Overview

A distributed denial-of-service (DDoS) attack is one of the most powerful weapons on the internet. When you hear about a website being “brought down by hackers,” it generally means it has become a victim of a DDoS attack. In short, this means that hackers have attempted to make a website or computer unavailable by flooding or crashing the website with too much traffic.

In a DDoS attack, the incoming traffic flooding the victim originates from many different sources. This makes it impossible to stop the attack simply by blocking a single source.

This article provides instructions on how to enable the protective measures in Kerio Control against such an attack. 
 

Prerequisites

• Kerio Control Administrator access
• SSH access to Kerio Control console
  
  

Process

To protect your network from DDoS attacks, please follow the steps below to update the settings in Kerio Control:

1. Log in to the Kerio Control console via SSH.

2. Run the following command:

   mount -o rw,remount /

3. Open the /etc/sysctl.conf file via Nano or Vim:

   • nano /etc/sysctl.conf

   • vi /etc/sysctl.conf
     
     

4. Uncomment each of the following lines by removing # before each line:

   net.ipv4.conf.default.rp_filter=1 Enable Reverse Path Filtering for the default interface 

   net.ipv4.conf.all.rp_filter=1 same as above, applied to all interfaces

   net.ipv4.tcp_syncookies=1 Enables the SYN Cookies mechanism to verify connections

   
   After modification, the file should look like this:
   
   
    

5. Save the file by pressing Ctrl+O.

6. Restart Kerio Control by using the following command:

   /etc/boxinit.d/60winroute restart
   
   
    

7. (Optional) Depending on your network setup/environment, it is possible to improve the security of the firewall further. Follow these steps:

   1. Uncomment the following lines in the /etc/sysctl.conf file:

      net.ipv4.conf.all.accept_redirects=0 Block ICMP redirects

      net.ipv6.conf.all.accept_redirects=0 Block IPv6 ICMP redirects 

      net.ipv4.conf.all.secure_redirects=0 Block secure ICMP redirects

      net.ipv4.conf.all.send_redirects=0 Ensure packet redirect sending is disabled

      net.ipv4.conf.all.accept_source_route=0 Block source-routed packets

      net.ipv6.conf.all.accept_source_route=0 Block IPv6 source-routed packets

      net.ipv4.conf.all.log_martians=1 Ensure suspicious packets are logged 
      
      

   2. Restart Kerio Control using the command in Step 6. 

Back to top

Additional Information

The following steps are workarounds for DDOS protection that can be performed from Kerio Control Webadmin or SSH:

1. Look up the IP location of the attackers to identify where they are, and add the countries into the Geo IP filter list. 

   To find the IP address, look in the Security log, for example:

   [01/Nov/2019 18:54:58] IPS: Port Scan, protocol: TCP, source: 1.1.1.1, destination: x.x.x.x,
   [01/Nov/2019 18:55:20] IPS: Packet drop, severity: Blacklist, Rule ID: 1:2402000 ET DROP Dshield Block Listed Source group 1, proto:TCP, ip/port:1.1.1.1:47834 -> x.x.x.x:37980
   (where x.x.x.x is the attackers' IP address)

2. Disconnect Kerio Control for 20-30 minutes so that attackers will be redirected to a different target.

3. Create an IP address group with the IPV4 network and insert it into the traffic rule to block unwanted traffic.

4. Increase the Connection limits.

5. Decrease the DefaultTcpTimeout variable to reduce the TCP timeout for sessions without a keep-alive:
   - Log in via SSH.
   - Run the following commands:
   /opt/kerio/winroute/tinydbclient "update Firewall set DefaultTcpTimeout=10"
/etc/boxinit.d/60winroute restart

   

   Note: The default TCP timeout value is 40, and it should be modified only as a last resort. If you experience some issues after this modification, please re-set the value to the default (40).

Back to top