I think I've been DoS'd. And it's still happening. It looks like DrDoS. I
think I'm on some kind of IP database that's used in an attack and also the
target/victim (me) of an attack.
My guess is some kind of (successful) syn/icmp flood at first.
After work I came home and tried to use the net. Couldn't get any network
traffic happening. I initially did:
1) checked pppd/pppoe, route, ifconfig, ppp0
2) checked ADSL modem sync lights
3) pppstats -w1 ppp0
I found out I was getting traffic after all:
        IN    PACK  VJCOMP  VJUNC  VJERR |       OUT    PACK  VJCOMP  VJUNC  NON-VJ
 556007269    1347       0      0      0 | 593208127    1414       0      0    1414
      3684       0       0      0      0 |      5504       0       0      0       0
      5402       0       0      0      0 |      4344       0       0      0       0
      4300       0       0      0      0 |      4706       0       0      0       0
..... etc.
I checked ipchains and did a tcpdump -i ppp0, and found a lot of connections
from 65.59/16:http. When I blocked this IP, I started getting connections
from 143.215/16 hitting random ports. I:
1.a. removed port 80 from /etc/services
  b. shut down httpd
2.a. removed domain ports from /etc/services
  b. shut down named
I was still getting traffic, tcpdump scrolling hundreds of lines per second.
I started blocking 143.215/16, and eventually blocking all incoming
"input -s 0/0 -j DENY" only to see my system still replying to http/icmp
requests to unknown/random systems. Some IPs were in sequence, like a sweep.
So I blocked with "output -s 0/0 -j DENY":
19:12:45.607963 202.7.95.227.4892 > 61.68.139.186.http: F
3839664545:3839664545(0) ack 2344186948 win 5808 <nop,nop,timestamp 2157559
690243585> (DF)
19:12:45.607963 202.7.95.227.4893 > 61.68.139.187.http: F
3852336317:3852336317(0) ack 2326422643 win 5808 <nop,nop,timestamp 2157559
690244698> (DF)
19:12:45.607963 202.7.95.227.4894 > 61.68.139.188.http: F
3853584723:3853584723(0) ack 2342238360 win 5808 <nop,nop,timestamp 2157559
690243015> (DF)
19:12:45.607963 202.7.95.227.4895 > 61.68.139.189.http: F
3839112485:3839112485(0) ack 2329792563 win 5808 <nop,nop,timestamp 2157559
689883382> (DF)
...
After a while, tcpdump gave continuous lines of:
"#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O
#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O
#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O
#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O#O...."
and
"Acct_out_packets Acct_out_packets Acct_out_packets Acct_out_packets
Acct_out_packets Acct_out_packets Acct_out_packets Acct_out_packets
Acct_out_packets Acct_out_packets Acct_out_packets Acct_out_packets
Acct_out_packets Acct_out_packets Acct_out_packets Acct_out_...."
and
"Term_action Term_action Term_action Term_action Term_action Term_action
Term_action Term_action Term_action Term_action Term_action Term_action
Term_action Term_action Term_action Term_action Term_action Term_action
Term_action Term_action Term_action Term_action Term_action Term_...."
My connection was still crippled, so I resorted to:
ipchains -F
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output DENY
and then the modem lights stopped after a 5 - 10 second delay - phew!
I started getting some strange and interesting domain requests, e.g.:
21:21:38.117963 202.7.95.227.1180 > 61.8.0.113.domain: 36220+ A?
mail1.3lefties.com. (36) (DF)
21:21:39.137963 202.7.95.227.1025 > 63.175.90.3.domain: 54436 A?
mail1.3lefties.com. (36) (DF)
21:21:40.137963 202.7.95.227.1025 > 212.100.224.171.domain: 59986 A?
preschool.shacknet.nu. (39) (DF)
21:21:50.147963 202.7.95.227.1182 > 210.23.129.35.domain: 36222+ A?
mail1.3lefties.com.orin.home. (46) (DF)
21:22:05.177963 202.7.95.227.1025 > 64.46.12.16.domain: 47021 [1au] A?
www1.fscking.com. OPT UDPsize=2048 (45) (DF)
21:22:07.197963 202.7.95.227.1025 > 63.162.108.6.domain: 27540 [1au] A?
www1.fscking.com. OPT UDPsize=2048 (45) (DF)
21:22:42.257963 202.7.95.227.1189 > 61.8.0.113.domain: 36225+ A?
www1.fscking.com.orin.home. (44) (DF)
21:22:51.277963 202.7.95.227.1190 > 61.8.0.113.domain: 36228+ A?
2krad.busitec.jp.orin.home. (44) (DF)
21:28:05.787963 202.7.95.227.1239 > 61.8.0.113.domain: 36250+ A?
the.city.ro. (29) (DF)
21:28:08.797963 202.7.95.227.1240 > 210.23.129.35.domain: 36250+ A?
the.city.ro. (29) (DF)
21:28:41.867963 202.7.95.227.1245 > 61.8.0.113.domain: 36252+ A? x.x.ro.
(24) (DF)
21:28:44.877963 202.7.95.227.1246 > 210.23.129.35.domain: 36252+ A? x.x.ro.
(24) (DF)
21:28:59.907963 202.7.95.227.1248 > 61.8.0.113.domain: 36253+ A?
x.x.ro.fnet.home. (34) (DF)
21:32:30.377963 202.7.95.227.1287 > 210.23.129.35.domain: 36264+ A? c.c.ro.
(24) (DF)
21:32:31.017963 202.7.95.227 > 129.125.6.242: icmp: echo reply (DF)
21:32:36.387963 202.7.95.227.1287 > 61.8.0.113.domain: 36265+ A?
c.c.ro.fnet.home. (34) (DF)
22:40:45.427963 202.7.95.227 > 198.41.0.4: icmp: echo request (DF)
22:40:46.097963 202.7.95.227.1513 > 193.0.14.129.domain: 40393 A?
2krad.busitec.jp. (34) (DF)
22:40:46.427963 202.7.95.227 > 198.41.0.4: icmp: echo request (DF)
22:40:47.427963 202.7.95.227 > 198.41.0.4: icmp: echo request (DF)
A couple more interesting ones:
22:40:59.547963 202.7.95.227.1513 > 192.31.80.30.domain: 32778 [1au] A?
ns.hjs.net. OPT UDPsize=2048 (39) (DF)
22:40:59.547963 202.7.95.227.1513 > 192.31.80.30.domain: 16389 [1au] A?
ns2.hjs.net. OPT UDPsize=2048 (40) (DF)
22:40:59.887963 192.31.80.30.domain > 202.7.95.227.1513: 32778 FormErr-%
[0q][|domain]
22:40:59.887963 202.7.95.227.1513 > 192.31.80.30.domain: 30970 A?
ns.hjs.net. (28) (DF)
22:40:59.907963 192.31.80.30.domain > 202.7.95.227.1513: 16389 FormErr-%
[0q][|domain]
22:40:59.907963 202.7.95.227.1513 > 192.31.80.30.domain: 48253 A?
ns2.hjs.net. (29) (DF)
22:41:00.217963 192.31.80.30.domain > 202.7.95.227.1513: 30970- 0/2/2 (102)
22:41:00.217963 202.7.95.227.1513 > 216.156.140.131.domain: 13357 [1au] A?
ns.hjs.net. OPT UDPsize=2048 (39) (DF)
22:41:00.537963 202.7.95.227.1513 > 216.156.140.131.domain: 44937 A?
ns2.hjs.net. (29) (DF)
22:41:00.797963 216.156.140.131.domain > 202.7.95.227.1513: 48816* 1/2/2 A
216.156.140.131 (125)
22:41:00.807963 202.7.95.227.1513 > 216.156.140.131.domain: 59740 A?
the.city.ro. (29) (DF)
22:41:00.827963 216.156.140.131.domain > 202.7.95.227.1513: 44937* 1/2/2 A
216.156.140.132 (126)
22:41:01.097963 216.156.140.131.domain > 202.7.95.227.1513: 59740* 1/2/2 A
66.70.11.90 (129)
22:41:01.097963 202.7.95.227.2521 > 66.70.11.90.ircd: S 78673694:78673694(0)
win 5808 <mss 1452,sackOK,timestamp 3407108 0,nop,wscale 0> (DF)
22:41:01.347963 192.168.0.3 > 64.58.77.85: icmp: echo request
22:41:01.427963 202.7.95.227 > 198.41.0.4: icmp: echo request (DF)
and a lot of others. I wasn't making the requests ... I feared that I had
been back doored and my box was making outbound connections on its own.
After 12 hrs blocking everything and sleeping on my problem, I allowed my
firewall to return to normal rules. Traffic was down/cut/minimal, and the
Internet was accessible. I managed to leave the system on for 4 or 5 hrs
before I started being attacked again.
I checked /var/log/security* and found a lot of "FAIL"ed attempts at telnet
& ftp from unknown/foreign IPs within the last 2 weeks. I also found the
usual CodeRed attempts in httpaccess logs.
1st question:
Does blocking the incoming connection with my firewall actually stop me from
paying for downstream data? I would think not, because the firewall has to
receive the packet before denying it ...
I think there's an icmp RFC on this, but haven't taken a look at it.
2nd question:
Is this just what everybody with a business plan / permanent connection & IP
has to put up with?
I did a SLUG archive search and did some reading including followups:
"blocking icmp"
block AND icmp
"denial of service" AND attack
"denial of service"
"acct_out_packets"
"term_action"
Didn't get a lot of useful hits, but took a few things into consideration,
e.g. firewalling, block IPs at the upstream, everybody gets taxed for twit
traffic, nothing can be done in general etc.
I'm no security expert, but I'm currently in the process of migrating from
ipchains to iptables, and taking system security more seriously (yes, dumb
me). I'm really pissed off now ...
I found out that on 23 Nov I had used 1400MB+ over my average daily
usage - the result of 1 day of undetected DoS. My parents couldn't use the net;
dad said "it's those flicking modem lights" but was too dumb to DO anything,
e.g. even unplug the modem.
I rang PacificNet's tech support, who told me I'll have to pay for the
traffic - fair enough.
I know that blocking all icmp is silly or doesn't work.
Remaining questions:
Is there anything else that I can do apart from early detection or
unplugging the modem to prevent paying excess in the case of a Denial of
Service or syn/ack, icmp flood? Auto-blocking tools, slowing down
connections? Should I make a complaint to the source ISP? Would PacificNet
be willing to block a whole network just for one customer (me; doubt it)?
--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
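Every tcpdump line quoted in the post has 202.7.95.227 (the ppp0 address) as the packet source: the "F ... ack" lines go from ephemeral ports 4892-4895 to port http on four consecutive hosts, so the local box is the client side of those connections, and the DNS, ICMP and ircd lines are likewise locally originated. That is the observation behind the "back doored" worry above. As an added example, not part of the original post or of any SLUG reply, the script below triages capture text in that tcpdump 3.x format: it classifies each record as inbound or outbound relative to the local address, then flags locally originated sequential destination sweeps, outbound DNS queries to resolvers other than the expected ones, outbound TCP SYNs (here to ircd), and RFC1918 source addresses seen on the external link. LOCAL_IP and EXPECTED_RESOLVERS are assumptions taken from the addresses in the post, and the sample capture is constructed from the quoted lines plus one made-up inbound SYN for contrast; it assumes numeric IP addresses in the capture.

```python
"""Triage tcpdump 3.x text output captured on the PPP link (added example).

Classifies each record by direction relative to the local address and flags:
sequential destination sweeps originating locally, outbound DNS queries to
resolvers other than the expected ones, outbound TCP SYNs, and RFC1918 source
addresses appearing on the external link.
"""
import ipaddress
import re

LOCAL_IP = "202.7.95.227"                              # assumption: the ppp0 address
EXPECTED_RESOLVERS = {"61.8.0.113", "210.23.129.35"}  # assumption: the ISP's resolvers

# Constructed sample: lines quoted in the post, plus one made-up inbound SYN (last line).
SAMPLE_CAPTURE = """\
19:12:45.607963 202.7.95.227.4892 > 61.68.139.186.http: F 3839664545:3839664545(0) ack 2344186948 win 5808 <nop,nop,timestamp 2157559 690243585> (DF)
19:12:45.607963 202.7.95.227.4893 > 61.68.139.187.http: F 3852336317:3852336317(0) ack 2326422643 win 5808 <nop,nop,timestamp 2157559 690244698> (DF)
19:12:45.607963 202.7.95.227.4894 > 61.68.139.188.http: F 3853584723:3853584723(0) ack 2342238360 win 5808 <nop,nop,timestamp 2157559 690243015> (DF)
19:12:45.607963 202.7.95.227.4895 > 61.68.139.189.http: F 3839112485:3839112485(0) ack 2329792563 win 5808 <nop,nop,timestamp 2157559 689883382> (DF)
21:21:38.117963 202.7.95.227.1180 > 61.8.0.113.domain: 36220+ A? mail1.3lefties.com. (36) (DF)
21:21:39.137963 202.7.95.227.1025 > 63.175.90.3.domain: 54436 A? mail1.3lefties.com. (36) (DF)
22:41:00.797963 216.156.140.131.domain > 202.7.95.227.1513: 48816* 1/2/2 A 216.156.140.131 (125)
22:41:01.097963 202.7.95.227.2521 > 66.70.11.90.ircd: S 78673694:78673694(0) win 5808 <mss 1452,sackOK,timestamp 3407108 0,nop,wscale 0> (DF)
22:41:01.347963 192.168.0.3 > 64.58.77.85: icmp: echo request
22:41:01.427963 202.7.95.227 > 198.41.0.4: icmp: echo request (DF)
22:41:02.000000 143.215.10.4.3322 > 202.7.95.227.http: S 1:1(0) win 512
"""

RECORD_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<body>.*)$")


def split_endpoint(endpoint):
    """'1.2.3.4.http' -> ('1.2.3.4', 'http'); bare '1.2.3.4' (ICMP) -> ('1.2.3.4', None)."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), parts[4]
    return endpoint, None


def parse_record(line):
    """Return a dict for one tcpdump line, or None for noise (e.g. the #O#O runs)."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    body = m["body"]
    if body.startswith("icmp:"):
        proto = "icmp"
    elif "domain" in (sport, dport):
        proto = "udp"  # assumption: DNS here is UDP, as the 'A?' query lines show
    else:
        proto = "tcp"
    local_side = src == LOCAL_IP or ipaddress.ip_address(src).is_private
    return {"ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "body": body, "direction": "out" if local_side else "in"}


def find_sweeps(records, min_hosts=3):
    """Outbound TCP records to the same port whose destination addresses
    increase by exactly one, capture line after capture line, form a sweep."""
    sweeps, run = [], []
    for r in (r for r in records if r["direction"] == "out" and r["proto"] == "tcp"):
        if run and r["dport"] == run[-1]["dport"] and \
                int(ipaddress.ip_address(r["dst"])) == int(ipaddress.ip_address(run[-1]["dst"])) + 1:
            run.append(r)
            continue
        if len(run) >= min_hosts:
            sweeps.append(run)
        run = [r]
    if len(run) >= min_hosts:
        sweeps.append(run)
    return [(s[0]["dst"], s[-1]["dst"], s[0]["dport"], len(s)) for s in sweeps]


def triage(text):
    """Summarise a capture: direction counts plus the indicators described above."""
    records = [r for r in map(parse_record, text.splitlines()) if r]
    out = [r for r in records if r["direction"] == "out"]
    return {
        "inbound": len(records) - len(out),
        "outbound": len(out),
        "sweeps": find_sweeps(records),
        "dns_to_unexpected_resolvers": sorted(
            {r["dst"] for r in out if r["dport"] == "domain" and r["dst"] not in EXPECTED_RESOLVERS}),
        "outbound_syn": [(r["dst"], r["dport"]) for r in out
                         if r["proto"] == "tcp" and r["body"].startswith("S ")],
        "private_src_on_wan": sorted(
            {r["src"] for r in records if ipaddress.ip_address(r["src"]).is_private}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

On the constructed sample the report counts 9 outbound records against 2 inbound, one sweep of four consecutive hosts on port http, one outbound SYN to ircd, one DNS query to a resolver outside the expected set, and the private address 192.168.0.3 as a source on the external link. A host that is merely the victim of a flood shows the opposite ratio, so running this over `tcpdump -n -i ppp0` output is a quick way to tell "I am being hit" from "my box is doing the hitting" before touching the firewall rules.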