
IPS Leaking backend IPs


OctoDev


1 minute ago, aaabe4d31bb said:

@Charles you are in the lucky position to be able to block at AWS router level using their firewall. Many providers do not have a firewall, so instead you will have to block using iptables, which makes the whole thing useless as the packet already arrived at your server...

As a large forum owner myself, being forced to go through the spaghetti code to find one of the many IP leaks was the hard thing I had to learn.

If you have a very big forum and suffer from DDoS attacks, you need to get a host that has dedicated anti-DDoS protection at layer 4. Simple as that.

Relying on iptables in that case is not reasonable.

Just now, Jimmy Gavekort said:

Most providers don't, they resell and are not able to configure it. You can't expect everyone to host from Amazon :) 

If I was worried about attacks I would sort of insist my provider had some sort of security in place. Being wide-open would be awful.

We just started using Amazon a couple months ago. Our old provider had firewalls too. They aren't exactly a new concept :) 


1 minute ago, Jimmy Gavekort said:

Most providers don't, they resell and are not able to configure it. You can't expect everyone to host from Amazon :) 

I actually rent from 'soyoustart.com', which is OVH. No firewall to block/open/whatever at network/router level.

OVH have a good anti-DDoS system controlled by them. And if I'm not mistaken, you can buy a dedicated router for DDoS.


1 minute ago, Charles said:

If I was worried about attacks I would sort of insist my provider had some sort of security in place. Being wide-open would be awful.

We just started using Amazon a couple months ago. Our old provider had firewalls too. They aren't exactly a new concept :) 

Yeah, but we are getting away from the point. You can't just tell your customers to buy better hosting :)

We expect help with what we've got and can afford. An option to add a proxy service would do this.

Just now, RevengeFNF said:

OVH have a good anti-DDoS system controlled by them. And if I'm not mistaken, you can buy a dedicated router for DDoS.

They have good protection, but it can be taken down by specific types of attacks :)


Jimmy, server config is not my forte -- but could you block the outgoing requests from your server instead? Nip it in the bud. All of that functionality would be affected, but that would seem to achieve your goal. I assume IPS can handle failed requests without falling apart.


My dream

[screenshot: HAVecgy.png]

<3


1 minute ago, Ryan H. said:

Jimmy, server config is not my forte -- but could you block the outgoing requests from your server instead? Nip it in the bud. All of that functionality would be affected, but that would seem to achieve your goal. I assume IPS can handle failed requests without falling apart.

Blocking outgoing connections would end up blocking all images, or basically everything, from working, from what I know lol; without outgoing connections your server can't send data to Cloudflare or the visitor.


2 minutes ago, RevengeFNF said:

If you have so many attacks, it's because your forum is big and you make a lot of profit. That kind of attack costs money. An attack of 100Gbps is not free, unless you own a very big botnet.

But like I said, I think you can buy a dedicated router from them.

Again, it's not about what provider or what you can do. It's that we want to use CloudFlare, or reverse proxies, to do all this for us. :) (Which already works for massive forums.)

I am for sure wording a lot wrong here and causing misunderstanding. I don't expect CloudFlare to protect me against hacking of any kind. I'm talking about preventing attacks. If they are stuck with your CloudFlare IP, then they can't DDoS you layer-4 wise or attempt to 'root' you via your origin IP.


7 minutes ago, Jimmy Gavekort said:

Yeah, but we are getting away from the point. You can't just tell your customers to buy better hosting :)

I hate to go there, but yes, they can. Just because one can only afford bottom-barrel shared hosting with only PHP 5.3 available does not mean the script is supported therein, for example. The larger one's site, the more one is going to have to put in for hosting. Simple fact.


Ok well I am done discussing. @Lindy said they will put it to consideration, I hope so at least. An option like

[screenshot: HAVecgy.png]

Would do the job for me.


I am stuck to what I've been saying the entire time, not everyone can afford expensive hosts - firewalls or whatever. I know many IPS users that use shared web hosting, and CloudFlare. That's their only solution.


4 minutes ago, Jimmy Gavekort said:

Blocking outgoing connections would end up blocking all images, or basically everything, from working, from what I know lol; without outgoing connections your server can't send data to Cloudflare or the visitor.

Well, yeah -- you would allow known traffic sources through. Tracking those down could be a bear, but if it's that vs a completely broken site...? Since you're behind Cloudflare, though, you would only have that (plus misc other services -- email, whatever) to worry about. Right? Visitors aren't connecting directly, or they'd have the IP.

CloudFlare has a large range of IPs, I'm sure, so easier said than done.


1 minute ago, Ryan H. said:

Well, yeah -- you would allow known traffic sources through. Tracking those down could be a bear, but if it's that vs a completely broken site..?. Since you're behind cloudflare, though, you would only have that (plus misc other services--email, whatever) to worry about. Right? Visitors aren't connecting directly, or they'd have the IP.

CloudFlare has a large range of IPs, I'm sure, so easier said than done.

It's possible to only allow Cloudflare to access your site; that's what I've been doing with iptables, but iptables won't stop attacks. You'd have to do it at a router/network level.

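The ingress allowlist Jimmy describes, as an added example that is not from any poster in this thread: a POSIX shell function that turns Cloudflare's published IPv4 list (https://www.cloudflare.com/ips-v4) into iptables rules admitting HTTP/HTTPS only from those ranges. It only prints the rules, so they can be reviewed before being applied; the chain name CF_ORIGIN is my choice, and the sample ranges in the usage comment are illustrative, not a substitute for the live list.

```shell
#!/bin/sh
# Added example: generate iptables rules that accept TCP 80/443 only from the
# CIDRs read on stdin (one per line) and drop the rest. This decides what the
# kernel discards; it does nothing against volumetric floods that saturate the
# link before the packet reaches the box, which is the thread's caveat.

# cf_rules: read CIDRs on stdin, emit iptables commands on stdout.
# Returns 1 (and emits nothing further) on the first malformed line, so a
# corrupted download never produces a half-built ruleset.
cf_rules() {
    echo "iptables -N CF_ORIGIN 2>/dev/null || iptables -F CF_ORIGIN"
    while IFS= read -r cidr; do
        # skip blank lines and comments
        case "$cidr" in
            ''|'#'*) continue ;;
        esac
        # rough shape check: dotted quad followed by /prefix
        echo "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' \
            || { echo "cf_rules: bad cidr '$cidr'" >&2; return 1; }
        echo "iptables -A CF_ORIGIN -s $cidr -j ACCEPT"
    done
    echo "iptables -A CF_ORIGIN -j DROP"
    # hook the chain in front of the web ports only; SSH etc. are untouched
    echo "iptables -I INPUT -p tcp -m multiport --dports 80,443 -j CF_ORIGIN"
}

# Usage on a real origin (as root), after reviewing the output once:
#   curl -s https://www.cloudflare.com/ips-v4 | cf_rules | sh
# Dry run with constructed input (sample ranges, illustrative only):
#   printf '173.245.48.0/20\n103.21.244.0/22\n' | cf_rules
```

Re-run it whenever Cloudflare changes its list, and add the IPv6 list the same way if the origin listens on IPv6.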

22 minutes ago, Jimmy Gavekort said:

I am stuck to what I've been saying the entire time, not everyone can afford expensive hosts - firewalls or whatever. I know many IPS users that use shared web hosting, and CloudFlare. That's their only solution.

I feel like I have to note that's not what people have been saying at all. Not an expensive host, a good host. Not having a firewall when you are a target is unimaginable. Even a $10/month VPS on a good host not overselling will have a firewall. Considering you are ponying out 200 a month for Cloudflare's pseudo-anti-DoS, it's literally peanuts in comparison for real security.


34 minutes ago, Jimmy Gavekort said:

Ok well I am done discussing. @Lindy said they will put it to consideration, I hope so at least. An option like

[screenshot: HAVecgy.png]

Would do the job for me.


I am stuck to what I've been saying the entire time, not everyone can afford expensive hosts - firewalls or whatever. I know many IPS users that use shared web hosting, and CloudFlare. That's their only solution.

like

[screenshot: P-p.png]

I may be able to upload it to the marketplace, but I'm not sure. If I can't, it's a fairly straightforward plugin, which just hooks \IPS\Http\Request\Curl::__construct and runs curl_setopt($this->curl, CURLOPT_PROXY, \IPS\Settings::i()->curlProxy_url); after calling the parent (there's a bit more to my plugin than that, but that's all you need to get started).

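An added example of the hook Colonel_mortis describes; this is my own sketch, not his plugin and not IPS code. It assumes _HOOK_CLASS_ is the placeholder Invision Community substitutes for the hooked class when compiling a class hook, that curlProxy_url is a setting the plugin adds (host:port), and that the parent constructor's arguments can be forwarded unchanged, so nothing depends on its exact signature.

```php
//<?php
// Added example (not Colonel_mortis's plugin, not IPS code): an Invision
// Community 4 class hook on \IPS\Http\Request\Curl that sends every outgoing
// cURL request through the proxy named in the assumed setting curlProxy_url.
class hook_curlProxy extends _HOOK_CLASS_
{
    public function __construct( ...$args )
    {
        // Let IPS build the cURL handle first; $this->curl only exists after this.
        parent::__construct( ...$args );

        $proxy = trim( (string) \IPS\Settings::i()->curlProxy_url );

        if ( $proxy === '' )
        {
            // Fail closed: a request that went out directly is exactly the
            // origin-IP leak this thread is about. Replace the throw with a
            // plain return if you would rather fail open during setup.
            throw new \RuntimeException( 'curlProxy_url is not set; refusing direct outbound request' );
        }

        // Remote avatars, embedded images, API calls: the remote host now sees
        // the proxy's address, not the origin server's.
        curl_setopt( $this->curl, CURLOPT_PROXY, $proxy );

        // Empty the no-proxy list so no hostname (and no NO_PROXY environment
        // variable) lets a request bypass the proxy. Constant exists on PHP >= 7.3.
        if ( defined( 'CURLOPT_NOPROXY' ) )
        {
            curl_setopt( $this->curl, CURLOPT_NOPROXY, '' );
        }
    }
}
```

Test it against a proxy you control and confirm in the proxy's access log that fetches of a remote avatar arrive from the proxy before relying on it.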

44 minutes ago, Jimmy Gavekort said:

It's possible to only allow Cloudflare to access your site; that's what I've been doing with iptables, but iptables won't stop attacks. You'd have to do it at a router/network level.

I'm saying do it the other way around, only allow your server to access cloudflare.


I'm going to mark this as 'not planned' to avoid confusion... but I have raised this internally and what we will be willing to do: 

[screenshot: Posting_2016-02-16_16-57-08.png]

- Ensure that setting honors remote avatars, etc. if it doesn't already.

As far as external gateways/proxies - we're not interested in that, I'm afraid. An enterprising marketplace author may be able to sell an add-on for such purposes, but we wouldn't be eager to create, maintain or support it. 

So, what you need to do is either: 

- Disable remote images

- Procure hosting with proper edge protection and capacity that can incorporate ACLs to block traffic that doesn't come from your traffic scrubbing service (Incapsula, Cloudflare, etc.) to your origin(s).


1 hour ago, Lindy said:

I'm going to mark this as 'not planned' to avoid confusion... but I have raised this internally and what we will be willing to do: 

[screenshot: Posting_2016-02-16_16-57-08.png]

- Ensure that setting honors remote avatars, etc. if it doesn't already.

As far as external gateways/proxies - we're not interested in that, I'm afraid. An enterprising marketplace author may be able to sell an add-on for such purposes, but we wouldn't be eager to create, maintain or support it. 

So, what you need to do is either: 

- Disable remote images

- Procure hosting with proper edge protection and capacity that can incorporate ACLs to block traffic that doesn't come from your traffic scrubbing service (Incapsula, Cloudflare, etc.) to your origin(s).

Disabling 'allow remote images' will also not let the users post images in posts?

1 hour ago, Colonel_mortis said:

like

I may be able to upload it to the marketplace, but I'm not sure. If I can't, it's a fairly straightforward plugin, which just hooks \IPS\Http\Request\Curl::__construct and runs curl_setopt($this->curl, CURLOPT_PROXY, \IPS\Settings::i()->curlProxy_url); after calling the parent (there's a bit more to my plugin than that, but that's all you need to get started).

Cool, moderator from https://linustechtips.com :D


  • 3 months later...

This is not a responsibility for IPS. You can configure a proxy yourself at the machine level by using iptables and routing tables. (e.g. have a GRE tunnel to a protected host to/from your origin and tunnel outgoing port 80, 443 and SMTP connections through this GRE tunnel). This is difficult and these setups prove tricky, but quite frankly if you are skimping on proper DDoS protection this is your responsibility.

CloudFlare's free (and even Pro) packages are not catch-all solutions to DDoS attacks, and you need some protection for outgoing traffic too, even just to disguise or hide the origin IP. The easiest way, if you don't have experience with this, would be just to have a DDoS-protected origin in the first place.


One of my sites is currently hosted on a (very expensive) DDoS-protected network with 24/7 monitoring, and I can tell you from first-hand experience that every DDoS provider has a finite protection capacity, and without a doubt the single biggest problem is having your public IP exposed, regardless of whether you have DDoS protection or not. Firewalls have finite resources; it's simply a case of having a botnet large enough to exhaust it. Nobody is suggesting that this is a DDoS mitigation solution, but at the end of the day an attacker simply cannot target you with network-level attacks if they don't know your true IP address. That's a fact. They are consequently limited to layer 7 attacks, which can be mitigated at the application level.


Totally agree with @Callum MacGregor!

Blocking outgoing connections using ACLs is NOT suitable because it is too complicated. And even access to the IPS network could not be configured using them because of the too-wide range: 52.0.0.0/8, 54.0.0.0/8 and 50.28.0.0/16, which 'can change at any time'. Every plugin could have arbitrary resources to access, and so on. It is not suitable.

Security through obscurity is the first step to protection, definitely. The only real solution, using a proxy for outgoing connections, is too expensive. Especially for small communities and/or those which are run as a hobby. And we want from IPS the most simple thing: disable avatar uploading from URL and allow auto-embedding images per whitelist only. I don't understand why developers argue instead of making it.


Archived

This topic is now archived and is closed to further replies.
