Windows firewall

Ask questions about dedicated servers here and we and other users will do our best to answer them. Please also refer to the self-help section for tutorials and answers to the most commonly asked questions.
MrSpartan
New to forums
Posts: 11
Joined: Mon Feb 20, 2012 12:22 pm

Windows firewall

Post by MrSpartan »

Hey there,

I am wondering how to set up Windows Firewall on my dedicated machine safely, without locking me out essentially. A how-to guide would be appreciated.
Edge100x
Founder
Posts: 13129
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Windows firewall

Post by Edge100x »

In Windows 2008 R2, this is one way to turn on the firewall and then use it just for simple blocks of individual IPs/ports:
  1. Click "Start" and type in "Windows Firewall".
  2. Click "Windows Firewall with Advanced Security".
  3. Click "Windows Firewall Properties" in the middle section.
  4. Click the "Public Profile" tab.
  5. Choose "On" from the "Firewall state" menu.
  6. Choose "Allow" from the "Inbound connections" menu.
  7. Click "OK".
  8. Open a command prompt window by clicking "Start", entering "cmd", and clicking "cmd.exe".
  9. Type this command to clear out existing firewall entries:

     netsh advfirewall firewall delete rule name=all

  10. Type a command like this to block a certain IP:

     netsh advfirewall firewall add rule name="block 62.131.74.12" dir=in remoteip=62.131.74.12 action=block

     Or one like this to block a single attacking TCP port:

     netsh advfirewall firewall add rule name="block from port 1234" dir=in protocol=tcp remoteport=1234 action=block

     For more firewall options/examples, type:

     netsh advfirewall firewall add rule
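The steps above, scripted so they can be re-run and checked. This is an added example and not part of the thread or of any vendor documentation: it wraps the same netsh advfirewall commands in PowerShell, keeps the inbound default at "allow" exactly as step 6 does, creates an RDP allow rule for one administrator address before adding any block, and refuses to add a block entry that covers that administrator address (the original poster's lock-out concern). $AdminIp, $BlockList and $RdpPort are assumed/constructed values; the script avoids shift operators and PS 3.0 syntax so it also runs on the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example, not from the original thread: PowerShell wrapper around the
# netsh advfirewall commands from the post above. $AdminIp, $BlockList and
# $RdpPort are assumed/constructed values. Run from an elevated prompt.
param(
    [Parameter(Mandatory = $true)]
    [string]$AdminIp,                                            # the address you RDP in from
    [string[]]$BlockList = @('62.131.74.12', '203.0.113.0/24'),  # constructed sample entries
    [int]$RdpPort = 3389
)

function Invoke-Netsh {
    # Run one netsh command and surface failures instead of silently continuing.
    param([string[]]$NetshArgs, [switch]$IgnoreErrors)
    $out = & netsh.exe @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0 -and -not $IgnoreErrors) {
        throw "netsh $($NetshArgs -join ' ') failed: $out"
    }
}

function ConvertTo-UInt32 {
    # IPv4 dotted quad -> host-order integer (no shift operators needed).
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-Contains {
    # Does a block entry (a.b.c.d or a.b.c.d/n) cover the given address?
    param([string]$Entry, [string]$Ip)
    $parts  = $Entry -split '/'
    $prefix = if ($parts.Count -gt 1) { [int]$parts[1] } else { 32 }
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in $Entry" }
    $mask = [uint32](4294967296 - [math]::Pow(2, 32 - $prefix))
    $net  = ConvertTo-UInt32 $parts[0]
    $addr = ConvertTo-UInt32 $Ip
    (($net -band $mask) -eq ($addr -band $mask))
}

# Steps 1-7 of the post, non-interactively. The post sets only the Public
# profile; a dedicated server's NIC is not always in that profile, so this
# turns the firewall on for every profile. Inbound default stays "allow", so
# nothing is cut off at this point.
Invoke-Netsh @('advfirewall', 'set', 'allprofiles', 'state', 'on')
Invoke-Netsh @('advfirewall', 'set', 'allprofiles', 'firewallpolicy', 'allowinbound,allowoutbound')

# Safety net before any block: explicit allow for RDP from the admin address.
# It only becomes load-bearing if the inbound default is later switched to
# block, but creating it now means that later switch cannot lock you out.
Invoke-Netsh @('advfirewall', 'firewall', 'delete', 'rule', 'name=allow RDP from admin') -IgnoreErrors
Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', 'name=allow RDP from admin', 'dir=in',
               'action=allow', 'protocol=tcp', "localport=$RdpPort", "remoteip=$AdminIp")

# Block rules. Windows Firewall evaluates block rules ahead of allow rules,
# so the RDP allow above would NOT save you from a block that covers
# $AdminIp; the containment check below is what prevents that.
foreach ($entry in $BlockList) {
    if (Test-Contains -Entry $entry -Ip $AdminIp) {
        Write-Warning "Skipping ${entry}: it contains the admin address $AdminIp"
        continue
    }
    $name = "block $entry"
    Invoke-Netsh @('advfirewall', 'firewall', 'delete', 'rule', "name=$name") -IgnoreErrors   # makes re-runs idempotent
    Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', "name=$name", 'dir=in',
                   "remoteip=$entry", 'action=block')
}

# Show what is now in force so it can be checked before logging off.
& netsh.exe advfirewall show allprofiles
& netsh.exe advfirewall firewall show rule name=all dir=in
```

Usage: save as, for example, `Set-DediBlocks.ps1` and run `.\Set-DediBlocks.ps1 -AdminIp 198.51.100.10` from an elevated PowerShell on the server (198.51.100.10 is a placeholder for your own address). The script deliberately does not run the post's `delete rule name=all`: it removes and re-adds only the rules it owns by name, so any other rules on the machine survive a re-run.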
MrSpartan
New to forums
Posts: 11
Joined: Mon Feb 20, 2012 12:22 pm

Re: Windows firewall

Post by MrSpartan »

Looking to expand this for the sake of other users' benefit as well.

Basically my servers were being hit by a DDoS again, but the attack was not even that big. However, the problem lay in the fact that I could not, and cannot, remotely log into the dedicated machine to manually block IPs that I caught using Wireshark when the entire dedi is under an attack. If specific servers are being attacked, it is still possible for me to log into the dedi and mitigate the attack, but only temporarily. Needless to say, manually adding IPs is a laborious task, and not necessarily effective all the time. So my question is this. Is there a way to set up some filtering system, perhaps through Windows Firewall or some other similar program, that automatically blocks UDP packets that range over a certain value? I say UDP here, because it's the most common form of attack we receive. We do of course get some other protocols like QUAKE3 and so on, but UDP is the most common by far. If this is even possible, is there someone or somewhere that I can seek guidance from on how to do this? It would be greatly appreciated if so.

Thank you.
Edge100x
Founder
Posts: 13129
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Windows firewall

Post by Edge100x »

Can you post a sample of the malicious server traffic -- text lines as output by "windump"? It's interesting that you wouldn't be able to log in while the attack is in progress, and that makes me wonder whether you need to restrict RDP.

The Windows firewall does not allow blocking by length, and 3rd party firewalls are also not very good on Windows. Your best bet may be to continue blocking swaths of IP addresses. One 3rd party program designed for blocking lists of IPs is PeerBlock, and this might make it easier for you.
MrSpartan
New to forums
Posts: 11
Joined: Mon Feb 20, 2012 12:22 pm

Re: Windows firewall

Post by MrSpartan »

Guess I would need to wait for a DDoS to occur to get your sample, not to mention I'm unsure how I would get a windump when I wouldn't be able to connect remotely to the dedi?

If you like, I can post some screenshots of an earlier saved file I got from Wireshark, which was occurring during a DoS on a single server?
Edge100x
Founder
Posts: 13129
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Windows firewall

Post by Edge100x »

You could start the dump to a text file before the attack begins, then copy and paste the part of the text file with the attack traffic after the attack has ended and you've been able to log back in.

Wireshark output is less useful to me because it will not show us as much information in as condensed a form, but you can post it if you wish.
MrSpartan
New to forums
Posts: 11
Joined: Mon Feb 20, 2012 12:22 pm

Re: Windows firewall

Post by MrSpartan »

Trying to get a log file from windump for you, but can't seem to figure out how to do so. I installed both parts needed (WinPcap and WinDump) but I'm not sure what to do from there. Any command for windump that I put in the cmd line just isn't recognised. Also tried changing directory (cd) to it, but it wouldn't recognise it. If I click WinDump.exe, it will bring up a long list of packets being monitored, but I can't access them unless I can save them. Any idea what I'm not doing right?

Thanks.
MrSpartan
New to forums
Posts: 11
Joined: Mon Feb 20, 2012 12:22 pm

Re: Windows firewall

Post by MrSpartan »

A few pictures from wireshark, all from the same capture:

http://s134.photobucket.com/albums/q91/ ... t=dos1.png
http://s134.photobucket.com/albums/q91/ ... t=dos2.png
http://s134.photobucket.com/albums/q91/ ... t=dos3.png

Also, regardless of whether or not I manage to pull up something from WinDump, what can I do to get back onto the dedi during an attack? I just assumed the DDoS would lag out the dedi so nobody would be able to connect anyway?
Edge100x
Founder
Posts: 13129
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Windows firewall

Post by Edge100x »

If your attack is from a static group of IPs and is UDP, that's great. PeerBlock should work well in that case, if you can feed it your list of the attackers. If you don't have clients connecting from overseas, you could also put in large swaths of IPs to block whole countries using that software.

windump.exe is a command-line program, so you'll need to open up a command prompt window using Start->Run->cmd.exe (or the equivalent). "cd" to its folder and run it with "windump.exe -n", then hit control-C when you're done collecting data. To have it run continuously and output basic information to a text file, you can redirect it like this:

    windump.exe -n > output.txt

If your servers are busy or you're being attacked, however, this text file could fill up with data very quickly, so you may have to stop it and re-start it frequently (until you get the information you need).
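Once `output.txt` exists, the next question is what to do with it. The script below is an added example, not from the thread: it parses the text that `windump.exe -n` writes, counts UDP packets and bytes per source address aimed at the server, and prints the matching `netsh advfirewall` block commands from earlier in the thread for the noisiest sources so they can be reviewed before being run. The log lines, the server address `10.0.0.5`, the packet threshold and the never-block list are all constructed for the example; the line format assumed is the `IP src.port > dst.port: UDP, length N` form that tcpdump/WinDump print with `-n`.

```powershell
# Added example, not from the original thread: summarise "windump.exe -n"
# text output per UDP source and emit netsh block commands for review.
# Sample lines, server address and thresholds are constructed.
$serverIp  = '10.0.0.5'    # assumed: the dedi's own address
$sampleLog = @'
12:00:01.000100 IP 62.131.74.12.40001 > 10.0.0.5.27015: UDP, length 1400
12:00:01.000250 IP 62.131.74.12.40002 > 10.0.0.5.27015: UDP, length 1400
12:00:01.000400 IP 62.131.74.12.40003 > 10.0.0.5.27015: UDP, length 1400
12:00:01.000550 IP 198.51.100.7.51234 > 10.0.0.5.27015: UDP, length 1400
12:00:01.000700 IP 198.51.100.7.51234 > 10.0.0.5.27015: UDP, length 1400
12:00:01.000850 IP 203.0.113.9.27005 > 10.0.0.5.27015: UDP, length 52
12:00:01.001000 IP 10.0.0.5.27015 > 203.0.113.9.27005: UDP, length 1200
12:00:01.001150 IP 203.0.113.44.3389 > 10.0.0.5.55123: P 1:100(99) ack 1 win 256
'@ -split "`r?`n"

function Get-UdpSourceStats {
    # One record per remote source that sent UDP to $LocalIp.
    param([string[]]$Lines, [string]$LocalIp)
    $pattern = '^\S+ IP (?<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > (?<dst>\d{1,3}(?:\.\d{1,3}){3})\.\d+: UDP, length (?<len>\d+)'
    $stats = @{}
    foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) { continue }     # TCP, ICMP, blank or garbled lines
        if ($Matches['dst'] -ne $LocalIp) { continue }     # only packets aimed at the dedi
        $src = $Matches['src']
        if (-not $stats.ContainsKey($src)) {
            $stats[$src] = @{ Packets = 0; Bytes = 0 }
        }
        $stats[$src].Packets += 1
        $stats[$src].Bytes   += [int]$Matches['len']
    }
    foreach ($src in $stats.Keys) {
        New-Object PSObject -Property @{
            Source  = $src
            Packets = $stats[$src].Packets
            Bytes   = $stats[$src].Bytes
            AvgLen  = [math]::Round($stats[$src].Bytes / $stats[$src].Packets)
        }
    }
}

function Get-BlockCommands {
    # Emit (do not run) a netsh block rule per source above the threshold,
    # never for addresses on the protect list (your admin/monitoring IPs).
    param([object[]]$Stats, [int]$MinPackets, [string[]]$NeverBlock)
    foreach ($s in ($Stats | Sort-Object Packets -Descending)) {
        if ($s.Packets -lt $MinPackets) { continue }
        if ($NeverBlock -contains $s.Source) { continue }
        "netsh advfirewall firewall add rule name=`"block $($s.Source)`" dir=in remoteip=$($s.Source) action=block"
    }
}

$stats = Get-UdpSourceStats -Lines $sampleLog -LocalIp $serverIp
$stats | Sort-Object Packets -Descending | Format-Table Source, Packets, Bytes, AvgLen -AutoSize

# Threshold of 3 is a constructed example; pick one well above your normal
# per-client rate from a capture taken when no attack is running.
Get-BlockCommands -Stats $stats -MinPackets 3 -NeverBlock @('203.0.113.44')
```

Against the constructed lines this lists only `62.131.74.12` (three packets); `198.51.100.7` stays below the threshold and the server's own outbound reply is ignored. For a real capture replace `$sampleLog` with `Get-Content .\output.txt`. Two caveats a practitioner would want: a threshold taken from a short capture is noisy, so compare against a quiet-time baseline first; and per-IP blocks only help when the attacking sources are stable, which is the "static group of IPs" condition the reply above already sets.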
MrSpartan
New to forums
Posts: 11
Joined: Mon Feb 20, 2012 12:22 pm

Re: Windows firewall

Post by MrSpartan »

How do I feed PeerBlock the list of attackers?

The servers allow connection globally, so unfortunately can't do that.

Servers are still being DoSed, so I'll have to wait until it stops to get back on the dedi since I can't log on. Is there any other way to log into the dedi, or gain access to it?
Edge100x
Founder
Posts: 13129
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Windows firewall

Post by Edge100x »

You should be able to create a list of custom IPs in PeerBlock -- it's been a while since I've experimented with it, but it has a GUI designed around this task.

Unless you've set up another method of access, RDP would be the only way into a Windows machine. It's a bit strange that you wouldn't be able to get in while a UDP-only attack is in progress unless it's > 1 Gbps, though. Do you have multiple servers set up to be high-priority that might be depriving the terminal services of resources?
MrSpartan
New to forums
Posts: 11
Joined: Mon Feb 20, 2012 12:22 pm

Re: Windows firewall

Post by MrSpartan »

As far as I know, everything should just be default I guess. I've not tampered with the priorities for the servers. The only thing that might cause some excess usage is the MySQL, which we use to run TCAdmin and some other database stuff. I doubt however that that would cause so much resource usage.
MrSpartan
New to forums
Posts: 11
Joined: Mon Feb 20, 2012 12:22 pm

Re: Windows firewall

Post by MrSpartan »

OK, so this guy is still DDoSing the servers and I still can't get a connection through Remote Desktop. Is there any cmd line, software program or web server option that I can use to execute something on the dedi? I'm thinking of simply blocking all UDP connections so the DoS stops, and I'll just leave it stopped for a while.
Edge100x
Founder
Posts: 13129
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Windows firewall

Post by Edge100x »

After you're able to get a connection again, you can add a firewall rule, or turn on packet capturing so that you can learn more about what's being attacked after the next one (if it's a single IP or port, we could have InterNAP completely block it for you). If it's occurring right now, you may need to wait for it to stop first.