Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


    Cloudron Forum

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    adguard on upcoming Cloudron v6 DDoS reflection/amplification

    AdGuard Home
    12
    30
    1526
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • luckow
      luckow translator last edited by

      I've installed adguard on the upcoming Cloudron v6. It is installed on a public available VPS. I know the "normal" intended use is for local networks. But because it's possible, I've clicked on install the app πŸ™‚

      I've added the public ip of the Cloudron instance as DNS in my local home router in order to use the adguard functions in my entire local network. BTW: It works perfect.

      One week later I got an email from the german Federal Office for Information Security (BSI)

      Dear Sir or Madam,
      
      open DNS resolvers are abused for conducting DDoS reflection / amplification attacks against third parties on a daily basis. [...]
      

      The moment I checked the dashboard of adguard, I realized that DDoS had already happened.

      e6742fd0-d0f9-4422-ba58-2a25424f255a-image.png

      All top clients in the figure above have made a DNS query for the same domain.

      So my question is: is there any chance to configure the Cloudron firewall/ proxy / whatever to use adguard in the way I want to use it (as a openDNS) without having a tool for attackers out in the wild?

      If not, I like to see a big red warning sign: do not use adguard on a public infrastructure without having a firewall rule in front of the Cloudron instance. IMHO we as Cloudron users have to be responsible not to have "weapons" for attackers out in the wild.

      Pronouns: he/him | Primary language: German

      mehdi 1 Reply Last reply Reply Quote 5
      • mehdi
        mehdi App Dev @luckow last edited by

        @luckow 100% agree. There should be a port-level firewall config, that defaults to restricting access to local IPs only (RFC1918).

        BrutalBirdie 1 Reply Last reply Reply Quote 2
        • BrutalBirdie
          BrutalBirdie Staff @mehdi last edited by

          But I would like to keep that feature 😱
          My own Adguard which I can use even while being on the go via mobile data.

          Like my work? Consider donating a beer 🍻 Cheers!

          humptydumpty BrutalBirdie 2 Replies Last reply Reply Quote 1
          • humptydumpty
            humptydumpty @BrutalBirdie last edited by

            @brutalbirdie Wouldn't a raspberry pi with PiVPN and PiHole installed do the same thing for you?

            D 1 Reply Last reply Reply Quote 0
            • imc67
              imc67 translator last edited by

              That’s why I suggested many many times to have Pi-Hole (preferred) together with a WireGuard VPN server. This app only on a VPS is dangerous!!!

              1 Reply Last reply Reply Quote 2
              • BrutalBirdie
                BrutalBirdie Staff @BrutalBirdie last edited by

                This could be usefull.

                https://wiki.opennic.org/opennic/tier2security

                Like my work? Consider donating a beer 🍻 Cheers!

                1 Reply Last reply Reply Quote 0
                • luckow
                  luckow translator last edited by

                  A background article on the DDoS problem can be found on the BSI website itself.

                  https://www.bsi.bund.de/EN/Topics/IT-Crisis-Management/CERT-Bund/CERT-Reports/HOWTOs/DNS-Open-Resolver/DNS-Open-Resolver_node.html

                  I have no idea what happens if we follow the

                  Solution
                  Disable recursion or limit recursion to trusted clients in the DNS server's configuration.

                  But maybe it's a/the solution πŸ˜‰

                  Pronouns: he/him | Primary language: German

                  mehdi 1 Reply Last reply Reply Quote 1
                  • mehdi
                    mehdi App Dev @luckow last edited by

                    @luckow said in adguard on upcoming Cloudron v6 DDoS reflection/amplification:

                    I have no idea what happens if we follow the
                    Solution
                    Disable recursion or limit recursion to trusted clients in the DNS server's configuration.
                    But maybe it's a/the solution

                    It is not a solution. It means the DNS server of the app would be forbidden to ask an upstream DNS server when it does not know a domain, which would basically make it useless πŸ™‚

                    luckow 1 Reply Last reply Reply Quote 2
                    • luckow
                      luckow translator @mehdi last edited by

                      @mehdi thanks for the clarification πŸ™‚ In that case there is no easy solution for that problem. IMHO we only have a chance to use adguard on cloudron in a public infrastructure, if we only allow the use of adguard from inside the openvpn-app. That is my understanding of @imc67 pi-hole / wireguard vpn solution.

                      Pronouns: he/him | Primary language: German

                      1 Reply Last reply Reply Quote 0
                      • girish
                        girish Staff last edited by

                        I agree we should have a big warning with information highlighting security issues and how to go about handling them. I will update the https://docs.cloudron.io/apps/adguard-home/#security section in the docs.

                        doodlemania2 1 Reply Last reply Reply Quote 3
                        • D
                          dylightful @humptydumpty last edited by

                          @humptydumpty No, Pihole is installed locally on the pi attached to the local VPN adapter (wg0 if you're using wireguard). PiVPN internally handles DNS queries and is not publicly resolvable from the public IP/

                          Unless you install Pihole on your public facing adapter instead of your VPN adapter. Then you're in abit of trouble.....

                          1 Reply Last reply Reply Quote 1
                          • D
                            dylightful last edited by

                            I though ADGuard had an inbuilt feature to allow only whitelisted IP's through?

                            girish 1 Reply Last reply Reply Quote 0
                            • doodlemania2
                              doodlemania2 App Dev @girish last edited by

                              @girish I can help with this doc when you're read sir - I've got a PiHole on the public internet and simply block all requests at the router except requests from my IP address. If I'm not mistaken, we'll have some sort of control in 6 to whitelist/blacklist access by IP address to an app?

                              1 Reply Last reply Reply Quote 2
                              • girish
                                girish Staff @dylightful last edited by

                                @dylightful said in adguard on upcoming Cloudron v6 DDoS reflection/amplification:

                                I though ADGuard had an inbuilt feature to allow only whitelisted IP's through?

                                Indeed, I will put this in the docs and the POSTINSTALL.

                                robi 1 Reply Last reply Reply Quote 1
                                • robi
                                  robi @girish last edited by

                                  @girish couldn't it just be limited to the VPN interface which you get once connected? That way it remains private and there's no issue with dynamic IPs from home.

                                  Life of Advanced Technology

                                  girish 1 Reply Last reply Reply Quote 1
                                  • girish
                                    girish Staff @robi last edited by

                                    @robi If I understand correctly, you are suggesting that we restrict the app to only private IPs by default. Maybe the IP blocks in https://en.wikipedia.org/wiki/Reserved_IP_addresses ? Thing is I would say the most common deployment of Cloudron is on a VPS and with that as the default a big chunk of people won't be able to use the app out of the box.

                                    I think a good solution is to add a app level firewall to Cloudron. I think it's something we can easily add for next release.

                                    robi 1 Reply Last reply Reply Quote 1
                                    • robi
                                      robi @girish last edited by

                                      @girish
                                      Not what I said, but in effect yes.

                                      What I am suggesting is to limit it to an actual interface not an IP. Anything flowing through a VPN interface for example which is a higher abstraction.

                                      Since private networks use RFC1918 addressing that's what ends up flowing through those interfaces. Hence the effect.

                                      Having a by default secure install is the only option IMO.
                                      Anyone installing it will need to configure it properly, be it for VPN access and network interfaces, or by going lower into the networking stack and using IP:port settings.

                                      It's also a question of liability for you, allowing deployment for DDoS or not.

                                      Subsequent modification is the users responsibility.

                                      Even if you had an app level firewall, how will it dynamically configure itself for a new client IP every hour? (there are ways but beyond the scope of this discussion)

                                      Life of Advanced Technology

                                      1 Reply Last reply Reply Quote 1
                                      • girish
                                        girish Staff last edited by girish

                                        I am reading up on what the upstream project recommends because IMO it's actually fairly easy to do an IP based rate limit in the app itself. There are several issues around this:

                                        • DNS amplification prevention
                                        • Automatically block IP when it reaches a configurable requests limit
                                        • Provide a smarter way to detect & block DNS amplification- Looks like they might add a setting for this
                                        • Allow the use of IP blocklists to reject DNS requests from the listed IPs
                                        D 1 Reply Last reply Reply Quote 1
                                        • D
                                          dylightful @girish last edited by

                                          @girish
                                          Playing around with ADGuard today. The inbuilt IP limiter works great and correctly blocks amp attacks.

                                          Only issue i found was the ability to use DDNS hostnames as a whitelist for dynamic IP nets. CIDR works just aswell i guess...

                                          robi 1 Reply Last reply Reply Quote 1
                                          • robi
                                            robi @dylightful last edited by

                                            @dylightful said in adguard on upcoming Cloudron v6 DDoS reflection/amplification:

                                            Playing around with ADGuard today. The inbuilt IP limiter works great and correctly blocks amp attacks.

                                            Do you mean the requests per second limit?
                                            Which setting blocks amp attacks?

                                            Only issue i found was the ability to use DDNS hostnames as a whitelist for dynamic IP nets. CIDR works just aswell i guess...

                                            I had an issue with this too, as I couldn't come up with a CIDR address that would exclude some of the abusing IPs without blocking my own (same network provider).

                                            Life of Advanced Technology

                                            doodlemania2 1 Reply Last reply Reply Quote 0
                                            • doodlemania2
                                              doodlemania2 App Dev @robi last edited by

                                              @robi you might have to put it behind a firewall then and only allow internal - you could then have your servers vpn in to your box to query it (I do that for one of my friends).
                                              There's another thread about making apps accessible only from OpenVPN - that would be a neat use case.

                                              D 1 Reply Last reply Reply Quote 1
                                              • D
                                                drpaneas @doodlemania2 last edited by

                                                Would that be OK to configure the firewall on the machine where cloudron is running? In the documentation says to not touch iptables/ufw and similar stuff, so I guess it's not a good idea. Yet, since this is a very serious matter of having AdGuard running wild out there, I would propose to have the app configure the firewall itself -- instead of relying to 3rd party firewalls -- and make this configurable (enable/disable).

                                                Upon installation, it could ask you what you would like to do:

                                                1. Block port 53 - allow internal traffic only for AdGuard (recommended)
                                                2. Do not configure firewall.

                                                WDYT?

                                                nebulon 1 Reply Last reply Reply Quote 0
                                                • nebulon
                                                  nebulon Staff @drpaneas last edited by

                                                  @drpaneas did you see the docs at https://docs.cloudron.io/apps/adguard-home/#securing-installation already?

                                                  D 1 Reply Last reply Reply Quote 0
                                                  • D
                                                    drpaneas @nebulon last edited by

                                                    @nebulon yes of course I've read those. My proposal is to have cloudron blocking the port 53 during the installation automatically -- instead of asking the user to do it manually in the docs. In that way we make AdGuard installation more secure by default, instead of relying to the end user to take care of it.

                                                    1 Reply Last reply Reply Quote 0
                                                    • iamthefij
                                                      iamthefij App Dev last edited by

                                                      This was something that came up early on when we were discussing AdGuardHome and PiHole. Most folks recommend only exposing something like this via a VPN without binding to 53 on your public network interface. A VPN still allows people to use it from anywhere but adds a layer of authentication.

                                                      The way things are now, it's very likely that folks misconfigure their DNS server. Part of Cloudron's draw is that users don't have to think so hard about "doing the right thing". The best way to do that would be to not bind only to a VPN interface and support the VPN setting the DNS server as the default.

                                                      A setting to "do the wrong thing" could be there for folks that really know what they are doing, but maybe a little more difficult to get to so someone who enables it will also know how to manage their firewalls. Either through their VPS provider or on the machine.

                                                      Personally, I host mine at home and access over a VPN.

                                                      1 Reply Last reply Reply Quote 0
                                                      • girish
                                                        girish Staff last edited by

                                                        One idea might be to fix the package to block all clients by default. I think we just need to put some wildcard to deny all the IP addresses. Would that make things better? This way user has a UI to manually white list their client IP addresses.

                                                        robi 1 Reply Last reply Reply Quote 0
                                                        • robi
                                                          robi @girish last edited by

                                                          @girish that doesn't work for most clients as they have dynamic IPs.

                                                          Unless there's an auth of some sort, port knocking or VPN access to it.

                                                          Let's go Wireguard. 🏁

                                                          Life of Advanced Technology

                                                          girish 1 Reply Last reply Reply Quote 2
                                                          • girish
                                                            girish Staff @robi last edited by

                                                            @robi sure. The goal was only to make the user a bit more aware of the security settings. It doesn't solve anything else, as you say.

                                                            mehdi 1 Reply Last reply Reply Quote 0
                                                            • mehdi
                                                              mehdi App Dev @girish last edited by

                                                              @girish I think a reasonable default would be to blacklist all non-local IPs (RFC 1918) by default. That way, connecting from VPNs should work, connecting from LAN should work, but connecting from public internet would require manual white-listing.

                                                              iamthefij 1 Reply Last reply Reply Quote 4
                                                              • iamthefij
                                                                iamthefij App Dev @mehdi last edited by

                                                                @mehdi I agree with this. However, it would also be important to have the ability to give the container a static internal IP and allow the configuration of the VPN app to set that container as the default DNS server.

                                                                1 Reply Last reply Reply Quote 0
                                                                • First post
                                                                  Last post
                                                                Powered by NodeBB