A distributed denial-of-service (DDoS) attack is one of the most powerful weapons on the internet. When you hear about a website being “brought down by hackers”, it usually means it has been the target of a DDoS attack: attackers have tried to make a website or server unavailable by flooding it with more traffic than it can handle, or by crashing it outright.
In a DDoS attack, the traffic flooding the victim comes from many different sources at once, so the attack cannot be stopped simply by blocking a single source address.
This article provides instructions on how to enable the protective measures in Kerio Control against such an attack.
To protect your network from DDoS attacks, please follow the steps below to update the settings in Kerio Control:
Log in to the Kerio Control console via SSH.
Run the following command:
mount -o rw,remount /
Open the /etc/sysctl.conf file in Nano or Vim.
Uncomment each of the following lines by removing the # at the start of the line:
net.ipv4.conf.default.rp_filter=1 (enables reverse path filtering on the default interface, i.e. the setting inherited by interfaces created later)
net.ipv4.conf.all.rp_filter=1 (the same, applied to all existing interfaces)
net.ipv4.tcp_syncookies=1 (enables SYN cookies, so that the half-open connections of a SYN flood do not exhaust the listen backlog)
Note that rp_filter=1 is strict mode: a packet is dropped if the route back to its source address would not leave through the interface the packet arrived on. On a multi-WAN or asymmetrically routed network this can drop legitimate traffic, so test it before relying on it.
After modification, the three lines above appear in the file without the leading #.
Save the file (in Nano press Ctrl+O and then Enter; in Vim use :wq).
Restart Kerio Control by using the following command:
(Optional) Depending on your network setup/environment, it is possible to improve the security of the firewall further. Follow these steps:
Uncomment the following lines in the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_redirects=0 (do not accept ICMP redirects)
net.ipv6.conf.all.accept_redirects=0 (do not accept IPv6 ICMP redirects)
net.ipv4.conf.all.secure_redirects=0 (do not accept ICMP redirects even from gateways in the default gateway list)
net.ipv4.conf.all.send_redirects=0 (do not send ICMP redirects)
net.ipv4.conf.all.accept_source_route=0 (drop source-routed packets)
net.ipv6.conf.all.accept_source_route=0 (drop IPv6 source-routed packets)
net.ipv4.conf.all.log_martians=1 (log packets with impossible source addresses, so-called martians, to the kernel log)
Restart Kerio Control using the command in Step 6.
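The whole sysctl procedure above (the required lines from Step 4 and the optional hardening lines) as a POSIX shell script. This is an added example, not code from the Kerio Control article or from Kerio: it edits a sysctl.conf-style file whose path you pass in, so you can try it on a copy before pointing it at /etc/sysctl.conf on the remounted appliance root, and it then checks that every key is present, uncommented and set to the expected value. It goes one key beyond the article by also clearing net.ipv4.conf.default.send_redirects, because the kernel sends redirects when either the "all" or the per-interface flag is 1.

```shell
#!/bin/sh
# Added example, not part of the Kerio Control KB article: apply the sysctl
# settings the article lists to a sysctl.conf-style file and verify them.
# FILE is a parameter so the functions can be tried on a copy first; on the
# appliance run "mount -o rw,remount /" and then pass /etc/sysctl.conf.

# key=value pairs from the article (anti-spoofing and SYN cookies, then the
# optional ICMP redirect / source-route / martian settings). The last line is
# an addition beyond the article: the kernel sends redirects if *either* the
# "all" or the per-interface flag is 1, so the default for new interfaces is
# cleared as well.
KERIO_SYSCTL_SETTINGS='net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.send_redirects=0'

# escape_key KEY: turn the dots of a sysctl key into literal regex dots
escape_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# enable_sysctl_settings FILE
# For every key: an existing line (commented out with "#" or not, any value)
# is rewritten to key=value; a key that is absent is appended. Running it
# twice changes nothing, so it is safe to re-run after an upgrade.
enable_sysctl_settings() {
    file="$1"
    printf '%s\n' "$KERIO_SYSCTL_SETTINGS" | while IFS='=' read -r key value; do
        [ -n "$key" ] || continue
        re="^[[:space:]]*#?[[:space:]]*$(escape_key "$key")[[:space:]]*="
        if grep -Eq "$re" "$file"; then
            # "sed -i" is not portable; write a temp file and move it in place
            sed -E "s|${re}.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
        else
            printf '%s=%s\n' "$key" "$value" >> "$file"
        fi
    done
}

# check_sysctl_settings FILE
# Exit 0 when every expected key is present, uncommented, with the expected
# value; otherwise list the offending keys on stderr and exit 1.
check_sysctl_settings() {
    file="$1"
    rc=0
    for setting in $KERIO_SYSCTL_SETTINGS; do
        key="${setting%%=*}"
        value="${setting#*=}"
        if ! grep -Eq "^[[:space:]]*$(escape_key "$key")[[:space:]]*=[[:space:]]*${value}[[:space:]]*$" "$file"; then
            echo "missing or wrong: $setting" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Typical use on the appliance (after the remount shown in the article):
#   enable_sysctl_settings /etc/sysctl.conf && check_sysctl_settings /etc/sysctl.conf
```

The file-based check only proves the configuration will be loaded on the next restart; after restarting Kerio Control, confirm the live values as well (for example by reading the corresponding entries under /proc/sys), since a typo in the file is silently skipped at boot.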
The following steps are workarounds for DDoS protection that can be performed from Kerio Control Webadmin or SSH:
Look up the IP location of the attackers to identify where they are, and add the countries into the Geo IP filter list.
To find the attackers' IP addresses, look in the Security log. In the examples below the attacker is the source address (22.214.171.124 and 126.96.36.199); x.x.x.x is the public address of your Kerio Control, i.e. the destination:
[01/Nov/2019 18:54:58] IPS: Port Scan, protocol: TCP, source: 22.214.171.124, destination: x.x.x.x,
[01/Nov/2019 18:55:20] IPS: Packet drop, severity: Blacklist, Rule ID: 1:2402000 ET DROP Dshield Block Listed Source group 1, proto:TCP, ip/port:126.96.36.199:47834 -> x.x.x.x:37980
Disconnect Kerio Control for 20-30 minutes so that attackers will be redirected to a different target.
Create an IP address group containing the attackers' IPv4 addresses or networks and use it as the source in a traffic rule that drops the unwanted traffic.
Increase the Connection limits.
- Decrease the DefaultTcpTimeout variable to reduce the TCP timeout for sessions without a keep-alive:
- Log in via SSH.
- Run the following command:
/opt/kerio/winroute/tinydbclient "update Firewall set DefaultTcpTimeout=10"
Note: The default TCP timeout value is 40, and it should be modified only as a last resort. If you experience any issues after this modification, re-set the value to the default (40).
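To turn the Security log lines quoted above into the address list the IP address group step needs, here is a small POSIX shell helper. It is an added example, not part of the Kerio Control article: it reads log text on stdin, recognises the two IPS line shapes shown above (the "source:" field of a Port Scan entry and the left-hand address of an "ip/port:SRC:PORT -> DST:PORT" Packet drop entry), counts hits per source and prints the sources that exceed a threshold. The sample log is constructed for the example and uses RFC 5737 documentation addresses; it is not data from the page.

```shell
#!/bin/sh
# Added example, not part of the Kerio Control KB article: extract the attacking
# source addresses from Security log lines of the two shapes the article quotes
# (IPS "Port Scan" with a "source:" field, and IPS "Packet drop" with
# "ip/port:SRC:PORT -> DST:PORT"), count them, and produce a list for an IP
# address group. The log text is constructed for this example and uses
# documentation addresses (RFC 5737), not real attackers.

SAMPLE_SECURITY_LOG='[01/Nov/2019 18:54:58] IPS: Port Scan, protocol: TCP, source: 203.0.113.10, destination: 198.51.100.1,
[01/Nov/2019 18:55:20] IPS: Packet drop, severity: Blacklist, Rule ID: 1:2402000 ET DROP Dshield Block Listed Source group 1, proto:TCP, ip/port:203.0.113.25:47834 -> 198.51.100.1:37980
[01/Nov/2019 18:55:21] IPS: Packet drop, severity: Blacklist, Rule ID: 1:2402000 ET DROP Dshield Block Listed Source group 1, proto:TCP, ip/port:203.0.113.10:47835 -> 198.51.100.1:37981
[01/Nov/2019 18:56:02] Connection limit: host 203.0.113.99 exceeded the limit (constructed non-IPS line, ignored)'

# attacker_sources: read Security log lines on stdin, print "HITS SOURCE_IP",
# most frequent first. Only IPS lines are used; in the "ip/port:" form only the
# address left of " -> " (the sender) is taken. The right-hand side is the
# firewall's own address and must never end up in the block list.
attacker_sources() {
    grep ' IPS: ' | sed -En \
        -e 's|.*source: ([0-9.]+),.*|\1|p' \
        -e 's|.*ip/port:([0-9.]+):[0-9]+ -> .*|\1|p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# blocklist [MIN_HITS]: one address per line for every source seen at least
# MIN_HITS times (default 1), ready to paste into an IP address group that a
# traffic rule then drops. The threshold keeps a single stray port scan from
# blocking a host for good.
blocklist() {
    min="${1:-1}"
    attacker_sources | awk -v min="$min" '$1 >= min { print $2 }'
}

# Stand-alone demo over the constructed sample; on the appliance feed the
# exported Security log text instead.
printf '%s\n' "$SAMPLE_SECURITY_LOG" | attacker_sources
```

Before adding the resulting addresses to a blocking rule, check them against your own address ranges and those of your upstream provider: a spoofed SYN flood can carry any source address, and blocking a forged address blocks whoever really owns it.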