=^.^=

More Fun with DNS Amplification Attacks: pkts.asia and babywow.co.uk

karma

I recently intercepted some DNS amplification attacks using the domains pkts.asia and babywow.co.uk involving a server which has recursion disabled but is, for some reason, returning the list of root name servers. I suppose that will be the topic of my next article :p

Big thanks to this really sweet site http://dnsamplificationattacks.blogspot.ca/ for providing a list of iptables rules which cover these attacks at https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt.

You can find more information on these two specific domains at:
http://dnsamplificationattacks.blogspot.ca/2013/10/domain-pktsasia.html
http://dnsamplificationattacks.blogspot.ca/2013/10/domain-babywowcouk.html

I found that I had to drop the --start and --stop flags to get these rules to work. I'm not sure if I'm not taking into account an offset or perhaps I'm seeing a different strain of the attack but the start and stop positions appear to be different when we crack open the packets:

pkts.asia
00163ebb000300163ecd000208004500
00476dd90000f8114fa44c670d3c0000
0000fd5900350033000095b201000001
00000000000104706b74730461736961
0000ff00010000292328000000000000
0000000000

The string we are blocking for appears to be between 36 and 40 rather than 40 and 51.

babywow.co.uk
00163ebb000300163ecd000208004500
004b9e0c0000f8110d4dd0729b500000
0000a216003500370000c1ff01000001
0000000000010762616279776f770263
6f02756b0000ff000100002923280000
000000000000000000

The string we are blocking for appears to be between 36 and 44 rather than 40 to 55.

You should note that not using --start and --stop will make netfilter inspect the whole packet which will have a (probably negligible) performance hit.

ClearOS seems to have trouble with the comment formatting so I've made a couple of minor edits to the list which will drop these rules into FORWARD on your router:

#!/bin/bash
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|1b323031336e69616e636875616e7169736966756661627577616e67076164736634327703636f6d|' -j DROP # -m comment "DROP DNS Q 2013nianchuanqisifufabuwang.adsf42w.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|03697363036f72670000ff00|' -j DROP # -m comment "DROP DNS Q ANY isc.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|077375636b64646702636300|' -j DROP # -m comment "DROP DNS Q suckddq.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|076e61706966756e03636f6d|' -j DROP # -m comment "DROP DNS Q napifun.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0768616b34756d7a036e6574|' -j DROP # -m comment "DROP DNS Q hak4umz.net"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|06616e6f6e736303636f6d00|' -j DROP # -m comment "DROP DNS Q anonsc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0331783102637a0000ff0001|' -j DROP # -m comment "DROP DNS Q ANY 1x1.cz"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|056266686d6d03636f6d000010000100|' -j DROP # -m comment "DROP DNS Q TXT bfhmm.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|03697363036f72670000ff00|' -j DROP # -m comment "DROP DNS Q ANY isc.org dns.id"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|076564656c696f6e02737500|' -j DROP # -m comment "DROP DNS Q edelion.su"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0432736f65027275|' -j DROP # -m comment "DROP DNS Q 2soe.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0472697065036e657400|' -j DROP # -m comment "DROP DNS Q ripe.net"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0968697a62756c6c6168026d6500|' -j DROP # -m comment "DROP DNS Q hizbullah.me"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|11657667656e69792d6d61726368656e6b6f02636300|' -j DROP # -m comment "DROP DNS Q evgeniy-marchenko.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|057372766974036f726700|' -j DROP # -m comment "DROP DNS Q srvit.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0B7061636b6574646576696c03636f6d00|' -j DROP # -m comment "DROP DNS Q packetdevil.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|046a756e6b087468657977616e7402696e00|' -j DROP # -m comment "DROP DNS Q junk.theywant.in"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0374787408707773657276657203636f6d02756100|' -j DROP # -m comment "DROP DNS Q txt.pwserver.com.ua"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0469657466036f726700|' -j DROP # -m comment "DROP DNS Q ietf.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0371686102636300|' -j DROP # -m comment "DROP DNS Q qha.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|066c61326c6f7702636300|' -j DROP # -m comment "DROP DNS Q la2low.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|057a7a67737403636f6d00|' -j DROP # -m comment "DROP DNS Q zzgst.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|01610B7061636b6574646576696c03636f6d00|' -j DROP # -m comment "DROP DNS Q a.packetdevil.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0778706c6f64696e03636f6d00|' -j DROP # -m comment "DROP DNS Q xplodin.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0261610661736433736303636f6d00|' -j DROP # -m comment "DROP DNS Q aa.asd3sc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0962697473747265737303636f6d00|' -j DROP # -m comment "DROP DNS Q bitstress.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|026161066d6d7461633103636f6d00|' -j DROP # -m comment "DROP DNS Q aa.mmtac1.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0C6b696464793332333336353502727500|' -j DROP # -m comment "DROP DNS Q kiddy3233655.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05643639393103636f6d00|' -j DROP # -m comment "DROP DNS Q d6991.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0661613332343703636f6d00|' -j DROP # -m comment "DROP DNS Q aa3247.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|08666b666b666b666103636f6d00|' -j DROP # -m comment "DROP DNS Q fkfkfkfa.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A677261707079626c6f6703636f6d00|' -j DROP # -m comment "DROP DNS Q grappyblog.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05636d69756903636f6d00|' -j DROP # -m comment "DROP DNS Q cmiui.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05346677686b03636f6d00|' -j DROP # -m comment "DROP DNS Q 4fwhk.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0673616e64696103676f7600|' -j DROP # -m comment "DROP DNS Q sandia.gov"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A7a61696b617061696b6103636f6d00|' -j DROP # -m comment "DROP DNS Q zaikapaika.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|08766572697369676e03636f6d00|' -j DROP # -m comment "DROP DNS Q verisign.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0473656d6102637a00|' -j DROP # -m comment "DROP DNS Q sema.cz"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|04706b7473046173696100|' -j DROP # -m comment "DROP DNS Q pkts.asia"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A69726c77696e6e696e6703636f6d00|' -j DROP # -m comment "DROP DNS Q irlwinning.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|053337397a6303636f6d00|' -j DROP # -m comment "DROP DNS Q 379zc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333630383804696e666f00|' -j DROP # -m comment "DROP DNS Q 36088.info"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|067478743430390874656b6a65746f6e03636f6d00|' -j DROP # -m comment "DROP DNS Q txt409.tekjeton.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0D73757065726d65676174727565056d6364697202727500|' -j DROP # -m comment "DROP DNS Q supermegatrue.mcdir.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333032353904696e666f00|' -j DROP # -m comment "DROP DNS Q 30259.info"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0762616279776f7702636f02756b00|' -j DROP # -m comment "DROP DNS Q babywow.co.uk"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333633373204696e666f00|' -j DROP # -m comment "DROP DNS Q 36372.info"

Comments

karma

@smurfmonitor
I couldn't help but notice that your count is, on both domains, 4 bytes after mine.

That would be consistent with a VLAN tag. Maybe YOU could share some pcap data with ME? ;)

karma

@John
Re: and is bound to fail as soon as someone introduces a new host.

Absolutely correct. However, attackers seem to use specific domains for their response properties, like a particularly long DNSSEC. I've personally only seen four or five different domains used against this server so it's something that can be kept on top of. Since they are regular DNS queries there's really no signature to go on but the domain unless you want to start dropping legit packets.

Re: The relevant DNS lookups have a recursion flag set. I thinkit best to ensure your DNS has recursion turned off, and then to drop traffic coming in from the internet (ppp0 in my case). The principal difficulty I have had is determining to look for the flag.

Also correct, it is because open DNS servers have recursion enabled for all hosts that they can be used for amplification; the size of a denied response in fact diminishes the outflow relative to the inflow. The proper course of action is to restrict recursive lookups to your own subnets. You can read more about that here: http://foxpa.ws/2010/07/20/making-the-case-for-access-controlled-recursive-lookups-with-bind/

Of course, once you've done that your DNS server is still probably taking a hit from attackers which have not updated their list of open dns servers so the netfilter rules do have value.

@smurfmonitor
Thanks, nice monitoring service!

If you mean pcap I don't think my clients would be amenable to that. The hex dumps in my post are the raw packets I am seeing minus the destination IP, you should be able to reconstruct them easily.

• smurfmonitor

Nice post!
Can you share some cpap data with me? I'd like to test my iptables rule on it.

Cheers

• Doug

Many thanks for your kind help

• John

This is a very error-prone way of going about it, and is bound to fail as soon as someone introduces a new host.

The relevant DNS lookups have a recursion flag set. I thinkit best to ensure your DNS has recursion turned off, and then to drop traffic coming in from the internet (ppp0 in my case). The principal difficulty I have had is determining to look for the flag.

I was working on it when the attacks stopped, but this seems to be getting close:
iptables -R INPUT 3 -i ppp0 -m udp -p udp --destination-port 53 -m string --algo bm --from 29 --to 30 --hex-string |0100| -j LOG --log-prefix Recursive DNS

Note I was replacing the rule, nod appending or inserting. Once I am confident I have it right I will add a DROP rule to my shorewall rules.