UDP Flood from Google or how not to deprive everyone of Youtube

One beautiful spring evening, when I didn't feel like going home and an irrepressible desire to live and learn was itching and burning like a red-hot iron, the idea came up to poke at a tempting unused feature on the firewall called "IP DoS policy".
After some foreplay and a read of the manual, I set it up in "Pass and Log" mode to look at the output and at the dubious usefulness of this setting in general.
After a couple of days (so that statistics would accumulate, of course, and not because I forgot), I looked at the logs and, dancing on the spot, clapped my hands: there were no records. It would seem that nothing could be simpler: switch the policy to block all flooding, scanning and half-open session attempts with a one-hour ban, and sleep peacefully knowing that the border is locked. But the 34th year of life overcame youthful maximalism, and somewhere in the back of my brain a thin voice said: "Let's lift our eyelids and see whose addresses our beloved firewall recognized as malicious flooders. Well, just in case, it's nothing."

We begin to analyze the data received from the anomaly list. I run the addresses through a simple PowerShell script, and my eyes stumble upon familiar letters: google.

I rub my eyes and blink for about five minutes to make sure I wasn't imagining it. Indeed, in the list of those whom the firewall considered a malicious flooder, the attack type is udp flood, and the addresses belong to the corporation of goodness.
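The triage described above, as an added example (not code from the original post): it parses a constructed anomaly list, resolves each flagged source through a constructed reverse-DNS table standing in for a live lookup, and separates sources that look like QUIC from Google's port 443 from those that still deserve a look. The log layout, addresses and host names are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed anomaly-log lines in a generic key=value layout (not any vendor's real format).
SAMPLE_LOG = """\
2023-04-12 21:03:11 attack=udp_flood srcip=198.51.100.20 srcport=443 dstip=10.0.0.15 dstport=51122 proto=17 count=1843
2023-04-12 21:03:12 attack=udp_flood srcip=198.51.100.20 srcport=443 dstip=10.0.0.23 dstport=60211 proto=17 count=2210
2023-04-12 21:04:40 attack=udp_flood srcip=203.0.113.9 srcport=53311 dstip=10.0.0.15 dstport=53 proto=17 count=9900
2023-04-12 21:05:02 attack=udp_flood srcip=198.51.100.77 srcport=443 dstip=10.0.0.42 dstport=49333 proto=17 count=1502
2023-04-12 21:06:30 attack=udp_flood srcip=203.0.113.40 srcport=443 dstip=10.0.0.42 dstport=49334 proto=17 count=3100
"""

# Constructed reverse-DNS answers standing in for socket.gethostbyaddr(), so the example runs offline.
RDNS = {
    "198.51.100.20": "fra16s52-in-f20.1e100.net",
    "198.51.100.77": "ams16s29-in-f13.1e100.net",
    "203.0.113.40": "unknown-host.example.net",
}
GOOGLE_SUFFIXES = (".1e100.net", ".google.com", ".googleusercontent.com")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_anomaly_log(text):
    """Return one dict per line with its key=value fields; ports, proto and count as integers."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(KV_RE.findall(line))
        for key in ("srcport", "dstport", "proto", "count"):
            row[key] = int(row[key])
        rows.append(row)
    return rows

def classify_source(srcip, rows, rdns=RDNS):
    """'likely_quic' when every flagged packet from this source is UDP from port 443 AND its
    reverse DNS lands in a Google zone; anything else stays 'investigate' (a real flooder
    can also spoof or sit on port 443, so port alone is never enough)."""
    name = rdns.get(srcip, "")
    all_udp_443 = all(r["proto"] == 17 and r["srcport"] == 443 for r in rows)
    google = name.endswith(GOOGLE_SUFFIXES)
    return "likely_quic" if all_udp_443 and google else "investigate"

def triage(text, rdns=RDNS):
    """Group the anomaly list by source and return {srcip: (label, total_packets, rdns_name)}."""
    by_src = defaultdict(list)
    for row in parse_anomaly_log(text):
        by_src[row["srcip"]].append(row)
    return {ip: (classify_source(ip, rows, rdns), sum(r["count"] for r in rows), rdns.get(ip, ""))
            for ip, rows in by_src.items()}
```

Call `triage(SAMPLE_LOG)` to get a per-source verdict together with the packet total and host name; the two 1e100.net sources come back as likely QUIC, while the port-53 sender and the unknown host on port 443 remain worth investigating.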

I scratch my head while setting up packet capture on the external interface for further analysis. Rosy thoughts flash through my head: "How is it, something infected in Google's address space? And I discovered it? Yes, this is it: awards, honours and the red carpet, and your own casino with blackjack and, well, you understand ..."

Parsing the resulting capture in Wireshark.
Yes, indeed: UDP packets are coming from an address in Google's range, from port 443 to a random port on my device.
But wait a minute ... Here the protocol changes from UDP to GQUIC.
Semyon Semyonych ...

Alexander Tobol's HighLoad talk "UDP vs TCP, or the future of the network stack" (link) immediately comes to mind.
On the one hand, slight disappointment sets in: no laurels or honours for you, master. On the other hand, the problem is clear; it remains to understand where and how much to dig.
A couple of minutes of communication with the Good Corporation, and everything falls into place. In an attempt to improve the speed of content delivery, Google back in 2012 announced the QUIC protocol, which removes most of TCP's shortcomings (yes, yes, yes, these articles, One and Two, talk about a completely revolutionary approach, but, to be honest, I want photos of cats to load faster, not all these revolutions of your consciousness and progress). As further research showed, many organizations are now switching to this type of content delivery.
The problem in my case, and I think not only mine, turned out to be that the result is a lot of packets, and the firewall perceives them as a flood.
There were few solutions:
1. Add Google's address range to the DoS policy's exclusion list on the firewall. At the mere thought of the range of possible addresses my eye began to twitch nervously; the idea was shelved as crazy.
2. Raise the threshold of the udp flood policy. Also not comme il faut: what if someone really malicious slips in.
3. Deny outbound UDP to port 443 from the internal network.
After reading more about the implementation and integration of QUIC in Google Chrome, the last option was taken as the guide to action. The fact is that Google Chrome, loved by everyone, everywhere and mercilessly (I don't understand why; it would be better if the impudent red-haired Firefox mug got the blame for the torn-off gigabytes of RAM), first tries to establish a connection using its hard-won QUIC, but if the miracle does not happen, it falls back to the proven methods like TLS, though terribly ashamed of it.

Create an entry on the firewall for the QUIC service:

We set up a new rule and place it somewhere higher in the chain.

After enabling the rule, the anomaly list is quiet and calm, except for the really malicious violators.

Thank you all for your attention.

Resources used:
1. Report by Alexander Tobol
2. Description of the QUIC protocol from Infopulse
3. Wikipedia
4. KB from Fortinet

Source: habr.com