On 06/23/2014 12:31 PM, Nux! wrote:
Hi,
Today I've been bitten again by the $subject and complaints were sent to my
hoster's abuse email address; apparently someone used my VR in a DDOS attack.
It is my fault as I knew about this issue, but I'd like to throw the blame on
Cloudstack. :)
So, the VR is accepting DNS requests from everybody on the interwebs and this
should be changed, imho.
I see there are already iptables rules concerning port 8080 of the VR and only
the public IP ranges are allowed. Why isn't this the case for port 53 as well?
I see no reason why this shouldn't be the case. DNS is only meant for
the Instances and not for the rest of the internet in this case.
I have placed this script in my VR's rc.local, but it's not kosher at all.
# disallows global DNS traffic and only allows it from the cloud public subnets
for i in `iptables-save |grep 8080|awk '{print $4}'`; do iptables -I INPUT -s
$i -p tcp -m tcp --dport 53 -j ACCEPT; iptables -I INPUT -s $i -p udp -m udp
--dport 53 -j ACCEPT; done
iptables -D INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
iptables -D INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
This could be greatly improved and added in the official tree.
Currently I'm getting the subnets by checking which IPs the 8080 rules apply,
how can I retrieve this information in a more elegant way?
Lucian
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
