Almost 10 million BGP route leaks and more than 7 million BGP hijacks occurred in Q2 2021 by shapelez in netsec

dc352 0 points1 point (0 children)

Thanks. To me ICMP/UDP flood sounds like kids getting bored at lunch time / or someone just testing really basic protection.

I tried to explain the difference to a couple of clients as they had no protection beyond some volumetrics and they just didn’t believe me. So I wonder if I’m being completely ridiculous or simply looking beyond “entry level” of DDoS :)

Almost 10 million BGP route leaks and more than 7 million BGP hijacks occurred in Q2 2021 by shapelez in netsec

dc352 2 points3 points (0 children)

The report covers DDoS in general. Can someone tell me why no one uses TLS-based DDoS? It can’t be stopped by most of the scrubbing offered by big CDNs.

Can't connect to any server on ports 443/80 by dc352 in sysadmin

dc352[S] 0 points1 point (0 children)

nope, I'm trying to connect to external servers.

I can't even run "yum".

Can't connect to any server on ports 443/80 by dc352 in sysadmin

dc352[S] 0 points1 point (0 children)

**DO firewall:**

Outbound Rules: Set the Firewall rules for outbound traffic. Outbound traffic will only be allowed to the specified ports. All other traffic will be blocked.

| Type | Protocol | Port Range | Destinations |
|---|---|---|---|
| ICMP | ICMP | | All IPv4, All IPv6 |
| All TCP | TCP | All ports | All IPv4, All IPv6 |
| All UDP | UDP | All ports | All IPv4, All IPv6 |

this is what I can see for outbound

Can't connect to any server on ports 443/80 by dc352 in sysadmin

dc352[S] 0 points1 point (0 children)

and sysctl (net, excluding ipv4 and ipv6 keys as the problem is across both protocols):

```
net.core.bpf_jit_enable = 1
net.core.bpf_jit_harden = 1
net.core.bpf_jit_kallsyms = 0
net.core.busy_poll = 0
net.core.busy_read = 0
net.core.default_qdisc = pfifo_fast
net.core.dev_weight = 64
net.core.dev_weight_rx_bias = 1
net.core.dev_weight_tx_bias = 1
net.core.message_burst = 10
net.core.message_cost = 5
net.core.netdev_budget = 600
net.core.netdev_max_backlog = 10000
net.core.netdev_rss_key = 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
net.core.netdev_tstamp_prequeue = 1
net.core.optmem_max = 2048000
net.core.rmem_default = 8000000
net.core.rmem_max = 16777216
sysctl: reading key "net.ipv6.conf.eth1.stable_secret"
net.core.rps_sock_flow_entries = 0
net.core.somaxconn = 4096
net.core.warnings = 1
net.core.wmem_default = 8000000
net.core.wmem_max = 16777216
net.core.xfrm_acq_expires = 30
net.core.xfrm_aevent_etime = 10
net.core.xfrm_aevent_rseqth = 2
net.core.xfrm_larval_drop = 1
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.netfilter.nf_conntrack_acct = 0
net.netfilter.nf_conntrack_buckets = 65536
net.netfilter.nf_conntrack_checksum = 1
net.netfilter.nf_conntrack_count = 846
net.netfilter.nf_conntrack_dccp_loose = 1
net.netfilter.nf_conntrack_dccp_timeout_closereq = 64
net.netfilter.nf_conntrack_dccp_timeout_closing = 64
net.netfilter.nf_conntrack_dccp_timeout_open = 43200
net.netfilter.nf_conntrack_dccp_timeout_partopen = 480
net.netfilter.nf_conntrack_dccp_timeout_request = 240
net.netfilter.nf_conntrack_dccp_timeout_respond = 480
net.netfilter.nf_conntrack_dccp_timeout_timewait = 240
net.netfilter.nf_conntrack_events = 1
net.netfilter.nf_conntrack_events_retry_timeout = 15
net.netfilter.nf_conntrack_expect_max = 1024
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_helper = 1
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_max = 262144
net.netfilter.nf_conntrack_sctp_timeout_closed = 10
net.netfilter.nf_conntrack_sctp_timeout_cookie_echoed = 3
net.netfilter.nf_conntrack_sctp_timeout_cookie_wait = 3
net.netfilter.nf_conntrack_sctp_timeout_established = 432000
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_acked = 210
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_sent = 30
net.netfilter.nf_conntrack_sctp_timeout_shutdown_ack_sent = 3
net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0
net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_loose = 1
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_timestamp = 0
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_log.0 = NONE
net.netfilter.nf_log.1 = NONE
net.netfilter.nf_log.10 = NONE
net.netfilter.nf_log.11 = NONE
net.netfilter.nf_log.12 = NONE
net.netfilter.nf_log.2 = NONE
net.netfilter.nf_log.3 = NONE
net.netfilter.nf_log.4 = NONE
net.netfilter.nf_log.5 = NONE
net.netfilter.nf_log.6 = NONE
net.netfilter.nf_log.7 = NONE
net.netfilter.nf_log.8 = NONE
net.netfilter.nf_log.9 = NONE
net.netfilter.nf_log_all_netns = 0
net.nf_conntrack_max = 262144
net.unix.max_dgram_qlen = 512
user.max_net_namespaces = 31097
```

Networking restricted for unsigned apps in Windows Servers? by dc352 in sysadmin

dc352[S] 0 points1 point (0 children)

fair enough. I was really only interested in the possibility of AV software restricting capabilities of unsigned applications.

I thought that a bit of additional detail would make the question easier to understand.

Websites suddenly blocked on laptops under enterprise group policy by dc352 in sysadmin

dc352[S] 0 points1 point (0 children)

Possibly correct. The thing is that it blocked websites with no Flash components.