secubox-openwrt/DOCS/DDOS-PROTECTION.md
CyberMind-FR c69ae43961 feat(interceptor,ddos): Add Insider WAF pillar and DDoS hardening profile
InterceptoR Insider WAF (6th pillar):
- RPCD: get_insider_waf_status() tracking LAN client threats
- Dashboard: 🔒 Insider WAF card with threat stats
- CrowdSec scenarios for insider threats:
  - C2 beacon, exfiltration, DNS tunneling, lateral movement
  - Cryptominer, IoT botnet, suspicious TLDs, high volume

DDoS Protection Hardening:
- Config Advisor: 8 DDoS checks (SYN cookies, conntrack, RP filter,
  ICMP rate, CrowdSec http-dos, HAProxy maxconn, mitmproxy WAF, Vortex)
- ANSSI rules: New "ddos" category with remediation steps
- Documentation: DOCS/DDOS-PROTECTION.md with full guide

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-12 10:46:16 +01:00


SecuBox DDoS Protection Guide

SecuBox provides multi-layered DDoS protection suitable for home, SOHO, and SMB deployments. This document describes the protection mechanisms and configuration options.

Protection Layers Overview

| Layer | Component | Attack Types Mitigated |
|---|---|---|
| L3/L4 | OpenWrt Firewall | SYN flood, ICMP flood, IP spoofing |
| L4 | nftables/iptables | Connection floods, port scans |
| L4 | CrowdSec | Distributed attack detection |
| L7 | HAProxy | HTTP flood, slowloris, request bombing |
| L7 | mitmproxy WAF | Application-layer floods, bot attacks |
| DNS | Vortex Firewall | Botnet C2, DNS amplification |
| Intel | CrowdSec CAPI | Shared threat intelligence (50k+ nodes) |

Layer 3/4 Protection

SYN Flood Protection

OpenWrt's firewall can rate-limit inbound SYNs (`synflood_protect`, tuned with `synflood_rate` and `synflood_burst` in the same `defaults` section), and the kernel can answer the SYNs that get through with SYN cookies instead of reserving a listen-backlog entry for each half-open connection. These are two separate settings: the UCI option does not touch `tcp_syncookies`, which OpenWrt ships enabled and which the sysctl step of the checklist at the end of this guide persists explicitly.

```sh
# Check current status: 1 = SYN cookies on, 0 = off
cat /proc/sys/net/ipv4/tcp_syncookies

# Enable the firewall's SYN rate limit via UCI
uci set firewall.@defaults[0].synflood_protect='1'
uci commit firewall
/etc/init.d/firewall restart
```

Connection Tracking Limits

Every tracked flow, including each half-open SYN, occupies one conntrack entry. When the table is full the kernel drops new connections and logs `nf_conntrack: table full, dropping packet`, which is exactly what a SYN or UDP flood produces on a default-sized table. Raise the limit for high-traffic scenarios, but size it to the router's RAM (an entry costs on the order of 300 bytes, so 131072 entries can pin roughly 40 MB) and raise the conntrack hash size with it (conventionally a quarter of the maximum), otherwise lookups slow down as the table fills.

```sh
# Check current limits
cat /proc/sys/net/netfilter/nf_conntrack_max
cat /proc/sys/net/netfilter/nf_conntrack_count

# Increase limit (add to /etc/sysctl.conf)
echo "net.netfilter.nf_conntrack_max=131072" >> /etc/sysctl.conf
sysctl -p
```

Appending with `>>` adds a duplicate line every time the command is re-run, and the last line wins at boot. Edit the existing entry instead, or keep these settings in their own file under /etc/sysctl.d/, which OpenWrt's sysctl service applies at startup.

Anti-Spoofing (Reverse Path Filter)

Reverse path filtering drops packets whose source address is not routable back through the interface they arrived on, which removes most spoofed-source floods at the WAN. Mode 1 is strict; on multi-WAN or otherwise asymmetric routing it also drops legitimate traffic, in which case use mode 2 (loose). The kernel applies the higher of `conf/all/rp_filter` and the per-interface value, so an interface can be made stricter than `all` but not looser.

```sh
# Enable RP filter (1 = strict, 2 = loose)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Persist in /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter=1" >> /etc/sysctl.conf
```

ICMP Rate Limiting

These two settings throttle the ICMP the router itself sends, so the box cannot be used as a reflector; they do nothing about the volume of ICMP it receives, which a firewall rule has to drop. `icmp_ratelimit` is a token-bucket interval in milliseconds (1000 is the kernel default) and `icmp_msgs_per_sec` (default 1000) is the global per-second cap. Both apply only to the ICMP types listed in `icmp_ratemask`, which by default covers error messages (destination unreachable, time exceeded, parameter problem) and not Echo Reply, so neither bounds replies to a ping flood unless the mask is extended to include type 0.

```sh
# Limit ICMP error responses the router generates (reflection, not inbound volume)
echo 1000 > /proc/sys/net/ipv4/icmp_ratelimit
echo 50 > /proc/sys/net/ipv4/icmp_msgs_per_sec
```

Drop Invalid Packets

Packets that conntrack cannot match to a known flow (stray ACKs, RSTs, out-of-window segments) are dropped before they reach the rule set, which also disposes of ACK-flood noise cheaply.

```sh
uci set firewall.@defaults[0].drop_invalid='1'
uci commit firewall
/etc/init.d/firewall restart
```

CrowdSec Protection

CrowdSec provides behavior-based detection and collaborative threat intelligence.

Install DDoS Collections

```sh
# HTTP flood detection
cscli collections install crowdsecurity/http-dos

# Base HTTP attack detection
cscli collections install crowdsecurity/base-http-scenarios

# Nginx/HAProxy specific
cscli collections install crowdsecurity/nginx
cscli collections install crowdsecurity/haproxy

# Restart to apply
/etc/init.d/crowdsec restart
```

A collection only detects what it can read: its parsers need the matching log file declared in /etc/crowdsec/acquis.yaml, so install the nginx and haproxy collections only for proxies that actually run on the box and write access logs.

CrowdSec Scenarios for DDoS

| Scenario | Description | Ban Duration |
|---|---|---|
| crowdsecurity/http-dos-switching-ua | Rapid user-agent switching | 4h |
| crowdsecurity/http-generic-bf | Generic HTTP bruteforce | 4h |
| crowdsecurity/http-slow-bf | Slowloris-style attacks | 4h |
| crowdsecurity/http-crawl-non_statics | Aggressive crawling | 4h |

The 4h ban is the default decision duration set by the profile in /etc/crowdsec/profiles.yaml, not a property of the scenario; adjust it there if the threshold triggers on legitimate shared-IP traffic.

View Active Protections

```sh
# List installed scenarios
cscli scenarios list

# View active decisions (bans)
cscli decisions list

# View real-time metrics
cscli metrics
```

HAProxy Rate Limiting

HAProxy provides connection and request rate limiting for published services.

Global Connection Limits

Add to /etc/haproxy/haproxy.cfg. The global `maxconn` is the process-wide ceiling; the one in `defaults` applies to each frontend separately, so the sum of the frontends must stay below the global value or the process limit, not the per-frontend limit, is what bites first. Short client and server timeouts free slots held by slow or idle clients.

```haproxy
global
    maxconn 4096

defaults
    maxconn 2000
    timeout connect 5s
    timeout client 30s
    timeout server 30s
```

Per-Backend Rate Limiting

```haproxy
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/

    # Rate limit: 100 requests/10s per IP
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

    # Slow down aggressive clients
    http-request tarpit if { sc_http_req_rate(0) gt 50 }
```

Rule order matters: the deny rule runs first, so clients above 100 requests per 10 s get an immediate 429 and only the 51-100 band is tarpitted. A tarpitted request holds its connection for `timeout tarpit` (which defaults to `timeout connect` when unset) and keeps occupying a frontend slot, so against a distributed flood a plain deny protects `maxconn` better than a tarpit. The table is keyed on `src`: if the frontend sits behind Cloudflare or another reverse proxy, `src` is the proxy's edge address and every client behind it shares one counter, so the key has to be taken from the forwarded client address (CF-Connecting-IP or PROXY protocol) before the track rule.

Connection Queue (Absorb Spikes)

```haproxy
backend myapp
    server app1 192.168.255.1:8080 maxconn 100 maxqueue 500
```

With 100 connections active the next 500 requests wait in the server's queue; beyond that HAProxy fails them fast (503 when no other server can take them) instead of letting them pile up. Set `timeout queue` so queued clients do not hang for the full client timeout.

mitmproxy L7 WAF

mitmproxy inspects HTTP/HTTPS traffic and detects application-layer attacks.

Flood Detection

The secubox_analytics.py addon detects:

  • Request rate spikes per IP
  • Abnormal request patterns
  • Bot signatures
  • Automated scanning tools

Enable WAF

```sh
# Start mitmproxy container
/etc/init.d/mitmproxy start

# Check status
mitmproxyctl status
```

View Detected Threats

```sh
# Recent threats
tail -f /srv/mitmproxy/threats.log

# Threat statistics
mitmproxyctl stats
```

Vortex DNS Firewall

Vortex blocks known botnet C2 domains and malware distribution sites at the DNS level.

Enable Protection

```sh
# Update threat intelligence feeds
vortex-firewall intel update

# Start protection
vortex-firewall start

# Check stats
vortex-firewall stats
```

Blocked Categories

  • Malware distribution domains
  • Botnet C2 servers (Mirai, Gafgyt, etc.)
  • Phishing domains
  • Cryptominer pools

InterceptoR Insider WAF

The InterceptoR Insider WAF detects DDoS participation from compromised LAN devices:

  • C2 beacon detection - Identifies infected devices calling home
  • DNS tunneling - Detects data exfiltration via DNS
  • IoT botnet patterns - Mirai, Gafgyt, Mozi signatures
  • Cryptominer activity - Mining pool connections

Check Insider Threats

```sh
# View InterceptoR status
ubus call luci.interceptor status

# Check for insider threats in logs
grep "insider" /srv/mitmproxy/threats.log
```

Config Advisor DDoS Profile

Run the DDoS-specific compliance check:

```sh
# Run all checks including DDoS
config-advisorctl check

# Run DDoS checks only
config-advisorctl check --category ddos

# Auto-remediate DDoS issues
config-advisorctl remediate --category ddos
```

DDoS Check Rules

| Rule ID | Check | Severity |
|---|---|---|
| DDOS-001 | SYN cookies enabled | High |
| DDOS-002 | Connection tracking limit | Medium |
| DDOS-003 | CrowdSec http-dos installed | High |
| DDOS-004 | ICMP rate limiting | Medium |
| DDOS-005 | Reverse path filtering | High |
| DDOS-006 | HAProxy connection limits | Medium |
| DDOS-007 | mitmproxy WAF active | Medium |
| DDOS-008 | Vortex DNS firewall | Medium |

Limitations

SecuBox is designed for home/SMB scale. It cannot:

  • Absorb volumetric attacks larger than your WAN bandwidth
  • Provide Anycast/CDN distribution
  • Act as a scrubbing service

For Serious DDoS Protection

Consider adding upstream protection:

  1. Cloudflare - Free tier includes basic DDoS protection
  2. Cloudflare Spectrum - TCP/UDP proxy for non-HTTP services
  3. AWS Shield - If hosting on AWS
  4. OVH Anti-DDoS - If using OVH hosting

Hybrid Setup

Internet → Cloudflare (L3/L4/L7 scrubbing) → SecuBox (L7 WAF + insider detection)

This only holds if the origin is reachable solely through Cloudflare: restrict the published ports on the WAN zone to Cloudflare's published IP ranges, otherwise an attacker who learns the WAN address bypasses the scrubbing entirely. The proxies behind it then see Cloudflare edge addresses as the source, so HAProxy rate limits and CrowdSec decisions must key on the real client address that Cloudflare passes in the CF-Connecting-IP header, or they will throttle and ban the edge instead of the attacker.

Quick Hardening Checklist

```sh
# 1. Enable firewall protections
uci set firewall.@defaults[0].synflood_protect='1'
uci set firewall.@defaults[0].drop_invalid='1'
uci commit firewall

# 2. Install CrowdSec DDoS collection
cscli collections install crowdsecurity/http-dos

# 3. Persist kernel protections (icmp_ratelimit=1000 is the kernel default,
#    listed so the setting is explicit; re-running this appends duplicates,
#    so prefer a dedicated file under /etc/sysctl.d/)
cat >> /etc/sysctl.conf << 'EOF'
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_ratelimit=1000
net.netfilter.nf_conntrack_max=131072
EOF
sysctl -p
```

# 4. Start Vortex DNS firewall
vortex-firewall intel update
vortex-firewall start

# 5. Verify with Config Advisor
config-advisorctl check --category ddos
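The Layer 3/4 section and this checklist both set the same kernel knobs with `echo ... >>` and `sysctl -p`, which is neither re-runnable nor verifiable. The script below is an added example, not SecuBox code and not what `config-advisorctl` does: it applies the guide's values, persists them without duplicate lines, and audits them in the spirit of DDOS-001, DDOS-002, DDOS-004 and DDOS-005, plus a conntrack-headroom check of its own. `PROC_ROOT`, `SYSCTL_FILE`, the threshold values and the `fake_proc_tree` helper (a constructed stand-in for /proc/sys) are this example's assumptions.

```sh
#!/bin/sh
# Added example (not SecuBox code): apply, persist and audit the kernel-side
# DDoS settings this guide uses. PROC_ROOT and SYSCTL_FILE default to the
# live system and are overridable so the functions can run against a fake
# tree; the thresholds in audit_ddos are this example's choices.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"
SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.d/99-ddos.conf}"

# net.ipv4.tcp_syncookies -> $PROC_ROOT/net/ipv4/tcp_syncookies
sysctl_path() { printf '%s/%s\n' "$PROC_ROOT" "$(printf '%s' "$1" | tr . /)"; }

# Running value, or empty when the key is absent (e.g. nf_conntrack_* before
# the conntrack module is loaded).
sysctl_get() { cat "$(sysctl_path "$1")" 2>/dev/null; }

# Set the running value (same effect as sysctl -w); needs root on a real box.
sysctl_apply() { printf '%s\n' "$2" > "$(sysctl_path "$1")"; }

# Persist key=value, replacing an existing line instead of appending a
# duplicate: with '>>' the last line wins at boot, so an older, weaker value
# appended later would silently undo the stricter one.
sysctl_persist() {
    mkdir -p "$(dirname "$SYSCTL_FILE")" && touch "$SYSCTL_FILE"
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    if grep -q "^${esc}=" "$SYSCTL_FILE"; then
        sed "s|^${esc}=.*|$1=$2|" "$SYSCTL_FILE" > "$SYSCTL_FILE.tmp" \
            && mv "$SYSCTL_FILE.tmp" "$SYSCTL_FILE"
    else
        printf '%s=%s\n' "$1" "$2" >> "$SYSCTL_FILE"
    fi
}

# Integer percentage of the conntrack table in use.
conntrack_pct() { echo $(( $1 * 100 / $2 )); }

# Apply and persist the guide's values in one pass (safe to re-run).
harden() {
    for kv in net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.rp_filter=1 \
              net.ipv4.icmp_msgs_per_sec=50 net.netfilter.nf_conntrack_max=131072; do
        sysctl_apply "${kv%%=*}" "${kv#*=}" && sysctl_persist "${kv%%=*}" "${kv#*=}"
    done
}

# One FAIL line per problem and return 1; return 0 when everything passes.
# rp_filter=2 (loose) is accepted because strict mode breaks multi-WAN and
# asymmetric routing; the 80% conntrack headroom rule is this example's.
audit_ddos() {
    rc=0
    [ "$(sysctl_get net.ipv4.tcp_syncookies)" = 1 ] || { echo "FAIL tcp_syncookies off"; rc=1; }
    rpf=$(sysctl_get net.ipv4.conf.all.rp_filter)
    [ "$rpf" = 1 ] || [ "$rpf" = 2 ] || { echo "FAIL rp_filter=${rpf:-unset}"; rc=1; }
    msgs=$(sysctl_get net.ipv4.icmp_msgs_per_sec)
    [ "${msgs:-1000}" -le 100 ] || { echo "FAIL icmp_msgs_per_sec=${msgs:-default}"; rc=1; }
    max=$(sysctl_get net.netfilter.nf_conntrack_max)
    cnt=$(sysctl_get net.netfilter.nf_conntrack_count)
    [ "${max:-0}" -ge 65536 ] || { echo "FAIL nf_conntrack_max=${max:-unset}"; rc=1; }
    [ "$(conntrack_pct "${cnt:-0}" "${max:-1}")" -lt 80 ] \
        || { echo "FAIL conntrack table ${cnt}/${max} over 80% full"; rc=1; }
    return $rc
}

# Constructed stand-in for /proc/sys with weak defaults, for offline runs.
fake_proc_tree() {
    for kv in net.ipv4.tcp_syncookies=0 net.ipv4.conf.all.rp_filter=0 \
              net.ipv4.icmp_msgs_per_sec=1000 net.netfilter.nf_conntrack_max=16384 \
              net.netfilter.nf_conntrack_count=15000; do
        p="$1/$(printf '%s' "${kv%%=*}" | tr . /)"
        mkdir -p "$(dirname "$p")" && printf '%s\n' "${kv#*=}" > "$p"
    done
}

case "${1:-}" in
    harden) harden ;;
    audit)  audit_ddos ;;
    demo)   d=$(mktemp -d); fake_proc_tree "$d"; PROC_ROOT=$d; SYSCTL_FILE=$d/99-ddos.conf
            audit_ddos; harden && echo "--- after harden ---" && audit_ddos && echo OK; rm -rf "$d" ;;
esac
```

`sh ddos-sysctl.sh demo` runs the whole cycle against the fake tree; on the router, `sh ddos-sysctl.sh harden` as root applies the values and writes /etc/sysctl.d/99-ddos.conf, which OpenWrt's sysctl service re-applies at boot, and `sh ddos-sysctl.sh audit` exits non-zero with one line per failing check, which makes it usable from cron or as a pre-flight before publishing a service.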

Monitoring During Attack

```sh
# Real-time connection count
watch -n 1 'cat /proc/sys/net/netfilter/nf_conntrack_count'

# CrowdSec activity
watch -n 5 'cscli metrics'

# Active bans
cscli decisions list

# HAProxy stats (if enabled)
echo "show stat" | socat stdio /var/run/haproxy.sock
```

The HAProxy line needs `stats socket /var/run/haproxy.sock` in the `global` section of haproxy.cfg and the socat package (`opkg install socat`), which is not part of a default OpenWrt image. A conntrack count climbing toward `nf_conntrack_max` while `dmesg` reports `nf_conntrack: table full, dropping packet` is the signature of a flood the table cannot absorb.

# mitmproxy threats
tail -f /srv/mitmproxy/threats.log
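Watching the raw counter tells you the table is filling but not who is filling it. The following is an added example, not SecuBox tooling: it parses /proc/net/nf_conntrack to rank sources by flow count and to measure what share of TCP flows are still half-open (SYN_RECV), then prints, without executing, `cscli decisions add` commands for the worst offenders. `CT_FILE`, the function names, the sample table written by `sample_table` (constructed, not a real capture) and the "3 flows" threshold used in the demo are this example's assumptions.

```sh
#!/bin/sh
# Added example (not SecuBox code): triage the conntrack table while a flood
# is in progress. CT_FILE defaults to the live table; point it at a saved
# copy (cp /proc/net/nf_conntrack /tmp/ct.txt) to analyse after the fact.
CT_FILE="${CT_FILE:-/proc/net/nf_conntrack}"

# Top N sources by flow count. Only the first src= of each line (the
# original direction) is counted, so the NAT reply tuple is not counted
# twice. Output: "<flows> <ip>", busiest first.
top_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); c[$i]++; break } }
         END { for (ip in c) print c[ip], ip }' "${1:-$CT_FILE}" | sort -rn | head -n "${2:-10}"
}

# Percentage of TCP flows still in SYN_RECV. Near 0 on a healthy router;
# tens of percent while nf_conntrack_count climbs means a SYN flood the
# syncookie path is not absorbing (that reading is this example's).
half_open_pct() {
    awk '$3 == "tcp" { t++; if ($6 == "SYN_RECV") h++ }
         END { print (t ? int(h * 100 / t) : 0) }' "${1:-$CT_FILE}"
}

# Print (never run) a CrowdSec manual ban for each source above $2 flows.
# Read the list before piping it to sh: a NAT gateway or CDN egress shared
# by many users looks exactly like one aggressive client.
suggest_bans() {
    top_sources "$1" 1000000 | awk -v lim="$2" '$1 > lim {
        printf "cscli decisions add --ip %s --duration 4h --reason \"flood: %s flows\"\n", $2, $1 }'
}

# Constructed sample (not a real capture): one host holding three half-open
# connections to the published HTTPS service next to ordinary LAN traffic.
sample_table() {
    cat > "$1" <<'EOF'
ipv4     2 tcp      6 117 SYN_RECV src=203.0.113.5 dst=192.0.2.1 sport=51515 dport=443 [UNREPLIED] src=192.0.2.1 dst=203.0.113.5 sport=443 dport=51515 mark=0 use=2
ipv4     2 tcp      6 118 SYN_RECV src=203.0.113.5 dst=192.0.2.1 sport=51516 dport=443 [UNREPLIED] src=192.0.2.1 dst=203.0.113.5 sport=443 dport=51516 mark=0 use=2
ipv4     2 tcp      6 119 SYN_RECV src=203.0.113.5 dst=192.0.2.1 sport=51517 dport=443 [UNREPLIED] src=192.0.2.1 dst=203.0.113.5 sport=443 dport=51517 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=192.0.2.1 sport=40000 dport=443 src=192.0.2.1 dst=192.168.1.20 sport=443 dport=40000 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.168.1.21 dst=1.1.1.1 sport=5353 dport=53 src=1.1.1.1 dst=192.168.1.21 sport=53 dport=5353 mark=0 use=2
EOF
}

case "${1:-}" in
    demo) f=$(mktemp); sample_table "$f"
          echo "half-open: $(half_open_pct "$f")%"; top_sources "$f" 3; suggest_bans "$f" 2
          rm -f "$f" ;;
esac
```

`sh ct-triage.sh demo` exercises the functions on the sample; during a real incident run `top_sources` and `half_open_pct` with no arguments against the live table, and only feed `suggest_bans` to the shell after checking that the top entries are not a shared gateway or the Cloudflare edge in the hybrid setup above.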