley:

ubu$ sudo hping3 -i u1 -S -p 80 10.1.1.2

Kill it after a few seconds, then

router$  nft list chain inet fw4 syn_flood
table inet fw4 {
        chain syn_flood {
                limit rate 25/second burst 50 packets counter packets 270 bytes 10864 return comment "!fw4: Accept SYN packets below rate-limit"
                counter packets 967188 bytes 38687520 drop comment "!fw4: Drop excess packets"
        }
}
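To turn the counters above into a log line for only the SYN-flood drops (rather than logging all traffic), here is an added example script that is not from this thread or from OpenWrt: it parses two snapshots of `nft list chain inet fw4 syn_flood` output and reports how far the drop rule's packet counter moved. The two snapshots embedded below are constructed samples in the format shown above; on a router you would feed it the live output from cron and pipe the message to `logger`.

```shell
#!/bin/sh
# Added example (not from the thread or from fw4): read the packet counter on the
# syn_flood chain's "drop" rule from two snapshots and emit one message only
# when excess SYN packets were actually dropped between them.

# Constructed sample snapshots, same format as `nft list chain inet fw4 syn_flood`.
BEFORE='table inet fw4 {
        chain syn_flood {
                limit rate 25/second burst 50 packets counter packets 0 bytes 0 return comment "!fw4: Accept SYN packets below rate-limit"
                counter packets 0 bytes 0 drop comment "!fw4: Drop excess packets"
        }
}'

AFTER='table inet fw4 {
        chain syn_flood {
                limit rate 25/second burst 50 packets counter packets 270 bytes 10864 return comment "!fw4: Accept SYN packets below rate-limit"
                counter packets 967188 bytes 38687520 drop comment "!fw4: Drop excess packets"
        }
}'

# drop_packets CHAIN_OUTPUT -> packet count on the "drop" rule (0 if no counter found).
# Only the line carrying the drop verdict is inspected, so the "burst 50 packets"
# wording on the return rule is never mistaken for a counter.
drop_packets() {
    printf '%s\n' "$1" | awk '
        / drop / { for (i = 1; i < NF; i++) if ($i == "packets") { n = $(i + 1); exit } }
        END { print n + 0 }'
}

# dropped_since BEFORE AFTER -> packets the drop rule counted between the snapshots.
dropped_since() {
    echo $(( $(drop_packets "$2") - $(drop_packets "$1") ))
}

# syn_flood_message BEFORE AFTER -> one summary line, or nothing if no drops happened.
# Printing nothing when the counter is unchanged is what keeps the log quiet.
syn_flood_message() {
    n=$(dropped_since "$1" "$2")
    if [ "$n" -gt 0 ]; then
        printf 'fw4 syn_flood: %s excess SYN packets dropped since last check\n' "$n"
    fi
}

# Stand-alone demonstration on the constructed snapshots.
syn_flood_message "$BEFORE" "$AFTER"
```

On the router, replacing the constructed snapshots with stored and fresh `nft list chain inet fw4 syn_flood` output and piping the result into `logger -t syn_flood` gives a single syslog entry per flood interval; the counters do not identify the source address, so anything beyond the count still needs a `log` statement on the drop rule.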