Tom,

It is now nearly two months later and I can safely conclude that blocking the DNS cache queries works for our servers. It takes a lot of load off our DNS servers.

Because the shorewall rule to block this attack is so effective, and because I think we are not the only ones that are severely attacked, would it be an idea to make this rule a documented and maintained part of Shorewall? If so, below is a start at documenting this rule. Perhaps other people can help and make it a well documented part of Shorewall.

1. The problem to solve is to block attackers who compromise DNS
   servers by sending recursive queries to DNS servers. The attack can
   be identified by analysing DNS queries. All recursive queries from
   unauthorised sources are suspect.
2. Identification is done by analysing UDP traffic on port 53, where
   three rules must be applied: (1) in the flag field (bits 16-31), bit 1
   must be 0 (query), (2) bit 8 must be 1 (recursion desired), and
   (3) the source is an untrusted host. Also see figure.
3. The shorewall rule

       IPTABLES(DROP)  wan1:!$TRUSTEDHOSTS   $FW   udp 53 ; -m string --algo bm --hex-string "|01000001|"

   is proven effective. In this example "wan1" is the internet zone,
   "$FW" is the compromised DNS server and "$TRUSTEDHOSTS" are the
   host(s) that are allowed to recursively query the DNS server. The
   rule must be applied before other rules that apply to UDP/53 traffic.
4. Part of the rule is --hex-string "|01000001|". This works but is
   most likely not precise enough. There is no guarantee that only the
   queries with recursion-desired flags are blocked. There must be a
   way to block the packets more precisely. Perhaps with the iptables
   options "-m u32 --u32"? I'm not capable of writing such a rule.


Ruud Baart wrote on 9-7-2014 0:59:
I think it works.

In /etc/shorewall/params I defined all trusted networks. In /etc/shorewall/rules:

    ?SECTION NEW
    IPTABLES(DROP)     wan1:!$TRUSTEDHOSTS   $FW               udp   53 ; -m string --algo bm --hex-string "|01000001|"
    dropNotSyn         wan1                  $FW               tcp
    DNS_DDoS           wan1                  $FW               udp   domain

For now, I think this is easy to maintain and effective.

    iptables -nvL
    904 80243 ~excl0   udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "|01000001|" ALGO name bm TO 65535
    135  9213 DNS_DDoS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53

Thank you for your support.

Tom Eastep wrote on 8-7-2014 23:33:
On 7/8/2014 2:19 PM, Ruud Baart wrote:
I think I found part of the solution.

In /etc/shorewall/rules:

       IPTABLES(DROP) wan1 $FW udp 53 ; -m string --algo bm --hex-string "|01000001|"

does not work. But

       iptables -I INPUT 1 -p udp --dport 53 -m string --algo bm --hex-string "|01000001|" -j DROP

works.

I assume the place of the rule in the iptables rule set is important. In
the last case it is part of the chain INPUT and in the first case it is
part of the chain wan1-fw (of course this is specific for this server).

I would like to get it working in shorewall. Easier to maintain and
easier to make an exception for the internal systems. Is there a way to
get the rule on the correct position or chain?

Are there UDP 53 rules before that one in the rules file?

-Tom
--

Regards,

Ruud Baart
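As an added illustration of point 4 of the proposal above (this is my own example, not code from the thread or from Shorewall): the string match looks for the bytes 01 00 00 01 anywhere in the packet, so a recursive query that sets an extra flag such as AD slips past it, while a non-recursive query for a record type whose two-byte code is 0x0100 trips it. The function u32_rd_query_match emulates one candidate u32 expression, 0>>22&0x3C@8&0x8100=0x0100, which I assume to be the precise check Ruud asks for (IHL*4 from the IP header, then the DNS ID+flags word, then QR=0 and RD=1); the packets are constructed here for the demonstration.

```python
import struct

# Constructed sample traffic: IPv4 + UDP + DNS query, as the rule would see it.
def dns_query(txid, flags, qname, qtype=1):
    """Build a minimal DNS query: 12-byte header plus one question (class IN)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def ipv4_udp(payload, sport=40000, dport=53):
    """Wrap a payload in IPv4 (IHL=5, no options) and UDP headers; checksums left 0."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53]))
    return ip + udp

def string_match(packet):
    """What the thread's rule does: -m string --hex-string "|01000001|" matches the
    4 bytes at any offset in the packet (the counter output shows TO 65535)."""
    return b"\x01\x00\x00\x01" in packet

def u32_rd_query_match(packet):
    """Emulates the u32 expression 0>>22&0x3C@8&0x8100=0x0100 (assumed, see lead-in):
    take the 32-bit word at offset 0 of the IP header, shift and mask to get IHL*4,
    read the 32-bit word 8 bytes past the IP header (skipping the UDP header, i.e.
    DNS ID + flags) and require QR (0x8000) clear and RD (0x0100) set."""
    if len(packet) < 4:
        return False  # u32 fails the match when the read runs past the packet
    word0 = struct.unpack_from("!I", packet, 0)[0]
    ihl_bytes = (word0 >> 22) & 0x3C
    if len(packet) < ihl_bytes + 8 + 4:
        return False
    dns_word = struct.unpack_from("!I", packet, ihl_bytes + 8)[0]
    return dns_word & 0x8100 == 0x0100

# Flags: 0x0100 = RD only; 0x0120 = RD+AD (what a modern stub sends); 0x0000 = iterative.
RD_QUERY = ipv4_udp(dns_query(0x1234, 0x0100, "example.com"))
RD_AD_QUERY = ipv4_udp(dns_query(0x1234, 0x0120, "example.com"))
ITERATIVE_QUERY = ipv4_udp(dns_query(0x1234, 0x0000, "example.com"))
ITERATIVE_URI_QUERY = ipv4_udp(dns_query(0x1234, 0x0000, "example.com", qtype=256))

if __name__ == "__main__":
    for name, pkt in [("RD", RD_QUERY), ("RD+AD", RD_AD_QUERY),
                      ("iterative", ITERATIVE_QUERY), ("iterative URI", ITERATIVE_URI_QUERY)]:
        print(f"{name:14} string={string_match(pkt)!s:5} u32={u32_rd_query_match(pkt)}")
```

Only the u32 emulation tracks the recursion-desired bit in all four cases; the string match misses the RD+AD query and drops the iterative URI query.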
