Blocking of domain strings in iptables

2014-02-08 Thread Anurag Bhatia
Hello everyone


I am trying to figure out the way to drop a domain name DNS resolution
before it hits application server. I do not want to do domain to IP mapping
and block destination IP (and source IP blocking is also not an option).

I can see that a string like this:

iptables -A INPUT -p udp -m udp --dport 53 -m string --string domain
--algo kmp --to 65535 -j DROP


this can block a domain which includes domain.com/domain.net and everything
in that pattern. I tried using a hexadecimal string for a value like domaincom
(hex equivalent) and the firewall doesn't pick that up at all.

The only other option which I found to be working nicely is u32 based
string as something suggested on DNS amplification blog post here -
http://dnsamplificationattacks.blogspot.in/2013/12/domain-dnsamplificationattackscc.html


A string like this as suggested on above link works exactly for that domain

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 \
  "0x28&0xFFDFDFDF=0x17444e53 && 0x2c&0xDFDFDFDF=0x414d504c && \
   0x30&0xDFDFDFDF=0x49464943 && 0x34&0xDFDFDFDF=0x4154494f && \
   0x38&0xDFDFDFDF=0x4e415454 && 0x3c&0xDFDFDFDF=0x41434b53 && \
   0x40&0xFFDFDFFF=0x02434300" \
  -j DROP -m comment --comment "DROP DNS Q dnsamplificationattacks.cc"


but here I am not sure how to create such a string and script it for
automation.



Can someone suggest a way out for this within iptables or maybe some other
open source firewall?


Thanks.

-- 


Anurag Bhatia
anuragbhatia.com

Linkedin http://in.linkedin.com/in/anuragbhatia21 |
Twitter https://twitter.com/anurag_bhatia
Skype: anuragbhatia.com

PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2


Re: SIP on FTTH systems

2014-02-08 Thread Mark Tinka
On Saturday, February 08, 2014 09:08:43 AM Mikael Abrahamsson wrote:

> I have never heard anyone refer to SLAAC as IA_NA.

Because it's not.

I said prefer DHCP_IA_NA to ND/RA.

> When saying IA_NA and IA_PD, you should take for granted
> people mean DHCP.

Anders asked whether ND/RA for the CPE WAN address + 
DHCP_IA_PD (commonly written as DHCP-PD) is a valid option, 
to which you replied DHCP_IA_NA can be used for the CPE WAN 
address as well, to which I added I prefer (over ND/RA, that 
is).

Again, violent agreement, Mikael. Whether I write 
DHCP_IA_NA or just IA_NA, DHCP_IA_PD or just DHCP-PD it 
is all implicitly understood to mean the DHCP kind.

Mark.




Re: Blocking of domain strings in iptables

2014-02-08 Thread Jonathan Lassoff
This is going to be tricky to do, as DNS packets don't necessarily contain
entire query values or FQDNs as complete strings due to packet label
compression (remember, original DNS only has 512 bytes to work with).

You can use those u32 module matches to find some known-bad packets if
they're sufficiently unique, but it simply lacks enough logic to fully
parse DNS queries.
Here's an interesting example to visualize what's happening:
http://dnsamplificationattacks.blogspot.com/p/iptables-block-list.html

One quick thing that would work would be to match a single label (e.g.
google, but not google.com), but this will end up blocking any frames
with that substring in it (e.g. you want to block evil.com, but this also
blocks evil.example.com).

If you find yourself needing to parse and block DNS packets based on their
content in a more flexible way, I would look into either making an iptables
module that does the DNS parsing (
http://inai.de/documents/Netfilter_Modules.pdf), or using a userspace
library like with NFQUEUE (e.g. https://pypi.python.org/pypi/NetfilterQueue)
or l7-filter (http://l7-filter.sourceforge.net/).

Best of luck and happy hacking!

Cheers,
jof



On Sat, Feb 8, 2014 at 12:08 AM, Anurag Bhatia <m...@anuragbhatia.com> wrote:

> Hello everyone
>
>
> I am trying to figure out the way to drop a domain name DNS resolution
> before it hits application server. I do not want to do domain to IP mapping
> and block destination IP (and source IP blocking is also not an option).
>
> I can see that a string like this:
>
> iptables -A INPUT -p udp -m udp --dport 53 -m string --string domain
> --algo kmp --to 65535 -j DROP
>
>
> this can block a domain which includes domain.com/domain.net and
> everything
> in that pattern. I tried using a hexadecimal string for a value like domaincom
> (hex equivalent) and the firewall doesn't pick that up at all.
>
> The only other option which I found to be working nicely is u32 based
> string as something suggested on DNS amplification blog post here -
>
> http://dnsamplificationattacks.blogspot.in/2013/12/domain-dnsamplificationattackscc.html
>
>
> A string like this as suggested on above link works exactly for that domain
>
> iptables --insert INPUT -p udp --dport 53 -m u32 --u32 \
>   "0x28&0xFFDFDFDF=0x17444e53 && 0x2c&0xDFDFDFDF=0x414d504c && \
>    0x30&0xDFDFDFDF=0x49464943 && 0x34&0xDFDFDFDF=0x4154494f && \
>    0x38&0xDFDFDFDF=0x4e415454 && 0x3c&0xDFDFDFDF=0x41434b53 && \
>    0x40&0xFFDFDFFF=0x02434300" \
>   -j DROP -m comment --comment "DROP DNS Q dnsamplificationattacks.cc"
>
>
> but here I am not sure how to create such a string and script it for
> automation.
>
>
>
> Can someone suggest a way out for this within iptables or maybe some other
> open source firewall?
>
>
> Thanks.
>
> --
>
>
> Anurag Bhatia
> anuragbhatia.com
>
> Linkedin http://in.linkedin.com/in/anuragbhatia21 |
> Twitter https://twitter.com/anurag_bhatia
> Skype: anuragbhatia.com
>
> PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2



RE: carrier comparison

2014-02-08 Thread Adam Greene
Hi all,

Just wanted to say thanks to all who replied on and off list to my original 
inquiry. 

I'd sum up feedback as follows:
-   Although Cogent has been surprisingly good for some, in general almost 
everyone agreed that it should never be relied upon as your main Internet 
provider. As a secondary link, they are a good value.
-   People had generally good feedback about Level3
-   Having one carrier provide service over another carrier’s fiber is 
generally not a problem. Sometimes it adds complication when things go wrong 
(and a couple people had some pretty extreme cases to share), but in general 
most people did not recommend shying away from this kind of relationship. 
-   Time Warner also received positive reviews in general as a carrier

I was also surprised how many small ISPs like us are on the NANOG list. I kinda 
assumed most of you were big operators that dwarf us. It's great to have 
received perspectives from both large and small operators.  

Thanks again, everyone. 

Adam

-Original Message-
From: Faisal Imtiaz [mailto:fai...@snappytelecom.net] 
Sent: Friday, February 07, 2014 4:43 PM
To: Vlade Ristevski
Cc: nanog list
Subject: Re: carrier comparison

This is exactly what I thought had happened. The outage that affected you was 
one of our two routers up-stream from your connection to that provider.

I am not trying to defend any Carrier, but there is no 'routing protocol' that 
will react to this kind of an issue.

Regards.

Faisal Imtiaz
Snappy Internet & Telecom
7266 SW 48 Street
Miami, FL 33155
Tel: 305 663 5518 x 232

Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net 

- Original Message -
> From: "Vlade Ristevski" <vrist...@ramapo.edu>
> Cc: "nanog list" <nanog@nanog.org>
> Sent: Friday, February 7, 2014 3:57:00 PM
> Subject: Re: carrier comparison
> 
> We don't get a default route from them. At the time of the outage my 
> bgp session was up and I had a full routing table from them.  I didn't 
> have much time to troubleshoot it in that state since we were down so 
> I had to disable the session ASAP. Once the RFO comes in, I'll be 
> asking a lot more questions about it. My only experience with BGP is 
> as a customer so I'm not too familiar with the intricacies on the 
> provider side. We had an outage in the AM the same day and we failed 
> over just fine. I'm very curious why the same didn't happen in the evening.
> 
> 
> 
> On 2/7/2014 3:03 PM, Bryan Socha wrote:
> > Did you verify your problem was announcements on the other side of the
> > outage?   This sounds to me like you are using a bgp announced default
> > route from cogent which is always sent.    I think the problem was you
> > were sending traffic out a path that was broken.   Since you mentioned
> > your outbound balancing this would explain some packet loss and not 
> > 100% loss.
> >
> >
> > Bryan Socha
> > Network Engineer
> > DigitalOcean
> 
> --
> Vlade Ristevski
> Network Manager
> IT Services
> Ramapo College
> (201)-684-6854
> 
> 
> 





Re: Blocking of domain strings in iptables

2014-02-08 Thread William Herrin
On Sat, Feb 8, 2014 at 3:34 AM, Jonathan Lassoff <j...@thejof.com> wrote:
> This is going to be tricky to do, as DNS packets don't necessarily contain
> entire query values or FQDNs as complete strings due to packet label
> compression (remember, original DNS only has 512 bytes to work with).

Howdy,

The DNS query essentially always contains the full string in a
sequence. It doesn't *have* to per the protocol but you'll be hard
pressed to find a real-world example where it doesn't.

The catch is, the dots aren't encoded. The components of the name
being queried are separated by a byte indicating the length of the
next piece. So, instead of www.google.com the query packet contains
www 0x06 google 0x03 com.

You can implement this with --hex-string instead of --string but
you'll have to convert the entire thing to hex first.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: Blocking of domain strings in iptables

2014-02-08 Thread Paul Ferguson
Have you looked at perhaps using DNS RPZ (Response Policy Zones)?

https://dnsrpz.info/

- ferg


On 2/8/2014 12:08 AM, Anurag Bhatia wrote:

> Hello everyone
> 
> 
> I am trying to figure out the way to drop a domain name DNS 
> resolution before it hits application server. I do not want to do 
> domain to IP mapping and block destination IP (and source IP 
> blocking is also not an option).
> 
> I can see that a string like this:
> 
> iptables -A INPUT -p udp -m udp --dport 53 -m string --string 
> domain --algo kmp --to 65535 -j DROP
> 
> 
> this can block a domain which includes domain.com/domain.net and 
> everything in that pattern. I tried using a hexadecimal string for 
> a value like domaincom (hex equivalent) and the firewall doesn't pick 
> that up at all.
> 
> The only other option which I found to be working nicely is u32 
> based string as something suggested on DNS amplification blog post 
> here - 
> http://dnsamplificationattacks.blogspot.in/2013/12/domain-dnsamplificationattackscc.html
> 
> 
> A string like this as suggested on above link works exactly for 
> that domain
> 
> iptables --insert INPUT -p udp --dport 53 -m u32 --u32 \
>   "0x28&0xFFDFDFDF=0x17444e53 && 0x2c&0xDFDFDFDF=0x414d504c && \
>    0x30&0xDFDFDFDF=0x49464943 && 0x34&0xDFDFDFDF=0x4154494f && \
>    0x38&0xDFDFDFDF=0x4e415454 && 0x3c&0xDFDFDFDF=0x41434b53 && \
>    0x40&0xFFDFDFFF=0x02434300" \
>   -j DROP -m comment --comment "DROP DNS Q dnsamplificationattacks.cc"
> 
> 
> but here I am not sure how to create such a string and script 
> it for automation.
> 
> 
> 
> Can someone suggest a way out for this within iptables or maybe 
> some other open source firewall?
> 
> 
> Thanks.
> 


-- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2




Re: Blocking of domain strings in iptables

2014-02-08 Thread TR Shaw
You could use RPZ but wouldn't something as simple as putting these two entries 
in a hosts file meet the mail?

Tom


On Feb 8, 2014, at 11:30 AM, Paul Ferguson wrote:

> Have you looked at perhaps using DNS RPZ (Response Policy Zones)?
> 
> https://dnsrpz.info/
> 
> - ferg
> 
> 
> On 2/8/2014 12:08 AM, Anurag Bhatia wrote:
> 
> > Hello everyone
> >
> >
> > I am trying to figure out the way to drop a domain name DNS
> > resolution before it hits application server. I do not want to do
> > domain to IP mapping and block destination IP (and source IP
> > blocking is also not an option).
> >
> > I can see that a string like this:
> >
> > iptables -A INPUT -p udp -m udp --dport 53 -m string --string
> > domain --algo kmp --to 65535 -j DROP
> >
> >
> > this can block a domain which includes domain.com/domain.net and
> > everything in that pattern. I tried using a hexadecimal string for
> > a value like domaincom (hex equivalent) and the firewall doesn't pick
> > that up at all.
> >
> > The only other option which I found to be working nicely is u32
> > based string as something suggested on DNS amplification blog post
> > here -
> > http://dnsamplificationattacks.blogspot.in/2013/12/domain-dnsamplificationattackscc.html
> >
> >
> > A string like this as suggested on above link works exactly for
> > that domain
> >
> > iptables --insert INPUT -p udp --dport 53 -m u32 --u32 \
> >   "0x28&0xFFDFDFDF=0x17444e53 && 0x2c&0xDFDFDFDF=0x414d504c && \
> >    0x30&0xDFDFDFDF=0x49464943 && 0x34&0xDFDFDFDF=0x4154494f && \
> >    0x38&0xDFDFDFDF=0x4e415454 && 0x3c&0xDFDFDFDF=0x41434b53 && \
> >    0x40&0xFFDFDFFF=0x02434300" \
> >   -j DROP -m comment --comment "DROP DNS Q dnsamplificationattacks.cc"
> >
> >
> > but here I am not sure how to create such a string and script
> > it for automation.
> >
> >
> >
> > Can someone suggest a way out for this within iptables or maybe
> > some other open source firewall?
> >
> >
> > Thanks.
> >
> 
> 
> --
> Paul Ferguson
> VP Threat Intelligence, IID
> PGP Public Key ID: 0x54DC85B2
> 
> 





Re: Blocking of domain strings in iptables

2014-02-08 Thread David Ford
I implemented this easily some time ago due to a situation where product
development was unable or unwilling to disable open resolvers.

I'll post my ruleset and then describe it, since it contains
multiple functions.

Chain INPUT (policy ACCEPT 68M packets, 4377M bytes)
 pkts bytes target        prot opt in     out     source       destination
  22M 1423M ACCEPT        all  --  lo     *       0.0.0.0/0    0.0.0.0/0
    0     0 REJECT        all  --  *      *       0.0.0.0/0    0.0.0.0/0    recent: CHECK name: blacklist side: source reject-with icmp-admin-prohibited
  34M 2463M find_dnsany   udp  --  *      *       0.0.0.0/0    0.0.0.0/0    udp dpt:53

Chain FORWARD (policy ACCEPT 460M packets, 298G bytes)
 pkts bytes target        prot opt in     out     source       destination
    0     0 REJECT        all  --  *      *       0.0.0.0/0    0.0.0.0/0    recent: CHECK name: blacklist side: source reject-with icmp-admin-prohibited
    0     0 irc           tcp  --  *      eth0    0.0.0.0/0    0.0.0.0/0    multiport dports 6660:6669,6670
1826M 1144G local_ips     all  --  *      *       0.0.0.0/0    0.0.0.0/0
35387 2569K find_dnsany   udp  --  *      *       0.0.0.0/0    0.0.0.0/0    udp dpt:53

Chain OUTPUT (policy ACCEPT 39M packets, 316G bytes)
 pkts bytes target        prot opt in     out     source       destination
    0     0 irc           tcp  --  *      eth0    0.0.0.0/0    0.0.0.0/0    multiport dports 6660:6669,6670
  22M 1423M ACCEPT        all  --  *      lo      0.0.0.0/0    0.0.0.0/0
 310M 1637G local_ips     all  --  *      *       0.0.0.0/0    0.0.0.0/0
  13M 1056M CONNMARK      udp  --  *      *       0.0.0.0/0    0.0.0.0/0    udp dpt:53 owner UID match 25 CONNMARK set 0x35
  13M 1056M find_dnsany   udp  --  *      *       0.0.0.0/0    0.0.0.0/0    udp dpt:53

Chain find_dnsany (3 references)
 pkts bytes target        prot opt in     out     source       destination
 302K   19M limit_dnsany  all  --  *      *       0.0.0.0/0    0.0.0.0/0    u32 0x00x160x3c@0x80xf0x1=0x00x00x180x1=0x1 STRING match "|ff0001|" ALGO name bm FROM 36 TO 70 /* match ANY? queries */

Chain irc (2 references)
 pkts bytes target        prot opt in     out     source       destination
    0     0 ULOG          all  --  *      *       0.0.0.0/0    0.0.0.0/0    ULOG copy_range 0 nlgroup 30 queue_threshold 1
    0     0 LOG           all  --  *      *       0.0.0.0/0    0.0.0.0/0    LOG flags 8 level 4 prefix "[IRC] "
    0     0 REJECT        all  --  *      *       0.0.0.0/0    0.0.0.0/0    reject-with icmp-admin-prohibited

Chain limit_dnsany (1 references)
 pkts bytes target        prot opt in     out     source       destination
  827 53727 ACCEPT        all  --  *      *       1.2.3.4      0.0.0.0/0    limit: avg 20/min burst 60
    0     0 limit_venet   all  --  *      *       1.2.3.4      0.0.0.0/0
 4297  302K ACCEPT        all  --  *      *       0.0.0.0/0    0.0.0.0/0    CONNMARK match  0x35 limit: avg 10/min burst 30
22798 1475K ACCEPT        all  --  *      *       0.0.0.0/0    0.0.0.0/0    limit: avg 4/min burst 10
 7277  468K LOG           all  --  *      *       0.0.0.0/0    0.0.0.0/0    limit: avg 1/min burst 5 LOG flags 0 level 4 prefix "DNSANY: "
 279K   18M DROP          all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain limit_venet (1 references)
 pkts bytes target        prot opt in     out     source       destination
    0     0 LOG           all  --  *      *       0.0.0.0/0    0.0.0.0/0    limit: avg 1/min burst 5 LOG flags 0 level 4 prefix "DNSANYint: "
    0     0 REJECT        all  --  *      *       0.0.0.0/0    0.0.0.0/0    reject-with icmp-admin-prohibited

Chain local_ips (2 references)
 pkts bytes target        prot opt in     out     source       destination
2136M 2782G RETURN        all  --  *      !eth0   0.0.0.0/0    0.0.0.0/0    /* only check outgoing packets */
    0     0 RETURN        all  --  *      *       0.0.0.0/0    0.0.0.0/0    ADDRTYPE match src-type LOCAL /* accept packet generated from any locally bound IP */
    0     0 RETURN        all  --  *      *       0.0.0.0/0    0.0.0.0/0    recent: CHECK name:

Re: Blocking of domain strings in iptables

2014-02-08 Thread Stephane Bortzmeyer
On Sat, Feb 08, 2014 at 12:34:45AM -0800,
 Jonathan Lassoff <j...@thejof.com> wrote 
 a message of 88 lines which said:

> This is going to be tricky to do, as DNS packets don't necessarily
> contain entire query values or FQDNs as complete strings due to
> packet label compression

Apparently, the OP wanted to match the *question* in a *query* and
these are never compressed (they could, in theory, but are not).

> You can use those u32 module matches to find some known-bad packets
> if they're sufficiently unique, but it simply lacks enough logic to
> fully parse DNS queries.

u32's language is not Turing-complete but it is sufficient in the case
presented here.






Re: Blocking of domain strings in iptables

2014-02-08 Thread Stephane Bortzmeyer
On Sat, Feb 08, 2014 at 01:38:13PM +0530,
 Anurag Bhatia <m...@anuragbhatia.com> wrote 
 a message of 54 lines which said:

> but here I am not sure how to create such string out and script them
> for automation.

Use this program:

http://www.bortzmeyer.org/files/generate-netfilter-u32-dns-rule.py



Re: Blocking of domain strings in iptables

2014-02-08 Thread David Miller
On 02/08/2014 09:40 AM, William Herrin wrote:
> On Sat, Feb 8, 2014 at 3:34 AM, Jonathan Lassoff <j...@thejof.com> wrote:
>> This is going to be tricky to do, as DNS packets don't necessarily contain
>> entire query values or FQDNs as complete strings due to packet label
>> compression (remember, original DNS only has 512 bytes to work with).
> 
> Howdy,
> 
> The DNS query essentially always contains the full string in a
> sequence. It doesn't *have* to per the protocol but you'll be hard
> pressed to find a real-world example where it doesn't.
> 
> The catch is, the dots aren't encoded. The components of the name
> being queried are separated by a byte indicating the length of the
> next piece. So, instead of www.google.com the query packet contains
> www 0x06 google 0x03 com.

For the completeness of the archives, the length of the first token is
also encoded and the final terminator is 0.

0x03 www 0x06 google 0x03 com 0x00


-DMM

> 
> You can implement this with --hex-string instead of --string but
> you'll have to convert the entire thing to hex first.
> 
> Regards,
> Bill Herrin
> 
 





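The wire format David spells out is exactly what the u32 rule quoted in the original post compares, one 32-bit word at a time, which is what makes such rules scriptable (the question Anurag asked, and what Stephane's generator link answers). The following is an added example, not code from the thread and not Stephane Bortzmeyer's script: it encodes a name, emits a u32 expression in the same style as the blog's rule (length and terminator bytes compared exactly with mask 0xFF, letters with mask 0xDF so the match is case-insensitive, bytes past the terminator masked out), and includes an evaluator that applies the generated tests the way xt_u32 does, so a rule can be checked against a constructed packet before it is loaded. It assumes an IPv4 packet with a 20-byte header and no options, so the QNAME starts at byte 0x28; the packet builder's header fields are placeholders.

```python
"""Generate and check netfilter u32 matches for a DNS query name (added example).

Offset 0x28 = 20-byte IPv4 header (no options) + 8-byte UDP header +
12-byte DNS header, i.e. the first byte of the QNAME in the question.
"""
import sys

IPV4_UDP_DNS_HEADERS = 20 + 8 + 12  # 0x28; assumption: no IP options


def encode_qname(domain: str) -> bytes:
    """DNS wire format of a name: <len><label>...<len><label><0x00>."""
    out = bytearray()
    for label in domain.strip(".").split("."):
        if not 0 < len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(label))
        out.extend(label.encode("ascii"))
    out.append(0)
    return bytes(out)


def qname_mask(domain: str) -> bytes:
    """Per-byte mask parallel to encode_qname(): 0xDF on letters (clears the
    case bit), 0xFF on length bytes, digits, hyphens and the terminator."""
    out = bytearray()
    for label in domain.strip(".").split("."):
        out.append(0xFF)
        out.extend(0xDF if ch.isalpha() else 0xFF for ch in label)
    out.append(0xFF)
    return bytes(out)


def qname_words(domain: str, offset: int = IPV4_UDP_DNS_HEADERS):
    """Yield (offset, mask, value) per 32-bit word of the QNAME; value is
    already masked, so value == packet_word & mask on a hit."""
    wire, mask = encode_qname(domain), qname_mask(domain)
    pad = (-len(wire)) % 4
    wire += b"\x00" * pad
    mask += b"\x00" * pad  # bytes after the terminator (QTYPE...) are don't-care
    for i in range(0, len(wire), 4):
        m = int.from_bytes(mask[i:i + 4], "big")
        v = int.from_bytes(wire[i:i + 4], "big") & m
        yield offset + i, m, v


def u32_expression(domain: str) -> str:
    """The --u32 argument: one 'offset&mask=value' test per word, joined by &&."""
    return " && ".join(f"0x{off:x}&0x{m:08X}=0x{v:08x}"
                       for off, m, v in qname_words(domain))


def iptables_rule(domain: str) -> str:
    return (f'iptables --insert INPUT -p udp --dport 53 -m u32 '
            f'--u32 "{u32_expression(domain)}" -j DROP '
            f'-m comment --comment "DROP DNS Q {domain}"')


def u32_matches(packet: bytes, domain: str) -> bool:
    """Evaluate the generated tests as xt_u32 does: all must hold, and a
    test whose 4-byte word lies past the end of the packet fails."""
    for off, m, v in qname_words(domain):
        if off + 4 > len(packet):
            return False
        if int.from_bytes(packet[off:off + 4], "big") & m != v:
            return False
    return True


def build_query(domain: str, qtype: int = 1) -> bytes:
    """Constructed IPv4/UDP/DNS query with placeholder header fields."""
    ip = b"\x45" + bytes(19)                                  # version 4, IHL 5
    udp = bytes(2) + (53).to_bytes(2, "big") + bytes(4)       # dport 53
    dns = b"\x12\x34\x01\x00\x00\x01" + bytes(6)              # RD set, QDCOUNT 1
    return ip + udp + dns + encode_qname(domain) + qtype.to_bytes(2, "big") + b"\x00\x01"


if __name__ == "__main__":
    print(iptables_rule(sys.argv[1] if len(sys.argv) > 1 else "dnsamplificationattacks.cc"))
```

For dnsamplificationattacks.cc this reproduces the blog's seven tests byte for byte. Because the label-length bytes are compared exactly, a query for evil.example.com does not match a rule for evil.com (the second word sees 0x07 where 0x03 is expected), which is the substring problem Jonathan raised with `-m string`. The fixed 0x28 offset is the rule's weak point: a packet carrying IP options shifts the QNAME, and the `0>>22&0x3C@` idiom from the u32 man page (IHL-relative addressing) removes that assumption, but it has to prefix every test, because each `&&` clause starts again from the beginning of the packet.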


Re: Need trusted NTP Sources

2014-02-08 Thread Majdi S. Abbas
On Fri, Feb 07, 2014 at 01:14:09PM -0500, Jared Mauch wrote:
> If you want something that is cheap as in you for your home, I can 
> recommend this: ~$350 w/ antenna, etc..
> 
> http://www.netburnerstore.com/product_p/pk70ex-ntp.htm
> 
> You can get the whole thing going quickly.  Majdi has also had good luck 
> with this unit (perhaps he wants to chime-in, heh pun unintended) regarding 
> a few other devices.

The Netburner NTP sample app works well enough for basic home
use, although I get better timing performance out of a fleet of hand
modified Soekrii.

I've been modifying NET4801s to include internal Motorola Oncore
timing receivers (this is a tight fit, but doable, in the factory
cases), or to break out their second serial port for connections to 
external reference clocks.  (I have one connected to a TrueTime TL-3 to
use WWV as a backup to GPS, but it can also be a travelling GPS NTP
server with, say, a Garmin GPS18lvc connected.)

You can make your own sub-$150 NTP server -- I'll spare the
list the details, but those that are interested should see:

http://puck.nether.net/~majdi/ntp/

Feedback is appreciated -- I've only spent about an hour on
this doc, and it assumes a lot of familiarity with FreeBSD.  I will
try to flesh it out more as I have time.

Cheers,

--msa



Re: GEO location issue with google

2014-02-08 Thread Sylvain Vallerot


Hi,

On 07/02/2014 16:20, Praveen Unnikrishnan wrote:

> We are an ISP based in UK. We have got an ip block from RIPE
> which is 5.250.176.0/20.


There is a geoloc attribute for the inetnum fields, maybe you could
try and set it, just in case someone uses it sometimes...

Regards,
S. Vallerot




Re: Need trusted NTP Sources

2014-02-08 Thread Jay Ashworth
- Original Message -
> From: "Saku Ytti" <s...@ytti.fi>
> 
> On (2014-02-06 21:14 -0500), Jay Ashworth wrote:
> > My usual practice is to set up two in house servers, each of which
> > talks to:
> > 
> > And then point everyone in house to both of them, assuming they
> > accept multiple server names.
> 
> Two is the worst possible number of NTP servers to have. Either one fails and your
> timing is wrong, because you cannot vote a false ticker. And the chance of either of
> the two failing is higher than that of one specific one of them.

Fair point.

In practice, it never bit me because nearly everything that wanted NTP
would only accept one server name (being windows) and the things that
*did* take more than one, I generally pointed to both internals, and 
something outside the firewall as well.

In the architecture I described, though, is it really true that the odds
of the common types of failure are higher than with only one?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



Re: Need trusted NTP Sources

2014-02-08 Thread Jay Ashworth
- Original Message -
> From: "Jimmy Hess" <mysi...@gmail.com>
> 
> Don't forget poor performance due to high latency, or
> Server X emitting corrupted or inaccurate data

My two internal servers were my two uplink firewalls, and were pretty
thoroughly monitored.  Had NTP gone insane, I'd have heard about it.

Remember that 3 of the 8 peers on each machine were pool.ntp.org machines,
so the cluster, as a cluster, actually had *nine* external peers, each
machine having 3 in common, and three which were not (each machine was
a DNS resolver, so they didn't share a name cache on *.us.pool.ntp.org).

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



Re: Need trusted NTP Sources

2014-02-08 Thread Jay Ashworth
- Original Message -
> From: "Matthew Huff" <mh...@ox.com>
> 
> Working in the financial world, the best practice is to have 4 ntp
> servers (if not using PTP).
> 
> 1) You need 3 to determine the correct time (and detect bad tickers)
> 2) If you lose 1 of the 3 above, then you no longer can determine the
> correct time
> 3) Therefore with 4, you have redundancy.
> 
> We have two Symmetricom Stratum 1 time servers synced via GPS with
> Rubidium oscillators, and two RHEL 6 servers running ntpd for our 4
> servers.

As I've noted, I had *nine* external peers; 3 shared by both machines
(commercial and NIST strat-1's), and 3 each from us.pool, which were
generally different servers; I did keep an eye on that.

And the NTP servers were monitored.

I'm stupid, but I'm not crazy. :-)

Cheers,
-- jra

-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



Re: BCP38 (was: Re: Why won't providers source-filter attacks? Simple.)

2014-02-08 Thread Jay Ashworth
- Original Message -
> From: "Roland Dobbins" <rdobb...@arbor.net>
> 
> On Feb 8, 2014, at 4:25 AM, Chris Grundemann <cgrundem...@gmail.com>
> wrote:
> 
> > Documenting those various mechanisms which are actually utilized is
> > the key here. =)
> 
> Yes, as well as the various limitations and caveats, like the
> wholesale/retail issue (i.e., customers of my customer).

And anyone who has factual data on that topic is invited to contribute it
to (stop me if you've heard this one)...

  http://www.bcp38.info

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274