Commit Graph

34 Commits

Author SHA1 Message Date
Daniel Micay
b928b197b0 nftables: add comments explaining adding to connlimit sets 2024-04-11 15:59:07 -04:00
Daniel Micay
edbf50a3da nftables: rename tcp service chains 2024-04-11 11:59:27 -04:00
Daniel Micay
3d886dea43 nftables: split out TCP service chain 2024-04-11 11:49:22 -04:00
Daniel Micay
b152574da8 nftables: avoid unnecessary connection marking 2024-04-11 11:38:43 -04:00
Daniel Micay
832a430954 nftables: handle non-TCP case in input-new chain 2024-04-11 10:34:10 -04:00
Daniel Micay
8f047de0c3 nftables: explain synproxy untracked/invalid cases 2024-04-11 10:19:39 -04:00
Daniel Micay
26a58b2492 nftables: explain synproxy bypass rate limit 2024-04-11 09:56:30 -04:00
Daniel Micay
ecd14bddff nftables: explain ordering of strong host model check 2024-04-11 09:51:10 -04:00
Daniel Micay
b21ea0a23f raise synproxy bypass burst to 128 packets from 5
Our network servers are spiking over the default burst limit of 5
packets during regular usage. It's unclear high this should be but 5
packets is definitely too low.
2024-04-10 15:08:45 -04:00
Daniel Micay
b38736ca74 enable nftables-based DDoS protection for all TCP services
Now that the usage of synproxy is gated behind a SYN packet rate limit,
we can expand this to all our TCP services to have always enabled DDoS
protection instead of needing to deploy a stricter set of rules when the
servers are under attack. This is far better because there isn't always
a system administrator available to handle an ongoing attack.

We already used per-IP connection limits in nginx across the board but
those limits are applied far too late after a TLS connection has been
established and headers are sent rather than before. Using IPv6 /64
blocks means this is much more aggressive for IPv6, but many clients
will fall back to IPv4 due to the happy eyeballs approach. The nginx
limits are still useful due to HTTP/2 multiplexing and we'll need to
think over how to address IPv6 there.
2024-04-10 14:48:10 -04:00
Daniel Micay
14c0128910 add rate limited synproxy bypass 2024-04-10 12:15:19 -04:00
Daniel Micay
ef63ff82d2 use consistent name for main connlimit
This will be extended to other services when under attack, which can be
automated in the future.
2024-04-09 20:29:11 -04:00
Daniel Micay
a6b9fa782b reorganize nftables rules 2024-04-05 19:14:05 -04:00
Daniel Micay
cf274f34d7 simplify synproxy-based connection limit rules 2024-04-05 13:36:09 -04:00
Daniel Micay
c1756f5809 add synproxy/connlimit for ACME/redirect use of HTTP
This makes it easier to maintain and deploy more aggressive DDoS
mitigation when our main HTTPS services are under attack.

Network servers use HTTP for connectivity checks which do not use
keepalive and should also be a good use case for
2024-04-04 12:46:38 -04:00
Daniel Micay
39b7e1f479 add counter to connection limit reject rules 2024-03-30 02:12:18 -04:00
Daniel Micay
280eb51c8d rename loopback chains for clarity 2024-03-30 02:12:00 -04:00
Daniel Micay
9b40bb90b8 split out input chain for loopback 2024-03-30 02:12:00 -04:00
Daniel Micay
8c929f02ac enforce IPv6 SSH connection limit for /48 blocks
Since our primary servers using SSH to mirror their TLS certificates to
replicas are now allowlisted, we can use a stricter block size than we
could with the PerSourceMaxStartups approach in sshd.
2024-03-28 11:38:06 -04:00
Daniel Micay
cd59960e7b move IP-based SSH connection limits to nftables
We use synproxy for establishing all new connections to the SSH port and
enforce a connection limit between synproxy and the standard network
stack. Once the connection limit is reached, it's also enforced for new
connections at the synproxy layer. This avoids creating conntrack and
connection limit set entries until connections are already established
to avoid packets with spoofed source addresses exhausting these limited
size tables. Primary servers using SSH to mirror TLS certificates to
their replicas are allowlisted.
2024-03-28 11:38:03 -04:00
Daniel Micay
16ef317460 nftables: rename output-reject to graceful-reject 2024-03-27 12:31:09 -04:00
Daniel Micay
14e9cd5b76 use standard style for nftables sets 2024-03-24 16:23:54 -04:00
Daniel Micay
7b64ffd4cd simplify nftables based on strong host model 2024-03-24 15:22:00 -04:00
Daniel Micay
59984a477c enforce strong host model via nftables 2024-03-24 14:36:24 -04:00
Daniel Micay
ec2cbbdb4e enforce strict reverse path filtering via nftables 2024-03-23 13:35:49 -04:00
Daniel Micay
07dca7919d reorder network allowlists for consistency 2022-08-10 11:13:31 -04:00
Daniel Micay
984d0f200f nftables: implement loopback access control 2022-07-25 20:47:29 -04:00
Daniel Micay
ad6e998ec2 nftables: filter input service traffic by dst addr 2022-07-21 19:32:43 -04:00
Daniel Micay
fdf21af1ae nftables: use notrack accept instead of notrack 2022-07-21 17:31:16 -04:00
Daniel Micay
f7da683012 nftables: simplify ICMP handling 2022-07-18 22:14:35 -04:00
Daniel Micay
32074453eb nftables: use numeric port format 2022-06-30 07:02:34 -04:00
Daniel Micay
01f9274fc4 nftables: implement output filtering for loopback 2022-06-30 06:41:52 -04:00
Daniel Micay
e0ab41c4f4 nftables: friendlier output traffic filtering 2022-06-29 21:27:01 -04:00
Daniel Micay
3ca0c347c6 add baseline nftables configurations 2022-06-29 10:53:07 -04:00