L3 Hardening: Gen.2 GWx

The GWx concept, originally introduced to come up w/ a solution against regularly occuring DDoS attacks, has recently undergone a massive consolidation process which has proven to work very well.

Gen.1 Refresher

As a short refresher, the Gen.1 GWx concept introduced in mid 2017 worked by deploying at least 4 systems that divided the attack flow amongst them by using round robin DNS, which enabled pre-filtering traffic at 4 locations. But since then, the attack bandwidth of distributed reflected DoS attacks steadily increased, for the first time mostly paralyzing all 4 Gen.1 GWx systems.

Gen.2: Implementation

So, it was time to overhaul and come up w/ a new and more efficient concept: Gen.2 GWx. Generally, the idea of dividing the attack traffic into multiple smaller flows is still the foundation of the whole concept, so that introducing even more distribution by adding multiple IP addresses each having it’s own route in a different country was the next thing that came into mind. If you have 4x GWx, you could easily assign 8 IPs to each of them resulting in 32 IPs for the whole grid. This also takes into account the fact that those shady “DDoS Stresser” sites have their own business model, namely restricting their skript-kid “customers” to a limited number of IP addresses to attack.

Gen.2: Hardening & Stealthiness

When it comes to hardening the GWx systems, an extended packetfilter ruleset had to be implemented, mainly blocking (as in silently dropping) a lot more of INVALID traffic, packets w/ weird flags and so on. Also, it became a priority to protect 2nd layer upstream traffic which is not directly attackeable and is kept as secret as the backend IP addresses at the 3rd layer. Additionally, the DNS configuration returns only a small portion of valid IP addresses which is randomly cycling (w/o the help of lavalamps). The network security monitoring of netflow and syslog containing packet filter information remains highly relevant enabling us to classify attacks and subsequentially adjust mitigation concepts

In combination w/ the provider’s own DDoS mitigation, this concept seems to be highly efficient, remains self-hosted thus under full control, can be easily expanded and comes at a fraction of the costs for the shady krautflaire approach. However, let’s keep in mind that the base for many of the rDDoS attacks are old, unpatched and badly maintained systems as well as upstream providers that let invalid traffic pass.

Smartphone Hardening: Motorola

Installing the LineageOS distribution on a Nexus 6 as a base for hardening has become very easy and takes only a few minutes w/ adb and fastboot (part of the android-sdk) already installed on your POSIX machine.

  • Enable USB Debugging in the phone settings
  • Connect device and check by running adb devices -l
  • Reboot into bootloader: adb reboot bootloader
  • Again, check connectivity: fastboot devices -l
  • Unlock the bootloader:
fastboot oem unlock
(bootloader) slot-count: not found
(bootloader) slot-suffixes: not found
(bootloader) slot-suffixes: not found
(bootloader) Please select 'YES' on screen if you want to continue...
(bootloader) Unlocking bootloader...
(bootloader) Unlock completed! Wait to reboot
  • Flash recovery:
fastboot flash recovery twrp-3.3.1-0-shamu.img
 (bootloader) slot-count: not found                 
 (bootloader) slot-suffixes: not found                                  
 (bootloader) slot-suffixes: not found                        
 (bootloader) has-slot:recovery: not found
 target reported max download size of 536870912 bytes
 sending 'recovery' (11887 KB)…                                  
 OKAY [  0.393s]                                                   
 writing 'recovery'…                                             
 OKAY [  0.171s]                            
 finished. total time: 0.564s 
  • Select Recovery Mode and reboot into TWRP
  • Backup existing ROM (system partition) onto USB-OTG
  • Install LOS: Wipe/Factory Reset, then install – e.g. using adb sideload – a) LOS b) OpenGapps c) addonsu

Note about encryption: When running LOS 15.1 and TWRP 3.2.3, encrypting the device results in a completely unstable O/S. When running LOS 16.0 and TWRP 3.3.1, encrypting the device works, resulting in a usable O/S. However, TWRP is still not accepting the FDE password thus unable to mount /data.

So, after having flashed the device, now is the time for further hardening of the device by installing a local firewall ruleset like AFWall+, VPN software like WireGuard, Firefox Klar/Focus, K-9 Mail, OpenKeychain, SnoopSnitch etc. and creating a backup using TWRP.

Also, sort of circumventing the previously mentioned encryption problem would be easily possible and can be achieved by first creating a fresh TWRP backup and subsequentially encrypting the device. Think of this becoming handy right before travelling abroad, but remember that afterwards you should a) WIPE the device using TWRP (w/o unlocking data) and then b) reflash the last backup to be able to create fresh backups from time to time.